Outlook Microsoft Purview Advanced Message Encryption



I'm looking into Microsoft Purview Advanced Message Encryption and have a couple of questions I don't fully understand after reading into this.

After creating a new OME custom configuration, how can I show this in Outlook to choose different templates I have created? Or do I HAVE to use mail flow rules to apply the custom OME configuration? Can I apply it in some other way, for example sensitivity labels?

From what it looks like, sensitivity labels only use the default OME configuration, and I can't specify any newly created OME configuration templates. Is this true?

In the end I want to be able to create multiple OME configurations, and be able to choose what configuration to use when sending an email, and apply different configurations for different users. Is this possible? Also, I want to disable OTP and force users to always go to the OME portal to read messages in all different email providers (Outlook, Google etc). The only way to force users to read messages in the OME portal, from what I understand, is to create a custom OME configuration.

Thanks in advance!

4 Replies
best response confirmed by Robomurphy (New Contributor)
You can only use the default OME configuration, so there's no way to make the customized ones selectable in the client, I'm afraid. OME, now called Microsoft Purview Message Encryption, has two options: Encrypt Only and Do Not Forward. It is for the email use case only, while sensitivity labels are for protection no matter the location of the document.

You have to use mail flow rules for the customized templates as far as I know.

Consider sensitivity labels instead, they are much more flexible and can be configured granularly and either let the users choose or make labeling mandatory etc.
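
The mail flow rule route mentioned in this answer, as an added Exchange Online PowerShell example (not code from the thread): it creates a custom OME configuration with OTP disabled and applies it through a transport rule scoped to one sender group. The template name, group address and rule name are hypothetical, and leaving Microsoft account sign-in enabled is an assumption so that recipients still have a way to authenticate.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# Hypothetical values for illustration; replace with your own.
$templateName = 'Portal Only - Finance'
$senderGroup  = 'finance-senders@contoso.example'
$ruleName     = 'Encrypt external mail from Finance with custom OME template'

# Create the custom OME configuration (branding template) if it does not exist yet.
if (-not (Get-OMEConfiguration -Identity $templateName -ErrorAction SilentlyContinue)) {
    New-OMEConfiguration -Identity $templateName
}

# Disable one-time passcodes on this template only; the default
# "OME Configuration" is left untouched. Sign-in with a Microsoft
# account stays enabled (assumption) so recipients are not locked out.
Set-OMEConfiguration -Identity $templateName -OTPEnabled $false -SocialIdSignIn $true

# Custom templates are not selectable in Outlook, so a mail flow rule applies
# the encryption and the custom template together. Scoping by sender group
# gives different users different configurations.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromMemberOf $senderGroup `
        -SentToScope NotInOrganization `
        -ApplyRightsProtectionTemplate 'Encrypt' `
        -ApplyRightsProtectionCustomizationTemplate $templateName
}

# Verify what was configured.
Get-OMEConfiguration -Identity $templateName |
    Format-List Identity, OTPEnabled, SocialIdSignIn
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromMemberOf, ApplyRightsProtectionTemplate,
                ApplyRightsProtectionCustomizationTemplate
```

A second template for another group is a second `New-OMEConfiguration` plus a second rule with a different `-FromMemberOf` value.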

I see. Is there any way I can force all encrypted emails to use the OME portal without the use of transport rules for the default template "OME Configuration"? Because I would only like to force users to the OME portal if the encrypt/do not forward templates are being selected by users - not all external emails or specific domains.

AFAIK you can’t.

@Robomurphy Had to do some experiments here just to see what happened. So, I used the GUID from the Encrypt template, set up a rule that when that template was used (using header properties) it would attach the custom branding template on it. Sort of "encryption on already encrypted". It worked on desktop apps, but not using browsers, meaning only the wrapper was sent. But I cannot make it work as normal again even though I removed the rule, so simply a confirmation that this isn't supported and shouldn't be implemented. Could be a delay involved, time will tell.