Encrypt only rolling out starting today in Office 365 Message Encryption
Published Feb 22 2018 05:55 AM 146K Views
Microsoft

Last September, we announced new capabilities in Office 365 Message Encryption that enable users to seamlessly collaborate on protected emails with anyone. This release included Do Not Forward, an out-of-the-box policy that encrypts emails and Office attachments and restricts the content and email from being forwarded, printed or copied.

 

Today, we are happy to share that we are releasing another out-of-the-box policy called encrypt only. With the encrypt-only policy, users can send encrypted email to any recipient, whether they are inside or outside the organization, and the protection follows the lifecycle of the email. That means recipients can copy, print and forward the email, and encryption will not be removed. This new policy provides more flexibility in the type of protection that can be applied to your sensitive emails.

 

This is valuable for organizations that want persistent encryption, but do not want to add additional restrictions. For example, a doctor looking to protect an email containing sensitive personal information, can apply the encrypt-only policy, and the patient receiving the email can easily consume the protected message regardless of their email provider, and forward that email to another trusted party.  

 

With this new, flexible policy, users and admins can apply different levels of protection to best fit their data protection needs. 

 

Read more to understand what the encrypt-only policy looks like and how to apply the policy.  

 

How the encrypt-only policy works

The encrypt-only policy is an out-of-the-box policy that can be used without additional configuration and, as the name suggests, applies only encryption to the email. Users can apply it to individual emails through end-user controls in Outlook, and admins can apply it automatically to any email that matches a set of conditions through a mail flow rule in the Exchange admin center.

 

Customers that have enabled the new Office 365 Message Encryption capabilities will see the encrypt-only policy first through Outlook on the web and in the Exchange admin center under mail flow rules. Updates to Outlook for Windows and Outlook for Mac are planned for the coming months.

 

How to send an email with the encrypt-only policy in Outlook on the web

Users can apply protection with the encrypt-only policy by clicking on the Protect button and changing the permissions to Encrypt. The other options also encrypt the message but add usage restrictions; the Encrypt option applies the encrypt-only policy, so recipients can still forward, copy and print the message.

 

This option gives recipients the flexibility to share the email with other trusted parties while the encryption persists throughout the lifecycle of the email.

[Screenshot] In Outlook on the web, users can click on the Protect button to change the permissions of the email; once a user clicks Protect, they can click Encrypt to only encrypt the email.

[Screenshot] Once the encrypt-only policy is applied, the user sees a notification that encryption has been applied.

How to apply the encrypt-only policy through Exchange mail flow rules

As an administrator, you can apply the encrypt-only policy automatically to emails that meet certain conditions by creating a mail flow rule. When you do this, email affected by the encrypt-only policy is encrypted in transport by Office 365.

 

For instructions on creating a mail flow rule that employs the encrypt-only policy, see Define mail flow rules to encrypt email messages in Office 365.

[Screenshot] As an administrator, you can create a new mail flow rule to automatically apply the encrypt-only policy to emails.
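The same rule created from Exchange Online PowerShell instead of the Exchange admin center, as an added example (this is not code from the original post). It assumes the current ExchangeOnlineManagement module, an admin who can manage transport rules, and placeholder values: the rule name, the "[encrypt]" trigger keyword and the contoso/gmail addresses. New-TransportRule with -ApplyRightsProtectionTemplate, Get-RMSTemplate, Set-IRMConfiguration and Test-IRMConfiguration are real Exchange Online cmdlets; the "Encrypt" template name is the encrypt-only policy. The DecryptAttachmentForEncryptOnly step is the sending-tenant setting discussed in the comments below and is optional.

```powershell
# Added example, not code from the original post: create the encrypt-only mail flow
# rule from Exchange Online PowerShell instead of the Exchange admin center.
# Assumptions: the ExchangeOnlineManagement module is installed, the signed-in admin
# can manage transport rules, and the rule name, "[encrypt]" keyword and contoso/gmail
# addresses are placeholders for this example.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. The new OME capabilities require Azure RMS licensing to be enabled on the tenant.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw "Azure RMS licensing is off; enable it with Set-IRMConfiguration -AzureRMSLicensingEnabled `$true"
}

# 2. Optional sending-tenant setting (raised in the comments): give recipients
#    unrestricted rights on Office attachments of encrypt-only mail once they have
#    authenticated, instead of leaving the attachments rights-protected.
if (-not $irm.DecryptAttachmentForEncryptOnly) {
    Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
}

# 3. Confirm the out-of-the-box templates are visible; the encrypt-only one is named "Encrypt".
Get-RMSTemplate | Select-Object Name, Description

# 4. Apply the encrypt-only policy in transport to outbound mail whose subject or body
#    carries the trigger keyword. Recipients can still forward, copy and print, but the
#    message itself stays encrypted.
New-TransportRule -Name "Encrypt-only on keyword" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "[encrypt]" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Encrypt-only policy; no forwarding/printing restrictions."

# 5. Verify the rule, then test the RMS path for a sender/recipient pair.
Get-TransportRule -Identity "Encrypt-only on keyword" |
    Format-List Name, State, SentToScope, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate

Test-IRMConfiguration -Sender doctor@contoso.com -Recipient patient@gmail.com

Disconnect-ExchangeOnline -Confirm:$false
```

Swap the keyword condition for -MessageContainsDataClassifications (for example a sensitive information type) if you want the rule to fire on content rather than on a sender-supplied tag; the -ApplyRightsProtectionTemplate action is the same either way.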

  

How to read encrypt-only email using Outlook on the web and Outlook mobile

Office 365 recipients can read and reply to emails protected with the encrypt-only policy directly in Outlook on the web and Outlook mobile.

 

[Screenshot] Users can read the encrypted message natively in Outlook on the web and Outlook mobile.

 

The inline reading experience for Outlook desktop (Windows and Mac) will be available in the coming months. In the meantime, Office 365 users using Outlook desktop will see the encrypted mail as an html mail with an rpmsg_v2 attachment.

 

How to read encrypt-only emails for non-Office 365 users (on-prem, Gmail, and Outlook.com users)

Non-Office 365 users receive an HTML mail with an rpmsg_v4 attachment. Once they click Read Message they are redirected to the Office 365 Message Encryption portal, where they can reply, forward, print, or take other allowed actions. More information can be found in this article.

 

Get started!

The new encrypt-only policy rolls out starting today as part of Office 365 Message Encryption.

 

Office 365 Message Encryption is offered in Office 365 E3 and E5, or as an add-on; you can find the full list of where Office 365 Message Encryption is offered here.

 

Please let us know what you think here or give us your feedback on UserVoice.

 

 

200 Comments
Copper Contributor

Some recipients are missing the option to download the attachment - preview only on an encrypted email.  Why would download be missing?

 

I have Apply Office 365 Message Encryption and rights protection on my mail flow rule and I'm using the Encrypt template.

I also have "DecryptAttachmentFromPortal" and "DecryptAttachmentForEncryptOnly" both set to TRUE

Brass Contributor

Any updates on when the "Encrypt" option will be available for Outlook for Mac?

Iron Contributor

@Jessie Hernandez Roadmap #32646 says next month (November 2018). This was recently modified to pull it back from Q1 2019.

Copper Contributor

As many others have stated these DECRYPT functions do not work as intended, for anyone receiving the message who is on O365 for email.

 

Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true

 

No matter what this is set to if the receiving party is an Exchange Online tenant they cannot open attachments. Tested with over 15 different domains, all of these users are setup for email in O365. This needs to be a top priority for OMEv2, and is a glaring issue for anyone attempting to make this switch.

 

If it's someone who is @gmail.com or @yahoo.com or @hotmail.com they can receive the message and attachment fine.

DO NOT GO TO OMEv2 until this is resolved. There has been no communication from Microsoft regarding this being a known issue, and should be in their Service Alerts in the Admin Center.

Brass Contributor

@Joshua Tepper

I totally agree.  I have had Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true enabled for at least 2 months and it still does not work with other O365 tenants.  Last week I went through support again, gave them all of the documentation, screenshots, etc. and they moved it up to the next tier of support.  This does need a priority.

Microsoft

@Joshua Tepper and @Jacob R thank you for flagging this.  We are actively looking into this. 

Microsoft

@Joshua Tepper and @Jacob R I am unable to repro this issue. I sent an Encrypt-only mail with an attachment to another Office 365 tenant and Gmail user, and since the DecryptAttachmentForEncryptOnly flag was True, the attachments were indeed received as decrypted. 

Can you please share your tenants via private message and also send encrypted emails to my test account admin@fabrikamfrance.onmicrosoft.com?

Copper Contributor

Salah, I think you are missing their point. It's not their tenant that is the issue. Users may need to send encrypted information to any one in the world and regardless of how that external agency has their tenant setup, the recipient should be able to get, open, and read the message and any attachment.

 

Brass Contributor

@Salah Ahmed  Just sent a test.  Remember, the problem is with Outlook on the desktop not being able to read encrypted attachments.  OWA works fine.

 

Thanks

Copper Contributor

There are a couple of different issues being mentioned in this discussion, but I (and at least a couple of others) posted previously that there is a problem not just with Outlook desktop, and not just with attachments, when sending encrypted messages to external Office 365 tenants. 

 

I have had an issue with recipients at two different agencies who both use Office 365.  When I send them an encrypted only message, they are unable to open it at all - even if there is no attachment.

 

They have tried this with both Outlook 2013 and 2016 desktop clients,

 

They have also tried this with Outlook web and were unable to open the emails.

 

The message they receive when attempting to access the message is:

 

"The message you tried to open is protected with Information Rights Management and can only be opened using Outlook. Download a free trial of Microsoft Outlook."

 

Sending to anyone else who is not an Office 365 tenant works fine.

 

I haven't tested this in the last couple of weeks, but haven't seen any communication that this is fixed.

Copper Contributor

We’ve been seeing the same issue, even without attachments, external recipients are unable to open the message. This is really causing us headaches, being in the healthcare industry. 

Microsoft

When external recipients aren't able to open encrypted messages in OWA, it's usually because the recipient tenant has turned off the feature. 

 

To enable the recipient to read encrypted messages in OWA, they need to run in PowerShell: Set-IRMConfiguration -ClientAccessServerEnabled $true

 

We are doing work to clean up the configuration of all tenants so that they are all able to read encrypted emails in OWA, and then take away their ability to turn off encryption. This work will take a few months to be fully deployed.
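The recipient-side check the reply above describes, as an added example rather than code from the thread. It is run by an admin of the receiving tenant and assumes the ExchangeOnlineManagement module; the fabrikam addresses are placeholders. Get-IRMConfiguration, Set-IRMConfiguration -ClientAccessServerEnabled and Test-IRMConfiguration are real cmdlets.

```powershell
# Added example, not from the thread: what an admin of the *receiving* Exchange Online
# tenant runs to check (and fix) the setting the reply above points to.
# Assumptions: ExchangeOnlineManagement module; the fabrikam addresses are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@fabrikam.onmicrosoft.com

$irm = Get-IRMConfiguration
$irm | Format-List AzureRMSLicensingEnabled, ClientAccessServerEnabled

# ClientAccessServerEnabled lets Outlook on the web decrypt IRM-protected mail in place.
# The reply above attributes OWA "cannot open" failures at external tenants to it being off.
if (-not $irm.ClientAccessServerEnabled) {
    Write-Warning "IRM in Outlook on the web is disabled for this tenant; enabling it."
    Set-IRMConfiguration -ClientAccessServerEnabled $true
}

# Re-read to confirm the change took effect.
(Get-IRMConfiguration).ClientAccessServerEnabled

# Exercise the RMS path (licensing and prelicensing) for a mailbox in this tenant,
# which is what must succeed before OWA can show the decrypted message.
Test-IRMConfiguration -Sender bob@fabrikam.com

Disconnect-ExchangeOnline -Confirm:$false
```

If Test-IRMConfiguration reports a failure rather than a configuration that is simply off, the problem is not this switch; that is the kind of case the later comments in the thread describe, where the client build, not the tenant setting, was at fault.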

Brass Contributor

Well I just did a test with Salah and OMEv2 and he was able to open the attachment.  I have two separate tenant accounts and it does not work for me. 

So it must have something to do with Outlook settings. I have the latest update for Outlook ProPlus and unfortunately I cannot do it myself and neither can some of our partners.  So I still cannot trust a hit or miss so I am sticking with OMEv1 for now.

 

Thanks @Salah Ahmed

Copper Contributor

@Salah Ahmed @Caroline Shin

I cannot send those emails domains publicly, if you could email me I would be more than happy to provide those details.

I can say these are multiple tenants, some being government and some commercial.

 

Nowhere is it mentioned that the receiving party has to enable Set-IRMConfiguration -ClientAccessServerEnabled $true to receive emails from O365 tenant to tenant using OMEv2. 

Why isn't that mentioned in any of the configuration articles? Shouldn't that be listed as needed per configuration?

I should not have to enforce configuration changes on another tenant just to be able to email encrypted messages. Especially if both organizations are using the same service, Exchange Online.

 

Copper Contributor

@Salah Ahmed 

 

I have just sent you private message with tenant details as well as PowerShell settings etc. 

 

Any thoughts would be helpful.

 

Thanks

Mark

Copper Contributor

Hi,

 

I'm running into an issue where I can't open any encrypted email sent to me from Outlook. My Outlook version is 1809.

OWA works fine.

 

error.png

 

Hoping you can help.

Thanks.

Copper Contributor

Hi everyone. 

I just received a call from Microsoft O365 support saying that they are aware of the problem and trying to find a solution/patch on higher level support. No timeline was given but they wanted to close my ticket. The workaround is to use webmail when reading encrypted mail, until their fix/patch is ready.

 

I just wanted to inform you, so you can stop banging your heads to wall trying to solve this :)

 

Bye for now

 

Tommy

Copper Contributor

Thanks Tommy

 

I sent a Private Message to Salah earlier this week and he told me the same. 

 

If someone from MS had just posted the same earlier in the thread it may have saved us all some time!!

Copper Contributor

@Tommy Forsman Thank you for the update.

Copper Contributor

I still don't get why this isn't posted in the Exchange Online Admin center. This needs to be a communicated outage... anyone from Microsoft reading this?

Everything else gets posted for outage when it's been down for hours to a days...but this hasn't been working for months and no one thought to inform its user base?

Copper Contributor

Good point Joshua. Although since as far I can see OMEv2 has never worked properly maybe it's not so much an outage as an unfinished product. We've been waiting on Outlook being fixed for opening encrypted emails since the start of the year.

Microsoft

Hi folks, appreciate your patience as we address this issue - and also for taking the time to share the issues you maybe seeing. We are actively working on a fix and we plan to respond to this more formally. To ensure this message gets shared to the impacted customers, we will be sending notification through message center. You should see a communication from us by the end of this week or early next week.  

 

Copper Contributor

Which issue is being addressed? I think we have experienced every issue mentioned in this thread.  The most frustrating thing is I cannot find any documentation for any of these issues from Microsoft.  

 

Right now, another O365 tenant is receiving the "unexpected response from the Rights Management server" error when trying to open our emails.  They are on the latest monthly build (1809 10827.20181).

Copper Contributor

We are getting this error now when clients try to view the encrypted emails we send them.  I am also having the same issue when trying to open an email with my Office 365 account.  If I use an OTP it opens without any problems.

problem.PNG
Capture.GIF

To Mark Galvin & Brian Phillips who reported issues on 08-16-2018 01:43 AM and 10-05-2018 12:12 PM respectively - what was the recipient machine topology? Was the recipient signed into Windows using the same creds as used to sign in to Office? Were the recipient machines joined to a domain/AAD-joined?

 

Thanks

Iron Contributor

Hi @Caroline Shin, any update, on the notification through message center?

Brass Contributor

Hopefully the update in 16.19 fixes things.

 

Updated feature: Encryption updates in Outlook for Mac and Outlook for Windows
MC165252
Stay Informed
Published On : November 16, 2018
We are updating the way to encrypt emails in Outlook for Mac and bringing a consistent approach in the ribbon for both Secure/Multipurpose Internet Mail Extension (S/MIME) and information rights management (IRM). This functionality is now under a new command for Office 365 organizations in both Outlook for Mac and Outlook for Windows. This feature has begun rolling out to all Office 365 organizations. This message is associated with Microsoft 365 Roadmap ID: 32646.
How does this affect me?
The existing Security button in the Outlook for Mac ribbon will become an Encrypt button in version 16.19.18110915+. Similarly, the current Permission button in Outlook for Windows will soon become an Encrypt button. The new Encrypt button will look like a padlock on the ribbon and this lock icon image will appear on all encrypted emails, visible within the Outlook message list. Additionally, Outlook for Mac users will have an additional Encrypt-Only method to secure emails with Office 365 Message Encryption. This means that in addition to supporting S/MIME, which is also currently supported in Outlook on the Web and Outlook for Windows, the Outlook for Mac Encrypt command may include options such as Office 365 Message Encryption Encrypt-Only or Do Not Forward, S/MIME encryption (if configured) and other admin-defined Rights Management Service (RMS) protection templates. Further, the S/MIME sign option in Outlook for Mac will now be consistent with Outlook for Windows under a stand-alone Sign button for digital signing.
What do I need to do to prepare for this change?
There is nothing you need to do to prepare for this change. See Additional information to learn more.
Copper Contributor

@Caroline ShinAny updates? Have not seen any public information on the issues with Messages Encryption

 

Iron Contributor

 Hi @Caroline Shin, perhaps i missed it, but haven't seen an update, on the notification through message center yet.

 
Copper Contributor

@Caroline Shin 

I have been checking for the notification everyday, I still haven't seen one. Is it possible to get a time frame on when this will be documented as an issue for users? This has been happening for a while, and I'm still confused why it isn't being clearly communicated with the user base?

Microsoft

@Martijn Steffens @Christian Knarvik @Joshua Tepper  thanks for reaching out and your patience. I just wanted to send you a note that I am aware of your messages - and plan on sending response tomorrow around noon PST. 

Copper Contributor

Hi folks

 

Besides any messages in the Message Center on this issue (MC165252):

7.JPG

 

 

I have noticed an improvement following release 1811 (Build 11029.20045 Click-to-Run).

 

Here I go:

Tenant 1

Outlook wanted an update yesterday. Ran it and now running:

1.JPG

So, sent a test email to Tenant 2:

2.jpg

And I was able to open it without fail:

 

3.jpg

4.jpg

On Outlook on Tenant 2, currently on:

5.jpg

I checked if there was an update and (sad face):

6.jpg

Must have to wait for the update to replicate through all tenants. Once Updated I will test sending from Tenant 2 to Tenant 1 and hopefully working!

 

Microsoft

@Martijn Steffens @Christian Knarvik @Joshua Tepper apologies for the delay! We published documentation about a set of known issues that have been fixed which is available here. Please note that if you have the latest build installed and are experiencing an error or other symptoms not listed in the documentation, you may still be seeing issues. This seems to be outside the norm and difficult to replicate, therefore we are investigating with customers who have raised this issue with support. Early assessment indicates that there is an Office client bug – once we have a fix, we will communicate through the proper channels and update the documentation with more details. 

Copper Contributor

 @Caroline Shin Well, this is a let-down.  The issues we have experienced are not even acknowledged in that article.  Furthermore, the fix is to upgrade to build 1808+ and we are having issues with 1809/1810.  

 

Once we have a fix, we will communicate through the proper channels and update the documentation with more details.

Why not communicate that there is a problem now?  You could prevent your customers from wasting time searching for a solution if you would at least recognize this as an issue. 

 

Also, what are the "proper channels"?  Is a link to an article in the comments section of a blog post a proper channel?  Why is this not communicated through the message center? Does this not qualify as a service degradation?  Shouldn't it be listed under service health?

Copper Contributor

I would also like to know whether there has been any progress resolving issues for those opening encrypted messages in webmail. We send email to certain agencies who use Office 365 in the browser instead of Outlook and they've been unable to open messages.

Brass Contributor

FINALLY!!!  It's working: sending an encrypted email with an Office document attachment from tenant to tenant using Outlook desktop.  Initially the email said it is encrypted and to double-click to verify credentials, so I did, and the email and attachment were there.  This is the first time it has happened correctly.  Usually I cannot get past the double-click to verify part.  Maybe now I can start using OMEv2 with our partners.

Steel Contributor
Maybe it's been stated already but pro-tip if you're having problems opening encrypted emails: go to File > Office Accounts and click 'sign out' in the top left. Keep clicking it until all your accounts are signed out. That sucker was hiding 6 different accounts on one of my user's PCs and logging them out of all of them and back into the correct one fixed the issue immediately.
Brass Contributor

Is sending a protected attachment using an RMS permission template still prohibited for yahoo, gmail and other personal email addresses? 

Copper Contributor

Finally.

 

I can confirm that once both tenants are running Version 1811 (Build 11029.20079 Click-to-Run) AND signing out of all Office connected accounts, sign back in, OMEV2 works in both directions!

 

Now, when testing with non Office 365 accounts (say iCloud) the response from the website is painfully slow.

 

What is being done to address that?

 

Thanks

Mark

 

Copper Contributor

Morning all

 

Having managed to test and confirm that OMEv2 is working on my two test tenants (see last post), I now need to roll out to Citrix Desktop users at tenant 1.

 

Over the weekend I updated the Citrix XenApp servers to the same version and build of Office that I have on the desktop I have been using there. 

 

When a Citrix Outlook user opens the Permissions menu they see:

1.png

Clicking on that gives them:

2.png

Then:

3.png

So, from my desktop I have sent them an Encrypt-Only email =:

4.png

but when they open it they get:

5.png

Anyone else managed to get this working? I am using a test user in Citrix (newly created this morning so everything is complete fresh). I have tried signing the test user out of Office and back in again but same result. 

 

Really wish Microsoft had all of this resolved before GDPR came in, in May!

 

Hoping someone can help :)

 

Thanks

Mark

Copper Contributor

Still can't enable the "do not encrypt attachments for encrypt only" setting.  I can see it with get-irmconfiguration, but not set it:

 

PS C:\> Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
A parameter cannot be found that matches parameter name 'DecryptAttachmentForEncryptOnly'.
    + CategoryInfo          : InvalidArgument: (:) [Set-IRMConfiguration], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-IRMConfiguration
    + PSComputerName        : outlook.office365.com

PS C:\> get-IRMConfiguration | fl decr*
DecryptAttachmentForEncryptOnly : False
DecryptAttachmentFromPortal     : True

 

When I used the Encrypt only option in Outlook and sent to other users, they are not able to open the message.

 

Same case when I used an AIP label and applied a transport rule to encrypt the message: they cannot open the message in Outlook but they can view it in Outlook web access. We want to have the option to view in Outlook web access, and it should decrypt during journaling and download for investigation.

Copper Contributor

So I enabled OMEv2 for the company as the default encryption by using a keyword.   It seems to be working better as I have not had any complaints from partners yet.  Possibly because over time these recipients have updated Outlook (desktop).  I have learned some ways to fix errors when it happens with Outlook (desktop).  The encrypt-only mode does not seem to be adding RMS to attachments anymore, which was a big issue.

1.  Tell them to be sure to update Outlook or Office 365.

2.  Make sure they are signed into Outlook with the email address the email was sent to (if Office 365) by going to File -> Office Account.

3.  They can always view the encrypted email by using OWA since they have to sign in to OWA.

 

Fingers crossed

Copper Contributor

So, my org recently migrated from OMEv1 to OMEv2. Most recipients are able to open the messages inline inside of OWA, and Outlook desktop just fine. But some are able to only view them in OWA.

Here is an example from one of our partners:

  • On desktops running windows 7 and 10 using Office/Outlook 64 bit version it would not open the secured email. Both the operating systems and Office/Outlook were up to date. A fresh windows image and a new install of Office were used and they also would not open the secured email. A new Outlook profile would not open the secured email. The recipient is running Office version 1909 Click-to-Run.
  • On mobile devices running Outlook on iOS, the message opens inline without any issue.
  • Logging into OWA for Office 365 (test on both chrome and firefox) allows the secure email to be opened.

It appears that only the Outlook client is having an issue. Is there anything else that I can look into on the Outlook client side? I've tried clearing credential manager for anything pertaining to Office, signing out of and back into Office, with no luck. I'm stumped...

Copper Contributor
Make sure they are signed into Outlook at File-> Account with the email that the encrypted email was sent to. Sometimes you have to double-click the message summary to open the mail in its own screen.
Copper Contributor

They are signed in, we've closed all office apps, and signed out of Office and back in. Still doesn't work. Yes, sometimes you cannot read them in the preview pane but this isn't the issue here.

Brass Contributor

@Salah Ahmed 

"When external recipients aren't able to open encrypted messages in OWA, it's usually because the recipient tenant has turned off the feature. 

To enable the recipient to read encrypted messages in OWA, they need to run in PowerShell: Set-IRMConfiguration -ClientAccessServerEnabled $true

We are doing work to clean up the configuration of all tenants so that they are all able to read encrypted emails in OWA, and then take away their ability to turn off encryption. This work will take a few months to be fully deployed."

 

Is this now enabled for all tenants? We still seem to have issues with some organizations who have been on Office 365 before OMEv2 still having issues opening encrypted emails.

Copper Contributor

OMEv2 is still the single most problematic thing that me and my helpdesk have to deal with. We receive complaints DAILY from several organizations that they simply cannot open our encrypted emails.

 

We are using OMEv2 with the Encrypt-Only template.

Copper Contributor

That used to happen to us but now it rarely does as recipients learn the process.

1.  If they use Microsoft as an email provider and the address sent to is Microsoft, they can see the encrypted email if they check their email online.

2.  If they are using Outlook, it helps if their Outlook is signed into an Outlook account (if they have one) under Options -> Account.

3.  Sometimes they have to double-click the actual email in Outlook and it will download rights real quick.

4.  Sometimes you have to enable "DecryptAttachmentForEncryptOnly" via Exchange PowerShell.  I forgot how.

5.  If the email was sent to a distribution list, they will have issues.

6.  If they are forwarding an email to someone, they will not be able to sign into the original recipient email to see the email.

 

It is a matter of just responding to the recipients and having them try different methods that might work, and eventually they "should" get it.

 

 

 

 

Copper Contributor

Any way to set the Encrypt-Only flag via Microsoft.Office.Interop.Outlook to a MailItem?

Version history
Last update: May 11 2021 01:54 PM