Office 365 - Message Encryption - and sign using S/MIME


Hi.

Just added an E3 license to some users, a transport rule is created (and working), so all mails sent from a specific mail are sent encrypted using Azure Rights Management :)

BUT!

I have bought a certificate and added that using PowerShell to the Office 365 tenant, and applied it to the mailbox.

My question is: I thought that when a certificate was added to the "backend", a rule could be created, so all mail sent from a specific mailbox is sent encrypted AND signed with the applied certificate (using S/MIME). (I followed this: https://blogs.technet.microsoft.com/exchange/2014/12/15/how-to-configure-smime-in-office-365/ )

 

5 Replies

S/MIME signing/encrypting is a client-based operation, you can only do it via Outlook or OWA. There is no transport rule action that corresponds to this. You can use OME instead, as you've already discovered.
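
An added illustration of the point in the reply above (not part of the original thread, and not Microsoft's code): S/MIME signing needs the sender's private key, so it happens where that key lives, and the recipient detects any change made after signing. The script uses the `openssl` command line; the self-signed certificate, the address `sender@example.test` and the message body are constructed sample values.

```shell
#!/usr/bin/env bash
# Constructed demo: the certificate, address and message are sample values.
set -u
WORK="$(mktemp -d)"

# Sender identity. In production the certificate is issued by a CA and the
# private key stays in the user's certificate store on the client.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Sample Sender/emailAddress=sender@example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Client-side step: wrap the body in multipart/signed using the private key.
sign_message() {
  printf 'Quarterly numbers attached.\n' > "$WORK/body.txt"
  openssl smime -sign -in "$WORK/body.txt" \
    -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -out "$WORK/signed.eml" 2>/dev/null
}

# Recipient-side step: check the signature and that the signer certificate
# chains to a trusted one (here the sample certificate itself).
verify_message() {
  openssl smime -verify -in "$1" -CAfile "$WORK/cert.pem" \
    -out /dev/null 2>/dev/null
}

# Simulate a change made to the body after it was signed.
tamper_message() {
  sed 's/Quarterly/Quarterlx/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

make_identity && sign_message && verify_message "$WORK/signed.eml" \
  && echo "original: signature valid"
tamper_message
verify_message "$WORK/tampered.eml" || echo "tampered: verification failed"
```
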


Hi Vasil


Thanks for responding.

But is it possible to add the certificate using OME then?


I'm not entirely sure what you mean by that. OME does not need any certificate, it generates all the needed cryptographic components on the backend. The process is explained here: https://docs.microsoft.com/en-us/azure/information-protection/understand-explore/how-does-it-work


Well..

We have bought a certificate to sign all outgoing mails with a company signing (Company certificate). I want to add this certificate AND use the OME encryption features.

So when sending an email, it's encrypted from OME AND signed using the certificate (even though it should be added locally from Outlook).

If I add an S/MIME certificate from Outlook, the encryption from OME is removed???


Decide whether you want Microsoft to manage the root key for Azure Information Protection (the default), or generate and manage this key yourself (known as bring your own key, or BYOK). If you want to generate and manage this key yourself, you need to complete some steps before you set up the new capabilities for OME. For more information, see Planning and implementing your Azure Information Protection tenant key. Microsoft recommends that you complete these steps before you set up OME.

 

https://support.office.com/en-us/article/set-up-new-office-365-message-encryption-capabilities-7ff0c...