Admin control for attachments now available in Office 365 Message Encryption
Published Jun 13 2018 01:05 PM 61.5K Views
Microsoft

EDITORS NOTE 1/3/2019

We have updated the blog to reflect that we've expanded the ability to control if Office attachments are protected for recipients inside Office 365 - previously this was only supported for non-Office 365 users. Changes are reflected below in the blog. 

 

Summary

Administrators can now control whether Office attachments are protected for recipients inside and outside of Office 365 when the Encrypt-Only template is used.  This was a key ask from Office 365 Message Encryption customers and is now available as a tenant-level setting.

 

Background

 

We have now made it possible for administrators to control how Encrypt-Only behaves for attachments. By default, when a user sends an email with attachments using Encrypt-Only, the Office attachments are also protected with Encrypt-Only permissions, and that encryption persists throughout the lifecycle of the content. To give recipients more flexibility, organizations can control whether recipients have unrestricted permissions on the attachments of Encrypt-Only emails. For example, when a doctor shares a protected attachment with her patient and the patient wants to share it with his family, the attachment is no longer encrypted, so they can open it without any additional steps.

 

What is available 

 

Admins can control whether attachments have unrestricted permissions for Encrypt-Only emails. Details on implementing the settings are below.

 

When the recipient signs in to the Office 365 Message Encryption portal, they can preview attachments as before.

 

[Screenshot: Preview attachments]

 

  

If the control to unrestrict the attachment is enabled, the document will be decrypted and the recipient will be able to view it normally. Additionally, the content will remain decrypted and unrestricted unless additional protections are applied.

 

[Screenshot: Document is decrypted]

 

Scope

 

This setting is available for the Encrypt-only template and not for the Do Not Forward or Custom templates.

 

It’s enforced at the tenant level.

 

How to control the setting

 

To manage whether to allow recipients to download Encrypt-only attachments without encryption, follow these steps:

 

Connect to Exchange Online Using Remote PowerShell (see https://aka.ms/exopowershell)

Run the Set-IRMConfiguration cmdlet with the DecryptAttachmentForEncryptOnly parameter as follows:

 

Set-IRMConfiguration -DecryptAttachmentForEncryptOnly <$true|$false>

 

For example, to allow download of attachments without protection for Encrypt-only:

Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true

 

If you decide that you want to revert the setting and keep attachments protected even after download:

Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $false

 

Please note: as of 12/13/18, we have deprecated DecryptAttachmentFromPortal. It will continue working for existing customers who have already run the cmdlet with the old parameter, but new customers should start using the new parameter (DecryptAttachmentForEncryptOnly) shown above.
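
An added example (not part of the original post and not Microsoft's own code): a wrapper that reads the tenant's current IRM configuration before changing it, warns when the deprecated DecryptAttachmentFromPortal value is still set, and returns a before/after record for the change log. It assumes the ExchangeOnlineManagement module is used for the connection and that Get-IRMConfiguration reports both properties; the function name Set-EncryptOnlyAttachmentPolicy is hypothetical.

```powershell
# Added example: audit, then set, the tenant-level Encrypt-Only attachment behaviour.
# Assumption: ExchangeOnlineManagement module is installed and the signed-in
# account may change IRM configuration. The function name is hypothetical.
function Set-EncryptOnlyAttachmentPolicy {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # $true  = recipients download Office attachments without protection
        # $false = attachments keep Encrypt-Only protection after download
        [Parameter(Mandatory)]
        [bool]$AllowUnprotectedDownload
    )

    $before = Get-IRMConfiguration

    # The deprecated parameter may still be set on tenants that ran it earlier;
    # surface it so the effective state is not misread.
    if ($before.DecryptAttachmentFromPortal) {
        Write-Warning 'Deprecated DecryptAttachmentFromPortal is still True on this tenant.'
    }

    if ($before.DecryptAttachmentForEncryptOnly -eq $AllowUnprotectedDownload) {
        Write-Verbose 'Tenant is already in the requested state; no change made.'
    }
    elseif ($PSCmdlet.ShouldProcess('tenant IRM configuration',
            "Set DecryptAttachmentForEncryptOnly to $AllowUnprotectedDownload")) {
        Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $AllowUnprotectedDownload
    }

    # Re-read the configuration and return a record suitable for a change log.
    $after = Get-IRMConfiguration
    [pscustomobject]@{
        CheckedAtUtc            = (Get-Date).ToUniversalTime()
        Before                  = $before.DecryptAttachmentForEncryptOnly
        After                   = $after.DecryptAttachmentForEncryptOnly
        DeprecatedPortalSetting = $before.DecryptAttachmentFromPortal
    }
}

Connect-ExchangeOnline                      # interactive modern-auth sign-in
# -WhatIf shows the intended change without applying it; drop it to apply.
Set-EncryptOnlyAttachmentPolicy -AllowUnprotectedDownload $false -WhatIf
Disconnect-ExchangeOnline -Confirm:$false
```

Because the setting is enforced at the tenant level, the returned Before/After values describe every Encrypt-Only message sent by the organization, not a single mailbox.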

 

Additional Resources

 

This was a key ask from organizations with a broad set of scenarios that require email recipients to "own" the attachment by unrestricting permissions on it. We hope this additional control provides more flexibility in collaborating on protected content for all users. Your feedback matters: leave us a comment below or go to UserVoice and submit your feedback or vote!

 

For additional resources on Office 365 Message Encryption - you can find them below:

 

 

 

28 Comments
Deleted
Not applicable

It's a great announcement after the Encrypt feature; I appreciate your continuous efforts to make customers flexible in using the 'Encrypt' feature.

I have a couple of queries regarding this:

1. If a non-O365 user forwards the email to an O365 user, will the document remain encrypted for the O365 user?

2. If an O365 user (who is not on the earlier version - 1804 of Outlook) forwards the email to a non-O365 user from the OME portal, will the attachment get decrypted for non-O365 users?

Brass Contributor

It is a welcoming feature, but how reliable is it, we still have to test it out

 

Comment edited to add the following sentence.

Please make things simple... Not PowerShell, please.

Copper Contributor

Desperately need this feature! When will it complete rollout to our tenancy?

Microsoft

@P Roby, the feature is fully rolled out.

 

@Vamsi the feature allows download without encryption from the OME portal for any recipient. It doesn't matter which identity forwarded the email to the recipient.

Copper Contributor

This is what I receive:

 

A parameter cannot be found that matches parameter name 'DecryptAttachmentFromPortal'.
+ CategoryInfo : InvalidArgument: (:) [Set-IRMConfiguration], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-IRMConfiguration
+ PSComputerName : outlook.office365.com

Microsoft

This is unexpected. If anyone else runs into this issue, they should open a support ticket.

Brass Contributor
Hi. When will you add support for scoped RMS templates in Exchange transport rules? We cannot move to Azure-based RMS due to that.
Microsoft

Scoped RMS templates in ETRs is coming very soon. Though can't give a public eta yet.

Copper Contributor

Any restriction on the Office version to be able to open the decrypted attachment? Such as Office 2010 or older? Currently working through an issue with a client where they are unable to open a Word document. Getting the message 'You do not have credentials that allow you to open this document. You can request updated permission from *@*.com. Do you want to request updated permission?'

Copper Contributor

Great news and I have run the PS command. Now external users can open attachments without being asked for any other account details.

 

We are only using the two RMS Templates:

1.jpg

The above is from an ETR/Mail Flow rule I set up to test. When I send an attachment (Excel) to that non-Office 365 email address, I receive the email stating 'Galvin, Mark (mark.galvin@xxxxxxx.co.uk) has sent you a protected message.'. I have clicked the link and it opens in the OME Portal. I have then clicked the 'request one-time passcode to view the message' (as I am testing this from the perspective of a user that does not have Office 365 or any other Microsoft account). Once the one-time passcode arrives in my non-Office 365 account, I copy the passcode and it opens the email in the OME portal. I am then able to download the Excel file and open it without any issue.

 

Using same Office 365 account I can use the 'Protect' --> 'Encrypt' option in OWA:

2.JPG

Same result as the ETR/Mail Flow rule - perfect.

 

Now, we mainly use Outlook 2016 ProPlus so I need that Encrypt option to appear in Outlook Desktop. I had read from here that we need to have at least the 1804 build, so I have updated to the 1806 version:

3.jpg

 

Restarted Outlook and I do not see the Encrypt button anywhere. I have tried under 'Options' then 'Permissions' but just see the 'Connect to Rights Management Server to get templates' and when I click on that nothing happens.

 

I have installed the AIP Client (we have the Azure Information Protection Plan 1 license on top of our E3 license) but that only gives me any Labels set up in the AIP Portal and not the Encrypt option. It does give me the Do Not Forward option, but when I click on it, it gives an error.

Does anyone know how to get this working, please?

 

thanks

Mark

 

Copper Contributor

Managed to get it to work, although I'm not sure if it was this or just being patient! I sent a test email from OWA to an external account (which also has a redirect of all incoming email back to my Office 365 account). When I tried to open that encrypted email I get:

---------------------------
Microsoft Outlook
---------------------------
Sorry, something went wrong opening Information Rights Management protected content. The request is not supported.
---------------------------
OK
---------------------------

 

Before that appeared, a box briefly appeared that looked like it was connecting to the server, and then in a new email:

4.JPG

Copper Contributor

I have sent a test email from Outlook (Office 365 E3) to my iCloud and another Office 365 (Business Premium) that I have. 

 

iCloud - works perfectly. I get the 'Galvin, Mark (mark.galvin@) has sent you a protected message.' email and I can click the link to open the OME portal and get the one-time passcode etc. - cool.

 

Other Office 365 account - when I double click that email in Outlook I get the 'Sorry, something went wrong opening Information Rights Management protected content. The request is not supported.' error. Open OWA for that second account and in the message preview window I see the email and its attachment. Double click it and:

5.JPG

 

Any ideas here?

 

Thanks

Mark

Copper Contributor

Still Waiting for the command to be made available. I was promised end of June by support!

Copper Contributor

@P Roby - what command are you waiting for?

 

Thanks

Mark

Copper Contributor

@Mark Galvin

 

$UserCredential = Get-Credential

 

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

 

Import-PSSession $Session

 

Set-IRMConfiguration -DecryptAttachmentFromPortal $true

 

Output

A parameter cannot be found that matches parameter name 'DecryptAttachmentFromPortal'.
+ CategoryInfo : InvalidArgument: (:) [Set-IRMConfiguration], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-IRMConfiguration
+ PSComputerName : outlook.office365.com

 

 

 

 

 

Copper Contributor

@P Roby

 

If you run 'Get-IRMConfiguration' once connected what do you see? Once I have run the 'Set-IRMConfiguration -DecryptAttachmentFromPortal $true' and then the 'Get-IRMConfiguration' I get:

10.JPG

Please post what you get.

 

thanks

Mark

Copper Contributor
Copper Contributor

@P Roby oh snap. That's odd. I take it you are a global admin?

Copper Contributor

@Mark Galvin

 

Yes, I am a global admin.

I really hope it's just a case of waiting for it to roll out properly to our tenancy.

Copper Contributor

Hi.

I am wondering how we can open the mail in the portal if we want to decrypt the attached documents. If we send to an Office 365 customer or internal recipient with new Outlook, the inline function works. But then we are unable to decrypt the documents?

Copper Contributor

 

 @P Roby  Did you manage to find a solution to this? 

 

I'm getting the exact same error running the PS command.

 

I've spoken to MS Office 365 support. They've repeatedly sent me an out of date link to download Windows Management Framework 5.0 (https://www.microsoft.com/en-us/download/details.aspx?id=) Checking the version, I'm already running version 5.1. 

 

They're now telling me to use Internet Explorer! 

Copper Contributor

@Alex Bean No joy at all yet, I am going to raise another ticket. I personally think our tenancy has not yet been updated. I really need this feature!

Copper Contributor

@Alex Bean

 

I have now resolved the issue with tech support. The tenancy hadn't finished the upgrade to our existing admin accounts. However creating a new admin account and running the command as the new account worked!

Microsoft

@P Roby, @Alex Bean, @Christian Knarvik, @Mark Galvin, @Deleted, thanks for your questions and engaging with us here. Due to the interest and general questions, we decided to host an AMA. Note that it's not just for questions; we are also using this as an opportunity to get feedback on new investments. We hope you can join us tomorrow! https://techcommunity.microsoft.com/t5/Office-365-Encryption-AMA/Announcing-an-Office-365-Message-Encryption-AMA/m-p/216186#M66

Copper Contributor

@Caroline Shin Argh. I was on vacation, so I missed this. Is it still possible to get an answer to my question? :) I am wondering how we can open the mail in the portal if we want to decrypt the attached documents. If we send to an Office 365 customer or internal recipient with new Outlook, the inline function works. But then we are unable to decrypt the documents?

Copper Contributor

Set-IRMConfiguration -DecryptAttachmentFromPortal $true

This command is not working. Microsoft Support could not fix it. They could not run this command either. This is so frustrating. We need this feature but there is no way to make it happen.

Has anyone found a way to run this?

 

Thanks,

 

 

Microsoft

This cmdlet is replaced by Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true. Can you use that instead?

Copper Contributor

This stopped working for our tenant about two weeks ago. I have gone into PowerShell and checked the IRMConfiguration settings and DecryptAttachmentFromPortal and DecryptAttachmentForEncryptOnly are both set to True, but now all our Office document attachments are retaining the protection when downloaded using the Outlook desktop application. I've gone to our O365 provider for help but so far they haven't been able to help us.

Version history
Last update: May 11 2021 01:53 PM