New updates to Office 365 Message Encryption
Published Sep 25 2018 05:59 AM 35.8K Views

Last year at Ignite we announced several new capabilities that enabled users to more seamlessly collaborate securely with anyone. Since then, we’ve released further updates such as a new out of the box template called encrypt-only, and others that make it easier for consumer recipients to collaborate on encrypted messages. 



We’re excited to share a few new updates to Office 365 Message Encryption that further enhances the recipient experience and also help IT Admins to proactively protect their organization's' sensitive data.


Please read further for more details.


Enhanced Recipient Experiences


Flexible controls for attachments for any recipient  

To further support collaboration on protected emails with consumer recipients, Office 365 Message Encryption enables organizations to control whether attachments should also be encrypted when using the Encrypt-Only template. This means recipients have full permissions to share the attachment in the protected email. This was a key ask from customers to support scenarios in which the recipient of sensitive information should have full permissions to attachments, such as a patient receiving her lab results, or a bank customer receiving his financials.


This update is generally available today. Admins can enable this setting by running a Windows PowerShell cmdlet.

  1. Connect to Exchange Online Using Remote PowerShell (see
  2. Run the Set-OMEMessageRevocation cmdlet as follows: Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true


Customized branded emails   

Last year we announced the capability for admins to customize their business-to-consumer emails (see Add your organization's brand to your encrypted messages). We are pleased to announce additional enhancements for customized branded emails:

  • The ability to create several branding templates that can be applied to business-to-consumer emails via an Exchange mail flow rule
  • The ability to always enforce a branded recipient experience, regardless of the recipient identity 
  • The ability to revoke business-to-consumer emails. Please see below

These enhancements would allow organizations to improve the look and feel of their business-to-consumer emails, as well as improve its collaboration and protection capabilities. These are planned to be delivered by the end of the calendar year.




Protecting PDFs  


Office 365 Message Encryption can encrypt and rights protect not only the email content but also the attachment. Previously, only Office attachments were encrypted. At the end of the calendar year we will enable users to encrypt and rights protect PDFs. 


Proactively protect sensitive emails for IT Admins


Apply Office 365 Message Encryption through a DLP Policy  


The unified DLP platform allows organizations to manage multiple workloads from a single management experience, reducing the time required to set up and maintain security and compliance within your organization. We are pleased to announce that unified DLP now has the ability to encrypt emails.To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Office 365 Security & Compliance Center, you can now identify, monitor, and automatically encrypt sensitive emails in Office 365.




Along with unified policy creation, we also provide a single location to view reports for your DLP policies across Exchange Online, SharePoint Online and OneDrive for Business. This makes it easier to understand the business impact of your DLP polices and uncover actions that violate policies across multiple workloads.






To help organizations better manage and control sensitive emails, IT Admins can monitor and view reports on encrypted messages to proactively apply policies to sensitive emails based on observed patterns. This has been a key customer ask so that admins can monitor the impact of encrypted email in their tenant. This feature will be available in public preview. 


During preview the following reporting capabilities will be available:

  • Breakdown of total encrypted message volume by encryption method such as encryption applied through ad-hoc end user controls or through an automatic policy such as an Exchange Mail Flow rule or a Unified DLP rule
  • Number of encrypted messages by volume and by encryption template such as Do Not Forward, Encrypt-Only, OME Previous (OMEv1), or custom encryption templates
  • Details for each encrypted email such as sender, recipient, encryption template, etc.
  • Ability to schedule reports and have them sent to admins by email
  • Report that shows breakdown of total encrypted message volume by top recipient domains


Reporting is now available in public preview and we welcome feedback. To access the report:

  1. Sign-in to with admin credentials
  2. Then go to this link:






We are also releasing in public preview the ability for admins to revoke encrypted emails sent to consumer email accounts. Revocation of encrypted emails is only possible if the recipient received a link-based branded email experience for the encrypted email. If the recipient received a native inline experience in a supported Outlook client, then those emails cannot be revoked.


Organizations will have the ability to force a link-based experience regardless of the recipient identity. This way, all recipients will get a branded email with a link to the Office 365 Message Encryption portal where they will be able to read and reply to encrypted emails. All such encrypted emails will be revocable.


Once an email has been revoked, the recipient will get an error when trying to access the encrypted email through the Office 365 Message Encryption portal: “The message has been revoked by the sender.”




The admin can revoke encrypted emails by using a Windows PowerShell cmdlet.

  1. Connect to Exchange Online Using Remote PowerShell (see
  2. Run the Set-OMEMessageRevocation cmdlet as follows:

Set-OMEMessageRevocation -Revoke $true -MessageId "<messageId>"


Admins can find the MessageId from the aforementioned Message Encryption Report or from Message Trace in Security and Compliance Center.


If revocation is successful, the following result will be returned:

The encrypted email with subject “<subject>” and Message ID “<messageId>” was successfully revoked.


Get started!

If you haven’t used Office 365 Message Encryption, getting started is very easy. Office 365 Message Encryption is configured for all eligible Office 365 tenants. Create an Exchange Mail Flow rule or a Unified Data Loss Prevention policy to get started. Technical documentation is available here


Office 365 Message Encryption is offered in Office 365 E3 and E5, or as an add-on. You can find the full list of where Office 365 Message Encryption is offered here.


Please let us know what you think here or give us your feedback on uservoice





Version history
Last update:
‎May 11 2021 02:04 PM
Updated by: