Blog Post

Security, Compliance, and Identity Blog

New updates to Office 365 Message Encryption

Caroline Shin, Microsoft
Sep 25, 2018

Last year at Ignite we announced several new capabilities that let users collaborate securely, and more seamlessly, with anyone. Since then, we've released further updates such as a new out-of-the-box template called Encrypt-Only, and others that make it easier for consumer recipients to collaborate on encrypted messages.

We're excited to share a few new updates to Office 365 Message Encryption that further enhance the recipient experience and also help IT admins proactively protect their organization's sensitive data.

Please read further for more details.


Enhanced Recipient Experiences

Flexible controls for attachments for any recipient

To further support collaboration on protected emails with consumer recipients, Office 365 Message Encryption now lets organizations control whether attachments are also encrypted when the Encrypt-Only template is applied. With attachment encryption turned off, the message itself stays encrypted while the attachment is made available to recipients unencrypted, so they have full permissions on it, including saving and sharing it. This was a key ask from customers to support scenarios in which the recipient of sensitive information should have full permissions to attachments, such as a patient receiving her lab results, or a bank customer receiving his financials. Note that the setting is tenant-wide: it applies to every Encrypt-Only message and to every recipient, business or consumer.

This update is generally available today. Admins can enable this setting by running a Windows PowerShell cmdlet.

  1. Connect to Exchange Online Using Remote PowerShell (see https://aka.ms/exopowershell)
  2. Run the Set-IRMConfiguration cmdlet as follows: Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
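The two steps above as a script, added here as an example that is not code from the original post. It checks whether the parameter has reached the tenant before calling it (a tenant that does not have it yet fails with "A parameter cannot be found that matches parameter name 'DecryptAttachmentForEncryptOnly'"), then reads the setting back instead of trusting the cmdlet's silence. It assumes the ExchangeOnlineManagement module, whose Connect-ExchangeOnline replaces the remote PowerShell session the post links to; the tenant and admin account names are placeholders.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the account holds an Exchange admin role.
# admin@contoso.onmicrosoft.com is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# The parameter rolled out gradually. Fail with a clear message if this tenant
# does not expose it yet rather than with a ParameterBindingException.
$setCmd = Get-Command Set-IRMConfiguration
if (-not $setCmd.Parameters.ContainsKey('DecryptAttachmentForEncryptOnly')) {
    Disconnect-ExchangeOnline -Confirm:$false
    throw "Set-IRMConfiguration does not expose DecryptAttachmentForEncryptOnly in this tenant yet."
}

$irm = Get-IRMConfiguration
"Current value: DecryptAttachmentForEncryptOnly = $($irm.DecryptAttachmentForEncryptOnly)"

# Tenant-wide switch: once $true, every Encrypt-Only message, to business and
# consumer recipients alike, delivers its attachments without protection.
if ($irm.DecryptAttachmentForEncryptOnly -ne $true) {
    Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
}

# Verify by reading the configuration back.
$irm = Get-IRMConfiguration
if ($irm.DecryptAttachmentForEncryptOnly -ne $true) {
    throw "Setting did not take effect; inspect Get-IRMConfiguration output."
}
"DecryptAttachmentForEncryptOnly is now enabled for the tenant."

Disconnect-ExchangeOnline -Confirm:$false
```

Because the switch is all-or-nothing for the tenant, run the Get-IRMConfiguration check first in any change window so the previous value is on record before you flip it.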


Customized branded emails

Last year we announced the capability for admins to customize their business-to-consumer emails (see Add your organization's brand to your encrypted messages). We are pleased to announce additional enhancements for customized branded emails:

  • The ability to create several branding templates that can be applied to business-to-consumer emails via an Exchange mail flow rule
  • The ability to always enforce a branded recipient experience, regardless of the recipient identity
  • The ability to revoke business-to-consumer emails (see Revocation below)

These enhancements will allow organizations to improve the look and feel of their business-to-consumer emails, as well as their collaboration and protection capabilities. They are planned to be delivered by the end of the calendar year.
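How a second branding template and an Encrypt-Only mail flow rule fit together, as an added example that is not code from the original post. The post only says that templates are applied via a mail flow rule; the cmdlet and parameter names used here (New-OMEConfiguration, Set-OMEConfiguration, and New-TransportRule's -ApplyRightsProtectionTemplate and -ApplyRightsProtectionCustomizationTemplate) are taken from Exchange Online PowerShell as the editor knows it, and their availability in a given tenant at the time of the post is an assumption. The template name, addresses and text are placeholders.

```powershell
# Added example, not from the original post. Cmdlet and parameter names are the
# editor's understanding of Exchange Online PowerShell, not taken from the post.
# All names, addresses and text below are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$templateName = 'Contoso Patient Portal'

# Create a branding template alongside the tenant's default "OME Configuration"
# only if it does not exist yet, so the script is safe to re-run.
if (-not (Get-OMEConfiguration -Identity $templateName -ErrorAction SilentlyContinue)) {
    New-OMEConfiguration -Identity $templateName | Out-Null
}

# Text and colors the recipient sees in the branded email and in the portal.
Set-OMEConfiguration -Identity $templateName `
    -EmailText 'Contoso Health sends lab results as encrypted mail. Use the button below to read this message.' `
    -PortalText 'Contoso Health secure message portal' `
    -DisclaimerText 'If you did not expect this message, contact your clinic before opening it.' `
    -BackgroundColor '#1F4E79'

# One mail flow rule: Encrypt-Only ("Encrypt" is the template's name in Exchange)
# for mail leaving the organization from the lab results mailbox, with the
# custom branding applied to the recipient experience.
$ruleName = 'Lab results: Encrypt-Only with Contoso Patient Portal branding'
New-TransportRule -Name $ruleName `
    -From 'labresults@contoso.com' `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -ApplyRightsProtectionCustomizationTemplate $templateName `
    -Priority 0

# Confirm the rule was stored with both actions before sending a test message.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SentToScope,
                ApplyRightsProtectionTemplate, ApplyRightsProtectionCustomizationTemplate

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the branding rule's predicates (sender, recipient scope) identical to the encryption rule's, or put both actions in one rule as above; a branding template applied to a message that was not encrypted has no effect, and an encrypted message that matches no branding rule falls back to the default configuration.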


Protecting PDFs

Office 365 Message Encryption can encrypt and rights-protect not only the email body but also its attachments. Previously, only Office attachments were encrypted. At the end of the calendar year we will enable users to encrypt and rights-protect PDFs.


Proactively protect sensitive emails for IT Admins

Apply Office 365 Message Encryption through a DLP Policy

The unified DLP platform allows organizations to manage multiple workloads from a single management experience, reducing the time required to set up and maintain security and compliance within your organization. We are pleased to announce that unified DLP now has the ability to encrypt emails. To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Office 365 Security & Compliance Center, you can now identify, monitor, and automatically encrypt sensitive emails in Office 365.

Along with unified policy creation, we also provide a single location to view reports for your DLP policies across Exchange Online, SharePoint Online and OneDrive for Business. This makes it easier to understand the business impact of your DLP policies and uncover actions that violate policies across multiple workloads.
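A DLP policy that encrypts outbound mail containing credit card or U.S. SSN data, as an added example that is not code from the original post. The post describes the Security & Compliance Center portal; this uses the Security & Compliance Center PowerShell cmdlets as the editor knows them (Connect-IPPSSession, New-DlpCompliancePolicy, New-DlpComplianceRule with -EncryptRMSTemplate), and it is an assumption that those cmdlets carried the encryption action at the time of the post. Policy and rule names, the admin account and the mailbox addresses are placeholders.

```powershell
# Added example, not from the original post. Cmdlet and parameter names are the
# editor's understanding of Security & Compliance Center PowerShell; all names
# and accounts are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'PII to external recipients: encrypt'

# Scope the policy to Exchange Online only, and start it in test mode with
# notifications so a mis-tuned classifier shows up in the DLP reports before
# it starts encrypting mail for real.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment 'Encrypt outbound mail containing credit card or U.S. SSN data' | Out-Null

# One rule: only messages to recipients outside the organization, matched by the
# built-in sensitive information types, get the Encrypt-Only template ("Encrypt"
# is the template's name in Exchange). The sender is notified and an incident
# report goes to the compliance admins, which is what the DLP reports aggregate.
New-DlpComplianceRule -Name 'Encrypt-Only when PII leaves the org' `
    -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';               minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    ) `
    -EncryptRMSTemplate 'Encrypt' `
    -NotifyUser 'LastModifier' `
    -GenerateIncidentReport 'SiteAdmin' | Out-Null

# Review what was stored before enforcing.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, EncryptRMSTemplate, ContentContainsSensitiveInformation

# After validating matches in the DLP reports, switch the policy to enforce:
#   Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

Disconnect-ExchangeOnline -Confirm:$false
```

Scoping the rule to NotInOrganization matters: internal mail that trips the same classifiers would otherwise be encrypted too, which breaks journaling and eDiscovery expectations and generates the "RemoveOMEv2"-style cleanup work some commenters describe below.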


Reporting

To help organizations better manage and control sensitive emails, IT admins can monitor and view reports on encrypted messages, and use the observed patterns to proactively apply policies to sensitive emails. This has been a key customer ask so that admins can monitor the impact of encrypted email in their tenant. This feature is available in public preview.

During preview the following reporting capabilities will be available:

  • Breakdown of total encrypted message volume by encryption method, such as encryption applied through ad-hoc end-user controls or through an automatic policy such as an Exchange mail flow rule or a unified DLP rule
  • Number of encrypted messages by volume and by encryption template, such as Do Not Forward, Encrypt-Only, OME Previous (OMEv1), or custom encryption templates
  • Details for each encrypted email, such as sender, recipient, encryption template, etc.
  • Ability to schedule reports and have them sent to admins by email
  • Report that shows a breakdown of total encrypted message volume by top recipient domains

Reporting is now available in public preview and we welcome feedback. To access the report:

  1. Sign in to https://protection.office.com with admin credentials
  2. Then go to this link: https://protection.office.com/?flight=EnableEncryptionReport#/reportv2?id=EncryptionReport


Revocation

We are also releasing in public preview the ability for admins to revoke encrypted emails sent to consumer email accounts. Revocation of an encrypted email is only possible if the recipient received the link-based branded email experience for it. If the recipient received the native inline experience in a supported Outlook client, that email cannot be revoked.

Organizations will have the ability to force a link-based experience regardless of the recipient identity. This way, all recipients get a branded email with a link to the Office 365 Message Encryption portal, where they can read and reply to encrypted emails, and all such encrypted emails are revocable.

Once an email has been revoked, the recipient gets an error when trying to access the encrypted email through the Office 365 Message Encryption portal: "The message has been revoked by the sender."

The admin can revoke encrypted emails by using a Windows PowerShell cmdlet.

  1. Connect to Exchange Online Using Remote PowerShell (see https://aka.ms/exopowershell)
  2. Run the Set-OMEMessageRevocation cmdlet as follows:

Set-OMEMessageRevocation -Revoke $true -MessageId "<messageId>"

Admins can find the MessageId in the Message Encryption report described above or in Message Trace in the Security & Compliance Center.

If revocation is successful, the following result is returned:

The encrypted email with subject "<subject>" and Message ID "<messageId>" was successfully revoked.
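The revocation procedure end to end, as an added example that is not code from the original post: locate the message with Get-MessageTrace (the Message Trace route the post mentions), then revoke it with the Set-OMEMessageRevocation call shown above. It additionally calls Get-OMEMessageStatus before and after; that this companion cmdlet exists and reports revocation state is the editor's assumption, not something the post states, so its output is displayed rather than parsed. It assumes the ExchangeOnlineManagement module; addresses and the subject are placeholders.

```powershell
# Added example, not from the original post. Get-OMEMessageStatus is the editor's
# assumption about a companion cmdlet; Get-MessageTrace and
# Set-OMEMessageRevocation are the cmdlets the post's procedure relies on.
# Addresses and subject are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$sender    = 'labresults@contoso.com'
$recipient = 'patient@example.com'
$subject   = 'Your lab results'

# Step 1: find the message in the last 7 days of trace data and take its
# Internet Message ID (angle brackets included, as the trace returns it).
$trace = Get-MessageTrace -SenderAddress $sender -RecipientAddress $recipient `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object Received -Descending |
    Select-Object -First 1

if (-not $trace) {
    Disconnect-ExchangeOnline -Confirm:$false
    throw "No message from $sender to $recipient with subject '$subject' in the last 7 days."
}
$messageId = $trace.MessageId
"Found $messageId (received $($trace.Received), status $($trace.Status))"

# Step 2: record the message's state before touching it. Only messages the
# recipient opened through the link-based portal experience can be revoked;
# a message read inline in Outlook cannot, and the cmdlet will say so.
"Status before revocation:"
Get-OMEMessageStatus -MessageId $messageId | Format-List

# Step 3: revoke. On success the cmdlet reports
#   The encrypted email with subject "..." and Message ID "..." was successfully revoked.
Set-OMEMessageRevocation -Revoke $true -MessageId $messageId

"Status after revocation:"
Get-OMEMessageStatus -MessageId $messageId | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Filtering the trace on sender, recipient and subject together keeps you from revoking the wrong message when a mailbox sends many similar notifications; if more than one candidate remains, stop and pick the MessageId by hand from the trace rather than taking the newest.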


Get started!

If you haven't used Office 365 Message Encryption, getting started is very easy. Office 365 Message Encryption is configured for all eligible Office 365 tenants. Create an Exchange mail flow rule or a unified Data Loss Prevention policy to get started. Technical documentation is available here.

Office 365 Message Encryption is offered in Office 365 E3 and E5, or as an add-on. You can find the full list of where Office 365 Message Encryption is offered here.

Please let us know what you think here or give us your feedback on UserVoice.


Updated May 11, 2021
Version 5.0
  • wroot thanks for your comment and feedback. The intention was to enable users who primarily use DLP to be able to apply encryption. With that said, understand the ask here and will keep this in mind for our next updates. 


    Michael Sampson thanks for your comment and great questions- (1) including business recipients (2) correct (3) yes regardless if it's a business or consumer user (5 and 6) we need to prioritize releasing in GA revocation, once we do we will update roadmap with any enhancements with this capability.

  • wroot
    Silver Contributor

    Everything is fine, but while reading it I see that it can be set via DLP, Mail Flow rules, etc. There is as usual a number of places to do similar stuff scattered around the admin interface. Consolidation should be the higher goal for MS. Too many duplicating options.

  • Caroline Shin Thanks for the updates above. Looks like you had some good announcements lined up for Ignite.

    A couple of questions:

    1. Turning off encryption of attachments is noted above for "consumer recipients." If an email is sent with an attachment using Encrypt-Only to a business recipient - I'm guessing your definition of consumer means gmail, yahoo, etc - will that attachment also be decrypted?
    2. The PowerShell command to enable decryption of attachments is all or nothing for a tenant - right? 
    3. For branding, it says "business-to-consumer" and "regardless of the recipient identity." Does the combination mean that while an Exchange Mail Flow rule can apply one of several templates for business-to-consumer emails, there is separately another way of applying a branded experience to ALL encrypted messages, regardless of whether they are "consumer" or "business"?
    4. Encrypting PDFs - nice addition.
    5. Revocation is noted as only being possible for the link-based experience. Is this a fundamental design limitation of OMEv2, or a cadenced release decision to delay revocation for non-link-based messages for later? From the way I understand it, even a message received natively in-line in a supported Outlook client has to check the authorisation of the recipient at open time, and therefore it should theoretically be possible to also revoke those messages (e.g., by revoking the encryption key of the message).
    6. Revocation is only possible for admins. Any word on plans to enable the sender to do this too, since they have direct access to the sent message?

    Sorry it's a long list. Trying to understand. 

  • DaithiG
    Steel Contributor

    These are great features. Thanks!

    Do you know the timeline for "Organizations will have the ability to force a link-based experience regardless of the recipient identity"?

  • Thanks for the answers, Caroline Shin. So:

    1. If it is both consumer and business recipients, why do you use the phrase "consumer recipients"? Is that shorthand for "outside the organisation"?
    2. Thanks for the confirmation. An organisation that needed some encrypted and some not could just create a separate policy, and use Encrypt-Only and the PowerShell command for the decrypt attachments option, and their custom one for no decryption. Is that what you'd suggest?
    3. As per #1.
    4. -
    5. (and 6) Thanks, that's helpful. 
  • Jeff Bramlette
    Copper Contributor

    When will the "DecryptAttachmentForEncryptOnly" parameter be available?

    I can see it when I run "Get-IRMConfiguration", but when I attempt to run "Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true" I receive the following error:

    A parameter cannot be found that matches parameter name 'DecryptAttachmentForEncryptOnly'.
    + CategoryInfo : InvalidArgument: (:) [Set-IRMConfiguration], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-IRMConfiguration
    + PSComputerName : outlook.office365.com

  • Nice 😊

    I hope the Windows 10 Mail app supports this message encryption, for using the Windows 10 Mail app,

    and also that Microsoft Flow supports this message encryption in the Office 365 Outlook action, to automate our flows with message encryption.

  • Kasia Persson
    Copper Contributor

    Hello,

    Is it not possible to remove encryption from replies to messages that were originally sent encrypted? We need to do this in our Outlook so mail can be journaled.

    I tried to create an Exchange Online rule in my environment to remove message encryption before journaling, and I get the following error after clicking Save on the new rule:

    ERROR - You can't create the rule containing the RemoveOMEv2 action with value true because FromScope in not specified or its value in not InOrganization.

    Any help with this issue would be appreciated.

  • Hector Perez
    Copper Contributor

    These are all fantastic additions to OME! I am especially interested in the Reporting announcement as I have had a few asks from clients related to this.

    A question regarding this report. I can access the report without a problem, however, if I switch to the Details Table and expand the results to go back more than 7 days I see the following message:

    You'll notice the Request report button (and Create Schedule button) does not show up on this report as seen above. The button does show up on other reports, though.

    Will the Request report option be available soon?

    Thanks!
