Email Encryption and Rights Protection
Published Sep 26 2017 08:14 PM


Announcing new capabilities available in Office 365 Message Encryption



As part of our integrated information protection investments we are releasing rich new capabilities in Office 365 Message Encryption that protect and control your sensitive emails. These enhancements are aimed squarely at helping you better safeguard your sensitive email communications without hampering the ability for your users to be productive and to easily collaborate with those inside or outside of your organization.


At a high-level, the new enhancements include:


  • Helping you lower the risk of accidental or malicious data loss by making it easier for your users to protect and read sensitive emails.
  • Enabling non-Office 365 recipients of protected emails to read and respond with ease, regardless of the device, app, service, or identity they use to receive their email.

Additionally, Office 365 Message Encryption will support customer-managed keys, to help customers meet their compliance needs.

Please read below to understand more detail on what we are delivering and how you can get started.  


What’s New


Helping you lower the risk of accidental or malicious data loss by making it easier for your users to protect and read sensitive emails.

In the previous version of Office 365 Message Encryption, users could encrypt their messages by using certain keywords in the subject line or in the body of the message. While this is a powerful feature for organizations to automatically encrypt sensitive emails, it presented a hurdle for end users that wanted to send ad-hoc encrypted messages.


Today, in addition to the automatic policies that can be set by administrators, we are empowering end users to encrypt and rights protect sensitive messages using the default ad hoc policy “Do Not Forward”, as well as other custom policies. End users can now apply encryption and rights protection from Outlook in a few clicks.



 Example of an email being protected in the Outlook rich client.


Another area we’re investing in to protect sensitive data is the ability to rights protect messages that are shared outside the organization for B2B and B2C scenarios.


Until recently, you could use Office 365 Message Encryption to send protected email to external recipients, but Office 365 Message Encryption presented a very different experience from Information Rights Management (IRM). In the new Office 365 Message Encryption, we are extending the feature to include the best of IRM, with the added benefit that the sender does not need to worry about anything before clicking Send. For example, we are eliminating complexity by removing the need to establish explicit trusts between organizations. Now users can easily send encrypted and rights protected messages to anyone inside and outside the organization. Additionally, this protection will be applied to the Office 365 document(s) attached to the message.


This not only protects sensitive data from being read by unintended audiences, but also allows you to set usage rights, such as preventing the message from being forwarded, copied or printed.



 Example of a protected email with an Office attachment that also has been protected.


Lastly, to further enable users to collaborate securely on protected emails, Office 365 users can get a seamless reading experience on any device if they are using Outlook (desktop, Mac, web, iOS or Android mobile). For those users who do not choose to use the Outlook app, we are also adding the ability for you—as IT—to enable other Exchange ActiveSync (EAS) mobile email clients, like the native Mail app on iOS, to receive and respond to protected emails.



 Example of reading and sending a protected message from Outlook app on iOS.


Ensuring that recipients of protected emails can read and respond with ease, regardless of the device, app, service, or identity they use to receive their email.

Another investment we made was to enable users to read a protected message regardless of their email provider. Previously, Office 365 Message Encryption recipients had to read encrypted messages with a Microsoft Account or a One-time Passcode.


Today, Gmail and Yahoo recipients can easily authenticate using their Google or Yahoo identity and sign in to a limited-time web view that allows them to read and collaborate on protected emails.


 Example of the sign-in with Google page, where the recipient can use their Google identity to read a protected message in a limited-time web view.


Customers using less popular email providers can continue to use a Microsoft Account or a One-time Passcode.


Support for customer-managed keys

Regulated customers have expressed the need to provide customer-managed keys to the Microsoft cloud and to have the ability to protect their mail using these keys. Exchange Online now supports a customer-managed tenant key for Azure Information Protection. Read here to understand how to set this up in Azure Key Vault.


How can I get this?


The new message protection capabilities are offered in Office 365 E3 and above for commercial customers and Office 365 A1 and above for EDU customers. We also offer this in several other plans with the appropriate add-ons - please refer to this table for more detail.


Get Started Today!


Customers should get started on these new capabilities that are available today! Please see the resources below that can help you get started:


  1. Watch the session delivered at Ignite: BRK2203 Protect and control your sensitive emails with new Office365 Message Encryption capa...
  2. Attend the webinar that will talk through the new capabilities in more detail.
  3. Review set up guidance on


As we continue to invest in and deliver on more information protection capabilities, we would love to hear your feedback. Engage with us here on the TechCommunity.


Thank you!


Caroline Shin



Last update: May 11 2021 01:54 PM