Decrypting attachments automatically may be an essential additional feature for the implementation of Office 365 Message Encryption (OME). Having this function activated enables recepients without a Microsoft Active Directory Account (MS AAD) to open a downloaded attachment (locally saved document). However, a few minor but important chances regarding the related parameters were made recently: The parameter DecryptAttachmentFromPortal is now decrypted. Use DecryptAttachmentForEncryptOnly instead which covers all the use cases of the DecryptAttachmentFromPortal parameter.
How it was…
Before changes were made, the following two parameters were responsible for the behavior of decrypting attachments automatically:
|DecryptAttachmentForEncryptOnly||Encryption is removed for all the attachments for all recipients after they have authenticated – no matter which authentification method they used or how they viewed their email.|
|DecryptAttachmentFromPortal||Encryption is removed only in the Office 365 Message Encryption Portal (the one which opens when you have to access an email using the Microsoft web interface) when somebody downloads an attachment. Recipients with an Azure AD Account that access emails from Outlook (any plattform), the attachment would remain encrypted since there woudn’t be any need to open the Office 365 Message Encryption Portal.|
…and how it is now.
Microsoft removed the DecryptAttachmentFromPortal parameter in order to create a consistent end user experience and keep the service lean. You will receive an error message when trying to set it using Exchange Online PowerShell (although it might still appear as an attribute):
Set-IRMConfiguration -DecryptAttachmentFromPortal $true
A parameter cannot be found that matches paramter name 'DecryptAttachmentFromPortal'.
+ CategoryInfo : InvalidArgument: (:) [Set-IRMConfiguration], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-IRMConfiguration
+ PSComputerName : outlook.office365.com
From now on, the DecryptAttachmentForEncryptOnly parameter can only be used to archieve an automatic decryption of attachments (which happens as soon as the email is opened). However, the DecryptAttachmentForEncryptOnly parameter should normally cover every requirement.
For more information, please refer to the official documentation and my tutorial for implementing Office 365 Message Encryption.
Are you planning to implement Office 365 Message Encryption? Feel free to contact me.