Email Encryption in Office 365 using Exchange Online
Data protection, security and encryption – three topics that have become increasingly important in recent years. As the world becomes more and more networked, the challenges of making an intuitive and at the same time secure transformation of the world into the digital age are growing. With the General Data Protection Regulation (GDPR), the European Union has already established a framework which, among other things, prescribes the encryption of personal data. Today we’re looking at an important part of it – email encryption for Microsoft Office 365 using Office 365 Message Encryption (OME).
Office 365 Message Encryption (OME)
Solution / Service
With Office 365 Message Encryption (OME), Microsoft offers a fully integrated solution for encryption and decryption (internal and external use) for Office 365 email users. The solution provides secure communication in compliance with GDPR regulations and seamless integration with Office 365 and Microsoft apps. Depending on the Office 365 plan, the solution may already be included and can therefore be used free of charge. Office 365 Message Encryption is part of Azure Information Protection (AIP) – a Microsoft cloud service that allows documents and messages to be classified and protected according to individually defined policies. These are configured in Azure Rights Management (RMS).
User-defined policies allow custom scenarios and permissions for documents and emails, such as the following:[su_list icon=“icon: angle-right“]
- Only internal employees may read an encrypted e-mail.
- Each recipient may read the encrypted e-mail, but may not forward it.
- E-mails to external parties are automatically encrypted.
- An incoming reply to an e-mail initially encrypted by us has to be decrypted for internal processing.
- If an e-mail with attachment is sent, it should be encrypted automatically.
- Attachments of an e-mail can inherit the protection (encryption, guidelines) of e-mails.
With the use of Office 365 Message Encryption, sensitive data is effectively protected, as the following scenarios show:
The following products can be used to encrypt e-mails:[su_list icon=“icon: angle-right“]
- Microsoft Outlook 2013/2016/2019 for macOS and Windows
- Microsoft Outlook OWA (Outlook Web Access)
Authentication as a prerequisite for decrypting e-mails can be performed natively by Microsoft Outlook. The following products are supported:[su_list icon=“icon: angle-right“]
- Microsoft Outlook 2013/2016/2019 for macOS and Windows
- Microsoft Outlook for Android and iOS
- Outlook OWA (Outlook Web Access)
If no product listed above is used, the e-mail cannot be displayed initially. Instead, the user is presented with email content that allows him to perform alternative authentication methods. This can be done optionally by one of the following providers (if the e-mail address can be assigned to a provider) and always by a unique code:[su_list icon=“icon: angle-right“]
- Yahoo account
- Google account
- Microsoft account
- one-time code via e-mail
When authenticating using a one-time code, a one-time code is sent to the e-mail address of the recipient of the encrypted e-mail. In this respect, the user opening the e-mail verifies himself as the person who originally received it and therefore is authorized to do so.
More information about opening encrypted emails can be found here:
Implementation and Configuration
If your Office 365 plan does not yet include Office 365 Message Encryption, or if you need more advanced features, you must first purchase an Azure Information Protection Premium Plan. You can do this in the Microsoft 365 Admin Center. If your Office 365 Plan already includes the functionality you need, skip this step.
Activate Azure Information Protection (AIP)
In the Azure-Portal you can now search for Azure Information Protection and select the service. Under Protection Activation the protection status must be active.
Activate Azure Rights Management (RMS)
Creation and Modification of Classifications and Policies
Azure Information Protection comes with pre-defined policies. These are partly configurable and partly fixed as they are hardwired to other functions. The following two classifications are predefined and can therefore only be viewed when creating rules for applying protection:[su_list icon=“icon: angle-right“]
- Encrypt Only
- Do Not Forward
Under Azure > Azure Information Protection > Classifications new classifications are created or existing ones modified or deleted:
Of particular importance during creation and configuration is the action performed by applying the classification:[su_list icon=“icon: angle-right“]
- Not configured (quickly disable a classification on demand; not suitable for production)
- Protect (encrypt)
- Remove protection (decrypt)
An intelligent classification can also be applied to the financial, medical, healthcare and data protection industries: If, for example, credit card information is identified in an e-mail, a selected classification can be automatically applied. However, this requires an additional license (AIP P2).
After completing the configuration, any new classifications must be included in a policy so that they can be actively used. This can be done under Azure > Azure Information Protection > Policies.
Do you need a comprehensive implementation and configuration?
Encryption and decryption rules for Exchange Online
Rules and conditions for classifying and encrypting emails can be configured in the Office 365 Exchange Admin Center. You can get here from Microsoft 365 Admin Center > Admin Centers > Exchange. Under the menu item mail flow, rules are executed and created with which the use of encryption can be activated and deactivated:
New rules are created using the Plus + symbol.
Pricing and Availability
Office 365 E3 and E5, Microsoft E3 and E5, Office 365 A1, A3 and A5, and Office 365 G3 and G5 already include Office 365 Message Encryption for Office 365. No new licenses need to be purchased to use the basic encryption capabilities. If you use Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Office 365 Business Essentials, Office 365 Business Premium or Office 365 Enterprise E1, you can purchase an Azure Information Protection plan to implement the service:
Are responses to encrypted emails also encrypted?
Yes, this is necessary in order to protect the contant (in the long term).
Are attachments encrypted?
Yes, they will. At the same time, they inherit (by default) the protection (policy) of the associated email so that the attachment is protected even after downloading it. Contact me to create a custom configuration so that downloaded attachments are automatically decrypted – a typical requirement of many companies. There is also a list of supported file types that can be encrypted by Office 365 Message Encryption.
Are shared mailboxes supported?
No, encryption is currently only supported for individual and uniquely identifiable accounts.
How do I get more help with configuration and implementation?
Please feel free to contact me.