
Email encryption in Office 365 with Exchange Online



This post will be updated soon.

Data protection, security and encryption - three topics that have become increasingly important in recent years. As the world becomes ever more connected, the challenges of transforming the world into the digital age in a way that is both intuitive and secure are growing. With the General Data Protection Regulation (GDPR), the European Union has already defined a framework roadmap that, among other things, prescribes the encryption of personal data. Today we look at an important part of this - email encryption for Microsoft Office 365 with Office 365 Message Encryption (OME).

Office 365 Message Encryption (OME)


With Office 365 Message Encryption (OME), Microsoft offers a fully integrated solution for the encryption and decryption (internal and external) of emails for Office 365 users. The solution offers secure communication in accordance with GDPR regulations and seamless integration with Office 365 and Microsoft apps. Depending on the Office 365 plan, the solution may already be included and can therefore be used free of charge. Office 365 Message Encryption is part of Azure Information Protection (AIP), a Microsoft cloud service that allows documents and messages to be classified and protected according to individually defined policies. These are configured in Azure Rights Management (RMS).


User-defined policies allow customized scenarios and rights for documents and emails, such as the following:


  • Only internal employees are allowed to read an encrypted e-mail.
  • Each recipient may read the encrypted e-mail, but may not forward it.
  • Emails to external parties are automatically encrypted.
  • An incoming reply to an email initially encrypted by us is to be decrypted for internal processing.
  • If an e-mail is sent with an attachment, it should be encrypted automatically.
  • Email attachments can inherit the protection (encryption, policies) of emails.


With Office 365 Message Encryption, sensitive data is effectively protected, as the following scenarios show:

Office 365 Message Encryption scenarios


The following products can be used to encrypt e-mails:


  • Microsoft Outlook 2013/2016/2019 for macOS and Windows
  • Microsoft Outlook OWA (Outlook Web Access)


Authentication, as a prerequisite for decrypting e-mails, can be carried out natively by Microsoft Outlook. The following products are supported:


  • Microsoft Outlook 2013/2016/2019 for macOS and Windows
  • Microsoft Outlook for Android and iOS
  • Outlook OWA (Outlook Web Access)


If no product listed above is used, the email cannot be displayed. Instead, the user is shown email content that enables them to carry out an alternative authentication. This can be carried out by one of the following providers (if the e-mail address can be assigned to a provider) and always with a one-time code:


  • Yahoo account
  • Google account
  • Microsoft account
  • One-time identification by e-mail


When authenticating via a one-time code, such a code is sent to the e-mail address of the recipient of the encrypted e-mail. In this respect, the user opening the email verifies themselves as the person who originally received it and is authorized to do so.

You can find more information on opening encrypted emails here:

Implementation and configuration


If your Office 365 plan does not yet include Office 365 Message Encryption or you need more advanced features, you must first purchase an Azure Information Protection Premium plan. You can do this in the Microsoft 365 Admin Center. If your Office 365 plan already contains the necessary functionalities, simply skip this step.

Activate Azure Information Protection (AIP)

In the Azure portal, search for Azure Information Protection and select the service. Under the item Protection activation, the Protection status must be active.

Activate Azure Rights Management (RMS)

Now make sure that Azure Rights Management is activated. To do this, search for RMS in the Microsoft 365 Admin Center and select Azure Rights Management settings, or follow this link.

Creating and modifying labels and policies

Azure Information Protection already comes with predefined policies. These are partly configurable and partly fixed, as they are hardwired to other functions. The following two labels are predefined and can therefore only be viewed when creating rules for applying the protection:


  • Encrypt (Encrypt Only)
  • Do not forward (Do Not Forward)


Under Azure > Azure Information Protection > Labels, new labels can be created and existing ones modified or deleted:

Office 365 Message Encryption Azure Information Protection Designations Default

Of particular importance when creating and configuring a label is the action that is performed when the label is applied:


  • Not configured (quick deactivation of a policy if required; not a solution for production use)
  • Protect (encrypt)
  • Remove protection (decrypt)


Likewise, an intelligent classification can be set up for the sectors finance, medicine and healthcare, and data protection: for example, if credit card information is identified in an e-mail, a selected label can be applied automatically. However, this requires an additional license (AIP P2).

After completing the configuration, any new labels are added to a policy so that they can be actively used. This can be done under Azure > Azure Information Protection > Policies.


Encryption and decryption rules for Exchange Online

Rules and conditions for assigning labels to emails and thus encrypting them can be configured in the Office 365 Exchange Admin Center. You can access this via Microsoft 365 Admin Center > Admin Centers > Exchange. Under the menu item Mail flow, rules are executed and created with which the use of encryption can be activated and deactivated:

New rules are created via the plus (+) button.
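
The same kind of rules can be scripted in Exchange Online PowerShell. The following is an added example, not part of the original post: it checks that RMS licensing and the predefined Encrypt template are available, then creates one rule that encrypts mail to external recipients and one that removes encryption from inbound mail, both in audit mode so they can be reviewed before enforcement. It assumes an existing Connect-ExchangeOnline session; the rule names are constructed for illustration.

```powershell
# Added example. Assumes a session opened with Connect-ExchangeOnline
# (ExchangeOnlineManagement module). Rule names are constructed.

# 1. Encryption rules only work if Azure RMS licensing is active for the tenant.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure RMS licensing is not enabled; activate RMS before creating rules.'
}

# 2. Confirm the predefined template is visible to Exchange Online.
$template = 'Encrypt'
if (-not (Get-RMSTemplate | Where-Object Name -eq $template)) {
    throw "RMS template '$template' not found."
}

# 3. Rule definitions: encrypt outbound external mail, decrypt inbound mail.
$rules = @(
    @{
        Name                          = 'OME - encrypt mail to external recipients'
        FromScope                     = 'InOrganization'
        SentToScope                   = 'NotInOrganization'
        ApplyRightsProtectionTemplate = $template
    },
    @{
        Name        = 'OME - remove encryption from inbound mail'
        FromScope   = 'NotInOrganization'
        SentToScope = 'InOrganization'
        RemoveOMEv2 = $true
    }
)

foreach ($rule in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already exists, skipping: $($rule.Name)"
        continue
    }
    # Audit mode logs matches without applying the action; switch to Enforce after review.
    New-TransportRule @rule -Mode Audit -Comments 'Created by script; review before enforcing'
}

# 4. Show the resulting state for review.
Get-TransportRule | Where-Object Name -like 'OME - *' |
    Format-Table Name, State, Mode, Priority
```

Once the audit results look correct, `Set-TransportRule -Identity '<rule name>' -Mode Enforce` activates a rule.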

Prices and availability

In Office 365 E3 and E5, Microsoft E3 and E5, Office 365 A1, A3 and A5 as well as Office 365 G3 and G5, Office 365 Message Encryption is already a fixed component. No new licenses need to be purchased to use the basic encryption options. If you have Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Office 365 Business Essentials, Office 365 Business Premium or Office 365 Enterprise E1, you can purchase a plan for Azure Information Protection to implement the service:

Office 365 Message Encryption Pricing


Are replies to encrypted e-mails also encrypted?

Yes, because this is necessary to protect the content (in the long term).

Are attachments encrypted?

Yes, they are. At the same time, they inherit (by default) the protection (policies) of the associated email, so that the attachment is protected even after it has been downloaded. Contact me to create an individual configuration so that downloaded attachments are automatically decrypted - a typical requirement of many companies. There is also a list of supported file types that can be encrypted by Office 365 Message Encryption.

Are shared mailboxes supported?

No, encryption is currently only supported for individual and uniquely identifiable accounts.

Where can I download the Azure Information Protection Client?

You can download it here. For further information, feel free to contact me.

How can I get further help with configuration and implementation?

Feel free to contact me.
