Email Encryption in Office 365
In current times to be compliant with secure data and access, companies are challenged day by day to the possible threat of information leakage.
And sharing the data, although often necessary for work projects, also needs to be secured.
Encryption is the most effective way to achieve data security. Encryption is the process of encoding a message or information making it restricted for specific people. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. In other words, a “permission”. In an IT perspective, data encryption translates data into another form, or code, so that only people with said access can read it.
How does this relate to Office 365? Compliance is an on-going process and a shared responsibility. Data Loss can be a loss of a deal to the competition; Leak of the company’s customer data; Internal procedures and or legal related cases; Company user's private data; Etc. And most of the time, it will affect the company negatively in one way or the other.
Azure Information Protection (AIP) is cloud service which purpose is to allow an organization to classify, label, and protect its documents and emails in compliance with private data. Rules and conditions can be defined either by an administrator or, users if allowed.
Azure Rights Management Services (RMS) is a Microsoft security tool that provides persistent data protection by enforcing data access policies (also known as Templates). Together with encryption, these authorization policies are what allows the cloud-based service to help secure files and emails, working across a variety of devices - phones, tablets, and PCs. Information can be protected even outside an organization because that protection remains attached to data, even when it leaves an organization’s boundaries. As a very simple example:
(…) employees might email a document to a partner company or, save a document to their cloud drive. The persistent protection that Azure RMS provides not only helps to secure your company data, but might also be legally mandated for compliance, legal discovery requirements, or simply for good information management practices. (…) https://docs.microsoft.com/en-us/azure/information-protection/understand-explore/what-is-azure-rms Note: Keep in mind that users with access can still take a photo with their cell phones or take notes of the information that they see on their computers, where the file is protected. |
AIP protection technology makes use of Azure RMS encryption, access policies and identity. These policies or Templates stay with the documents even when they leave the organization. So, how does it integrate with Exchange? Through Information Rights Management (IRM), which is the RMS enabled Application for Exchange. IRM is the component in the RMS-enabled application that enforces said rights on Exchange Online or SharePoint Online.
In the Beginning…
Rights management started as an add-on to the windows server. On premises, the service has the name of Active Directory Rights Management (or AD RMS for short) and encryption features were allowed for integrate with Exchange Server (2010 onwards), SharePoint and Windows File Server Resource Manager under the name of Information Rights Management (or IRM). At the time, only Office files were supported for the service.
How does it Work
Simply put, a file or email is encrypted by getting a publishing license from the RMS service. When the user accesses their mail client (web or desktop client) and tries to see the RMS Templates, Exchange’s IRM would query RMS which in turn would query the Active Directory to see if the user has permission.
Going to cloud: With the need of service integration, flexibility and remote access, disaster recovery, collaboration (between same or different companies), document control and security (among others) for companies, Microsoft released a cloud solution and subscription-based service in June 2011 (i.e. Office 365) which only allowed for integration with on-premises (AD RMS) encryption service for exchange online at the time.
Later in 2013 Azure RMS was released, making use of the Azure Active Directory, associated with the Office 365 directory. Azure RMS would allow integration with the on-premises solutions, allowing for customers already using the service on premises (with respective templates and permissions) to be able to use them in Azure RMS for the cloud-based users as well.
As an example, IRM is to RMS what Microsoft Office Outlook is to Exchange.
“Ok, Azure RMS and IRM. But what About OME?”
OME stands for “Office Message Encryption” and started as an Office integration with document protection. OME is currently the external “branding” part of the IRM as it is tightly integrated with it and with document protection (email attachments). OME also evolved, allowing company marketing on Exchange’s encrypted emails across different organizations.
Cloud Services features and integration with Exchange Online:
Azure RMS divides into Labeling/Classification and Protection. To explain the “Azure Protection” evolution on Exchange Online, we need to consider that, when on cloud, Azure RMS had several builds, initially similar to the On-premises solutions, but with its own “cloud” properties. We can presently consider two main versions of Azure RMS, Version 2 being the most recent.
Currently, version 2 holds a lot of the main features with more security policies features, more device and OS compatibility and more customizations.
Still, there are some differences that an Exchange Administrator should consider when deploying, specially, if the organization had the system previously enabled (or even an On-premises deployment in Hybrid Environments):
- With Azure RMS on Exchange Online, email encryption improved considerably, both in terms of user use as admin control:
-Besides licensing, Version 2 activation requires only one action (either on portal or via powershell:
Set-IrmConfiguration -AzureRMSLicensingEnabled $True -InternalLicensingEnable $True)
NOTE: Version 1 would require more configuration steps on PowerShell (like importing the “trusted published domain” (TPD) policy and setting service location)
-On version 2, to update template permissions/settings, you just save changes on Azure portal to update (“Publish” button no longer used, as templates are published automatically when saving)
NOTE: Version 1 required having to re-import the TPD each time changes were made to the templates
-Version 2 is compatible with version 1 if it has been set*. If this isn’t true, actions like “Apply previous Version of OME” on a transport rule in Exchange Online will not work
*Important: The only version 1 templates that will not work with version 2 are the “Scoped Templates”. Version 2’s scope policies are defined in the main portal, not on the template.
-Version 2 also improved by being compatible with more email providers, not only Outlook.com or Hotmail.com but also with gmail, yahoo, etc.
- The next topic to approach is licensing. Licenses in Office 365 contain plans, and these are essential for the services to work properly. Azure Information Protection is no different, as there are certain features that depend on the plan.
For the service to work, according to Azure Information Protection Documentation:
“(…) To use this data protection solution, your organization must have a service plan that includes the Azure Rights Management service from Azure Information Protection. Without this, the Azure Rights Management service cannot be activated. You must have one of the following: An Azure Information Protection plan An Office 365 plan that includes Rights Management (E3 and up)” |
Regarding Exchange Online, E3 contains the “Azure Rights Management” plan, which grants access to Azure RMS protection features, like email or document encryption. For the labeling or other specific features, an Azure Information Plan (it can be plan 1 or plan 2, depending on Feature) is needed.
You can verify each plan features via the link https://azure.microsoft.com/en-us/pricing/details/information-protection/
Very Important: “(…) Some Azure Information Protection features require a subscription to Office 365 ProPlus, which is not included with Office 365 Business Essentials, Office 365 Business Premium, Office 365 Enterprise E1, Office 365 Education, or Office 365 Enterprise F1.” https://technet.microsoft.com/library/exchange-online-service-description.aspx |
- On Premises, Azure Information Protection Offers two solutions in case of Hybrid Deployments:
If you have an AD RMS on premises, you can migrate your templates to Azure RMS, making them accessible to cloud users. You can also choose to manage your key or have Microsoft manage it.
You can check it on https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements-servers
Alternately, customers not having an AD RMS on premises can still use Azure Information Protection by deploying the Azure RMS Connector (keep in mind that the connector should not be installed in a computer which has IIS services installed and configured on it, like a web app for example).
More information on https://docs.microsoft.com/en-us/azure/information-protection/deploy-use/deploy-rms-connector
These options will extend some Azure RMS features to Exchange on premises servers, although with some limitations.
Note: Currently, on premises OWA users do not have access to the “Protect” option as Exchange Online OWA users. They are still able to open encrypted messages but, for version 2 template selection, they should use Outlook Client with Azure Information Protection Tool installed. This is one of said examples. |
Not less important, here are some additional considerations in Exchange:
-Keep in mind that RMS protected emails need to be taken into consideration when performing context search or eDiscovery
-The “Do Not Forward” and “Encrypt” templates are policies that come from Exchange Online side when IRM is enabled.
These are not directly managed by the Azure Information Protection
-On OWA, email protection is applied via the “Protect” button
-For Outlook, The Azure Information Protection tool installation is needed to be able to have the “Protect” icon
-Currently, Outlook does not support the “Encrypt” template which can only be opened in OWA.
If an email with this template is received, Outlook will open the message on OWA automatically
For assistance on configuring the services, there is a script made by Microsoft's Exchange Escalation Team which can be used:
(Credit to my colleagues Daniel and Victor): https://blogs.technet.microsoft.com/exovoice/2018/02/26/office-message-encryption-configuration-and-troubleshooting/
In conclusion, in Exchange Online when the user accesses their mail client (web or desktop client) and tries to see the RMS Templates, Exchange’s IRM will query RMS which in turn would query Azure Active Directory to see if the user has permission or is within the RMS template scope, which gives the user permissions to use it or to decrypt it. It’s the policy within the file that it’s queried, not the content.
Exchange Online and Azure RMS integration has brought Organization control to help secure email messages, documents, and sensitive data that is shared outside company walls.