
Office 365 Message Encryption (& Decryption) – Steps for Purchase, Configuration, Branding and Use – Everything you need to know

 

Microsoft has replaced the Exchange Hosted Encryption service with the Office 365 Message Encryption service. This article is a follow-up to my previous blog post, Exchange Hosted Encryption - Steps for Configuration and Use.

This article talks about the ways to purchase, configure and use this service. While doing so, I have included screenshots from my lab for reference.

I have used excerpts from TechNet articles and Office 365 team blog to make this a more complete description.

 

A variety of encryption technologies work together in Office 365 to provide protection for emails at rest and in transit:

  • TLS encrypts the tunnel between mail servers to help prevent snooping/eavesdropping.
  • SSL encrypts the connection between mail clients and Office 365 servers.
  • BitLocker encrypts the data on the hard drives in the datacenter so that if someone gets unauthorized access to the machine they can't read it.
  • Information Rights Management: Windows Azure Rights Management in Office 365 prevents sensitive information from being printed, forwarded, or copied by unauthorized people inside the organization.
  • S/MIME is an encryption scheme that uses client-side encryption keys, popular for some government B2B scenarios. Read more about the upcoming S/MIME enhancements in Office 365 here.

Office 365 Message Encryption is designed to help you send confidential messages to people outside your company simply and securely, without the administrative overhead required to use S/MIME or similar technologies. It's an outside-the-company companion to Information Rights Management, which is why it's included as part of the Windows Azure Rights Management offering.

 

Office 365 Message Encryption uses Rights Management Services (RMS) infrastructure with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. For details, go to Service information for Office 365 Message Encryption.

 

Technical Details – Office 365 Message Encryption Service

 

The following summarizes the technical details of the Office 365 Message Encryption service.

  • Client device requirements: Encrypted messages can be viewed on any client device, as long as the HTML attachment can be opened in a modern browser that supports Form Post.
  • Encryption algorithm and Federal Information Processing Standards (FIPS) compliance: Office 365 Message Encryption uses the same encryption keys as Windows Azure Information Rights Management (IRM) and supports Cryptographic Mode 2 (2K key for RSA and 256-bit key for SHA-1 systems). For more information about the underlying IRM cryptographic modes, see AD RMS Cryptographic Modes.
  • Message size limits: Office 365 Message Encryption can encrypt messages of up to 25 megabytes. For more details about message size limits, see Exchange Online Limits.
  • Exchange Online email retention policies: Exchange Online doesn't store the encrypted messages.
  • Language support for Office 365 Message Encryption: Office 365 Message Encryption supports Office 365 languages, as follows:
      • Incoming email messages and attached HTML files are localized based on the sender's language settings.
      • The viewing portal is localized based on the recipient's browser settings.
      • The body (content) of the encrypted message isn't localized.

 

 

How to Buy the Office 365 Message Encryption Service

 

Office 365 Message Encryption requires the purchase of Microsoft Azure Rights Management, which is available for $2 per user per month. For more details, see Microsoft Azure Rights Management.

Office 365 Message Encryption will be available as part of Windows Azure Rights Management. Office 365 Enterprise E3 and E4 users will get Office 365 Message Encryption at no extra cost. We're including it in Windows Azure Rights Management, which is already part of the E3 and E4 plans. We're also including it in the standalone version of Windows Azure Rights Management, without raising the price of that service. Office 365 Message Encryption is available as an add-on for other Office 365 plans and for standalone plans. For example, Exchange Online Kiosk Plan 1 and Plan 2 customers will be able to add the service to their subscriptions at a cost of $2 per user per month.

Office 365 Message Encryption is also available to Exchange on-premises customers who purchase Windows Azure Rights Management service. Office 365 Message Encryption requires on-premises customers to route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail-flow.

Try Office 365 Message Encryption. This trial enables you to try Information Rights Management capabilities as well as the capabilities of Office 365 Message Encryption.

Customers who are currently using Exchange Hosted Encryption (EHE) will be upgraded to Office 365 Message Encryption beginning in the first quarter of 2014. EHE customers can learn more information about the upgrade by visiting the EHE Upgrade Center.

 

 

STEP 1: Preparing for Office 365 Message Encryption

 

Office 365 Message Encryption requires that you have an Exchange Online or Exchange Online Protection (EOP) subscription and that you've set up Azure Rights Management. If your setup meets these requirements, all you need to do to enable Office 365 Message Encryption is define rules that trigger encryption.

 

STEP 1 (a): Activate Azure Rights Management on Office 365 Portal

 

  • If Azure Rights Management is already set up for Exchange Online or Exchange Online Protection, you're ready to define transport rules and start using the Office 365 Message Encryption service, as described in Define rules to encrypt or decrypt email messages.

  • If you have Azure Rights Management but it's not set up for Exchange Online or Exchange Online Protection, activate it following the steps described in this topic under Activate Azure Rights Management for Office 365 Message Encryption.

  • If you don't have an Azure Rights Management subscription for Exchange Online or Exchange Online Protection, you must purchase a subscription and set up Azure Rights Management in order to use Office 365 Message Encryption. For information about purchasing a subscription to Azure Rights Management, see Azure Rights Management. The next section gives you information about activating Azure Rights Management.

  • If you're not sure of what your subscription includes, see the Exchange Online service descriptions for Message Policy, Recovery, and Compliance.

Office 365 Message Encryption requires the Azure Rights Management service. Once you have a subscription to this service, you can activate it as described in the following procedure. For more information about this requirement, see Prerequisites for using Office 365 Message Encryption.

 

In the Office 365 Admin Center, go to 'Service Settings'.

In 'Service Settings', click the 'Rights Management' tab. When opened for the first time, the portal might take a few moments to set up rights management before displaying any content.

When it does, click 'Manage'.

Click 'activate' to activate rights management.

Confirm the activation.

Rights management is now activated.

 

 

STEP 1 (b): Set up Azure Rights Management – PowerShell-based steps (two options)

 

The following conditions need to be satisfied before we move on to the options.

Condition 1: The administrator needs to have the necessary permissions to administer Microsoft Office 365 Message Encryption (OME) and Information Rights Management (IRM) configuration.

The administrator must therefore be a member of the following role groups under Office 365 portal >> 'Exchange admin center' >> 'permissions' >> 'admin roles':

  1. Compliance Management
  2. Organization Management
  3. Records Management

 

Condition 2: Install the Rights Management administration module (for prerequisites, see https://technet.microsoft.com/en-us/library/jj585012.aspx)

  1. Go to the Microsoft Download Center and download the Azure AD Rights Management Administration Tool, which contains the Azure Rights Management administration module for Windows PowerShell.
  2. From the local folder where you downloaded and saved the Rights Management installer file, double-click the executable file that you downloaded for your platform (WindowsAzureADRightsManagementAdministration_x64.exe or WindowsAzureADRightsManagementAdministration_x86.exe) to start the Windows Azure AD Rights Management Administration Setup Wizard.
  3. Complete the wizard.

Windows PowerShell for Azure Rights Management is now installed. To see which cmdlets are available, start Windows PowerShell with the Run as administrator option and type the following:

Get-Command -Module aadrm

 

Condition 3: Set Execution Policy to 'RemoteSigned'

The Set-ExecutionPolicy cmdlet changes the user preference for the Windows PowerShell execution policy. (https://technet.microsoft.com/en-us/library/hh849812.aspx)

The execution policy is part of the security strategy of Windows PowerShell. It determines whether you can load configuration files (including your Windows PowerShell profile) and run scripts, and it determines which scripts, if any, must be digitally signed before they will run. For more information, see about_Execution_Policies (https://go.microsoft.com/fwlink/?LinkID=135170).

NOTE: To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the "Run as administrator" option.

 

Set-ExecutionPolicy RemoteSigned

 

 

If you need to set up Azure Rights Management, you have two options:

  1. Set up Azure Rights Management for Office 365 Message Encryption, but prevent IRM templates from being available to users by disabling them in Microsoft Outlook Web App and Microsoft Outlook. (For step-by-step procedures, see Option 1 below. Reference: Set up Microsoft Azure Rights Management for Office 365 Message Encryption.)

Or

  2. Set up Azure Rights Management for Office 365 Message Encryption and enable IRM templates so they're available to users in OWA and Outlook. (For step-by-step procedures, see Option 2 below. Reference: Configure IRM to use Microsoft Azure Rights Management.)

 

Option 1: Set up Microsoft Azure Rights Management for Office 365 Message Encryption

 

To set up Azure Rights Management for Office 365 Message Encryption, do the following:

  1. Use Exchange Online Remote PowerShell to perform the steps in this procedure. For information about connecting to Remote PowerShell, see Connect to Exchange Online Using Remote PowerShell.

  2. Configure the Rights Management Services (RMS) online key-sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location, as shown in this table:

       • North America: https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
       • European Union: https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
       • Asia: https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
       • South America: https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
       • Office 365 for Government (Government Community Cloud): https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc (1)

     Note: (1) Only customers who have purchased Office 365 for Government SKUs (Government Community Cloud) should use this RMS key sharing location.

     For example, to configure the RMS Online key sharing location for a customer in North America, you would use this URL:

     Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

     For detailed syntax and parameter information, see Set-IRMConfiguration.

  3. Run the following command to import the Trusted Publishing Domain (TPD) from RMS Online:

     Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

     For detailed syntax and parameter information, see Import-RMSTrustedPublishingDomain.

  4. To verify that you successfully configured IRM in Exchange Online to use the Azure Rights Management service, run the Test-IRMConfiguration cmdlet. Among other things, the command checks connectivity with the RMS Online service, downloads the TPD, and checks its validity.

  5. Run the following commands to disable IRM templates from being available in OWA and Outlook, and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption:

     1. To disable IRM templates in OWA and Outlook:

        Set-IRMConfiguration -ClientAccessServerEnabled $false

     2. To enable IRM for Office 365 Message Encryption:

        Set-IRMConfiguration -InternalLicensingEnabled $true

     For detailed syntax and parameter information, see Set-IRMConfiguration.

  6. To verify that you successfully imported the TPD and enabled IRM, use the Test-IRMConfiguration cmdlet to test IRM functionality. For details, see "Example 1" in Test-IRMConfiguration.

 

Option 2: Configure IRM to Use Microsoft Azure Rights Management

 

Information Rights Management (IRM) in Exchange Online uses Active Directory Rights Management Services (AD RMS), an information protection technology in Windows Server 2008 and later, and the Microsoft Azure Rights Management service in Office 365. IRM protection is applied to email by applying an AD RMS rights policy template to an email message. Usage rights are attached to the message itself, so that protection applies online and offline, and inside and outside of your organization's firewall.

This topic shows you how to configure IRM to use the Azure Rights Management service. For details about how to accomplish the same task using an on-premises AD RMS server, see Configure IRM to Use an On-Premises AD RMS Server.

To learn more about IRM in Exchange Online, see Information Rights Management in Exchange Online.


 

Step A: Verify in the Office 365 Admin Center that Azure Rights Management is activated. (The activation steps are given above in Step 1(a).)

By default, Azure Rights Management is disabled. To enable IRM features in Exchange Online, you need to activate it by using the Rights Management settings within the Office 365 administrative portal. For more information, see Activating rights management.

Step B: Use the Shell to configure the RMS Online key sharing location in Exchange Online

  1. Use Exchange Online Remote PowerShell to perform the steps in this procedure. For information about connecting to Remote PowerShell, see Connect to Exchange Online Using Remote PowerShell.

     $UserCredential = Get-Credential
     $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
     Import-PSSession $Session

     OR

     $UserCredential = Get-Credential
     $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection
     Import-PSSession $Session

     Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command:

     Remove-PSSession $Session

  2. In the Microsoft datacenters, certain objects are consolidated to save space. When you try to use Windows PowerShell to modify one of these objects for the first time, you may encounter an error message that tells you to run the Enable-OrganizationCustomization cmdlet.

  3. Configure the Rights Management Services (RMS) online key-sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location, as shown in this table:

  • North America: https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
  • European Union: https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
  • Asia: https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
  • South America: https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
  • Office 365 for Government (Government Community Cloud): https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc (1)

Note: (1) Only customers who have purchased Office 365 for Government SKUs (Government Community Cloud) should use this RMS key sharing location.

This command configures the RMS Online key sharing location in Exchange Online for a customer located in North America. Replace the RMS Online key sharing location with the correct URL for your location from the table above.

Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

For detailed syntax and parameter information, see Set-IRMConfiguration.

 

Step C: Use the Shell to import the Trusted Publishing Domain (TPD) from RMS Online

Run the following command to import the TPD from RMS Online.

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

For detailed syntax and parameter information, see Import-RMSTrustedPublishingDomain.

 

How do you know this step worked?

To verify that you have successfully configured IRM in Exchange Online to use Azure Rights Management service, run the Test-IRMConfiguration cmdlet. Among other things, the command checks connectivity with the RMS Online service, downloads the TPD, and checks its validity.

Test-IRMConfiguration -RMSOnline

 

Step D: Use the Shell to enable IRM in Exchange Online

After you configure the RMS Online key sharing location in Exchange Online and import the RMS Online TPD, run the following command to enable IRM for your cloud-based email organization.

Set-IRMConfiguration -InternalLicensingEnabled $true

For detailed syntax and parameter information, see Set-IRMConfiguration.

 

How do you know this task worked?

To verify that you have successfully imported the TPD and enabled IRM, do the following:

  • Use the Test-IRMConfiguration cmdlet to test IRM functionality. For details, see "Example 1" in Test-IRMConfiguration.
  • Compose a new message in Outlook Web App and IRM-protect it by selecting Set permissions from the extended menu.
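Option 1 (its six steps) and Option 2 (Steps B to D) run the same few cmdlets in the same order. The following script is an added example, not from the original post or from Microsoft's documentation, that carries the whole sequence through from one Exchange Online Remote PowerShell session: it picks the key sharing URL from the table, runs Test-IRMConfiguration before enabling anything, and releases the session in a finally block. The $Region and $DisableTemplatesInClients parameters, the region keys and the test sender address are this example's assumptions.

```powershell
# Added example (not from the original post): end-to-end IRM configuration for
# Office 365 Message Encryption, covering Step B (key sharing location), Step C
# (import the TPD) and Step D (enable IRM), with Test-IRMConfiguration run before
# and after and the remote session always removed.
# Assumptions: the account is in Organization Management or Compliance Management,
# Azure Rights Management is already activated in the admin portal (Step 1(a)),
# and $DisableTemplatesInClients picks Option 1 ($true) or Option 2 ($false).
param(
    [ValidateSet('NorthAmerica', 'EuropeanUnion', 'Asia', 'SouthAmerica', 'GovernmentCommunityCloud')]
    [string]$Region = 'NorthAmerica',
    [bool]$DisableTemplatesInClients = $true
)

# RMS Online key sharing locations, copied from the table in the post.
# The govus endpoint is for Office 365 for Government (GCC) SKUs only.
$KeySharingLocations = @{
    NorthAmerica             = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    EuropeanUnion            = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    Asia                     = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
    SouthAmerica             = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
    GovernmentCommunityCloud = 'https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc'
}

$UserCredential = Get-Credential -Message 'Exchange Online administrator credential'
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
try {
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # Step B: point Exchange Online at the RMS Online key sharing location.
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocations[$Region]

    # Step C: import the Trusted Publishing Domain (TPD) from RMS Online, unless one
    # is already present, so the script can be re-run without error.
    if (-not (Get-RMSTrustedPublishingDomain -ErrorAction SilentlyContinue)) {
        Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
    }

    # Check connectivity to RMS Online and validity of the downloaded TPD before
    # switching anything on. Results is the PASS/FAIL report the cmdlet returns.
    $rmsTest = Test-IRMConfiguration -RMSOnline
    if ($rmsTest.Results -match 'FAIL') {
        throw "Test-IRMConfiguration -RMSOnline reported a failure:`n$($rmsTest.Results)"
    }

    # Option 1 hides IRM templates in OWA/Outlook; Option 2 leaves them available.
    Set-IRMConfiguration -ClientAccessServerEnabled (-not $DisableTemplatesInClients)

    # Step D: enable IRM for the cloud-based organization. This is what makes the
    # "Apply Office 365 Message Encryption" transport rule action work.
    Set-IRMConfiguration -InternalLicensingEnabled $true

    # Final verification, as in "Example 1" of the Test-IRMConfiguration topic:
    # a full round trip for a sender in the tenant. $TestSender is an assumption.
    $TestSender = 'admin@contoso.onmicrosoft.com'
    Test-IRMConfiguration -Sender $TestSender | Format-List Results

    Get-IRMConfiguration |
        Format-List InternalLicensingEnabled, ClientAccessServerEnabled, RMSOnlineKeySharingLocation
}
finally {
    # Always release the remote session; leaked sessions exhaust the per-user quota.
    Remove-PSSession $Session
}
```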

 

 

 

STEP 2: Defining rules for Office 365 Message Encryption

 

Things to know about rules for Office 365 Message Encryption

  1. Overview

    Administrators enable Office 365 Message Encryption by creating Exchange transport rules that determine under what conditions email messages should be encrypted. There are also rules for defining conditions where encryption should be removed from messages. Once you've set the encryption action within the rule, any messages that match the rule conditions are encrypted before they're sent out.

    Transport rules are flexible, letting you combine conditions so you can meet specific security requirements in a single rule. For example, you can create a rule to encrypt all messages that contain specified keywords and are addressed to external recipients. Office 365 Message Encryption also encrypts replies from recipients of encrypted email, and you can create a rule that decrypts those replies as a convenience for your email users. That way, users in your organization won't have to sign in to the encryption portal to view replies.

    For more information about how to create Exchange transport rules, see Define rules to encrypt or decrypt email messages.

  2. Integrating Office 365 Message Encryption with Data Loss Prevention Policies

    You can add message encryption actions to DLP policies. DLP policies can be created in Office 365 >> Exchange Admin Center >> Compliance Management >> Data Loss Prevention >> click "+" >> choose 'New DLP policy from template' >> scroll and choose a template to create a policy.

    You can use the following article for reference: Create a DLP Policy From a Template

    A DLP policy is a collection of transport rules. By default, DLP policies created from a template will not contain any message encryption action items. If, however, you would like to add encryption triggers, browse to Office 365 >> Exchange Admin Center >> mail flow >> rules, where you will find the rules created for the DLP policies added by the administrator. These rules can be edited to add additional action items that trigger encryption of messages wherever appropriate.

  3. Support for Custom Rules (to scan for custom data formats and patterns)

    Out of the box, administrators have access to pre-defined templates for sensitive data like U.S. Passport Number, U.S. Bank Account Number, U.S. Driver's License Number, U.S. Individual Taxpayer Identification Number (ITIN), etc. These can be added to mail flow rules to scan emails and prevent information leakage.

    If, however, screening emails for information like Date of Birth is a necessity, customized rules can be made to trigger compliance rules by scanning messages for keywords or specific text patterns.

    The appropriate syntaxes are described in the following articles.

 

Steps to create a rule for Message Encryption

 

  1. From the EAC, go to mail flow > rules > New. If you need help to become familiar with the EAC, see Exchange Admin Center in Exchange Online.

  2. Select + > Create a new rule.

  3. In Name, type a name for the rule, such as Encrypt mail for test.

  4. In Apply this rule if, select a condition, and enter a value if necessary.

     • In Apply this rule if, select a condition.
     • To view all available conditions, scroll down and select 'More options…' in the 'new rule' console.

  5. To add more conditions, select add condition and select from the list.

     For example, to specify that the previous rule applies only if the recipient is outside your organization:

     • Select add condition and then select The recipient is located > Outside the organization.
     • Select OK.

  6. To enable encryption, in Do the following, select Modify the message security > Apply Office 365 Message Encryption, and then select Save. You can select add action if you want to specify another action.

     For instance, in this case study, my test rule applies Office 365 Message Encryption to an email whenever the recipient is located 'Outside the organization'.

 

Experience with Office 365 Message Encryption

 

Sending a test email to my Microsoft email address. As the recipient address is 'outside the organization', Office 365 Message Encryption will be applied to the email.

 

The recipient will receive an email with a 'message.html' attachment. This email will have the same subject line as the originally sent email.

 

Double click or open the 'message.html' attachment in a browser – preferably Internet Explorer.

 

Click on 'View your encrypted message'.

 

Use one of the sign in options.

  • If the recipient has never received an email from Office 365 Message Encryption service, then an initial sign up process is required to verify the account. Once signed up, the recipient can use the created credentials for any future messages encrypted by Office 365 Message Encryption Service.
  • If the recipient's email address belongs to one of Microsoft's services like Office 365, then the same can be used directly to sign in and view the encrypted message.
  • If however, the recipient address belongs to a third-party or unsupported service, an associated Microsoft account is created for the recipient as part of the sign up process.

Note that the recipient does not need an Office 365 Message Encryption license to view or reply to the encrypted message. And all subsequent replies to an encrypted message, including attachments, are also encrypted.

The message opens in a captive portal.

The recipient will be able to 'reply', 'reply all' or 'forward' the email.

 

The recipient can insert an attachment to the reply and it goes out as part of the encrypted message.

Also, the recipient automatically receives a copy of the reply, as an encrypted email, for reference.

 

The recipient can also add other recipients in 'bcc', set importance levels or message options for sensitivity levels (normal, personal, private & confidential), to the reply.

 

When the reply is sent, it is delivered as an encrypted message to the original sender.

This is because there is currently no decryption rule in place in this test organization.

 

All subsequent communications are thus encrypted.

 

 

Steps for creating a rule to remove Message Encryption (Decryption)

 

When your email users send encrypted messages, recipients of those messages can respond with encrypted replies. You can create transport rules to automatically remove encryption from replies so email users in your organization don't have to sign in to the encryption portal to view them. You can use the EAC or Windows PowerShell cmdlets to define those rules.

 

For example, to create a rule for removing encryption from email replies (for all users inside the organization) by using the EAC:

  1. From the EAC, go to Mail flow > + > Create a new rule.
  2. In Name, type a name for the rule, such as Remove encryption from incoming mail.
  3. In Apply this rule if, select the conditions where encryption should be removed from messages, such as The recipient is located > Inside the organization.
  4. In Do the following, select Modify the message security > Remove Office 365 Message Encryption.
  5. Select Save.

 

Experience with Message Decryption

 

Now, when the recipient replies to an encrypted message, the message is decrypted before being delivered to the original sender.

 

The reply is received decrypted.

 

 

Creating Encryption and Decryption rules using PowerShell

 

To create a rule for encrypting email messages by using PowerShell cmdlets

  1. Connect to Office 365 using Remote PowerShell, as described in Connect to Exchange Online using Remote PowerShell.
  2. Define a rule with the ApplyOME parameter set to $true. For example, to require that all email messages that are addressed to anshu.man@live.com must be encrypted, type:

New-TransportRule "Encrypt rule for test" -SentTo "anshu.man@live.com" -SentToScope "NotInOrganization" -ApplyOME $true

Where:

  • New-TransportRule "Encrypt rule for test": name of the new rule
  • -SentTo "anshu.man@live.com": condition 1
  • -SentToScope "NotInOrganization": condition 2
  • -ApplyOME $true: encrypt the message

 

 

To create a rule to remove encryption from email replies by using PowerShell cmdlets

  1. Connect to Exchange Online using Remote PowerShell.
  2. Define a rule with the RemoveOME parameter. For example:

New-TransportRule -Name "Remove encryption from incoming mail" -SentToScope "InOrganization" -RemoveOME $true

Where:

  • New-TransportRule -Name "Remove encryption from incoming mail": name of the new rule
  • -SentToScope "InOrganization": condition
  • -RemoveOME $true: remove encryption from the message
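The encryption and decryption rules above, together with the sensitive information types and custom pattern screening described under 'Support for Custom Rules', as one re-runnable script. This is an added example, not the post's own commands or Microsoft's; it assumes an imported Exchange Online Remote PowerShell session, and the rule names, the date-of-birth regex and the Audit-first rollout are this example's own choices.

```powershell
# Added example (not from the original post): Step 2's OME transport rules as one
# idempotent script. Assumes an Exchange Online Remote PowerShell session is already
# imported (see the connection commands in Step B).

# Rules run in Priority order (0 first). The decryption rule goes first so an
# encrypted reply arriving from outside is decrypted for internal recipients
# before any other rule sees it.
$Rules = @(
    @{
        Name        = 'Remove encryption from incoming mail'
        Priority    = 0
        Mode        = 'Enforce'
        SentToScope = 'InOrganization'
        RemoveOME   = $true
        Comments    = 'Step 2: decrypt encrypted replies so users need not sign in to the portal'
    },
    @{
        # Built-in sensitive information types, named as listed in the post. Entries in
        # one -MessageContainsDataClassifications list are ORed; minCount = 1 means a
        # single match is enough to trigger the rule.
        Name        = 'Encrypt external mail containing sensitive information types'
        Priority    = 1
        Mode        = 'Enforce'
        SentToScope = 'NotInOrganization'
        ApplyOME    = $true
        MessageContainsDataClassifications = @(
            @{ Name = 'U.S. Passport Number';                                  minCount = 1 },
            @{ Name = 'U.S. Bank Account Number';                              minCount = 1 },
            @{ Name = "U.S. Driver's License Number";                          minCount = 1 },
            @{ Name = 'U.S. Individual Taxpayer Identification Number (ITIN)'; minCount = 1 }
        )
    },
    @{
        # Custom pattern for data with no built-in template (date of birth). Regex
        # matching in transport rules is case-insensitive. Conditions inside one rule
        # are ANDed, which is why this is a separate rule rather than a third condition
        # on the rule above. Audit mode logs matches in message tracing without
        # encrypting, so false positives can be reviewed before switching to Enforce.
        Name        = 'Encrypt external mail containing a date of birth'
        Priority    = 2
        Mode        = 'Audit'
        SentToScope = 'NotInOrganization'
        ApplyOME    = $true
        SubjectOrBodyMatchesPatterns = @(
            '(Date of Birth|DOB)\s*[:#-]?\s*\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}'
        )
    }
)

foreach ($rule in $Rules) {
    $existing = Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue
    if ($existing) {
        # Re-running the script updates the rule in place instead of duplicating it.
        $update = $rule.Clone()
        $update.Remove('Name')
        Set-TransportRule -Identity $rule.Name @update
    }
    else {
        New-TransportRule @rule
    }
}

# Verify: list every OME-related rule in the order Exchange will evaluate it.
Get-TransportRule |
    Where-Object { $_.ApplyOME -or $_.RemoveOME } |
    Sort-Object Priority |
    Format-Table Priority, Name, State, Mode, SentToScope, ApplyOME, RemoveOME -AutoSize
```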

 

 

 

STEP 3: Customizing encrypted messages with Office 365 Message Encryption

 

As an Exchange Online or Exchange Online Protection administrator, you can apply your company branding to customize the look of your organization's Office 365 Message Encryption email messages and the contents of the encryption portal. For example, you can customize the introduction and disclaimer text in the email message that accompanies encrypted messages as well as some text that appears on the portal where the recipient views the messages. You can also add a logo to the email message and encrypted message viewing portal.

For more information about how to customize encrypted messages, see Add branding to encrypted messages.

Using Windows PowerShell cmdlets, you can customize the following aspects of the viewing experience for recipients of encrypted email messages:

  • Introductory text of the email that contains the encrypted message
  • Disclaimer text of the email that contains the encrypted message
  • Portal text that will appear in the message viewing portal
  • Logo that will appear in the email message and viewing portal

 

To customize encryption email messages and the encryption portal with your organization's brand

  1. Connect to Exchange Online using Remote PowerShell, as described in Connect to Exchange Online Using Remote PowerShell.
  2. Use the Set-OMEConfiguration cmdlet as described here: Set-OMEConfiguration or use the following table for guidance.

Encryption customization options

  • Default text that accompanies encrypted email messages (the default text appears above the instructions for viewing encrypted messages):

    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<string of up to 1024 characters>"

    Example: Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system"

  • Disclaimer statement in the email that contains the encrypted message:

    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -DisclaimerText "<your disclaimer statement, string of up to 1024 characters>"

    Example: Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential for the use of the addressee only"

  • Text that appears at the top of the encrypted mail viewing portal:

    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<text for your portal, string of up to 128 characters>"

    Example: Set-OMEConfiguration -Identity "OME Configuration" -PortalText "ContosoPharma secure email portal"

  • Logo:

    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <Byte[]>

    Example: Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "C:\Temp\contosologo.png" -Encoding byte)

    Supported file formats: .png, .jpg, .bmp, or .tiff
    Optimal size of logo file: less than 40 KB
    Optimal size of logo image: 170x70 pixels

 

 

You can customize the cmdlets above to meet your company's requirements.
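One way to apply the whole customization table in one pass, as an added example (not from the post or from Microsoft's documentation): a function that checks the stated length and file limits before calling Set-OMEConfiguration, then reads the result back with Get-OMEConfiguration. It assumes an imported Exchange Online Remote PowerShell session and Windows PowerShell 5.1; Set-OmeBranding is a hypothetical name, and the Contoso text and logo path are the post's own sample values.

```powershell
# Added example (not from the original post): the four Step 3 branding settings
# applied together, with the table's limits enforced up front (1024 characters for
# email and disclaimer text, 128 for portal text, a .png/.jpg/.bmp/.tiff logo that
# should stay under 40 KB). Assumes an imported Exchange Online session and Windows
# PowerShell 5.1 (Get-Content -Encoding Byte, as in the post's own example).
function Set-OmeBranding {
    param(
        [string]$Identity = 'OME Configuration',   # default identity used in the post
        [string]$EmailText,
        [string]$DisclaimerText,
        [string]$PortalText,
        [string]$LogoPath
    )

    # Length limits from the customization table; fail before writing anything so
    # the configuration is never left half-applied.
    $limits = @{ EmailText = 1024; DisclaimerText = 1024; PortalText = 128 }
    foreach ($name in $limits.Keys) {
        $value = Get-Variable -Name $name -ValueOnly
        if ($value -and $value.Length -gt $limits[$name]) {
            throw "$name is $($value.Length) characters; the limit is $($limits[$name])."
        }
    }

    $params = @{ Identity = $Identity }
    if ($EmailText)      { $params.EmailText      = $EmailText }
    if ($DisclaimerText) { $params.DisclaimerText = $DisclaimerText }
    if ($PortalText)     { $params.PortalText     = $PortalText }

    if ($LogoPath) {
        $logo = Get-Item -Path $LogoPath -ErrorAction Stop
        if ($logo.Extension.ToLower() -notin '.png', '.jpg', '.bmp', '.tiff') {
            throw "Unsupported logo format '$($logo.Extension)'; use .png, .jpg, .bmp or .tiff."
        }
        if ($logo.Length -ge 40KB) {
            # The table gives 40 KB (and 170x70 pixels) as the optimal size, not a hard limit.
            Write-Warning "Logo is $([math]::Round($logo.Length / 1KB)) KB; under 40 KB is recommended."
        }
        # -Image takes a Byte[]; -ReadCount 0 returns the whole file as one array.
        $params.Image = [byte[]](Get-Content -Path $LogoPath -Encoding Byte -ReadCount 0)
    }

    Set-OMEConfiguration @params

    # Read back what the tenant now holds; Image is reported as a byte count.
    Get-OMEConfiguration -Identity $Identity |
        Select-Object Identity, EmailText, DisclaimerText, PortalText,
            @{ Name = 'ImageBytes'; Expression = { if ($_.Image) { $_.Image.Length } else { 0 } } }
}

# Sample values taken from the post's own examples.
Set-OmeBranding -EmailText 'Encrypted message from ContosoPharma secure messaging system' `
    -DisclaimerText 'This message is confidential for the use of the addressee only' `
    -PortalText 'ContosoPharma secure email portal' `
    -LogoPath 'C:\Temp\contosologo.png'
```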

 

Now, the recipient receives an email with your company's branding.

In the delivered email, the recipient will be able to view the following customizations along with the attached encrypted 'message.html' file.

  • The default text appears above the instructions for viewing encrypted messages

  • Disclaimer statement in the email that contains the encrypted message

  • Logo

     

 

When the 'message.html' attachment is opened, the captive portal shows the company logo and the customized text at the top of the console.

The following customizations will be reflected in the encrypted mail viewing portal.

  • Text that appears at the top of the portal

  • Logo

     

 

With Office 365 Message Encryption, email messages are encrypted automatically, based on administrator-defined rules. An email that bears an encrypted message arrives in the recipient's Inbox with an attached HTML file that lets the recipient sign in to view the encrypted message.

Recipients follow instructions in the message to authenticate by using a Microsoft account or an organizational account. If recipients don't have either account, they're directed to create a Microsoft account that will let them sign in to view the encrypted message. After being authenticated, recipients can view the decrypted message and reply to it with an encrypted message.

For detailed guidance about how to send and view encrypted messages, see Send, view, or reply to encrypted messages.

 

Why Office 365 Message Encryption?

 

Deliver confidential business communications with enhanced security, allowing users to send and receive encrypted email as easily as regular email directly from their desktops. Customize the email viewing portal to enhance your organization's brand. Email can be encrypted without complex hardware and software to purchase, configure, or maintain, which helps to minimize capital investment, free up IT resources, and mitigate messaging risks.

Improve security and reliability

Office 365 Message Encryption provides advanced security and reliability to help protect your information.

  • Send encrypted email messages to anyone, regardless of the recipient's email address.
  • Provide strong, automated encryption with a cost-effective infrastructure.
  • Eliminate the need for per-recipient certificates: the recipient is identified by email address and proves that identity by signing in to the portal, rather than by holding a key pair.
  • Transport over a TLS-enabled network adds protection in transit on top of the content encryption.
  • Enhance the security of subsequent email responses by encrypting each message in the thread.

Stay in control

Office 365 Message Encryption helps keep your data safe, while allowing you to maintain control over your environment.

  • Easily set up encryption using a single-action Exchange transport rule.
  • Protect sensitive information and data from leaving your gateway, consistently and automatically.
  • Policy-based encryption encrypts messages at the gateway based on policy rules.
  • Help manage compliance by leveraging the strong integration with data loss prevention.
  • Integrate with existing email infrastructure for minimal up-front capital investment.
  • Grow your organization's brand by using custom branding text or disclaimers and a custom logo.

Easy to use and maintain

It's easier than ever to protect your organization's email.

  • Easily navigate through the encrypted message with the clean Office 365 interface.
  • Encrypted email delivered directly to recipients' inbox and not to a Web service.
  • Email decrypted and read with confidence, without installing client software.
  • Simplified user management that eliminates the need for certificate maintenance.
  • Encryption process is transparent to the sender, who does not need to do anything other than write and send the message as usual.

Try Office 365 Message Encryption. This trial enables you to try Information Rights Management capabilities as well as the capabilities of Office 365 Message Encryption.

 

 

Mail-flow Summary

 

Office 365 Message Encryption is an online service that's built on Microsoft Azure Rights Management. With Azure Rights Management set up for an organization, administrators can enable message encryption by defining transport rules that determine the conditions for encryption. A rule can require the encryption of all messages addressed to a specific recipient, for example.

When an Exchange Online user sends an email message that matches an encryption rule, the message is sent out with an HTML attachment. A recipient opens the HTML attachment in the email message, recognizes a familiar brand if that's present, and follows the embedded instructions to sign in, open, and read the encrypted message on the Office 365 Message Encryption portal. The sign-in process helps ensure that only intended recipients can view encrypted messages.

The following diagram summarizes the passage of an email message through the encryption process.

  1. An Exchange Online user sends a message to the recipient.

  2. The message is filtered based on administrator-defined rules that define conditions for encryption.

  3. The tenant key for your Office 365 organization is accessed and the message is encrypted.

  4. The encrypted message is delivered to the recipient's Inbox.

  5. The recipient opens the HTML attachment and connects to the Office 365 encryption portal.

  6. The recipient authenticates using a Microsoft account or an Office 365 organizational account.

  7. The tenant key for your Office 365 organization is accessed to remove encryption from the message and the user views the unencrypted message.
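The rules that drive steps 2 and 3 above, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session and that Azure Rights Management is already enabled for the tenant; the rule names and the partner domain are placeholders. `-ApplyOME`, `-RemoveOME`, `-SentToScope`, `-FromScope`, `-RecipientDomainIs` and `-SubjectContainsWords` are the documented `New-TransportRule` parameters.

```powershell
# Added example (not from the original post): transport rules that implement steps 2-3 above.
# Assumes an Exchange Online PowerShell session and Azure RMS already enabled for the tenant.
# Rule names and 'partner.example' are placeholders.

# Rule 1: encrypt mail a user sends outside the organization when the subject contains
# "Encrypt". -SentToScope NotInOrganization keeps internal mail unencrypted, so the rule
# only fires for external recipients.
New-TransportRule -Name 'OME - user-requested encryption' `
    -SentToScope NotInOrganization `
    -SubjectContainsWords 'Encrypt' `
    -ApplyOME $true

# Rule 2: always encrypt mail to a named partner domain, regardless of content. This is the
# "all messages addressed to a specific recipient" case described above.
New-TransportRule -Name 'OME - partner domain' `
    -RecipientDomainIs 'partner.example' `
    -ApplyOME $true

# Rule 3: remove OME from inbound replies so internal users read them directly instead of
# through the portal (step 7 performed by the service on arrival). Only messages that were
# encrypted with this tenant's key can be decrypted this way, i.e. replies to mail your
# users sent; anything else passes through unchanged.
New-TransportRule -Name 'OME - decrypt inbound replies' `
    -FromScope NotInOrganization `
    -RemoveOME $true

# Check the rule order: rules run top-down by Priority, and an earlier rule with
# StopRuleProcessing set would prevent the OME rules from ever being reached.
Get-TransportRule | Sort-Object Priority |
    Select-Object Priority, Name, State, ApplyOME, RemoveOME, StopRuleProcessing
```

Send a test message to an external mailbox after the rules propagate and confirm that it arrives with the 'message.html' attachment rather than the plain body; a message that arrives unencrypted almost always means a higher-priority rule stopped processing or the recipient fell inside the organization scope.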

     

For more information about the keys that help ensure the safe delivery of encrypted messages to designated recipient inboxes, see Service information for Office 365 Message Encryption.

 

Frequently Asked Questions

 

Q. My users send encrypted email messages to recipients outside our organization. Is there anything that external recipients have to do differently in order to read and reply to email messages that are encrypted with Office 365 Message Encryption?

Recipients outside your organization who receive encrypted email messages from senders in your organization are asked to create a Microsoft account if they don't have one so they can sign in to view and reply to encrypted messages. For details, see Send, view, or reply to encrypted messages.

Q. Are Office 365 encrypted messages stored in the cloud or on Microsoft servers?

No, the encrypted messages are kept on the recipient's email system, and when the recipient opens the message, it is temporarily posted for viewing on Office 365 servers. The messages are not stored there.

Q. Can I customize encrypted email messages with my brand?

Yes. You can use Windows PowerShell cmdlets to customize the default text that appears at the top of encrypted email messages, the disclaimer text, and the logo that you want to use for the email message and the encryption portal. For details, see Add branding to encrypted messages.

Q. Is there a trial version of Office 365 Message Encryption available?

Office 365 Message Encryption is included with Windows Azure Rights Management. You can sign up for a 30-day trial of the service from the Office 365 Rights Management trial portal here: Azure Rights Management plan. In order to use the new encryption service, you must meet the following criteria:

  • If using Office 365, you must be using the newest version.
  • If using on-premises mailboxes, you must be using Exchange Online Protection.
  • If you're a Forefront Online Protection for Exchange (FOPE) customer, you must have upgraded to Exchange Online Protection.

Q. I am using Exchange 2013. Will Office 365 Message Encryption be made available to me?

Yes, as long as you are using Exchange Online Protection or have a hybrid deployment in which mail flow is routed through EOP. You can purchase Windows Azure Rights Management and then configure rules to encrypt email using Office 365 Message Encryption.

Q. How can I purchase Office 365 Message Encryption?

Office 365 Message Encryption will be available as part of Windows Azure Rights Management. Office 365 Enterprise E3 and E4 users already have Windows Azure Rights Management as part of their service, while Office 365 Enterprise E1 and K1, Exchange Online Kiosk, Plan 1 and Plan 2 customers will be able to add the service to their subscriptions at a cost of $2 per user per month.

Enterprise E1 plan subscribers can add Office 365 Message Encryption on a per-user basis by purchasing Windows Azure Rights Management.

On-premises customers can gain access to Office 365 Message Encryption by purchasing Windows Azure Rights Management for their users at a cost of $2 per user per month and purchasing Exchange Online Protection to set up mail-flow through Exchange Online.

Q. Does the service require a license for every user in my organization?

A license is required for every user in the organization who sends encrypted email.

Q. Do external recipients require subscriptions?

No, external recipients do not require a subscription to read or reply to encrypted messages.

Q. Will Office 365 Message Encryption be available in Office 365 Dedicated?

Yes. You must first purchase Exchange Online Protection (EOP) and configure mail flow via EOP. Once that is done, customers can purchase Windows Azure Rights Management and configure rules to encrypt email.

Q. How is Office 365 Message Encryption different than Rights Management Services (RMS)?

RMS provides Information Rights Protection capabilities for an organization's internal emails by providing built-in templates, such as: Do not forward and Company Confidential. Office 365 Message Encryption supports email message encryption for messages that are sent to external recipients as well as internal recipients.

Q. How is Office 365 Message Encryption different than S/MIME?

S/MIME is essentially a client-side, end-to-end encryption technology, and requires certificate management and publishing infrastructure for every recipient. Office 365 Message Encryption uses transport rules and does not depend on certificate publishing. The trade-off: because Office 365 Message Encryption encrypts and decrypts with the tenant's key in the service (steps 3 and 7 in the mail-flow summary above) rather than with a key held only by the recipient, the service can decrypt the message on the recipient's behalf, which S/MIME by design cannot do.

Q. How does Office 365 Message Encryption work?

Visit Office 365 Message Encryption.

Q. Can I read the encrypted messages over mobile devices?

Yes. You can view messages on mobile devices, provided that the device's HTML viewer allows form posting. There is no app to install to view Office 365 encrypted messages. Instead, the recipient opens the encrypted attachment in the message and then signs in through the device's web browser to view the encrypted message.

Q. Are replies and forwarded messages encrypted?

Yes. Responses continue to be encrypted throughout the duration of the thread.

Q. Does Office 365 Message Encryption provide localization?

Incoming email and HTML content are localized based on the sender's email settings. The viewing portal is localized based on the recipient's browser settings. However, the actual body (content) of the encrypted message isn't localized.

Q. What encryption is used for Office 365 Message Encryption?

Office 365 Message Encryption uses Rights Management Services (RMS) infrastructure with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. For details, go to Service information for Office 365 Message Encryption.

Q. I am an EHE Subscriber. Where can I learn more about the upgrade to Office 365 Message Encryption?

For more information, visit the EHE Upgrade center website at GetEncryption.com.

 

References

 

Office 365 Message Encryption

Set up Microsoft Azure Rights Management for Office 365 Message Encryption

Define rules to encrypt or decrypt email messages

Add branding to encrypted messages

Send, view, or reply to encrypted messages

Service information for Office 365 Message Encryption

Office 365 Message Encryption FAQ

Comments

  • Anonymous
    January 01, 2003
    Very usefull post ! Thanks !
  • Anonymous
    July 03, 2014
    great blog post, very easy to follow. thanks a lot!
  • Anonymous
    July 09, 2014
    Best Ever....!
  • Anonymous
    July 30, 2014
    This page is EXACTLY what I was looking for! A step-by-step guide for a newly signed up Exchange Online w/Azure Management administrator that needed to get message encryption up and going asap! Thank you thank you thank you!
  • Anonymous
    September 24, 2014
    Good post, but didn't find what I was really looking for. I need a way to process this logic: If recipient domain supports TLS, then force delivery over TLS. Else, apply Office 365 Message Encryption and send over unsecured SMTP.

    Any ideas? Thanks in advance.
  • Anonymous
    October 05, 2014
    I see these two messages when trying to send an encrypted message from OWA. Any ideas?

    An error occurred while encrypting this S/MIME message. Certificates can't be found for any recipients.

    An error occurred while encoding this S/MIME message. No certificate was found. If you have a smart card-based certificate, insert the card and try again.
  • Anonymous
    October 28, 2014
    If we use O365 encryption and the recipient receiving the email uses standard TLS encryption setup on their exchange servers, will this decrypt the received emails so that they don't have to sign in online?
  • Anonymous
    February 23, 2015
    As I understand, When we click on the HTML link. It will re-direct to the server and retrieve the encrypted email post authentication. My Query is how long the email content will stay on the server for the end users to retrieve? Do we have any retention?
  • Anonymous
    June 16, 2015
    This is what I was looking for; however, I still cannot understand why it should be so difficult to configure something. Can Microsoft developers make a single link on the configuration page to configure all of it by script, or does everybody have to make experiments? This Office 365 will never go further until they make it easier. So many blogs, so many discussions; even admins have to spend one to two days to configure all these issues just to turn on message encryption ...
  • Anonymous
    October 09, 2015
    Thank you for sharing this very well documented and practical article. I used this to install Encryption on my site, and to help customers set it on theirs, as well.
  • Anonymous
    September 01, 2016
    Thanks so much!! FYI - I noticed there is an extra space in the following command: "Set-IRMConfiguration – ClientAccessServerEnabled $false"
  • Anonymous
    January 06, 2017
    Fantastic article! Very informative and helpful. Have used it a couple of times! Many Thanks!! FYI - pretty easy to catch, but just wanted to point out that there is a typo in the following command - an extra space between "-" and the switch: "Set-IRMConfiguration – ClientAccessServerEnabled $false"
  • Anonymous
    January 13, 2017
    Thanks for consolidating all needed items into one post. Yet, how would one define a large list of external recipients or external domains?
  • Anonymous
    February 02, 2017
    This is much too complicated to set up. Activating this feature should just require the click of a button that says "on". There is practically nothing to customise anyway. Please Microsoft, try to make your software as easy for administrators as you try to make it for end users.