Chris Stegh / Categories: Security

Why Not Encrypt Confidential Emails?

If you thought the only way to encrypt email was with PGP or S/MIME, who could blame you for not doing it?  But after the quietly made announcements at Ignite about sending and opening encrypted messages through Exchange Online, IT pros can now give it a serious look.


All of this capability is included in the Office 365 E3 and E5 licensing plans.  The two online services involved are Office 365 Message Encryption (OME, really a part of Exchange Online) and Azure Information Protection (AIP; E3 and E5 include a subset of what the a la carte paid plans offer).


The Major Innovations

Office 365 Message Encryption now lets encrypted email be sent without users having to do anything.  Admins can use some of AIP's basic rights management functionality to scan messages for specific keywords, encrypt them, and disallow printing and forwarding. The conditions are applied through mail flow settings in Exchange Transport Rules.  Of course, users can also encrypt a message on their own by clicking the "Protect" button.

Recipients on Microsoft email systems (Office 365, etc.) as well as Yahoo! and Gmail can now open encrypted messages once their identity has been authenticated by their own email provider.  Microsoft worked with these providers (who together cover 80%+ of email accounts) to federate sign-in, so recipients authenticate with the account they already have.  Of course, a recipient can still choose to receive a one-time passcode to read the message instead.

These capabilities work for any organization with Exchange Online, including hybrid deployments.  The prerequisite is that mail must enter or leave the organization through Exchange Online.


Also Worth Noting

Organizations can brand the encrypted message wrapper and portal with their own logo and header/footer text.
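The branding step, as an added example (not code from the original post): it uploads a logo and the wrapper/portal text through Exchange Online PowerShell. The logo path and every text string are placeholders; the 40 KB ceiling is Microsoft's published recommendation for the logo file.

```powershell
# Added example, not from the original post: brand the encrypted-mail wrapper and
# the OME portal. The logo path and all text strings are placeholders.
# Requires the Exchange Online PowerShell module and an existing session.
$logoPath = 'C:\Branding\contoso-logo.png'     # .png, .jpg, .bmp or .tiff

# -Image takes raw bytes; Microsoft recommends keeping the logo file under
# 40 KB (about 170x70 px), so refuse anything larger before uploading.
$logo = [System.IO.File]::ReadAllBytes($logoPath)
if ($logo.Length -gt 40KB) {
    throw "Logo is $($logo.Length) bytes; resize it below 40 KB before uploading"
}

Set-OMEConfiguration -Identity 'OME Configuration' `
    -Image $logo `
    -EmailText 'You have received a protected message from Contoso. Open it with your existing Microsoft, Google or Yahoo account, or request a one-time passcode.' `
    -PortalText 'Contoso secure message portal' `
    -DisclaimerText 'This message is confidential and intended only for the named recipient.'

# Read the settings back to confirm the change landed.
Get-OMEConfiguration | Format-List Identity, EmailText, PortalText, DisclaimerText
```

Run this after the tenant has been enabled for the new OME capabilities; the text fields are what external recipients see in the wrapper email and on the portal page, so keep them free of anything that would make a phishing lookalike easier to imitate (no links to third-party sites, for instance).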

Organizations can also bring their own key (BYOK) and retain full control over the key used to protect email.  Microsoft expects 80% of customers to use Microsoft-managed keys, but for some regulated industries BYOK is critical.


Enabling’s Advice

Try it out in a test tenant first.  Enabling the service is a tenant-wide setting; it cannot be turned on for only specific mailboxes, so scoping which messages get encrypted (by sender, recipient or keyword) is done in the rule conditions, not by mailbox.

Set up Exchange Transport Rules to encrypt all mail between executives, or mail to external contractors, or mail from whoever else sends the most confidential email, since those mailboxes are also the most attractive targets.
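The procedure above end to end, as an added example (not code from the original post or from Microsoft): enable Azure RMS licensing for the tenant, verify it, and create the scoping rules with Exchange Online PowerShell. The admin UPN, group addresses and keyword list are placeholders; the template name is validated against what the tenant actually publishes. It goes one step beyond the keyword case in the text by also keying a rule on a built-in sensitive information type.

```powershell
# Added example, not from the original post: enable the new OME capabilities in
# Exchange Online and scope automatic encryption with mail flow (transport) rules.
# Assumptions: the admin UPN, the group addresses and the keyword list are placeholders.
# Requires the Exchange Online PowerShell module.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Azure RMS licensing is a tenant-wide switch; turn it on only if it is off.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
# Surfaces the "Protect" button in Outlook on the web.
if (-not $irm.SimplifiedClientAccessEnabled) {
    Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
}

# 2. Verify before touching mail flow; the output should end in OVERALL RESULT: PASS.
Test-IRMConfiguration -Sender admin@contoso.com

# 3. Rules must reference a template the tenant actually has.
$template = 'Do Not Forward'   # blocks forwarding and printing, as the post describes
if ((Get-RMSTemplate).Name -notcontains $template) {
    throw "RMS template '$template' not found; check Get-RMSTemplate"
}

# Create a rule only if it does not already exist, so the script can be re-run safely.
function New-OmeRuleIfMissing {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [string]    $Template
    )
    if (Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$Name' already exists, skipping"
        return
    }
    New-TransportRule -Name $Name -Mode Enforce `
        -ApplyRightsProtectionTemplate $Template @Conditions
}

# Executives to anyone outside the organization.
New-OmeRuleIfMissing -Name 'OME: executives to external' -Template $template -Conditions @{
    FromMemberOf = 'executives@contoso.com'
    SentToScope  = 'NotInOrganization'
}

# Anyone to the external contractors group (a distribution group of mail contacts).
New-OmeRuleIfMissing -Name 'OME: mail to contractors' -Template $template -Conditions @{
    SentToMemberOf = 'external-contractors@contoso.com'
}

# Keyword trigger in subject or body (case-insensitive match).
New-OmeRuleIfMissing -Name 'OME: confidential keywords' -Template $template -Conditions @{
    SubjectOrBodyContainsWords = @('Confidential', 'Attorney-Client Privileged')
}

# Beyond keywords: a built-in sensitive information type, here U.S. SSNs, with at
# least one match required. The name must match Get-DataClassification output.
New-OmeRuleIfMissing -Name 'OME: PII detected' -Template $template -Conditions @{
    MessageContainsDataClassifications = @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' })
    SentToScope                        = 'NotInOrganization'
}

# Review what is now in force.
Get-TransportRule | Where-Object Name -like 'OME:*' |
    Format-Table Name, State, Priority, ApplyRightsProtectionTemplate
```

Two cautions when running this in the test tenant: the keyword rule is the broadest and will match ordinary signature lines such as "Confidential" disclaimers, so inspect message tracking for a week before copying it to production; and because the rules act on mail as it transits Exchange Online, a hybrid organization whose outbound mail still leaves from on-premises servers will see none of them fire.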




Below are FAQs from the Q&A session of a webinar on the topic held on 10/5.

What would be your solution if an external user only needs to consume the AIP service? The external enterprise has Office 365, but self-sign-up is disabled by policy, and they do not have AIP licenses, so RMS for individuals is not possible.

The external user, or specifically the external email recipient, does not need AIP licenses or even Office 365 licenses to consume the protected message.

Is OME ready for external recipients now?

Yes! This is part of what's new. You can now send encrypted and rights-protected email to both internal and external recipients, enabling B2B and B2C scenarios.

Does Azure IP work with locally installed versions of Office like Office 2013, 2016, etc.?

Azure Information Protection is supported on Office 2010, 2013 and 2016.

Follow-up question on OME: is it documented anywhere how it works? Can they prevent download of attachments for external recipients?

Yes! Here is the blog

Can OME also send encrypted emails to personal email addresses?

Yes! For lesser-known email providers, recipients can sign in with a one-time passcode or a Microsoft account. Gmail or Yahoo recipients can use their Google or Yahoo identity to authenticate.

Is there any type of built-in protection from software that can take snapshots of the data, i.e., Snagit?

We cannot guarantee the behavior of any third-party app, as they need to enforce the permissions.

Which Office 365 plan do you need to get the "Protect" capabilities? When will this be available, as I do not see it yet?

Any Office 365 E3 and above subscription will get these capabilities. Or you can use Office 365 E1 with the AIP P1 add-on; the setup details are here:

Also, what do we need to do to get the new features (the button and inline protection) enabled?

You can enable it today for your organization by following the instructions at

What do we need to do in Exchange Online to start using this?

If you are on Office 365 E3, follow the instructions from

If I send out a protected message to an external user, and they reply with sensitive information in the body of the reply or an attachment, is the reply also encrypted and protected?

Yes, the entire conversation (including replies from external users) is encrypted and protected.

Is the Protect button available in the Outlook 2016 client?

We are working on it; it should be expected shortly. It's available in OWA as of *today*.

How does an organization automatically protect emails that contain PII?

You can use AIP/DLP to detect content and automatically protect content.

Do you need an "E" license to do this? I have Office 365 Business Premium and Azure IP P1.

Yes, you do. This is offered as part of Office 365 E3 and above *or* Office 365 E1 with the Azure IP P1 add-on.

Can email be automatically protected based on content policies?

Yes, use the transport rules from

With E3, how do you enable?

Praveen is talking about setting it up now, but here is the documentation as well:

So, this is organic to the E3 full license?

Yes, this feature is available with E3 and above licenses.

When is this server-side feature available for Office 365 Exchange Online? When are the client features available in the Office 365 Outlook desktop app on the "monthly" or deferred channel? What if recipients have old versions of Outlook?

You can enable the service from . No changes are required in the Outlook desktop client. Future updates will simplify the workflow, but fundamentally you can get started today. As long as recipients are on Outlook 2013/2016, they are good to go.

What do we need to do to convert our tenants to this? Currently, we have transport rules and IRM set up, but we would use this instead. Do we have to remove our existing IRM?

If you are using IRM with Azure RMS, just follow the instructions from

Does the customization require Azure AD Premium?

No, it does not.

Will this work with a hybrid deployment?

Yes, a hybrid is supported, as long as the email is routed through Exchange Online.

Can you describe how to use AIP/DLP to automatically protect PII?

Yes, you can use DLP in Exchange Transport Rules. However, at this time, encryption as an action is not available through DLP in the Security and Compliance Center.

Does the same concept work for native Android (Samsung), for example?

Yes, a recipient can read and reply to encrypted messages natively in the Outlook Android app.

Is there documentation available for the Server-Side Decryption?

Server-side decryption documentation is available here:

If I do an eDiscovery search with the admin tool, would I be able to consider protected email and attachments, see clear text, and search for text within the protected messages/docs?


What about an Office 365 user with EMS sending to an on-premises Exchange organization?

Any recipient, including on-premises Exchange users, will be able to read and reply to encrypted and rights protected messages.

You use the word content; does it scan the emails for specific words and phrases, and is it able to apply a policy automatically?

You can use keyword match, as well as many other conditions available in Exchange Mail Flow rules.

What is the potential immediate impact to end users when you enable it if any?

Office 365 end users will be able to read and reply to encrypted messages natively in Outlook apps. Non-Office 365 users will be able to read messages from the OME portal.

Is there another way to encrypt the messages other than specifically adding the external recipient's address to a transport rule?

Yes! Exchange Mail Flow rules have flexible controls to apply for automatic protection.

Do we have to create each recipient manually?

Not necessarily. AIP provides rich capabilities to create custom templates. Additionally, end users can use the out-of-the-box Do Not Forward policy to send an encrypted email to any recipient.
