Jun 09, 2020
Office 365 Email Encryption – Setup Guide
Define rules to encrypt or decrypt email messages
As an administrator, you can create mail flow rules, also known as transport rules, to enable Office 365
Message Encryption. This lets you encrypt any outgoing email messages and remove encryption from
encrypted messages coming from inside your organization or from replies to encrypted messages sent
from your organization. You can use the Exchange admin center (EAC) or Windows PowerShell
cmdlets for Exchange Online to create these rules. In addition to overall encryption rules, you can also
choose to enable or disable individual message encryption options for end-users.
Encrypt email messages
You can define transport rules for triggering email message encryption by using the EAC or Windows
PowerShell cmdlets for Exchange Online.
To create a rule for encrypting email messages by using the EAC
1. From the EAC, go to mail flow > rules > New. If you need help to become familiar with the EAC,
see Exchange Admin Center in Exchange Online.
2. Select + > Create a new rule.
3. In Name, type a name for the rule, such as Encrypt mail for [email protected]
4. In Apply this rule if select a condition, and enter a value if necessary. For example, to encrypt
messages going to [email protected]:
a. In Apply this rule if, select the recipient is.
b. Select an existing name from the contact list or type a new email address in the check
names box.
To select an existing name, select it from the list and then click OK.
To enter a new name, type an email address in the check names box and then
select check names > add > OK.
5. To add more conditions, select add condition and select from the list. For example, to specify
that the previous rule applies only if the recipient is outside your organization:
a. Select add condition and then select The recipient is located > Outside the
organization.
b. Select OK.
6. To enable encryption, in Do the following, select Modify the message security > Apply Office
365 Message Encryption, as shown below, and then select Save. You can select add action if
you want to specify another action.
To create a rule for encrypting email messages by using PowerShell cmdlets
1. Connect to Office 365 using Remote PowerShell, as described in Connect to Exchange Online
using Remote PowerShell.
2. Define a rule with the ApplyOME parameter set to $true. For example, to require that all email
messages that are addressed to [email protected] must be encrypted, type:

   New-TransportRule "Encrypt rule for drtoniramos" -SentTo "[email protected]" -SentToScope "NotInOrganization" -ApplyOME $true
Where:

This parameter                                            Specifies:
New-TransportRule "Encrypt rule for [email protected]"    Name of the new rule
-SentTo "[email protected]"                               Condition 1
-SentToScope "NotInOrganization"                          Condition 2
-ApplyOME $true                                           Encrypt the message
Note:
If you get an error message when you try to create an encryption transport rule, verify
that Azure Rights Management (RMS) is set up for your organization by following
the steps to activate Azure Rights Management from the Office 365 admin center. If
you see an option to activate Azure RMS, then it has not been set up yet, and you'll
need to activate it in order to use Office 365 Message Encryption.
Remove encryption from email replies
When your email users send encrypted messages, recipients of those messages can respond with
encrypted replies. You can create transport rules to automatically remove encryption from replies so email
users in your organization don’t have to sign in to the encryption portal to view them. You can use the
EAC or Windows PowerShell cmdlets to define those rules. You can only decrypt messages that are either
sent from within your organization or messages that are replies to messages sent from within your
organization. Encrypted messages originating from outside of your organization cannot be decrypted.
To create a rule for removing encryption from email replies by using the EAC
1. From the EAC, go to Mail flow > + > Create a new rule.
2. In Name, type a name for the rule, such as Remove encryption from incoming mail.
3. In Apply this rule if, select the conditions where encryption should be removed from messages,
such as The recipient is located > Inside the organization.
4. In Do the following, select Modify the message security > Remove Office 365 Message
Encryption.
5. Select Save.
To create a rule to remove encryption from email replies by using PowerShell cmdlets
1. Connect to Exchange Online using Remote PowerShell.
2. Define a rule with the RemoveOME parameter. For example:

   New-TransportRule -Name "Remove encryption from incoming mail" -SentToScope "InOrganization" -RemoveOME $true
Where:

This parameter                                                 Specifies:
New-TransportRule "Remove encryption from incoming mail"       Name of the new rule
-SentToScope "InOrganization"                                  Condition
-RemoveOME $true                                               Remove encryption from the message
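The two PowerShell procedures above (the -ApplyOME rule and the -RemoveOME rule) as one script, added here as an example and not part of the original guide. It assumes an Exchange Online remote PowerShell session is already open; the recipient address is a placeholder, and the rules are created in Audit mode first so their matches can be reviewed before enforcement.

```powershell
# Added example (not from the original guide): create both transport rules
# idempotently and verify them. Assumes an open Exchange Online session.
param(
    [string]$Recipient = 'recipient@example.com',   # placeholder: replace with the real address
    [ValidateSet('Audit', 'AuditAndNotify', 'Enforce')]
    [string]$Mode = 'Audit'                         # switch to Enforce once the rule is confirmed
)

# Rule 1: encrypt mail sent to one recipient outside the organization (-ApplyOME)
$encryptName = "Encrypt rule for $Recipient"
if (-not (Get-TransportRule -Identity $encryptName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $encryptName `
        -SentTo $Recipient `
        -SentToScope NotInOrganization `
        -ApplyOME $true `
        -Mode $Mode `
        -Comments 'Created by setup script; Office 365 Message Encryption setup guide' | Out-Null
}

# Rule 2: remove encryption from replies so internal users do not need the portal (-RemoveOME)
$removeName = 'Remove encryption from incoming mail'
if (-not (Get-TransportRule -Identity $removeName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $removeName `
        -SentToScope InOrganization `
        -RemoveOME $true `
        -Mode $Mode | Out-Null
}

# Verify: show state, mode, priority and the encryption actions of both rules
foreach ($name in $encryptName, $removeName) {
    Get-TransportRule -Identity $name |
        Select-Object Name, State, Mode, Priority, SentToScope, ApplyOME, RemoveOME
}
```

If New-TransportRule fails with an RMS error, the note above applies: confirm Azure Rights Management is activated before retrying.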
Add branding to encrypted messages
As an Exchange Online or Exchange Online Protection administrator, you can apply your company
branding to customize the look of your organization’s Office 365 Message Encryption email messages and
the contents of the encryption portal. Using Windows PowerShell cmdlets, you can customize the
following aspects of the viewing experience for recipients of encrypted email messages:
• Introductory text of the email that contains the encrypted message
• Disclaimer text of the email that contains the encrypted message
• Portal text that will appear in the message viewing portal
• Logo that will appear in the email message and viewing portal
You can also revert to the default look and feel at any time.
The following example shows a custom logo for ContosoPharma in the email attachment:
To customize encryption email messages and the encryption portal with your organization’s brand
1. Connect to Exchange Online using Remote PowerShell, as described in Connect to Exchange
Online Using Remote PowerShell.
2. Use the Set-OMEConfiguration cmdlet as described here: Set-OMEConfiguration or use the
following table for guidance.
Encryption customization options

Feature of the encryption experience: Default text that accompanies encrypted email messages. The
default text appears above the instructions for viewing encrypted messages.
Command: Set-OMEConfiguration -Identity <identity> -EmailText "<text>"
Example: Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system"

Feature of the encryption experience: Disclaimer statement in the email that contains the encrypted
message.
Command: Set-OMEConfiguration -Identity <identity> -DisclaimerText "<text>"
Example: Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential for the use of the addressee only"

Feature of the encryption experience: Text that appears at the top of the encrypted mail viewing
portal.
Command: Set-OMEConfiguration -Identity <identity> -PortalText "<text>"
Example: Set-OMEConfiguration -Identity "OME Configuration" -PortalText "ContosoPharma secure email portal"

Feature of the encryption experience: Logo.
Command: Set-OMEConfiguration -Identity <identity> -Image <byte array>
Example: Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "C:\Temp\contosologo.png" -Encoding byte)
Supported file formats: .png, .jpg, .bmp, or .tiff
Optimal size of logo file: less than 40 KB
Optimal size of logo image: 170x70 pixels
To remove brand customizations on encryption email messages and the encryption portal
1. Connect to Exchange Online using Remote PowerShell, as described in Connect to Exchange
Online Using Remote PowerShell.
2. Use the Set-OMEConfiguration cmdlet as described here: Set-OMEConfiguration. To remove your
organization's branded customizations from the DisclaimerText, EmailText, and PortalText values,
set the value to an empty string, "". For all image values, such as Logo, set the value to "$null".
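The branding procedure and its reversal above, wrapped in one function as an added example (not code from the original guide). It assumes an open Exchange Online remote PowerShell session; "OME Configuration" is the identity used in the guide's examples, the text and logo values are placeholders, and the logo is checked against the documented format and size limits before upload.

```powershell
# Added example (not from the original guide): apply or revert OME branding.
function Set-OmeBranding {
    param(
        [string]$Identity = 'OME Configuration',   # identity from the guide's examples
        [string]$EmailText,
        [string]$DisclaimerText,
        [string]$PortalText,
        [string]$LogoPath,                         # optional .png/.jpg/.bmp/.tiff file
        [switch]$Revert                            # reset text to "" and logo to $null
    )

    if ($Revert) {
        # Defaults are restored by empty strings for text and $null for the image
        Set-OMEConfiguration -Identity $Identity -EmailText '' -DisclaimerText '' -PortalText '' -Image $null
        return Get-OMEConfiguration -Identity $Identity
    }

    $params = @{ Identity = $Identity }
    if ($EmailText)      { $params.EmailText      = $EmailText }
    if ($DisclaimerText) { $params.DisclaimerText = $DisclaimerText }
    if ($PortalText)     { $params.PortalText     = $PortalText }

    if ($LogoPath) {
        $file = Get-Item -LiteralPath $LogoPath -ErrorAction Stop
        if ($file.Extension -notin '.png', '.jpg', '.bmp', '.tiff') {
            throw "Unsupported logo format '$($file.Extension)'; use .png, .jpg, .bmp or .tiff"
        }
        if ($file.Length -gt 40KB) {
            Write-Warning "Logo is $([math]::Round($file.Length / 1KB)) KB; the guide recommends under 40 KB"
        }
        # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 7 uses -AsByteStream
        $params.Image = if ($PSVersionTable.PSVersion.Major -ge 6) {
            Get-Content -LiteralPath $LogoPath -AsByteStream -Raw
        } else {
            Get-Content -LiteralPath $LogoPath -Encoding Byte -Raw
        }
    }

    Set-OMEConfiguration @params
    Get-OMEConfiguration -Identity $Identity    # show the resulting configuration
}

# Usage with placeholder values:
# Set-OmeBranding -EmailText 'Encrypted message from ContosoPharma' -LogoPath 'C:\Temp\contosologo.png'
# Set-OmeBranding -Revert
```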
Encryption customization options
To revert this feature of the
encryption experience back
to the default text and
image