Page 1: Encrypt email messages...Office 365 Email Encryption – Setup Guide Define rules to encrypt or decrypt email messages As an administrator, you can create mail flow rules, also known

Office 365 Email Encryption – Setup Guide

Define rules to encrypt or decrypt email messages

As an administrator, you can create mail flow rules, also known as transport rules, to enable Office 365 Message Encryption. This lets you encrypt any outgoing email messages and remove encryption from encrypted messages coming from inside your organization or from replies to encrypted messages sent from your organization. You can use the Exchange admin center (EAC) or Windows PowerShell cmdlets for Exchange Online to create these rules. In addition to overall encryption rules, you can also choose to enable or disable individual message encryption options for end-users.

Encrypt email messages

You can define transport rules for triggering email message encryption by using the EAC or Windows PowerShell cmdlets for Exchange Online.

To create a rule for encrypting email messages by using the EAC

1. From the EAC, go to mail flow > rules > New. If you need help to become familiar with the EAC, see Exchange Admin Center in Exchange Online.

2. Select + > Create a new rule.

3. In Name, type a name for the rule, such as Encrypt mail for [email protected].

4. In Apply this rule if, select a condition, and enter a value if necessary. For example, to encrypt messages going to [email protected]:

a. In Apply this rule if, select the recipient is.

b. Select an existing name from the contact list or type a new email address in the check names box.

To select an existing name, select it from the list and then click OK.

To enter a new name, type an email address in the check names box and then select check names > add > OK.

5. To add more conditions, select add condition and select from the list. For example, to specify that the previous rule applies only if the recipient is outside your organization:

a. Select add condition and then select The recipient is located > Outside the organization.

b. Select OK.

6. To enable encryption, in Do the following, select Modify the message security > Apply Office 365 Message Encryption, and then select Save. You can select add action if you want to specify another action.


To create a rule for encrypting email messages by using PowerShell cmdlets

1. Connect to Office 365 using Remote PowerShell, as described in Connect to Exchange Online using Remote PowerShell.

2. Define a rule with the ApplyOME parameter set to $true. For example, to require that all email messages that are addressed to [email protected] must be encrypted, type:

New-TransportRule "Encrypt rule for drtoniramos" -SentTo "[email protected]" -SentToScope "NotInOrganization" -ApplyOME $true

Where:

This parameter                                      Specifies:
New-TransportRule "Encrypt rule for drtoniramos"    Name of the new rule
-SentTo "[email protected]"                         Condition 1
-SentToScope "NotInOrganization"                    Condition 2
-ApplyOME $true                                     Encrypt the message

Note:

If you get an error message when you try to create an encryption transport rule, verify that Azure Rights Management (RMS) is set up for your organization by following the steps to activate Azure Rights Management from the Office 365 admin center. If you see an option to activate Azure RMS, then it has not been set up yet, and you'll need to activate it in order to use Office 365 Message Encryption.
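The PowerShell procedure above, together with the Azure RMS precheck from the note, as one script. This is an added illustration, not code from the guide or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline is the current replacement for the remote PowerShell session the guide refers to); the admin account, the external recipient address and the keyword rule name are placeholders. It goes one step beyond the page's single rule by also creating the sender-triggered "encrypt in the subject line" rule that the guide describes later under Send an encrypted message, and it reads each rule back instead of trusting that the create call succeeded.

```powershell
# Added example: create the encryption rule from this page, with the Azure RMS precheck
# from the note, and verify what Exchange Online actually stored. Not from the guide.
# Placeholders: admin UPN, recipient address, keyword rule name.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.onmicrosoft.com"   # placeholder admin

# 1. Precheck: Office 365 Message Encryption depends on Azure RMS. Creating a rule with
#    -ApplyOME fails when it is not activated, which is the error the note above describes.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw "Azure RMS is not activated for this tenant. Activate it in the admin center first."
}

# 2. Create (or update) the recipient-scoped rule from the page, idempotently.
$ruleName  = "Encrypt rule for drtoniramos"      # rule name used on this page
$recipient = "recipient@example.com"             # placeholder for the external address
$settings  = @{
    SentTo      = $recipient
    SentToScope = "NotInOrganization"
    ApplyOME    = $true
    Mode        = "Enforce"   # use "Audit" first to log matches without encrypting anything
}
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @settings
} else {
    New-TransportRule -Name $ruleName @settings
}

# 3. Beyond the page's single rule: the sender-triggered variant described later in the
#    guide. A user puts the word "encrypt" in the subject; only external recipients match.
$keywordRule = "Encrypt when subject says encrypt"   # placeholder name
if (-not (Get-TransportRule -Identity $keywordRule -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $keywordRule -SubjectContainsWords "encrypt" `
        -SentToScope "NotInOrganization" -ApplyOME $true -Mode Enforce
}

# 4. Verify the stored rule rather than trusting that the call succeeded.
function Test-OmeEncryptRule {
    param([Parameter(Mandatory)][string]$Name, [string]$ExpectedRecipient)
    $rule   = Get-TransportRule -Identity $Name
    $sentTo = @($rule.SentTo | ForEach-Object { [string]$_ })   # normalise SmtpAddress objects
    [pscustomobject]@{
        Rule         = $Name
        Enabled      = ($rule.State -eq "Enabled")
        AppliesOME   = ($rule.ApplyOME -eq $true)
        ExternalOnly = ($rule.SentToScope -eq "NotInOrganization")
        RecipientOk  = (-not $ExpectedRecipient) -or ($sentTo -contains $ExpectedRecipient)
        Priority     = $rule.Priority          # lower number runs first
    }
}
Test-OmeEncryptRule -Name $ruleName -ExpectedRecipient $recipient | Format-List
Test-OmeEncryptRule -Name $keywordRule | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Run the keyword rule in Audit mode for a while before switching it to Enforce: the subject stays in cleartext either way, so a false match costs nothing, but a missed match means a user believed a message was protected when it was not. The Priority column tells you the order in which Exchange evaluates these rules relative to any other transport rules in the tenant.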

Remove encryption from email replies

When your email users send encrypted messages, recipients of those messages can respond with encrypted replies. You can create transport rules to automatically remove encryption from replies so email users in your organization don’t have to sign in to the encryption portal to view them. You can use the EAC or Windows PowerShell cmdlets to define those rules. You can only decrypt messages that are either sent from within your organization or messages that are replies to messages sent from within your organization. Encrypted messages originating from outside of your organization cannot be decrypted.

To create a rule for removing encryption from email replies by using the EAC

1. From the EAC, go to Mail flow > + > Create a new rule.

2. In Name, type a name for the rule, such as Remove encryption from incoming mail.

3. In Apply this rule if, select the conditions where encryption should be removed from messages, such as The recipient is located > Inside the organization.

4. In Do the following, select Modify the message security > Remove Office 365 Message Encryption.

5. Select Save.

To create a rule to remove encryption from email replies by using PowerShell cmdlets

1. Connect to Exchange Online using Remote PowerShell.

2. Define a rule with the RemoveOME parameter set to $true. For example:

New-TransportRule -Name "Remove encryption from incoming mail" -SentToScope "InOrganization" -RemoveOME $true


Where:

This parameter                                                   Specifies:
New-TransportRule -Name "Remove encryption from incoming mail"   Name of the new rule
-SentToScope "InOrganization"                                    Condition
-RemoveOME $true                                                 Remove encryption from the message
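The decryption rule from the table above, followed by an audit of every rule in the tenant that applies or removes Office 365 Message Encryption. This is an added illustration, not the guide's own code; it assumes an existing Exchange Online session (Connect-ExchangeOnline) with admin rights, and the rule name is the one used on this page. The audit exists because a RemoveOME rule is the one transport rule that widens who can read protected mail, so it deserves a periodic review of its scope and its position in the evaluation order.

```powershell
# Added example: create the RemoveOME rule from this page, then list every OME rule with
# the conditions that bound its effect. Not from the guide. Assumes an EXO session.
$removeRuleName = "Remove encryption from incoming mail"   # name used on this page
if (-not (Get-TransportRule -Identity $removeRuleName -ErrorAction SilentlyContinue)) {
    # Scope to mail delivered inside the organization. OME can only strip encryption from
    # messages that originated inside the org or are replies to such messages, so a wider
    # scope adds no capability and only makes the rule's intent harder to read.
    New-TransportRule -Name $removeRuleName -SentToScope "InOrganization" -RemoveOME $true
}

function Get-OmeRuleReport {
    # One row per transport rule that applies or removes OME, ordered as Exchange evaluates
    # them (lower Priority runs first). Flags any RemoveOME rule that is not scoped to
    # in-organization recipients, which is the setting the page's example relies on.
    Get-TransportRule | Where-Object { $_.ApplyOME -or $_.RemoveOME } | ForEach-Object {
        $warning = ""
        if ($_.RemoveOME -and $_.SentToScope -ne "InOrganization") {
            $warning = "RemoveOME without InOrganization scope: review"
        }
        [pscustomobject]@{
            Priority    = $_.Priority
            Name        = $_.Name
            State       = $_.State
            Action      = if ($_.RemoveOME) { "RemoveOME" } else { "ApplyOME" }
            SentToScope = $_.SentToScope
            SentTo      = (@($_.SentTo | ForEach-Object { [string]$_ }) -join ";")
            Warning     = $warning
        }
    } | Sort-Object Priority
}

Get-OmeRuleReport | Format-Table -AutoSize
```

If the report shows a RemoveOME rule ahead of an ApplyOME rule for overlapping recipients, check whether either rule sets StopRuleProcessing; otherwise both actions are evaluated in priority order on the same message, and the later one decides what the recipient sees.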

Add branding to encrypted messages

As an Exchange Online or Exchange Online Protection administrator, you can apply your company branding to customize the look of your organization’s Office 365 Message Encryption email messages and the contents of the encryption portal. Using Windows PowerShell cmdlets, you can customize the following aspects of the viewing experience for recipients of encrypted email messages:

• Introductory text of the email that contains the encrypted message

• Disclaimer text of the email that contains the encrypted message

• Portal text that will appear in the message viewing portal

• Logo that will appear in the email message and viewing portal

You can also revert back to the default look and feel at any time.

The following example shows a custom logo for ContosoPharma in the email attachment:


To customize encryption email messages and the encryption portal with your organization’s brand

1. Connect to Exchange Online using Remote PowerShell, as described in Connect to Exchange Online Using Remote PowerShell.

2. Use the Set-OMEConfiguration cmdlet as described here: Set-OMEConfiguration, or use the following table for guidance.


Encryption customization options

To customize this feature of the encryption experience    Use these Windows PowerShell commands

Default text that accompanies encrypted email messages (the default text appears above the instructions for viewing encrypted messages)
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<string of up to 1024 characters>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system"

Disclaimer statement in the email that contains the encrypted message
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -DisclaimerText "<your disclaimer statement, string of up to 1024 characters>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential for the use of the addressee only"

Text that appears at the top of the encrypted mail viewing portal
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<text for your portal, string of up to 128 characters>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -PortalText "ContosoPharma secure email portal"

Logo
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <Byte[]>
    Example: Set-OMEConfiguration -Identity "OME Configuration" -Image (Get-Content "C:\Temp\contosologo.png" -Encoding byte)
    Supported file formats: .png, .jpg, .bmp, or .tiff
    Optimal size of logo file: less than 40 KB
    Optimal size of logo image: 170x70 pixels
    Note: Get-Content -Encoding byte exists only in Windows PowerShell. In PowerShell 7 and later, read the file with Get-Content -AsByteStream or [System.IO.File]::ReadAllBytes() instead.
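The branding step as a single function that checks each input against the limits stated in the table before it calls Set-OMEConfiguration, then reads the configuration back. This is an added illustration, not code from the guide. It assumes an existing Exchange Online session; the logo path, the text values and the function names are placeholders. The dimension check uses System.Drawing, which is available on Windows; on other platforms it degrades to a warning and the upload still proceeds.

```powershell
# Added example: validate branding inputs against the limits in the table above, apply
# them with Set-OMEConfiguration, and read back what recipients will now see. Not from
# the guide. Placeholders: logo path, text values, function names.

function Get-OmeLogoBytes {
    # Checks format, file size and pixel size against the table's recommendations,
    # then returns the bytes Set-OMEConfiguration -Image expects.
    param([Parameter(Mandatory)][string]$Path)
    $file    = Get-Item -LiteralPath $Path
    $allowed = ".png", ".jpg", ".bmp", ".tiff"
    if ($file.Extension.ToLower() -notin $allowed) {
        throw "Unsupported logo format '$($file.Extension)'; use .png, .jpg, .bmp or .tiff"
    }
    if ($file.Length -ge 40KB) {
        Write-Warning "Logo is $([int]($file.Length / 1KB)) KB; the guide recommends under 40 KB"
    }
    try {
        Add-Type -AssemblyName System.Drawing          # Windows only
        $img = [System.Drawing.Image]::FromFile($file.FullName)
        if ($img.Width -ne 170 -or $img.Height -ne 70) {
            Write-Warning "Logo is $($img.Width)x$($img.Height) px; recommended size is 170x70"
        }
        $img.Dispose()
    } catch {
        Write-Warning "Could not inspect image dimensions: $_"
    }
    # ReadAllBytes works in Windows PowerShell 5.1 and PowerShell 7 alike, unlike -Encoding byte.
    return [System.IO.File]::ReadAllBytes($file.FullName)
}

function Set-OmeBranding {
    param(
        [string]$EmailText,
        [string]$DisclaimerText,
        [string]$PortalText,
        [string]$LogoPath,
        [string]$Identity = "OME Configuration"   # identity used in the table's examples
    )
    # Length limits from the table; the service would reject these anyway, but failing
    # locally gives a clearer error and avoids a half-applied configuration.
    if ($EmailText.Length      -gt 1024) { throw "EmailText exceeds 1024 characters" }
    if ($DisclaimerText.Length -gt 1024) { throw "DisclaimerText exceeds 1024 characters" }
    if ($PortalText.Length     -gt 128)  { throw "PortalText exceeds 128 characters" }

    $params = @{ Identity = $Identity }
    if ($EmailText)      { $params.EmailText      = $EmailText }
    if ($DisclaimerText) { $params.DisclaimerText = $DisclaimerText }
    if ($PortalText)     { $params.PortalText     = $PortalText }
    if ($LogoPath)       { $params.Image          = Get-OmeLogoBytes -Path $LogoPath }
    Set-OMEConfiguration @params

    # Read back the live configuration rather than echoing the inputs.
    Get-OMEConfiguration -Identity $Identity |
        Select-Object Identity, EmailText, DisclaimerText, PortalText,
            @{ n = "ImageBytes"; e = { if ($_.Image) { $_.Image.Length } else { 0 } } }
}

Set-OmeBranding -EmailText "Encrypted message from ContosoPharma secure messaging system" `
    -DisclaimerText "This message is confidential for the use of the addressee only" `
    -PortalText "ContosoPharma secure email portal" `
    -LogoPath "C:\Temp\contosologo.png"
```

Keep the logo and text under version control alongside the rest of your tenant configuration: the read-back at the end is what you diff against after the next change, and it is also how you confirm that a revert (the empty-string and $null values described below) actually took effect.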


To remove brand customizations on encryption email messages and the encryption portal

1. Connect to Exchange Online using Remote PowerShell, as described in Connect to Exchange Online Using Remote PowerShell.

2. Use the Set-OMEConfiguration cmdlet as described here: Set-OMEConfiguration. To remove your organization's branded customizations from the DisclaimerText, EmailText, and PortalText values, set the value to an empty string, "". For all image values, such as Logo, set the value to $null.

Encryption customization options

To revert this feature of the encryption experience back to the default text and image    Use these Windows PowerShell commands

Default text that accompanies encrypted email messages (the default text appears above the instructions for viewing encrypted messages)
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<empty string>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -EmailText ""

Disclaimer statement in the email that contains the encrypted message
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -DisclaimerText "<empty string>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText ""

Text that appears at the top of the encrypted mail viewing portal
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<empty string>"
    Example reverting back to default: Set-OMEConfiguration -Identity "OME Configuration" -PortalText ""

Logo
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image $null
    Example reverting back to default: Set-OMEConfiguration -Identity "OME Configuration" -Image $null


Send, view, and reply to encrypted messages

A message that is encrypted by Office 365 Message Encryption is delivered to a recipient’s inbox just like any other email message, but it contains an HTML file attachment. After opening the attachment, the recipient can sign in or use a one-time passcode to view the message on the Office 365 Message Encryption portal. The email includes instructions for viewing the encrypted message, as in the following example (the attachment is highlighted):

Send an encrypted message

There are two primary ways to send encrypted messages. You can set up admin-defined encryption rules, as described in Define rules to encrypt or decrypt email messages, which automatically encrypt messages meeting certain criteria. For instance, you can create a rule that encrypts all messages sent outside your organization. (In this case, the sender doesn’t have to take extra steps to encrypt the message.) Alternatively, you can create a rule that gives the sender the ability to encrypt messages at will. For example, a rule can initiate encryption for each message where the sender adds “encrypt” to the subject line.

View and reply to an encrypted message

An encrypted email message arrives in the recipient’s inbox with an HTML attachment. After opening the attachment, recipients see instructions for opening and viewing the message. Regardless of their type of email service, the experience is the same. The recipient can choose to sign in with a work account associated with Office 365 or with a Microsoft account. Alternatively, the recipient can choose to use a one-time passcode if, for example, they don't have a work account or a Microsoft account and don’t want to create a new Microsoft account. To learn more, see Use a one-time passcode to view an encrypted message.

An administrator can set a rule to automatically decrypt replies. This means that the recipients of your reply don’t have to sign in to the encryption portal to view the message. To learn about setting this rule, go to Define rules to encrypt or decrypt email messages.

To view an encrypted message using a Microsoft account

1. Follow the instructions in the email message to save the attachment.

2. Open the message.html file and select Sign in.


Tip:

If a message appears that asks if you want to submit information to an external page, choose OK. You may also need to allow pop-ups, if your web browser blocks them.

3. Sign in to the encryption portal with a Microsoft account, as instructed in the message. If you don’t have a Microsoft account, you can choose the option to create one associated with your email address. (You’ll have to fill out a form and complete a verification step.) In order to view the encrypted message, the email address for the Microsoft account must match the address to which the encrypted message was sent.

If you’re already signed in, you won’t have to sign in again.

4. After signing in, you can view the contents of the encrypted message.


Note:

If you are inactive for more than 15 minutes, you are automatically signed out of the encryption portal.

To reply to an encrypted message

1. Choose Reply or Reply All.

2. On the page that appears, type a reply and choose Send. An encrypted copy of your reply message is sent to you.

Office 365 Message Encryption FAQ

Got questions about Office 365 Message Encryption? Here are some answers. If you can’t find what you need, check the Office 365 community forums at Office 365 community.

Q. My users send encrypted email messages to recipients outside our organization. Is there anything that external recipients have to do in order to read and reply to email messages that are encrypted with Office 365 Message Encryption?

Recipients outside your organization who receive Office 365 encrypted messages can view them in one of two ways:

• By signing in with a Microsoft account or a work or school account associated with Office 365. For details, see Send, view, and reply to encrypted messages.

• By using a one-time passcode. To learn more, see Use a one-time passcode to view an encrypted message.

Q. Are Office 365 encrypted messages stored in the cloud or on Microsoft servers?

No, the encrypted messages are kept on the recipient’s email system, and when the recipient opens the message, it is temporarily posted for viewing on Office 365 servers. The messages are not stored there.

Q. Can I customize encrypted email messages with my brand?

Yes. You can use Windows PowerShell cmdlets to customize the default text that appears at the top of encrypted email messages, the disclaimer text, and the logo that you want to use for the email message and the encryption portal. For details, see Add branding to encrypted messages.


Q. Is there a trial version of Office 365 Message Encryption available?

Office 365 Message Encryption is included with Microsoft Azure Rights Management (Azure RMS). You can sign up for a 30-day trial of the service from the Office 365 Rights Management trial portal here: Azure Rights Management plan. In order to use Office 365 Message Encryption, you must meet the following criteria:

• If using Office 365, you need to have a plan that includes Azure RMS or can support Azure RMS purchased separately. To learn which plans include Azure RMS, see Office 365 Plan Options.

• If using on-premises mailboxes, you must route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail flow.

Q. I am using Exchange 2013. Will Office 365 Message Encryption be made available to me?

Yes, as long as you route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail flow. You can purchase Azure RMS and then configure rules to encrypt email using Office 365 Message Encryption.

Q. How can I purchase Office 365 Message Encryption?

Office 365 Message Encryption is available as part of Microsoft Azure Rights Management (Azure RMS). Office 365 Enterprise E3 and Office 365 Enterprise E4 users already have Azure RMS as part of their subscriptions. Other Office 365 plans don’t include Azure RMS, but some support it as an add-on, purchased separately on a per-user basis. To learn which plans support Azure RMS as an add-on, see Office 365 Plan Options.

On-premises customers can gain access to Office 365 Message Encryption by purchasing Azure RMS on a per-user basis. Additionally, on-premises customers must route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail flow.

Q. Does the service require a license for every user in my organization?

A license is required for every user in the organization who sends encrypted email.

Q. Do external recipients require subscriptions?

No, external recipients do not require a subscription to read or reply to encrypted messages.

Q. Will Office 365 Message Encryption be available in Office 365 Dedicated?

Yes. You must first purchase Exchange Online Protection (EOP) and configure mail flow via EOP. Once that is done, customers can purchase Azure RMS and configure rules to encrypt email.

Q. How is Office 365 Message Encryption different from Rights Management Services (RMS)?

RMS provides Information Rights Protection capabilities for an organization’s internal emails by providing built-in templates, such as: Do not forward and Company Confidential. Office 365 Message Encryption supports email message encryption for messages that are sent to external recipients as well as internal recipients.

Q. How is Office 365 Message Encryption different from S/MIME?

S/MIME is essentially a client-side encryption technology, and requires complicated certificate management and publishing infrastructure. Office 365 Message Encryption uses transport rules and does not depend on certificate publishing. The trade-off is where the trust boundary sits: S/MIME encrypts end to end between the sender’s and the recipient’s mail clients, whereas Office 365 Message Encryption is applied by the service after the message has left the sender’s client, so the service (and any transport rule that removes encryption) handles the message in the clear.

Q. How does Office 365 Message Encryption work?

Visit Encryption in Office 365.


Q. Can I read the encrypted messages over mobile devices?

Yes, you can view messages on Android and iOS by downloading the OME Viewer apps from the Google Play store and the Apple App store. Open the HTML attachment in the OME Viewer app and then follow the instructions to open your encrypted message. For other mobile devices, you can open the HTML attachment as long as your mail client supports Form Post.

Q. Are replies and forwarded messages encrypted?

Yes. Responses continue to be encrypted throughout the duration of the thread.

Q. Does Office 365 Message Encryption provide localization?

Incoming email and HTML content is localized based on sender email settings. The viewing portal is localized based on the recipient's browser settings. However, the actual body (content) of the encrypted message isn't localized.

Q. What encryption method is used for Office 365 Message Encryption?

Office 365 Message Encryption uses Rights Management Services (RMS) as its encryption infrastructure. The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt messages.

• If you use Microsoft Azure RMS to obtain the keys, Cryptographic Mode 2 is used. Cryptographic Mode 2 is an updated and enhanced AD RMS cryptographic implementation. It supports RSA 2048 for signature and encryption, and supports SHA-256 for signature.

• If you use Active Directory (AD) RMS to obtain the keys, either Cryptographic Mode 1 or Cryptographic Mode 2 is used. The method used depends on your on-premises AD RMS deployment. Cryptographic Mode 1 is the original AD RMS cryptographic implementation. It supports RSA 1024 for signature and encryption, and supports SHA-1 for signature. This mode continues to be supported by all current versions of RMS, but RSA 1024 and SHA-1 fall below current minimum key-length and hash-strength recommendations, so an AD RMS deployment that still runs in Mode 1 should be upgraded to Mode 2 before its keys are used for Office 365 Message Encryption.

For more information, see AD RMS Cryptographic Modes.

Q. Why do some encrypted messages say they come from [email protected]?

When an encrypted reply is sent from the encryption portal or through the OME Viewer app, the sending email address is set to [email protected] because the encrypted message is sent through a Microsoft endpoint. This helps to prevent encrypted messages from being marked as spam. The displayed name on the email and the address within the encryption portal aren't changed because of this labeling. Also, this labeling only applies to messages sent through the portal, not through any other email client.

Q. I am an Exchange Hosted Encryption (EHE) subscriber. Where can I learn more about the upgrade to Office 365 Message Encryption?

All EHE customers have been upgraded to Office 365 Message Encryption. For more information, visit the Exchange Hosted Encryption Upgrade Center.

Q. Do I need to open any URLs, IP addresses, or ports in my organization’s firewall to support Office 365 Message Encryption?

Yes. You have to add URLs for Exchange Online to the allow list for your organization to enable authentication for messages encrypted by Office 365 Message Encryption. For a list of Exchange Online URLs, see Office 365 URLs and IP address ranges.


Q. How many recipients can I send an Office 365 encrypted message to?

The recipient limit for an encrypted message is based on the number of characters in the message’s To field. When combined (after distribution list expansion), recipient addresses in the To field should not exceed 11,980 characters. Because email addresses can vary in character length, there isn’t a standard recipient limit for a single encrypted message.

Q. Is it possible to revoke a message sent to a particular recipient?

No. You can’t revoke a message to a particular person after it’s sent.

Q. Can I view a report of encrypted messages that have been received and read?

There isn’t a report that shows if an encrypted message has been viewed, but there are Office 365 reports available that you can leverage to determine the number of messages that matched a specific transport rule, for instance.

Q. What does Microsoft do with the information I provide through the OME Portal and the OME Viewer App?

The Office 365 Messaging Encryption Portal and Viewer App privacy statement provides detailed information about what Microsoft does and doesn't do with your private information.

