How to use Office 365 Message Encryption to protect emails sent externally

Email encryption provides additional layer of information security by making sure only intended recipients can read messages. If you are looking for a user-friendly email encryption solution for your Microsoft 365 organization, there is a native tool for that – Office 365 Message Encryption. From the user’s perspective, it is the easiest to use: it can be configured so that it does not require any additional actions on their part. From the recipient’s perspective, this form of email encryption works seamlessly with Microsoft 365 accounts and offers an intuitive experience for all other email clients and email service providers. Read on to learn how to create a Microsoft 365 sensitivity label and use it in a transport rule to encrypt emails and files.

How to encrypt Office365 emails sent externally

How encryption in Microsoft 365 works

Office 365 Message Encryption is a service that is integrated with Microsoft’s email clients (Outlook desktop, Outlook for Mac, Outlook mobile on iOS and Android, and Outlook on the web). It has a number of features and configuration options, but here I will focus on how to automatically encrypt emails sent outside your organization by members of a specific group (the Legal Team).

In this scenario, a message is encrypted as it is sent (before it leaves your Microsoft 365 organization) and the sender does not have to do anything. When the encrypted message reaches its intended recipient, they will be asked to authenticate to open the message contents. If the recipient is signed-in to their Microsoft 365 or on-premises Exchange account and is using one of Microsoft’s email clients, they do not need to take any additional actions. The message will open as usual but will contain information that it has been encrypted (the same applies to email attachments). If the recipient is using one of the other supported email clients such as Gmail, Yahoo! or, they will receive a wrapper email, which will direct them to the Office 365 Message Encryption Portal (OME Portal), where they will be asked to authenticate. The required authentication method depends on the email client and may require following a link to re-send the user’s credentials or entering a one-time code that can be sent to the recipient in a separate message. For some email clients, opening an encrypted message might require manually entering Microsoft account credentials or using a one-time code to open the message in the OME Portal.

This article shows you how an admin can use Office 365 Message Encryption to encrypt emails without user interaction. There is also a mechanism that allows a user to encrypt emails when composing them in the Outlook desktop app or in Outlook on the web. Read this Microsoft article to learn more.


Office 365 Encryption is based on Azure Rights Management Service (Azure RMS) – part of Azure Information Protection – so you need to have a Microsoft 365 / Office 365 plan that supports it (as of May 2021, it’s the Enterprise E3 plan or higher) or you need to purchase Azure Information Protection Plan 1 separately for users who will use email encryption in your organization. Make sure to check the current Microsoft requirements here.

Before you start using Office 365 Message Encryption, verify if the Azure Rights Management Service is active in your organization as discussed in this Microsoft article.

Labels and policies required to configure Office 365 Message Encryption were previously managed in the Azure portal, but this solution reached end-of-life on April 1, 2021. Sensitivity labels are now managed in the Microsoft 365 compliance center, but you may have to deploy the unified labeling client across your organization as discussed in this Microsoft article.


Setting up Office 365 Encryption to encrypt emails sent externally is relatively easy. You will do this in two steps. First, configure a sensitivity label to apply the encryption. Then, create a transport rule that will apply this label to outgoing messages sent by members of a selected group of users.

Configure a sensitivity label

For the purpose of this article, I will create a new sensitivity label that will apply encryption to emails and files attached to them. You can skip this section if you already have sensitivity labels and policies in place in your organization or if you want to use a default label created by Microsoft.

To create a new label:

  1. Go to the Microsoft 365 compliance center and open Information protection > Labels from the menu on the left (expand the menu by pressing Show all if you do not see the links).
  2. Open the Labels tab and click Create a label. This will open the New sensitivity label wizard.
  3. Use the fields provided in the Name & description step to enter the name of the label and additional information. The information in the Display name and Description for users fields will be visible to email recipients so make the description clear and concise. Click Next to move to the next step.
Creating a sensitivity label - name and description
  1. In the Scope step of the wizard, select Files & emails and confirm by clicking Next.
  2. In the Files & emails step, select Encrypt files and emails and leave the Mark the content of files unselected.
  3. In the Encryption step, select Configure encryption settings. Select Assign permissions now, and then select Never in the User access to content expires and Always in the Allow offline access drop-down menus, as shown in the screen below.
Creating a sensitivity label - encryption
  1. Click the Assign permissions link (the blue link visible in the screen above) and in the pane that opens click Add any authenticated users (see the screen below). Permissions set in this step control who can open the email and its attachments. The setting I selected will allow users from outside your organization to access and open messages and their attachments when they are authenticated.
  2. While in the same pane, click Choose permissions (see the screen below) and select a permission level. The permission level controls what the user can do with the email and its attachments. In this example, I set the Co-Author permissions level that does not impose many restrictions. Click Save to confirm and close the pane.
Creating a sensitivity label - permissions
  1. In the next step, Auto-labelling, you can set up Microsoft 365 to apply this label if it detects that the email or file contains specific types of information such as account number, passport number or other private information. In this example it is not necessary because I want the transport rule to control when this label is applied, so turn this feature Off using the toggle.
  2. Since I have selected to use this label with emails and files only, I will not be able to modify information in the Groups & sites and Azure Purview assets (preview) steps.
  3. In the Finish step you can review the label configuration and make changes as needed. When you are ready, click the Create label button.

Creating a label can take several seconds and when it is complete, you will receive a notification. Click Done to confirm and close the wizard. Note that it may take up to 24 hours for the new label to propagate, so you might need to wait before you can perform the steps described further in this article.

Configure a transport rule to apply encryption to emails sent externally

When the label is ready, I will use it to create a transport rule that will automatically apply encryption to emails sent outside the organization by members of a selected group. There is a number of ways in which you can define the scope of senders whose emails will be encrypted. The important thing to remember is to define all conditions and exceptions in the transport rule as it controls if the label is applied. To do so:

  1. Open the Exchange admin center and go to Mail flow > Rules.
  2. Click the New button and select Apply Office 365 Message Encryption and rights protection to messages.
  3. Name the new rule e.g. External email encryption.
  4. In the Apply this rule if drop-down menu choose The recipient > Is internal/external and select Outside the organization. Confirm by clicking OK.
  5. Click add condition and select The sender > is a member of this group from the drop-down menu. In the window that opens select the group whose members will have their emails encrypted (in this example Legal Team), click add and confirm by clicking OK.
  6. In the Do the following menu make sure that Apply Office 365 Message Encryption and rights protection to messages is selected. Then click the Select one link on the right and select the sensitivity label you have created in the previous steps (or the default label or another existing label of your choice). In this case, I chose External email encryption.
  7. Click Save to create the new transport rule.
Creating a transport rule for emails sent externally

As soon as the new rule is created, every email that is sent by a member of the selected group (Legal Team) to a recipient outside the organization will be automatically encrypted using Office 365 Message Encryption.

Tools for Microsoft 365

3 thoughts on “How to use Office 365 Message Encryption to protect emails sent externally

  1. “I’ve followed the steps and all looks right but when choosing RMS template in he mail transport rules, all I see are the default RMS templates. I’ve waited 24 hours and my custom label doesnt’ show in the drop down.”
    me the same

  2. Hi there,

    I’ve followed the steps and all looks right but when choosing RMS template in he mail transport rules, all I see are the default RMS templates. I’ve waited 24 hours and my custom label doesnt’ show in the drop down.


Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.