How to use Office 365 Message Encryption to protect emails sent externally

[Update]: The article was updated on March 26, 2024 to reflect the latest developments in Microsoft 365 message encryption, e.g. licensing requirements.

Email encryption provides an additional layer of information security by making sure only the intended recipients can read messages. If you are looking for a user-friendly email encryption solution for your Microsoft 365 organization, there is a native tool for that: Office 365 Message Encryption (OME). Although the OME name is still in common use, the official, up-to-date name is Microsoft Purview Message Encryption. The two are not quite the same, since the legacy OME service was retired on July 1, 2023, but, as with most name changes, "OME" will probably be used for a long time to come, so I use the names interchangeably. From the sender's perspective, OME is the easiest encryption method to use: it can be configured so that it does not require any action on their part. From the recipient's perspective, it works seamlessly with Microsoft 365 accounts and offers an intuitive experience in all other email clients and with other email service providers. Read on to learn how to create a Microsoft 365 sensitivity label and use it in a transport rule to encrypt emails and their attachments.

Or take a look at our complete guide to sensitivity labels in Microsoft 365


How encryption in Microsoft 365 works

Office 365 Message Encryption is a service that is integrated with Microsoft’s email clients (Outlook desktop, Outlook for Mac, Outlook mobile on iOS and Android, and Outlook on the web). It has a number of features and configuration options, but here I will focus on how to automatically encrypt emails sent outside your organization by members of a specific group (the Legal Team).

In this scenario, a message is encrypted as it is sent (before it leaves your Microsoft 365 organization) and the sender does not have to do anything. When the encrypted message reaches its intended recipient, they are asked to authenticate before the message content is shown. If the recipient is signed in to their Microsoft 365 or on-premises Exchange account and uses one of Microsoft's email clients, no additional action is needed: the message opens as usual but carries a notice that it has been encrypted (the same applies to its attachments). If the recipient uses another email service such as Gmail, Yahoo! or Outlook.com, they receive a wrapper email (the "envelope") that directs them to the Office 365 Message Encryption Portal (OME Portal), where they have to authenticate. Depending on the email provider, that means signing in with a Microsoft, Google or Yahoo! account, or entering a one-time passcode that is sent to the recipient's mailbox in a separate message.

This article shows you how an admin can use Microsoft Purview Message Encryption (or Office 365 Message Encryption, or OME) to encrypt emails without user interaction. There is also a mechanism that allows a user to encrypt emails when composing them in the Outlook desktop app or in Outlook on the web. Read this Microsoft article to learn more.

But before I dive into the specific setup steps, let's first look at what exactly is supported by sensitivity labels, the underlying mechanism for protecting the contents of your emails.

File types supported by sensitivity labels

Sensitivity labels are crucial to ensuring the safety of your data. There are three levels of support.

Full support

Some file types, like .docx, let you manage sensitivity labels directly in the Office app.

  • Word documents: DOCX, DOCM
  • Workbooks: XLSX, XLSM, XLSB
  • Slide shows: PPTX, PPSX

Partial support

Other types (like the old Word 97-2003 .doc) do not let you manage labels from within an Office app, but labels can still be applied to them, so their contents can be protected against copying and screen capture.

  • Word documents: DOC, DOT, DOTX, DOTM
  • Workbooks: XLS, XLT, XLC, XLW, XLTX, XLTM, XLAM
  • Slide shows: PPT, POT, PPS, PPA, PPSXM, POTX, PPAM, PPTM, POTM, PPSM
  • PDF: PDFs are a special case. Labels are carried over to PDFs created from Word, Excel or PowerPoint, but not in all cases. If you use Save, Export or Send as copy, the label is kept and limits access to the file; printing to PDF or using some add-ins removes the label.

No support

No support at all, which means you cannot protect these file types with sensitivity labels. This covers everything not listed above; obvious examples are TXT files and all kinds of image files. To benefit from label protection, you can always copy the contents of such a file into a .docx file and apply the label there.

Back to setting up Microsoft 365 Message Encryption.

Preconditions

Microsoft 365 message encryption is based on the Azure Rights Management Service (Azure RMS), part of Azure Information Protection (AIP), so you need a Microsoft 365 / Office 365 plan that includes it. The plans that support AIP include A3, A5, E3, E5, F1, F3 and F5. It used to be possible to combine any other plan with the Azure Information Protection Plan 1 add-on, but that add-on is retired as of April 15, 2024. Make sure to check the current Microsoft requirements here.

Before you start using Office 365 Message Encryption, verify if the Azure Rights Management Service is active in your organization as discussed in this Microsoft article.
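As an added example (not from the original article), here is how to run that check from Exchange Online PowerShell instead of the portal. It assumes the ExchangeOnlineManagement module is installed, and admin@contoso.com and alice@contoso.com are placeholder accounts for your tenant.

```powershell
# Added example (not from the original article): verify that Azure Rights
# Management is usable from Exchange Online before relying on message
# encryption. Requires the ExchangeOnlineManagement module; the account
# names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Is Azure RMS enabled for Exchange Online? AzureRMSLicensingEnabled
#    must be True, otherwise mail flow rules cannot apply protection.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Write-Warning 'Azure RMS is not enabled for Exchange Online; enabling it now.'
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

# 2. End-to-end check on behalf of a sender: Exchange tries to fetch the
#    RMS templates and to protect a message. Look for OverallResult: PASS.
Test-IRMConfiguration -Sender alice@contoso.com | Format-List

# 3. Which templates does Exchange currently see? Built-in ones (Encrypt,
#    Do Not Forward) plus sensitivity labels that apply admin-defined
#    encryption. A mail flow rule can only pick from this list.
Get-RMSTemplate | Format-Table Name, Description -AutoSize
```

If AzureRMSLicensingEnabled was False, the Set-IRMConfiguration call turns it on, but the tenant still needs the Azure RMS service activated and a plan that includes it; a Test-IRMConfiguration that still fails afterwards points at activation or licensing rather than at Exchange settings.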

Labels and policies required to configure Office 365 Message Encryption were previously managed in the Azure portal, but that option reached end of life on April 1, 2021. Sensitivity labels are now managed in the Microsoft Purview compliance portal, although you may still have to deploy the unified labeling client across your organization, as discussed in this Microsoft article.

Setup

Setting up Microsoft Purview Message Encryption to encrypt emails sent externally is relatively easy. You will do this in two steps. First, configure a sensitivity label to apply the encryption. Then, create a transport rule that will apply this label to outgoing messages sent by members of a selected group of users.

Configure a sensitivity label

For the purpose of this article, I will create a new sensitivity label that will apply encryption to emails and files attached to them. You can skip this section if you already have sensitivity labels and policies in place in your organization or if you want to use a default label created by Microsoft.

To create a new label:

  1. Go to the Microsoft Purview compliance portal and open Information protection from the menu on the left.
  2. Open the Labels tab and click Create a label. This will open the New sensitivity label wizard.
  3. Use the fields provided in the Name & description step to enter the name of the label and additional information. The information in the Display name and Description for users fields will be visible to email recipients, so make the description clear and concise. Click Next to move to the next step.
Creating a sensitivity label - name and description
  4. In the Scope step of the wizard, select Items and confirm by clicking Next.
  5. In the Items step, select Encrypt items and leave Mark items unselected.
  6. In the Encryption step, select Configure encryption settings. Select Assign permissions now, and then select Never in the User access to content expires drop-down menu and Always in the Allow offline access drop-down menu, as shown in the screen below. Note that Always is the most permissive offline setting: the use license never expires, so a recipient who has opened the message once can keep opening it offline indefinitely. If you want recipients to reconnect and re-authenticate periodically, choose a number of days instead.
Creating a sensitivity label - encryption
  7. Click the Assign permissions link (the blue link visible in the screen above) and in the pane that opens click Add any authenticated users (see the screen below). Permissions set in this step control who can open the email and its attachments. The setting I selected will allow users from outside your organization to access and open messages and their attachments once they are authenticated. Keep in mind that this setting does not restrict who can open the content: anyone who receives the message, including by forwarding, and can authenticate (for external recipients, a one-time passcode sent to their mailbox is enough) will be able to open it. It keeps the content encrypted and lets you restrict what recipients can do with it, not who they are. If you need to limit the audience, add specific users, groups or domains instead.
  8. While in the same pane, click Choose permissions (see the screen below) and select a permission level. The permission level controls what the user can do with the email and its attachments. In this example, I set the Co-Author permission level, which does not impose many restrictions (recipients can edit, print, copy and forward). Click Save to confirm and close the pane.
Creating a sensitivity label - permissions
  9. In the next step, Auto-labeling for files and emails, it is possible to set up Microsoft 365 to apply this label if it detects that the email or file contains specific types of information such as an account number, a passport number or other private information. In this example it is not necessary, because I want the transport rule to control when this label is applied, so I make sure this feature is turned Off.
  10. Since I have selected to use this label with emails and files only, I will not be able to modify information in the Groups & sites and Schematized data assets (preview) steps.
  11. In the Finish step you can review the label configuration and make changes as needed. When you are ready, click the Create label button.

Note: Creating a label can take several seconds and when it is complete, you will receive a confirmation.

Creating a sensitivity label - publishing

From here, you can publish your label via a new label policy, skip this step and create a new policy later, or add the label to an existing label policy. In this scenario, the new label is meant for a specific group (the Legal Team) and should be applied automatically by a transport rule to emails sent externally. I will publish it by creating a new label policy (specific to members of the Legal Team) to make it available for selection in the transport rule creation wizard.

  1. Select Publish label to users’ apps and click Done. This will trigger the policy creation wizard.
  2. In the first step, click the Choose sensitivity labels to publish link and select your label. Click Add and proceed by clicking Next.
  3. In the Users and groups step, narrow down the scope to the Legal Team by clicking the Choose user or group link and selecting the group in the pane that opens.
  4. In the next four steps of the wizard, you can modify general policy settings (e.g., you can require the users to provide a justification before removing the label or lowering its classification) and set a default label for documents, emails and Power BI content. Once done, proceed to the penultimate step.
  5. Name your label policy (you can also provide a description with more information) and click Next.
  6. Finally, review the provided details and click the Submit button to publish the policy and close the wizard.

Note that it may take up to 24 hours for the new label to propagate, so you might need to wait before you can perform the steps described further in this article.

Configure a transport rule to apply encryption to emails sent externally

When the label is published, I will use it to create a transport rule that will automatically apply encryption to emails sent outside the organization by members of a selected group. There are a number of ways in which you can define the scope of senders whose emails will be encrypted. The important thing to remember is to define all conditions and exceptions in the transport rule, since it alone controls when the label is applied. To do so:

  1. Open the Exchange admin center and go to Mail flow > Rules.
  2. Click the Add a rule button and select Apply Office 365 Message Encryption and rights protection to messages.
  3. Name the new rule, e.g. External email encryption.
  4. In the Apply this rule if section, choose The recipient > Is internal/external and select Outside the organization. Confirm by clicking Save.
  5. Click the + icon to add another condition and select The sender > is a member of this group from the drop-down menu. In the pane that opens, select the group whose members will have their emails encrypted (in this example Legal Team) and confirm by clicking Save.

    Note: Microsoft 365 groups can’t be selected by choosing them from the list. The only way to add a group of this type is to enter/paste its full email address in the search box and press Enter.

  6. In the Do the following section, make sure that Modify the message security > Apply Office 365 Message Encryption and rights protection is selected. Then click the Select one link below and select the sensitivity label you created in the previous steps (or the default label or another existing label of your choice). In this case, I chose External email encryption. Only labels that apply encryption with admin-defined permissions (Assign permissions now) appear in this list, next to the built-in templates such as Encrypt and Do Not Forward; a label that lets users assign permissions themselves will not be offered here.
Creating a transport rule for emails sent externally
  7. Complete the remaining steps of the rule creation wizard. Review your rule settings and click Finish to create the new transport rule.
  8. Once created, the mail flow rule is disabled by default. Select it from the rules list and use the toggle to enable the rule.
Enabling the created transport rule

As soon as the new rule is enabled, every email that is sent by a member of the selected group (Legal Team) to a recipient outside the organization will be automatically encrypted using Office 365 Message Encryption.
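The whole setup above, scripted end to end, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module, an administrator account with Security & Compliance and Exchange Online rights (admin@contoso.com), and that legal@contoso.com is the address of the Legal Team as a mail-enabled security group; the label, policy and rule names are the ones used in this article. The rights string reproduces the Co-Author level; the AuthenticatedUsers identity and -1 for the Always offline setting are assumptions to verify against the current New-Label documentation before you run this.

```powershell
# Added example (not from the original article): create the label, the label
# policy and the mail flow rule from PowerShell. Account and group addresses
# are placeholders; AuthenticatedUsers and -1 (= Always) are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   -UserPrincipalName admin@contoso.com   # Security & Compliance
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com  # Exchange Online

$labelName = 'External email encryption'
$legalTeam = 'legal@contoso.com'

# --- Step 1: sensitivity label that encrypts emails and attachments ----------
# Rights correspond to the Co-Author level picked in the wizard; expiry Never,
# offline access Always, granted to any authenticated user.
New-Label -Name $labelName `
    -DisplayName $labelName `
    -Tooltip 'Encrypts email and attachments sent outside the organization.' `
    -ContentType 'File, Email' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays -1 `
    -EncryptionRightsDefinitions 'AuthenticatedUsers:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

# Publish the label to the Legal Team only. For a Microsoft 365 group use
# -ModernGroupLocation instead of -ExchangeLocation.
New-LabelPolicy -Name 'Legal Team encryption' `
    -Labels $labelName `
    -ExchangeLocation $legalTeam

# --- Step 2: mail flow rule --------------------------------------------------
# Exchange sees the label as an RMS template under the label name. If it is
# not listed yet, replication (up to 24 h) has not finished: stop here.
if (-not (Get-RMSTemplate | Where-Object Name -eq $labelName)) {
    throw "Template '$labelName' is not visible to Exchange yet; try again later."
}

# Conditions: recipient outside the organization AND sender in Legal Team.
# Created disabled, like in the admin center, so it can be reviewed first.
New-TransportRule -Name 'External email encryption' `
    -SentToScope NotInOrganization `
    -FromMemberOf $legalTeam `
    -ApplyRightsProtectionTemplate $labelName `
    -Enabled $false

Get-TransportRule 'External email encryption' |
    Format-List Name, State, SentToScope, FromMemberOf, ApplyRightsProtectionTemplate

# Enable only after the review above looks right.
Enable-TransportRule 'External email encryption'
```

The Get-RMSTemplate guard is the check to run when a freshly created label does not show up in the rule wizard: if the label is missing from that list, the cause is either replication delay or a label configured without admin-defined permissions, not the rule itself.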


5 thoughts on “How to use Office 365 Message Encryption to protect emails sent externally”


  1. The interface in Purview for the creation of sensitivity labels has changed a bit in the meantime. I appreciate the good work here, but it would be nice if this post could be updated again :)

    • Hi André,
      Thanks for the information. I will have a look and update the article accordingly.

  2. “I’ve followed the steps and all looks right, but when choosing the RMS template in the mail transport rules, all I see are the default RMS templates. I’ve waited 24 hours and my custom label doesn’t show in the drop-down.”
    ========================================
    Same for me.

  3. Hi there,

    I’ve followed the steps and all looks right, but when choosing the RMS template in the mail transport rules, all I see are the default RMS templates. I’ve waited 24 hours and my custom label doesn’t show in the drop-down.

    Thanks
