[Update]: This article was first published on May 11, 2021. It’s been updated due to recent changes in the Exchange admin center and the migration of some options from Microsoft 365 compliance to Microsoft Purview.
Email encryption provides an additional layer of information security by making sure only the intended recipients can read messages. If you are looking for a user-friendly email encryption solution for your Microsoft 365 organization, there is a native tool for that – Office 365 Message Encryption. From the user’s perspective, it is the easiest to use: it can be configured so that it does not require any additional actions on their part. From the recipient’s perspective, this form of email encryption works seamlessly with Microsoft 365 accounts and offers an intuitive experience for all other email clients and email service providers. Read on to learn how to create a Microsoft 365 sensitivity label and use it in a transport rule to encrypt emails and files.
How encryption in Microsoft 365 works
Office 365 Message Encryption is a service that is integrated with Microsoft’s email clients (Outlook desktop, Outlook for Mac, Outlook mobile on iOS and Android, and Outlook on the web). It has a number of features and configuration options, but here I will focus on how to automatically encrypt emails sent outside your organization by members of a specific group (the Legal Team).
In this scenario, a message is encrypted as it is sent (before it leaves your Microsoft 365 organization) and the sender does not have to do anything. When the encrypted message reaches its intended recipient, they will be asked to authenticate to open the message contents. If the recipient is signed in to their Microsoft 365 or on-premises Exchange account and is using one of Microsoft’s email clients, they do not need to take any additional actions. The message will open as usual but will contain information that it has been encrypted (the same applies to email attachments). If the recipient is using one of the other supported email clients such as Gmail, Yahoo! or Outlook.com, they will receive a wrapper email (aka “envelope”), which will direct them to the Office 365 Message Encryption Portal (OME Portal), where they will be asked to authenticate. The required authentication method depends on the email client: it may involve following a link and signing in with the recipient’s credentials, or entering a one-time code that is sent to the recipient in a separate message. For some email clients, opening an encrypted message might require manually entering Microsoft account credentials or using a one-time code to open the message in the OME Portal.
This article shows you how an admin can use Office 365 Message Encryption to encrypt emails without user interaction. There is also a mechanism that allows a user to encrypt emails when composing them in the Outlook desktop app or in Outlook on the web. Read this Microsoft article to learn more.
Office 365 Message Encryption is based on Azure Rights Management Service (Azure RMS) – part of Azure Information Protection – so you need to have a Microsoft 365 / Office 365 plan that supports it (as of November 2022, it’s the Enterprise E3 plan or higher) or you need to purchase Azure Information Protection Plan 1 separately for users who will use email encryption in your organization. Make sure to check the current Microsoft requirements here.
Before you start using Office 365 Message Encryption, verify if the Azure Rights Management Service is active in your organization as discussed in this Microsoft article.
Labels and policies required to configure Office 365 Message Encryption were previously managed in the Azure portal, but this solution reached end-of-life on April 1, 2021. Sensitivity labels are now managed in the Microsoft Purview compliance portal, but you may have to deploy the unified labeling client across your organization as discussed in this Microsoft article.
Setting up Office 365 Message Encryption to encrypt emails sent externally is relatively easy. You will do this in two steps. First, configure a sensitivity label that applies the encryption. Then, create a transport rule that applies this label to outgoing messages sent by members of a selected group of users.
Configure a sensitivity label
For the purpose of this article, I will create a new sensitivity label that will apply encryption to emails and files attached to them. You can skip this section if you already have sensitivity labels and policies in place in your organization or if you want to use a default label created by Microsoft.
To create a new label:
- Go to the Microsoft Purview compliance portal and open Information protection from the menu on the left.
- Open the Labels tab and click Create a label. This will open the New sensitivity label wizard.
- Use the fields provided in the Name & description step to enter the name of the label and additional information. The information in the Display name and Description for users fields will be visible to email recipients so make the description clear and concise. Click Next to move to the next step.
- In the Scope step of the wizard, select Items and confirm by clicking Next.
- In the Items step, select Encrypt items and leave the Mark items unselected.
- In the Encryption step, select Configure encryption settings. Select Assign permissions now, and then select Never in the User access to content expires and Always in the Allow offline access drop-down menus, as shown in the screen below.
- Click the Assign permissions link (the blue link visible in the screen above) and in the pane that opens click Add any authenticated users (see the screen below). Permissions set in this step control who can open the email and its attachments. The setting I selected will allow users from outside your organization to access and open messages and their attachments when they are authenticated.
- While in the same pane, click Choose permissions (see the screen below) and select a permission level. The permission level controls what the user can do with the email and its attachments. In this example, I set the Co-Author permissions level that does not impose many restrictions. Click Save to confirm and close the pane.
- In the next step, Auto-labelling for files and emails, it is possible to set up Microsoft 365 to apply this label if it detects that the email or file contains specific types of information such as account number, passport number or other private information. In this example it is not necessary because I want the transport rule to control when this label is applied, so I make sure this feature is turned Off.
- Since I have selected to use this label with emails and files only, I will not be able to modify information in the Groups & sites and Schematized data assets (preview) steps.
- In the Finish step you can review the label configuration and make changes as needed. When you are ready, click the Create label button.
Note: Creating a label can take several seconds and when it is complete, you will receive a confirmation.
From here, you can publish your label via a new label policy, skip this step and create a new policy later, or add the label to an existing label policy. In this scenario, the new label will be used for a specific group (the Legal Team) and it should be applied automatically by a transport rule to emails sent externally. I will publish it by creating a new label policy (specific to members of the Legal Team) to make it available for selection in the transport rule creation wizard.
- Select Publish label to users’ apps and click Done. This will trigger the policy creation wizard.
- In the first step, click the Choose sensitivity labels to publish link and select your label. Click Add and proceed by clicking Next.
- In the Users and groups step, narrow down the scope to the Legal Team by clicking the Choose user or group link and selecting the group in the pane that opens.
- In the next four steps of the wizard, you can modify general policy settings (e.g., you can require the users to provide a justification before removing the label or lowering its classification) and set a default label for documents, emails and Power BI content. Once done, proceed to the penultimate step.
- Name your label policy (you can also provide a description with more information) and click Next.
- Finally, review the provided details and click the Submit button to publish the policy and close the wizard.
Note that it may take up to 24 hours for the new label to propagate, so you might need to wait before you can perform the steps described further in this article.
Configure a transport rule to apply encryption to emails sent externally
When the label is published, I will use it to create a transport rule that will automatically apply encryption to emails sent outside the organization by members of a selected group. There are a number of ways in which you can define the scope of senders whose emails will be encrypted. The important thing to remember is to define all conditions and exceptions in the transport rule, as it controls whether the label is applied. To do so:
- Open the Exchange admin center and go to Mail flow > Rules.
- Click the Add a rule button and select Apply Office 365 Message Encryption and rights protection to messages.
- Name the new rule, e.g. External email encryption.
- In the Apply this rule if section, choose The recipient > Is internal/external and select Outside the organization. Confirm by clicking Save.
- Click the + icon to add another condition and select The sender > is a member of this group from the drop-down menu. In the pane that opens, select the group whose members will have their emails encrypted (in this example Legal Team) and confirm by clicking Save.
Note: Microsoft 365 groups can’t be selected by choosing them from the list. The only way to add a group of this type is to enter/paste its full email address in the search box and press Enter.
- In the Do the following section, make sure that Modify the message security > Apply Office 365 Message Encryption and rights protection is selected. Then click the Select one link below and select the sensitivity label you have created in the previous steps (or the default label or another existing label of your choice). In this case, I chose External email encryption.
- Complete the remaining steps of the rule creation wizard. Review your rule settings and click Finish to create the new transport rule.
- Once created, the mail flow rule is disabled by default. Select it from the rules list and use the toggle to enable the rule.
As soon as the new rule is enabled, every email that is sent by a member of the selected group (Legal Team) to a recipient outside the organization will be automatically encrypted using Office 365 Message Encryption.
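The same prerequisite check (Azure RMS active, as described earlier) and the same transport rule can be scripted in Exchange Online PowerShell. This is an added example, not code from the original article; the group address, the sender address used for the test and the label name are assumed values that you would replace with your own.

```powershell
# Added example (not from the original article): Exchange Online PowerShell
# equivalent of the prerequisite check and the transport rule described above.
$GroupAddress  = 'legal@contoso.com'           # assumed: Legal Team group address
$TestSender    = 'legal.user@contoso.com'      # assumed: a member of the Legal Team
$LabelName     = 'External email encryption'   # assumed: label created in the wizard
$RuleName      = 'External email encryption'

Connect-ExchangeOnline   # requires the ExchangeOnlineManagement module

# 1. Prerequisite: confirm Azure Rights Management is active for the tenant.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure Rights Management is not enabled for this tenant; enable it before creating the rule.'
}
# End-to-end check that Exchange can obtain RMS templates for a sender in the group.
Test-IRMConfiguration -Sender $TestSender

# 2. Confirm the published label is visible to Exchange as an RMS template.
#    Labels can take up to 24 hours to propagate; until then nothing is returned.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $LabelName }
if (-not $template) {
    throw "Label '$LabelName' is not yet available to Exchange; wait for propagation and retry."
}

# 3. Create the rule disabled (as the wizard does), mirroring the wizard settings:
#    recipient is outside the organization, sender is a member of the group,
#    apply the label's encryption and rights protection.
$rule = New-TransportRule -Name $RuleName `
    -SentToScope NotInOrganization `
    -FromMemberOf $GroupAddress `
    -ApplyRightsProtectionTemplate $LabelName `
    -Enabled $false

# 4. Review the conditions and the applied template before switching the rule on.
$rule | Format-List Name, State, SentToScope, FromMemberOf, ApplyRightsProtectionTemplate
Enable-TransportRule -Identity $RuleName
```

Reviewing the rule before enabling it is the scripted equivalent of the wizard's review step: a rule whose SentToScope or FromMemberOf is wrong would either encrypt internal mail or leave external mail from the group unencrypted.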