Office 365 Email Encryption – Setup Guide
Define rules to encrypt or decrypt email messages
As an administrator, you can create mail flow rules, also known as transport rules, to enable Office 365
Message Encryption. This lets you encrypt any outgoing email messages and remove encryption from
encrypted messages coming from inside your organization or from replies to encrypted messages sent
from your organization. You can use the Exchange admin center (EAC) or Windows PowerShell
cmdlets for Exchange Online to create these rules. In addition to overall encryption rules, you can also
choose to enable or disable individual message encryption options for end-users.
Encrypt email messages
You can define transport rules for triggering email message encryption by using the EAC or Windows
PowerShell cmdlets for Exchange Online.
To create a rule for encrypting email messages by using the EAC
1. From the EAC, go to mail flow > rules > New. If you need help to become familiar with the EAC,
see Exchange Admin Center in Exchange Online.
2. Select + > Create a new rule.
3. In Name, type a name for the rule, such as Encrypt mail for [email protected].
4. In Apply this rule if select a condition, and enter a value if necessary. For example, to encrypt
messages going to [email protected]:
a. In Apply this rule if, select the recipient is.
b. Select an existing name from the contact list or type a new email address in the check
names box.
To select an existing name, select it from the list and then click OK.
To enter a new name, type an email address in the check names box and then
select check names > add > OK.
5. To add more conditions, select add condition and select from the list. For example, to specify
that the previous rule applies only if the recipient is outside your organization:
a. Select add condition and then select The recipient is located > Outside the
organization.
b. Select OK.
6. To enable encryption, in Do the following, select Modify the message security > Apply Office
365 Message Encryption, as shown below, and then select Save. You can select add action if
you want to specify another action.
To create a rule for encrypting email messages by using PowerShell cmdlets
1. Connect to Office 365 using Remote PowerShell, as described in Connect to Exchange Online
using Remote PowerShell.
2. Define a rule with the ApplyOME parameter set to $true. For example, to require that all email
messages addressed to [email protected] be encrypted, type:

    New-TransportRule "Encrypt rule for drtoniramos" -SentTo "[email protected]" -SentToScope "NotInOrganization" -ApplyOME $true

Where:

This parameter                                          Specifies:
New-TransportRule "Encrypt rule for [email protected]"   Name of the new rule
-SentTo "[email protected]"                               Condition 1
-SentToScope "NotInOrganization"                         Condition 2
-ApplyOME $true                                          Encrypt the message
Note:
If you get an error message when you try to create an encryption transport rule, verify
that Azure Rights Management (RMS) is set up for your organization by following
the steps to activate Azure Rights Management from the Office 365 admin center. If
you see an option to activate Azure RMS, then it has not been set up yet, and you'll
need to activate it in order to use Office 365 Message Encryption.
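The PowerShell procedure above, worked through as an added example (this is not code from the guide): it first checks that Azure RMS is active for the tenant, which is the condition the note above refers to, then creates the recipient-based rule and reads it back for review. It goes one step beyond the guide's single rule by also creating the sender-triggered variant described later under Send an encrypted message, where a sender opts in by putting "encrypt" in the subject line. It assumes an open Exchange Online remote PowerShell session; the function names, the rule names and the recipient address drtoniramos@example.com are constructed for this example.

```powershell
# Added example, not from the guide. Assumes an Exchange Online remote
# PowerShell session is already open. Function names, rule names and the
# recipient address below are constructed for the example.

function Test-OmePrerequisites {
    # OME depends on Azure RMS; if it is not activated for the tenant,
    # creating a rule with -ApplyOME fails (see the note above).
    $irm = Get-IRMConfiguration
    if (-not $irm.AzureRMSLicensingEnabled) {
        throw 'Azure RMS is not enabled for this tenant; activate Azure Rights Management first.'
    }
    return $irm
}

function New-OmeEncryptRule {
    # Mandatory encryption for mail to one external recipient (the guide's case):
    # condition 1 = the recipient is $Recipient, condition 2 = the recipient is
    # outside the organization, action = apply Office 365 Message Encryption.
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        [Parameter(Mandatory)] [string] $Recipient
    )
    if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
        throw "A mail flow rule named '$RuleName' already exists."
    }
    New-TransportRule -Name $RuleName `
        -SentTo $Recipient `
        -SentToScope NotInOrganization `
        -ApplyOME $true | Out-Null
    # Read the rule back and return only the properties that matter for review.
    return Get-TransportRule -Identity $RuleName |
        Select-Object Name, State, Priority, SentTo, SentToScope, ApplyOME
}

function New-OmeOptInRule {
    # Sender-triggered encryption: an internal sender opts in by putting the
    # keyword in the subject line; only external recipients are affected, so
    # internal copies stay readable without a trip through the portal.
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        [string] $Keyword = 'encrypt'
    )
    if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
        throw "A mail flow rule named '$RuleName' already exists."
    }
    New-TransportRule -Name $RuleName `
        -FromScope InOrganization `
        -SubjectContainsWords $Keyword `
        -SentToScope NotInOrganization `
        -ApplyOME $true | Out-Null
    return Get-TransportRule -Identity $RuleName |
        Select-Object Name, State, Priority, FromScope, SubjectContainsWords, SentToScope, ApplyOME
}

Test-OmePrerequisites | Out-Null
New-OmeEncryptRule -RuleName 'Encrypt rule for drtoniramos' -Recipient 'drtoniramos@example.com' | Format-List
New-OmeOptInRule -RuleName 'Encrypt on request (subject keyword)' | Format-List
```

Mail flow rules are evaluated in Priority order, so after creating a rule check its Priority against any existing rule that could redirect, reject or modify the same messages; the duplicate-name check avoids silently piling a second rule onto an existing one.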
Remove encryption from email replies
When your email users send encrypted messages, recipients of those messages can respond with
encrypted replies. You can create transport rules to automatically remove encryption from replies so email
users in your organization don’t have to sign in to the encryption portal to view them. You can use the
EAC or Windows PowerShell cmdlets to define those rules. You can only decrypt messages that are either
sent from within your organization or messages that are replies to messages sent from within your
organization. Encrypted messages originating from outside of your organization cannot be decrypted.
To create a rule for removing encryption from email replies by using the EAC
1. From the EAC, go to Mail flow > + > Create a new rule.
2. In Name, type a name for the rule, such as Remove encryption from incoming mail.
3. In Apply this rule if, select the conditions where encryption should be removed from messages,
such as The recipient is located > Inside the organization.
4. In Do the following, select Modify the message security > Remove Office 365 Message
Encryption.
5. Select Save.
To create a rule to remove encryption from email replies by using PowerShell cmdlets
1. Connect to Exchange Online using Remote PowerShell.
2. Define a rule with the RemoveOME parameter set to $true. For example:

    New-TransportRule -Name "Remove encryption from incoming mail" -SentToScope "InOrganization" -RemoveOME $true

Where:

This parameter                                            Specifies:
New-TransportRule "Remove encryption from incoming mail"  Name of the new rule
-SentToScope "InOrganization"                             Condition
-RemoveOME $true                                          Remove encryption from the message
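The decrypt-replies procedure as an added example (not the guide's code), assuming an open Exchange Online remote PowerShell session; the rule name and the function names are constructed. It creates the rule the guide shows and then lists every mail flow rule that applies or removes Office 365 Message Encryption in evaluation order, which is the view an administrator wants when checking that an encrypt rule and a decrypt rule are scoped as intended and don't work against each other.

```powershell
# Added example, not from the guide. Assumes an open Exchange Online session.
# Rule name and function names are constructed for the example.

function New-OmeDecryptReplyRule {
    param([Parameter(Mandatory)] [string] $RuleName)
    if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
        throw "A mail flow rule named '$RuleName' already exists."
    }
    # Scope the rule to recipients inside the organization. As the guide notes,
    # only messages that originated inside the organization, or replies to them,
    # can be decrypted; external-origin encrypted mail stays encrypted even if
    # it matches this condition.
    New-TransportRule -Name $RuleName `
        -SentToScope InOrganization `
        -RemoveOME $true | Out-Null
    return Get-TransportRule -Identity $RuleName |
        Select-Object Name, State, Priority, SentToScope, RemoveOME
}

function Get-OmeRuleAudit {
    # Every mail flow rule that applies or removes OME, sorted the way Exchange
    # evaluates them, with the conditions that decide which mail each one touches.
    Get-TransportRule -ResultSize Unlimited |
        Where-Object { $_.ApplyOME -or $_.RemoveOME } |
        Sort-Object Priority |
        Select-Object Priority, Name, State, Mode,
            @{ n = 'Action'; e = { if ($_.ApplyOME) { 'ApplyOME' } else { 'RemoveOME' } } },
            SentTo, SentToScope, FromScope, SubjectContainsWords
}

New-OmeDecryptReplyRule -RuleName 'Remove encryption from incoming mail' | Format-List
Get-OmeRuleAudit | Format-Table -AutoSize
```

The audit output is worth keeping with change records: a RemoveOME rule whose SentToScope is empty, or an ApplyOME rule in a disabled State, is the kind of drift this listing makes visible at a glance.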
Add branding to encrypted messages
As an Exchange Online or Exchange Online Protection administrator, you can apply your company
branding to customize the look of your organization’s Office 365 Message Encryption email messages and
the contents of the encryption portal. Using Windows PowerShell cmdlets, you can customize the
following aspects of the viewing experience for recipients of encrypted email messages:
• Introductory text of the email that contains the encrypted message
• Disclaimer text of the email that contains the encrypted message
• Portal text that will appear in the message viewing portal
• Logo that will appear in the email message and viewing portal
You can also revert back to the default look and feel at any time.
The following example shows a custom logo for ContosoPharma in the email attachment:
To customize encryption email messages and the encryption portal with your organization’s brand
1. Connect to Exchange Online using Remote PowerShell, as described in Connect to Exchange
Online Using Remote PowerShell.
2. Use the Set-OMEConfiguration cmdlet as described here: Set-OMEConfiguration or use the
following table for guidance.
Encryption customization options

To customize this feature of the encryption experience / Use these Windows PowerShell commands

Default text that accompanies encrypted email messages (the default text appears above the
instructions for viewing encrypted messages):
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<string of up to 1024 characters>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system"

Disclaimer statement in the email that contains the encrypted message:
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -DisclaimerText "<your disclaimer statement, string of up to 1024 characters>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential for the use of the addressee only"

Text that appears at the top of the encrypted mail viewing portal:
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<text for your portal, string of up to 128 characters>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -PortalText "ContosoPharma secure email portal"

Logo:
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <Byte[]>
    Example: Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "C:\Temp\contosologo.png" -Encoding byte)
    Supported file formats: .png, .jpg, .bmp, or .tiff
    Optimal size of logo file: less than 40 KB
    Optimal size of logo image: 170x70 pixels
To remove brand customizations on encryption email messages and the encryption portal
1. Connect to Exchange Online using Remote PowerShell, as described in Connect to Exchange
Online Using Remote PowerShell.
2. Use the Set-OMEConfiguration cmdlet as described here: Set-OMEConfiguration. To remove your
organization's branded customizations from the DisclaimerText, EmailText, and PortalText values,
set the value to an empty string, "". For all image values, such as Logo, set the value to "$null".
Encryption customization options

To revert this feature of the encryption experience back to the default text and image / Use these
Windows PowerShell commands

Default text that accompanies encrypted email messages (the default text appears above the
instructions for viewing encrypted messages):
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<empty string>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -EmailText ""

Disclaimer statement in the email that contains the encrypted message:
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -DisclaimerText "<empty string>"
    Example: Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText ""

Text that appears at the top of the encrypted mail viewing portal:
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "<empty string>"
    Example reverting back to default: Set-OMEConfiguration -Identity "OME Configuration" -PortalText ""

Logo:
    Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image $null
    Example reverting back to default: Set-OMEConfiguration -Identity "OME configuration" -Image $null
Send, view, and reply to encrypted messages
A message that is encrypted by Office 365 Message Encryption is delivered to a recipient’s inbox just like
any other email message, but it contains an HTML file attachment. After opening the attachment, the
recipient can sign in or use a one-time passcode to view the message on the Office 365 Message
Encryption portal. The email includes instructions for viewing the encrypted message, as in the following
example (the attachment is highlighted):
Send an encrypted message
There are two primary ways to send encrypted messages. You can set up admin-defined encryption rules,
as described in Define rules to encrypt or decrypt email messages, which automatically encrypt messages
meeting certain criteria. For instance, you can create a rule that encrypts all messages sent outside your
organization. (In this case, the sender doesn’t have to take extra steps to encrypt the message.)
Alternatively, you can create a rule that gives the sender the ability to encrypt messages at will. For
example, a rule can initiate encryption for each message where the sender adds “encrypt” to the subject
line.
View and reply to an encrypted message
An encrypted email message arrives in the recipient’s inbox with an HTML attachment. After opening the
attachment, recipients see instructions for opening and viewing the message. Regardless of their type of
email service, the experience is the same. The recipient can choose to sign in with a work account
associated with Office 365 or with a Microsoft account. Alternatively, the recipient can choose to use a
one-time passcode if, for example, they don't have a work account or a Microsoft account and don’t want to
create a new Microsoft account. To learn more, see Use a one-time passcode to view an encrypted
message.
An administrator can set a rule to automatically decrypt replies. This means that the recipients of your
reply don’t have to sign in to the encryption portal to view the message. To learn about setting this rule,
go to Define rules to encrypt or decrypt email messages.
To view an encrypted message using a Microsoft account
1. Follow the instructions in the email message to save the attachment.
2. Open the message.html file and select Sign in.
Tip:
If a message appears that asks if you want to submit information to an external page,
choose OK. You may also need to allow pop-ups, if your web browser blocks them.
3. Sign in to the encryption portal with a Microsoft account, as instructed in the message. If you
don’t have a Microsoft account, you can choose the option to create one associated with your
email address. (You’ll have to fill out a form and complete a verification step.) In order to view the
encrypted message, the email address for the Microsoft account must match the address to which
the encrypted message was sent.
If you’re already signed in, you won’t have to sign in again.
4. After signing in, you can view the contents of the encrypted message.
Note:
If you are inactive for more than 15 minutes, you are automatically signed out of the
encryption portal.
To reply to an encrypted message
1. Choose Reply or Reply All.
2. On the page that appears, type a reply and choose Send. An encrypted copy of your reply
message is sent to you.
Office 365 Message Encryption FAQ
Got questions about Office 365 Message Encryption? Here are some answers. If you can’t find what you
need, check the Office 365 community forums at Office 365 community.
Q. My users send encrypted email messages to recipients outside our organization. Is there
anything that external recipients have to do in order to read and reply to email messages that are
encrypted with Office 365 Message Encryption?
Recipients outside your organization who receive Office 365 encrypted messages can view them in one of
two ways:
• By signing in with a Microsoft account or a work or school account associated with Office 365. For
details, see Send, view, and reply to encrypted messages.
• By using a one-time passcode. To learn more, see Use a one-time passcode to view an encrypted
message.
Q. Are Office 365 encrypted messages stored in the cloud or on Microsoft servers?
No, the encrypted messages are kept on the recipient’s email system, and when the recipient opens the
message, it is temporarily posted for viewing on Office 365 servers. The messages are not stored there.
Q. Can I customize encrypted email messages with my brand?
Yes. You can use Windows PowerShell cmdlets to customize the default text that appears at the top of
encrypted email messages, the disclaimer text, and the logo that you want to use for the email message
and the encryption portal. For details, see Add branding to encrypted messages.
Q. Is there a trial version of Office 365 Message Encryption available?
Office 365 Message Encryption is included with Microsoft Azure Rights Management (Azure RMS). You
can sign up for a 30-day trial of the service from the Office 365 Rights Management trial portal
here: Azure Rights Management plan. In order to use Office 365 Message Encryption, you must meet the
following criteria:
• If using Office 365, you need to have a plan that includes Azure RMS or can support Azure RMS
purchased separately. To learn which plans include Azure RMS, see Office 365 Plan Options.
• If using on-premises mailboxes, you must route email through Exchange Online, either by using
Exchange Online Protection for email filtering or by establishing hybrid mail flow.
Q. I am using Exchange 2013. Will Office 365 Message Encryption be made available to me?
Yes, as long as you route email through Exchange Online, either by using Exchange Online Protection for
email filtering or by establishing hybrid mail flow. You can purchase Azure RMS and then configure rules
to encrypt email using Office 365 Message Encryption.
Q. How can I purchase Office 365 Message Encryption?
Office 365 Message Encryption is available as part of Microsoft Azure Rights Management (Azure RMS).
Office 365 Enterprise E3 and Office 365 Enterprise E4 users already have Azure RMS as part of their
subscriptions. Other Office 365 plans don’t include Azure RMS, but some support it as an add-on,
purchased separately on a per-user basis. To learn which plans support Azure RMS as an add-on,
see Office 365 Plan Options.
On-premises customers can gain access to Office 365 Message Encryption by purchasing Azure RMS on a
per-user basis. Additionally, on-premises customers must route email through Exchange Online, either by
using Exchange Online Protection for email filtering or by establishing hybrid mail flow.
Q. Does the service require a license for every user in my organization?
A license is required for every user in the organization who sends encrypted email.
Q. Do external recipients require subscriptions?
No, external recipients do not require a subscription to read or reply to encrypted messages.
Q. Will Office 365 Message Encryption be available in Office 365 Dedicated?
Yes. You must first purchase Exchange Online Protection (EOP) and configure mail flow via EOP. Once that
is done, customers can purchase Azure RMS and configure rules to encrypt email.
Q. How is Office 365 Message Encryption different from Rights Management Services (RMS)?
RMS provides Information Rights Protection capabilities for an organization’s internal emails by providing
built-in templates, such as: Do not forward and Company Confidential. Office 365 Message Encryption
supports email message encryption for messages that are sent to external recipients as well as internal
recipients.
Q. How is Office 365 Message Encryption different from S/MIME?
S/MIME is essentially a client-side encryption technology, and requires complicated certificate
management and publishing infrastructure. Office 365 Message Encryption uses transport rules and does
not depend on certificate publishing.
Q. How does Office 365 Message Encryption work?
Visit Encryption in Office 365.
Q. Can I read the encrypted messages over mobile devices?
Yes, you can view messages on Android and iOS by downloading the OME Viewer apps from the Google
Play store and the Apple App store. Open the HTML attachment in the OME Viewer app and then follow
the instructions to open your encrypted message. For other mobile devices, you can open the HTML
attachment as long as your mail client supports Form Post.
Q. Are replies and forwarded messages encrypted?
Yes. Responses continue to be encrypted throughout the duration of the thread.
Q. Does Office 365 Message Encryption provide localization?
Incoming email and HTML content is localized based on sender email settings. The viewing portal is
localized based on the recipient's browser settings. However, the actual body (content) of the encrypted
message isn't localized.
Q. What encryption method is used for Office 365 Message Encryption?
Office 365 Message Encryption uses Rights Management Services (RMS) as its encryption infrastructure.
The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt
messages.
• If you use Microsoft Azure RMS to obtain the keys, Cryptographic Mode 2 is used. Cryptographic
Mode 2 is an updated and enhanced AD RMS cryptographic implementation. It supports RSA
2048 for signature and encryption, and supports SHA-256 for signature.
• If you use Active Directory (AD) RMS to obtain the keys, either Cryptographic Mode 1 or
Cryptographic Mode 2 is used. The method used depends on your on-premises AD RMS
deployment. Cryptographic Mode 1 is the original AD RMS cryptographic implementation. It
supports RSA 1024 for signature and encryption, and supports SHA-1 for signature. This mode
continues to be supported by all current versions of RMS.
For more information, see AD RMS Cryptographic Modes.
Q. Why do some encrypted messages say they come from [email protected]?
When an encrypted reply is sent from the encryption portal or through the OME Viewer app, the sending
email address is set to [email protected] because the encrypted message is sent
through a Microsoft endpoint. This helps to prevent encrypted messages from being marked as spam. The
displayed name on the email and the address within the encryption portal aren't changed because of this
labeling. Also, this labeling only applies to messages sent through the portal, not through any other email
client.
Q. I am an Exchange Hosted Encryption (EHE) subscriber. Where can I learn more about the
upgrade to Office 365 Message Encryption?
All EHE customers have been upgraded to Office 365 Message Encryption. For more information, visit
the Exchange Hosted Encryption Upgrade Center.
Q. Do I need to open any URLs, IP addresses, or ports in my organization’s firewall to support
Office 365 Message Encryption?
Yes. You have to add URLs for Exchange Online to the allow list for your organization to enable
authentication for messages encrypted by Office 365 Message Encryption. For a list of Exchange Online
URLs, see Office 365 URLs and IP address ranges.
Q. How many recipients can I send an Office 365 encrypted message to?
The recipient limit for an encrypted message is based on the number of characters in the
message’s To field. When combined (after distribution list expansion), recipient addresses in the To field
should not exceed 11,980 characters. Because email addresses can vary in character length, there isn’t a
standard recipient limit for a single encrypted message.
Q. Is it possible to revoke a message sent to a particular recipient?
No. You can’t revoke a message to a particular person after it’s sent.
Q. Can I view a report of encrypted messages that have been received and read?
There isn’t a report that shows if an encrypted message has been viewed, but there are Office 365 reports
available that you can leverage to determine the number of messages that matched a specific transport
rule, for instance.
Q. What does Microsoft do with the information I provide through the OME Portal and the OME
Viewer App?
The Office 365 Messaging Encryption Portal and Viewer App privacy statement provides detailed
information about what Microsoft does and doesn't do with your private information.