Encryption in Office 365
Topic Last Modified: 2014-09-29
Office 365 Message Encryption is an easy-to-use service that lets email users send encrypted messages to people inside or outside their organization. Designated recipients can easily view their encrypted messages and return encrypted replies. Regardless of the destination email service—whether it’s Outlook.com, Yahoo, Gmail, or another service—email users can send confidential business communications with an added level of protection against unauthorized access.
There are many scenarios in which email message encryption might be required, including the following:
A bank employee sending credit card statements to customers
An insurance company representative providing policy details to customers
A mortgage broker requesting financial information from a customer for a loan application
A health care provider sending health care information to patients
An attorney sending confidential information to a customer or another attorney
A consultant sending a contract to a customer
Exchange Online and Exchange Online Protection (EOP) administrators set up Office 365 Message Encryption by defining encryption rules. As an administrator, you can also customize encrypted messages with your own text and logo, presenting a company brand that’s familiar to message recipients.
Office 365 Message Encryption is an online service that’s built on Microsoft Azure Rights Management (Azure RMS). With Azure RMS set up for an organization, administrators can enable message encryption by defining transport rules that determine the conditions for encryption. A rule can require the encryption of all messages addressed to a specific recipient, for example.
When an Exchange Online user sends an email message that matches an encryption rule, the message is sent out with an HTML attachment. The recipient opens the HTML attachment in the email message, recognizes a familiar brand if that’s present, and follows the embedded instructions to view the encrypted message on the Office 365 Message Encryption portal. The recipient can choose to view the message by signing in with a Microsoft account or an Office 365 organizational account, or by using a one-time passcode. Both options help ensure that only the intended recipient can view the encrypted message.
The following diagram summarizes the passage of an email message through the encryption process.
1. An Exchange Online user sends a message to the recipient.
2. The message is filtered based on administrator-defined rules that define conditions for encryption.
3. The tenant key for your Office 365 organization is accessed and the message is encrypted.
4. The encrypted message is delivered to the recipient’s Inbox.
5. The recipient opens the HTML attachment and connects to the Office 365 encryption portal.
6. The recipient authenticates by signing in with a Microsoft account or an Office 365 organizational account, or by using a one-time passcode.
7. The tenant key for your Office 365 organization is accessed to remove encryption from the message and the user views the unencrypted message.
For more information about the keys that help ensure the safe delivery of encrypted messages to designated recipient inboxes, see Service information for Office 365 Message Encryption.
This short video shows how Office 365 Message Encryption works.
Office 365 Message Encryption requires that you have an Exchange Online or Exchange Online Protection (EOP) subscription and that you’ve set up Azure Rights Management. If your setup meets these requirements, all you need to do to enable Office 365 Message Encryption is define rules that trigger encryption.
If you need to set up Azure Rights Management, you have two options:
Set up Azure Rights Management for Office 365 Message Encryption, but prevent IRM templates from being available to users by disabling them in Microsoft Outlook Web App and Microsoft Outlook. For step-by-step procedures, see Set up Microsoft Azure Rights Management for Office 365 Message Encryption.
Set up Azure Rights Management for Office 365 Message Encryption and enable IRM templates so they’re available to users in OWA and Outlook. For step-by-step procedures, see Configure IRM to use Microsoft Azure Rights Management.
Administrators enable Office 365 Message Encryption by creating Exchange transport rules that determine under what conditions email messages should be encrypted. There are also rules for defining conditions where encryption should be removed from messages. Once you’ve set the encryption action within the rule, any messages that match the rule conditions are encrypted before they’re sent out.
Transport rules are flexible, letting you combine conditions so you can meet specific security requirements in a single rule. For example, you can create a rule to encrypt all messages that contain specified keywords and are addressed to external recipients. Office 365 Message Encryption also encrypts replies from recipients of encrypted email, and you can create a rule that decrypts those replies as a convenience for your email users. That way, users in your organization won’t have to sign in to the encryption portal to view replies.
For more information about how to create Exchange transport rules, see Define rules to encrypt or decrypt email messages.
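The following Exchange Online PowerShell session is an added example, not part of the original article, showing the two kinds of transport rule described above: one that encrypts keyword-matching mail to external recipients, and one that removes encryption from replies so internal users read them without visiting the portal. The rule names, the keyword "Confidential", the sender address and the domain contoso.com are assumed placeholders; the connection method is the remote PowerShell endpoint documented for Exchange Online at the time this article was written.

```powershell
# Added example (not from the original article): create the encrypt and decrypt
# transport rules with Exchange Online PowerShell. Rule names, the keyword and
# the contoso.com addresses are assumed placeholders.

# Connect to Exchange Online remote PowerShell (you are prompted for admin credentials).
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential (Get-Credential) -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking

# Rule 1: encrypt messages addressed outside the organization whose subject or body
# contains the keyword. ApplyOME is the action that triggers Office 365 Message Encryption.
New-TransportRule -Name "Encrypt confidential mail to external recipients" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential" `
    -ApplyOME $true

# Rule 2: remove encryption from encrypted replies arriving from outside the organization,
# so recipients inside the organization read them directly in Outlook or OWA.
New-TransportRule -Name "Decrypt encrypted replies for internal users" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -RemoveOME $true

# Check: list the rules that carry an encryption action and confirm they are enabled,
# then verify that the tenant's IRM (Azure RMS) setup can encrypt for a sample sender.
Get-TransportRule | Where-Object { $_.ApplyOME -or $_.RemoveOME } |
    Format-Table Name, State, ApplyOME, RemoveOME
Test-IRMConfiguration -Sender "alice@contoso.com"   # placeholder mailbox in the tenant

Remove-PSSession $session
```

Rule 2 is deliberately scoped with both -FromScope and -SentToScope so that only inbound replies to internal users are decrypted; a rule that removes encryption from mail leaving the organization would undo Rule 1. Test-IRMConfiguration reports whether the Azure RMS connection, templates and licensing are in place for the named sender, which is the quickest way to tell whether a rule that never encrypts is failing because of the rule or because of the RMS prerequisite described above.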
As an administrator, you can add your company’s brand to encrypted messages. For example, you can customize the introduction and disclaimer text in the email message that accompanies encrypted messages as well as some text that appears on the portal where the recipient views the messages. You can also add a logo to the email message and encrypted message viewing portal.
For more information about how to customize encrypted messages, see Add branding to encrypted messages.
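As an added example that is not part of the original article, the following Exchange Online PowerShell commands set the three customizable text fields and the logo described above. The wording, the logo path and the Contoso name are assumed placeholders; the commands assume an Exchange Online PowerShell session is already open.

```powershell
# Added example (not from the original article): apply company branding to
# encrypted messages and the viewing portal with Set-OMEConfiguration.
# The text values and logo path are placeholders.

$logoPath = "C:\Branding\contoso-logo.png"   # assumed path to a small PNG or JPG logo

Set-OMEConfiguration -Identity "OME Configuration" `
    -EmailText "You have received a protected message from Contoso." `
    -PortalText "Contoso secure message portal" `
    -DisclaimerText "This message is confidential and intended only for the named recipient." `
    -Image ([System.IO.File]::ReadAllBytes($logoPath))

# Check: read back the stored text so a typo is caught before recipients see it.
Get-OMEConfiguration | Format-List EmailText, PortalText, DisclaimerText

# To return to the default Office 365 branding, clear each field:
# Set-OMEConfiguration -Identity "OME Configuration" -EmailText "" -PortalText "" -DisclaimerText "" -Image $null
```

Keep the introduction text short and consistent with what users already see from your organization, since this text and the logo are the cues the recipient uses to recognize that the HTML attachment is legitimate before opening it.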
With Office 365 Message Encryption, email messages are encrypted automatically, based on administrator-defined rules. An email that bears an encrypted message arrives in the recipient’s Inbox with an attached HTML file.
Recipients follow instructions in the message to open the attachment and authenticate by using a Microsoft account or an organizational account. If recipients don’t have either account, they’re directed to create a Microsoft account that will let them sign in to view the encrypted message. Alternatively, recipients can choose to get a one-time passcode to view the message. After signing in or using a one-time passcode, recipients can view the decrypted message and send an encrypted reply.
For detailed guidance about how to send and view encrypted messages, see Send, view, and reply to encrypted messages. To learn how to get a one-time passcode instead of signing in, see Use a one-time passcode to view an encrypted message.