Office 365 Message Encryption FAQ
Applies to: Exchange Online, Exchange Online Protection, Office 365
Topic Last Modified: 2016-01-14
Got questions about Office 365 Message Encryption? Here are some answers. If you can’t find what you need, check the Office 365 community forums.
Q. My users send encrypted email messages to recipients outside our organization. Is there anything that external recipients have to do in order to read and reply to email messages that are encrypted with Office 365 Message Encryption?
Recipients outside your organization who receive Office 365 encrypted messages can view them in one of two ways:
By signing in with a Microsoft account or a work or school account associated with Office 365. For details, see Send, view, and reply to encrypted messages.
By using a one-time passcode. To learn more, see Use a one-time passcode to view an encrypted message.
Q. Are Office 365 encrypted messages stored in the cloud or on Microsoft servers?
No, the encrypted messages are kept on the recipient’s email system, and when the recipient opens the message, it is temporarily posted for viewing on Office 365 servers. The messages are not stored there.
Q. Can I customize encrypted email messages with my brand?
Yes. You can use Windows PowerShell cmdlets to customize the default text that appears at the top of encrypted email messages, the disclaimer text, and the logo that you want to use for the email message and the encryption portal. For details, see Add branding to encrypted messages.
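The branding step above uses the Set-OMEConfiguration cmdlet. This is an added example, not code from the original page; it assumes an existing Exchange Online PowerShell session, and the text strings and logo path are placeholders for illustration.

```powershell
# Added example: brand encrypted messages and the encryption portal.
# Assumes you are connected to Exchange Online PowerShell as an admin.
# The strings below and the logo path are assumptions, not Microsoft defaults.

$logoPath = "C:\Temp\contoso-logo.png"   # assumed path to a small PNG/JPG logo

# Read the logo as a byte array; the -Image parameter expects raw bytes.
$logoBytes = [System.IO.File]::ReadAllBytes($logoPath)

# "OME Configuration" is the single, fixed identity of the tenant's OME settings.
Set-OMEConfiguration -Identity "OME Configuration" `
    -EmailText "Contoso has sent you a message protected with Office 365 Message Encryption." `
    -PortalText "Contoso secure message portal" `
    -DisclaimerText "This message and its attachments are intended only for the named recipient." `
    -Image $logoBytes

# Review the stored settings (the image is returned as a byte array, so it is omitted here).
Get-OMEConfiguration | Format-List Identity, EmailText, PortalText, DisclaimerText
```

Send yourself a test message that matches an encryption transport rule to confirm the new text and logo appear both in the HTML mail and in the portal.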
Q. Is there a trial version of Office 365 Message Encryption available?
Office 365 Message Encryption is included with Microsoft Azure Rights Management (Azure RMS). You can sign up for a 30-day trial of the service from the Office 365 Rights Management trial portal: Azure Rights Management plan. In order to use Office 365 Message Encryption, you must meet the following criteria:
If using Office 365, you need to have a plan that includes Azure RMS or can support Azure RMS purchased separately. To learn which plans include Azure RMS, see Office 365 Plan Options.
If using on-premises mailboxes, you must route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail flow.
Q. I am using Exchange 2013. Will Office 365 Message Encryption be made available to me?
Yes, as long as you route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail flow. You can purchase Azure RMS and then configure rules to encrypt email using Office 365 Message Encryption.
Q. How can I purchase Office 365 Message Encryption?
Office 365 Message Encryption is available as part of Microsoft Azure Rights Management (Azure RMS). Office 365 Enterprise E3 and Office 365 Enterprise E4 users already have Azure RMS as part of their subscriptions. Other Office 365 plans don’t include Azure RMS, but some support it as an add-on, purchased separately on a per-user basis. To learn which plans support Azure RMS as an add-on, see Office 365 Plan Options.
On-premises customers can gain access to Office 365 Message Encryption by purchasing Azure RMS on a per-user basis. Additionally, on-premises customers must route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail flow.
Q. Does the service require a license for every user in my organization?
A license is required for every user in the organization who sends encrypted email.
Q. Do external recipients require subscriptions?
No, external recipients do not require a subscription to read or reply to encrypted messages.
Q. Will Office 365 Message Encryption be available in Office 365 Dedicated?
Yes. You must first purchase Exchange Online Protection (EOP) and configure mail flow via EOP. Once that is done, customers can purchase Azure RMS and configure rules to encrypt email.
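The "configure rules to encrypt email" step mentioned in the Exchange 2013 answer and in the Office 365 Dedicated answer above is a transport rule with the Office 365 Message Encryption action. This is an added example, not the page's own code; it assumes an Exchange Online PowerShell session with Azure RMS already activated for the tenant, and the rule name and the "Encrypt" subject keyword are assumptions.

```powershell
# Added example: create a transport rule that applies Office 365 Message Encryption.
# Assumes an Exchange Online PowerShell session and an activated Azure RMS subscription.
# The rule name and the subject keyword are assumptions chosen for illustration.

# Encrypt any message to external recipients whose subject contains the keyword.
# Scoping to NotInOrganization keeps internal mail, which RMS templates already
# cover, out of the rule. Senders matched by the rule still need an RMS license.
New-TransportRule -Name "OME: encrypt on request" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "Encrypt" `
    -ApplyOME $true

# Confirm the rule exists, is enabled, and carries the encryption action.
# A newly created rule gets the lowest priority; reorder it if an earlier rule
# stops processing before it is reached.
Get-TransportRule -Identity "OME: encrypt on request" |
    Format-List Name, State, Priority, SentToScope, SubjectContainsWords, ApplyOME
```

Mail from on-premises mailboxes is only evaluated by this rule if it is routed through Exchange Online, as the answers above require.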
Q. How is Office 365 Message Encryption different from Rights Management Services (RMS)?
RMS provides Information Rights Protection capabilities for an organization’s internal emails by providing built-in templates, such as Do Not Forward and Company Confidential. Office 365 Message Encryption supports email message encryption for messages that are sent to external recipients as well as internal recipients.
Q. How is Office 365 Message Encryption different from S/MIME?
S/MIME is essentially a client-side encryption technology, and requires complicated certificate management and publishing infrastructure. Office 365 Message Encryption uses transport rules and does not depend on certificate publishing.
Q. How does Office 365 Message Encryption work?
Visit Encryption in Office 365.
Q. Can I read the encrypted messages over mobile devices?
Yes, you can view messages on Android and iOS by downloading the OME Viewer apps from the Google Play store and the Apple App store. Open the HTML attachment in the OME Viewer app and then follow the instructions to open your encrypted message. For other mobile devices, you can open the HTML attachment as long as your mail client supports Form Post.
Q. Are replies and forwarded messages encrypted?
Yes. Responses continue to be encrypted throughout the duration of the thread.
Q. Does Office 365 Message Encryption provide localization?
Incoming email and HTML content are localized based on the sender’s email settings. The viewing portal is localized based on the recipient’s browser settings. However, the actual body (content) of the encrypted message isn’t localized.
Q. What encryption method is used for Office 365 Message Encryption?
Office 365 Message Encryption uses Rights Management Services (RMS) as its encryption infrastructure. The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt messages.
If you use Microsoft Azure RMS to obtain the keys, Cryptographic Mode 2 is used. Cryptographic Mode 2 is an updated and enhanced AD RMS cryptographic implementation. It supports RSA 2048 for signature and encryption, and supports SHA-256 for signature.
If you use Active Directory (AD) RMS to obtain the keys, either Cryptographic Mode 1 or Cryptographic Mode 2 is used. The method used depends on your on-premises AD RMS deployment. Cryptographic Mode 1 is the original AD RMS cryptographic implementation. It supports RSA 1024 for signature and encryption, and supports SHA-1 for signature. This mode continues to be supported by all current versions of RMS.
For more information, see AD RMS Cryptographic Modes.
Q. Why do some encrypted messages say they come from Office365@messaging.microsoft.com?
When an encrypted reply is sent from the encryption portal or through the OME Viewer app, the sending email address is set to Office365@messaging.microsoft.com because the encrypted message is sent through a Microsoft endpoint. This helps to prevent encrypted messages from being marked as spam. The displayed name on the email and the address within the encryption portal aren't changed because of this labeling. Also, this labeling only applies to messages sent through the portal, not through any other email client.
Q. I am an Exchange Hosted Encryption (EHE) subscriber. Where can I learn more about the upgrade to Office 365 Message Encryption?
All EHE customers have been upgraded to Office 365 Message Encryption. For more information, visit the Exchange Hosted Encryption Upgrade Center.
Q. Do I need to open any URLs, IP addresses, or ports in my organization’s firewall to support Office 365 Message Encryption?
Yes. You have to add URLs for Exchange Online to the allow list for your organization to enable authentication for messages encrypted by Office 365 Message Encryption. For a list of Exchange Online URLs, see Office 365 URLs and IP address ranges.
Q. How many recipients can I send an Office 365 encrypted message to?
The recipient limit for an encrypted message is based on the number of characters in the message’s To field. When combined (after distribution list expansion), recipient addresses in the To field should not exceed 11,980 characters. Because email addresses can vary in character length, there isn’t a standard recipient limit for a single encrypted message.
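Because the limit above applies after distribution list expansion, the easiest way to know whether a send will fit is to expand the lists first and measure the result. This is an added example, not the page's own code; it assumes an Exchange Online PowerShell session, treats ", " as the separator between addresses (an assumption about how the To field is measured), and uses constructed sample addresses.

```powershell
# Added example: estimate the expanded To-field length before sending an encrypted
# message. Assumes an Exchange Online PowerShell session. The separator and the
# sample addresses are assumptions; dynamic distribution groups are not expanded.

$MaxToFieldChars = 11980   # limit stated in the FAQ, measured after DL expansion

function Expand-Recipients {
    param([string[]]$Addresses)
    $expanded = New-Object System.Collections.Generic.List[string]
    foreach ($addr in $Addresses) {
        $recipient = Get-Recipient -Identity $addr -ErrorAction SilentlyContinue
        if ($recipient -and $recipient.RecipientType -eq "DynamicDistributionGroup") {
            # Membership is computed at send time; counted as one address here.
            Write-Warning "$addr is a dynamic group and was not expanded"
            $expanded.Add($addr)
        } elseif ($recipient -and $recipient.RecipientType -like "*Group*") {
            # Static distribution and mail-enabled security groups: recurse so
            # nested groups are resolved down to individual addresses.
            $members = @(Get-DistributionGroupMember -Identity $addr -ResultSize Unlimited |
                ForEach-Object { $_.PrimarySmtpAddress.ToString() })
            if ($members.Count -gt 0) {
                $expanded.AddRange([string[]]@(Expand-Recipients -Addresses $members))
            }
        } else {
            # Unknown or external addresses are counted as typed.
            $expanded.Add($addr)
        }
    }
    return @($expanded | Sort-Object -Unique)   # de-duplicate overlapping lists
}

# Constructed sample: one mailbox plus a distribution list (assumed addresses).
$to = @("alice@contoso.com", "all-staff@contoso.com")
$resolved = Expand-Recipients -Addresses $to
$toField = $resolved -join ", "   # assumed separator for the measurement
"{0} recipients after expansion; To field is {1} characters" -f $resolved.Count, $toField.Length
if ($toField.Length -gt $MaxToFieldChars) {
    Write-Warning "Exceeds the $MaxToFieldChars-character limit; split the send or trim the list"
}
```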
Q. Is it possible to revoke a message sent to a particular recipient?
No. You can’t revoke a message to a particular person after it’s sent.
Q. Can I view a report of encrypted messages that have been received and read?
There isn’t a report that shows whether an encrypted message has been viewed, but Office 365 reports are available that show, for example, the number of messages that matched a specific transport rule.
Q. What does Microsoft do with the information I provide through the OME Portal and the OME Viewer App?
The Office 365 Messaging Encryption Portal and Viewer App privacy statement provides detailed information about what Microsoft does and doesn't do with your private information.