You give Encrypt button back NOW, Microsoft!!!!

Back to Blog
02Nov2019

You give Encrypt button back NOW, Microsoft!!!!

Recently Sensitivity labels were brought to Outlook, across all the various apps now, including mobile, desktop and web access.

This drama has certainly been worth watching. I think Sensitivity labels should gain a lot of traction in general over the next year or two. It’s so much more powerful than most people yet realize: Security that travels with the message or document wherever it roams, and is enforced not through some kind of “container” or perimeter-based protection, but rather a label–which corresponds to an abstract object in the cloud that contains the permissions list for documents bearing said label.

Therefore even with a single message or file that ends up traveling or spreading across multiple locations: Exchange, OneDrive, Teams, SharePoint, etc. or multiple clouds even (Google, DropBox, whatever), I would still only need to manage permissions and access to the original document as well as any other copies of that document in one single place: on the label via the 365 Security &/or Compliance admin centers.

Really cool stuff, and glad to see they continue to make forward progress bringing this functionality to all the various apps and services.

But, I have only one complaint for today… that area where you see the Sensitivity button in Outlook now? Yeah, that used to be the Encrypt button. And even though I love Sensitivity labels… I love the Encrypt button even more.

We miss you, Encrypt button.

The reason is that 90-95% of the time, today at least, the only thing my customers really want to do with Information Protection in Outlook is ENCRYPT an email. Some of them like the Do Not Forward option too (really the only Outlook specific permission I can currently apply with a custom Sensitivity label anyway), but that’s a much smaller subset of people than those that just want pure and simple encryption.

So Microsoft, let me remind you that we went through all of this before:

First there was NO BUTTON, and you had to manually trigger encryption using like a subject line or body tag and a transport rule. YUK!

Then, thank Goodness, a button arrived, but it was buried and not super obvious what it was for. It also applied more protection by default with the Do Not Forward template, which also prevented printing any attachments.

FINALLY the button became more prominent and clear (in OWA at least–but it was called Protect instead of Encrypt), and then eventually the default permission was set to the Encrypt only template, which only encrypts the message and attachments (doesn’t apply any other restrictions like printing, forwarding, etc.).

It took sooooo long to win that button battle… I was soooo happy when they finally got it (mostly) right. Aaaaannnd now I’m soooooo bummed, because it’s buried again.

Eff you ellipses. Just Eff you.

Look Microsoft, I really don’t think it’s too much to ask that you bring the Encrypt button back. And while you’re at it, can we have the Encrypt button also prominently displayed on the Home ribbon in Outlook for the desktop? It’s still hiding under the Options tab. Blah.

We were almost there on Outlook desktop too…

Just. Put. The. Button. Where. It. Belongs.

I don’t care what you do with the Sensitivity button. I mean, we’re proud of you–good work. And you can leave it on the home ribbon too if you want to, or maybe put it under an ellipses or back on the Options tab since it is second choice / less frequent an ask in my experience (will probably be used more to mark confidential internal emails, etc.).

My last choice would be if you placed the Encrypt button under the Sensitivity labels, and that was like a default label applied globally to everyone. But… no don’t do that. Seriously, what about just going back to the good old fashioned Encrypt button? That seems easiest.

Opinion , , , , , 11 Comments
Share:

Comments (11)

  • Bhavesh Shah Reply

    I am not sure but many organizations must have trouble with encryption button if they are using third party solution to monitor data leakage. We had to disable this button as our third party solution can not inspect attachment if sent as encryption.

    Look at wider audience

    November 2, 2019 at 11:00 am
    • Alex Reply

      Or maybe look at what is available first party before going to third…

      November 2, 2019 at 6:05 pm
  • Aaron Jacobs Reply

    Our ever better, let us choose!

    November 3, 2019 at 12:07 am
  • Edward Mendoza Reply

    I believe the Encrypt button is replaced with Sensitivity if you enable Unified Labeling. At least that seems to be the case with the tenant where we have it enabled. I do not see a way to turn it off once it is enabled.

    February 21, 2020 at 2:10 pm
  • Kevin Nguyen Reply

    I just migrated to M365 and trying to implement encryption for email and files. Also working on Azure Information Protection and things get confusion with the classic label and the new unifying label. I’m starting to understand it a bit, but still not sure I need both the Sensitivity button and the Encrypt button.

    Doesn’t the Sensitivity button does the same thing as the Encrypt button if you configure it like so?

    November 17, 2020 at 3:31 pm
    • Alex Reply

      There are two encryption templates: Encrypt only and Do Not Forward. The Sensitivity labels (unified labels) do not at present have the ability to apply the Encrypt only template, only the Do Not Forward. So I can create a label that applies Do Not Forward, but not Encrypt. Encrypt is more flexible, in that you do not have to apply restrictions such as preventing copy/paste, forwarding and so on. The message can be encrypted but not restricted. If that makes sense. If they do open the ability to apply Encrypt only using a Sensitivity label, then I would just create an Encrypt only label, and then yes the other button would be moot.

      November 18, 2020 at 12:01 pm
  • Kevin Nguyen Reply

    I understand it now. I didn’t start configuring Sensitivity Label, so didn’t realize that it’s not possible. Very inconvenient for users. Would you please let me know if I got this right regarding the templates under the Encrypt button?

    1) Encrypt and “Do Not Forward” template came from OME and is not configurable.
    2) You can configure the templates in Azure Information Protection under the “Protection templates” in Labels. These two templates, Company Confidential and Highly Confidential< also show up under the Encrypt button. Are the part of OME or AIP?

    November 19, 2020 at 1:37 pm
    • Alex Reply

      Yeah those harken back to the olden days of AIP and OMEv1. I believe new tenants just have the two in OMEv2. The Confidential/Highly Confidential stuff belongs in Sensitivity labels rather than using those protection templates. Eventually I would like to see the option to add “encrypt” to a Sensitivity label, and be done with the distinction. Time will tell.

      November 20, 2020 at 1:50 pm
  • John Reply

    How in the hell does someone even get the Encrypt button to appear in Outlook desktop? Appears and functions fine in OWA, but cannot get it to appear in Outlook (“MS 365 Apps for business”)?

    March 15, 2021 at 4:00 pm
    • Alex Reply

      It is not as prominent as it is in Outlook but it should be there. New message (separate window not within the preview pane) > Options (on the ribbon) > Encrypt, or go to File > Encrypt

      March 16, 2021 at 4:21 pm
    • Alex Reply

      And your subscription must support it (e.g. Microsoft 365 Business Premium)

      March 16, 2021 at 4:22 pm

Leave a Reply

Back to Blog

Related Posts

The three opportunities for MSP's moving forward
30Jul

The three opportunities for MSP’s moving forward

The writing has been on the wall a while now; with a mass exodus to cloud services such as Microsoft 365 from traditional on-premises infrastructure, it was only a matter of time before those selling MSP services had to either evolve or die off. And... read more
27Apr

Differences between Shared Mailboxes, Distribution Lists and Office 365 Groups

Before we begin our article today, I just want to say this: if you guys and gals aren't aware of the CIAOPS community yet, then you should definitely check it out. It's a great place to hang out, with lots of smart people both asking... read more
31Mar

Comparing Costs: Azure IaaS vs. On-Premises Server Hardware

Most people do not compare costs of running infrastructure in Azure to traditional on-premises deployments appropriately. To begin with, it is almost impossible to compare them apples-to-apples. For example: as soon as you deploy a VM in Azure, all of your data will be written into 3 different storage locations... read more
25Nov

Unpopular opinion: Do not restrict users from creating Teams (Office 365 Groups)

I realize that advocating for no (or very limited) boundaries on who can create Teams puts me in the minority. When I look out across the community, I mostly see consultants in this space suggesting the opposite is a superior approach for various reasons--that the... read more
21Jul

My opinion on Microsoft Threat Protection for the SMB

Since I released my guide on Microsoft 365 E5 Security and Microsoft Threat Protection, I have been getting a lot of questions and comments about my stance on the use of these products for SMB customers. I left it too neutral, I guess, in the... read more
07Jul

Yes, you really can let go: Microsoft 365 Groups and Teams creation policy, revisited

I have to laugh because this is still such a seemingly controversial idea. "Should users be allowed to create their own Teams?" I have written about this topic many times before, but I still get the best comments about it from non-believers. The real issue... read more
05Oct

iPadOS (iOS 13+) still not compatible with MAM enforced by Conditional access

Update 11/18/2019: This issue has now been fixed. I wrote about this before the update dropped, and in my testing since then I am afraid the situation has not improved. The setup Create a Conditional access policy for iOS that requires an approved client app.... read more
10Mar

Azure AD Premium vs. Azure AD with Office 365

If you have an Office 365 subscription, then you already rely on Azure Active Directory. If you have DirSync or Azure AD Connect enabled, then that means your on-premises user identities and passwords are being synchronized to your Azure Active Directory tenancy in the cloud. I recommend... read more
14Oct

Why you shouldn’t disable external sharing (really)

Okay, so anyone who has ever done consulting with Microsoft / Office 365 before has probably heard this question: "Can we disable external sharing?"--Any customer at every Office 365 consulting engagement, ever. Bless their souls, these questions are usually coming from a good place, but to see... read more
10Nov

How Skype for Business changed the way I work

This platform can do way more than what I'm using it for right now (I don't have the extra fancy features where you can get a phone number, call land lines, forward to your cell, etc.). My understanding is that Skype can do all that,... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me