Tutorial: How to downgrade to the old Office 365 Message Encryption
Alex Fields
I recently shared the method used to enable the “new” Office 365 Message Encryption features, built on Azure Information Protection. That process can be followed either to set up a new tenant with the latest version (v2), or to upgrade an existing tenant from the old version (v1.2) to the new version.
And now I will share the opposite: how to go from v2.0 back down to the old 1.2 version, which uses a different transport rule action and comes with a slightly different client-side experience.
But first, “WHY?! Why would you want to go backwards, Alex? WHY?!!!”
I’ll tell you why.
Because for some Organizations, the “new” hip OME experience will be unacceptably cumbersome in certain situations. The two biggest issues I’ve seen so far are:
In the new version, recipients cannot forward, print or copy the content of the messages they receive. The reason is that the “new” features are really just using the RMS template for “Do Not Forward” to encrypt messages and apply protections. These protections include restrictions against printing, copying, etc., as well as a built-in expiry date about one year into the future. It is the only template that can be used to send to users outside the organization.
So, if your plan is to keep your information tightly safeguarded every single time you share anything outside the org, then this is a good option. However, if you just want an encrypted delivery mechanism, and you also want to allow your recipients to work with the message and its attachments and do more than just look at the content, then you’ll need a different solution (like the old version of Office 365 Message Encryption). There are plenty of scenarios where you’d want your recipients to be able to print documents they received securely, and so on.
Disparate recipient experiences
When using encryption technologies with email, organizations sometimes even have a “write-up” or “how-to” document that senders can get out in advance to their recipients. This is because encryption solutions aren’t always intuitive or convenient to use. But security isn’t always convenient, right? Even in the old version of Office 365 Message Encryption, users would get an email with an attachment, which they would need to open. That attachment is an HTML file that then presents them with sign-in options (use their Microsoft account or use a one-time passcode). It may not have been great, but it was better than a lot of the solutions out there. The steps are slightly different on mobile devices than in Outlook or other email clients, but the idea is about the same.
In the “new” experience, this gets convoluted quickly. I can honestly report it does work “better” on almost every non-Microsoft email client. Gmail, for example, is great, because I can even choose to sign in with my Google identity, and there is no more annoying attachment requiring a special viewer on mobile devices. It just works right through a browser. And if you have an up-to-date Outlook 2016 client, it is seamless: the message just opens right up. But if you have an older version of Outlook, say 2013 or 2010, it is horrible: you can’t open the message at all without a special download from Microsoft (the user will also need to pick between the 64-bit and 32-bit versions, for additional annoyance). Imagine sending out a document trying to explain the different scenarios depending on whether you have a certain Outlook version like 2010, and a 32-bit or 64-bit OS. Ick.
How to switch back to the old Office 365 Message Encryption
So if you plowed ahead with version 2.2, followed the instructions and were disappointed in the results, this is how to move backwards.
1. Connect to Exchange Online in PowerShell
# Prompt for admin credentials, open the remote session, and import the Exchange Online cmdlets
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session
2. Disable the “new” IRM configuration
Set-IRMConfiguration -AzureRMSLicensingEnabled $false -InternalLicensingEnabled $false -ExternalLicensingEnabled $false
Once you have that done, a test of the service should now fail:
Test-IRMConfiguration -Sender firstname.lastname@example.org
3. Enable the “old” IRM
# Point the tenant at the RMS Online key-sharing location, import the trusted publishing domain, then re-enable licensing
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
Set-IRMConfiguration -InternalLicensingEnabled $true
Set-IRMConfiguration -ExternalLicensingEnabled $true
Don’t forget to update your encryption mail flow rules: they should use the action Apply the previous version of OME (rather than an RMS template).
4. The last step is to test. Probably it won’t work. Then you wait. Like, for several hours. Then test again. Eventually it works.
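The four steps above, put together as one script that records the starting configuration, verifies that each step had the effect described, finds the mail flow rules still using the “new” RMS-template action, and then re-tests on a timer. This is an added example and is not the post’s own script. It assumes the Exchange Online session from step 1 is already imported, that `$sender` is replaced with a real mailbox in your tenant (the value below is a placeholder), that `Test-IRMConfiguration` prints an “OVERALL RESULT: PASS” or “FAIL” marker in its output, and that `Set-TransportRule` accepts clearing the template and setting `ApplyOME` in a single call; the `-ApplyOME` parameter is the PowerShell name for the “Apply the previous version of OME” action.

```powershell
# Added example (not from the original post): walk the downgrade end to end,
# checking state before and after each step. Assumes the Exchange Online
# session from step 1 is already imported.
$sender = 'firstname.lastname@example.org'   # placeholder, replace with a real mailbox

# Assumption: Test-IRMConfiguration reports "OVERALL RESULT: PASS" / "FAIL"
# in its output; we only look for that marker rather than parsing every line.
function Test-OmePasses {
    param([string]$Sender)
    $text = Test-IRMConfiguration -Sender $Sender | Out-String
    return ($text -match 'OVERALL RESULT:\s*PASS')
}

# Record the starting point so you can compare afterwards (or roll back).
$before = Get-IRMConfiguration
$before | Select-Object AzureRMSLicensingEnabled, InternalLicensingEnabled,
    ExternalLicensingEnabled, RMSOnlineKeySharingLocation | Format-List

# Step 2: turn off the AIP-based ("new") configuration.
Set-IRMConfiguration -AzureRMSLicensingEnabled $false `
    -InternalLicensingEnabled $false -ExternalLicensingEnabled $false

if (Test-OmePasses -Sender $sender) {
    Write-Warning 'IRM test still passes after disabling; the change may not have propagated yet.'
} else {
    Write-Host 'IRM test fails as expected; the new OME is off.'
}

# Step 3: point the tenant at the RMS Online key-sharing location, import the
# trusted publishing domain, and re-enable licensing for the "old" OME.
Set-IRMConfiguration -RMSOnlineKeySharingLocation 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
Set-IRMConfiguration -InternalLicensingEnabled $true
Set-IRMConfiguration -ExternalLicensingEnabled $true

# Mail flow rules: any rule still applying an RMS template (the "new" OME
# action) needs to be switched to "Apply the previous version of OME",
# which is the ApplyOME action. Review the list before changing anything.
$newStyleRules = Get-TransportRule | Where-Object {
    $_.ApplyRightsProtectionTemplate -and -not $_.ApplyOME
}
$newStyleRules | Select-Object Name, ApplyRightsProtectionTemplate, ApplyOME | Format-Table -AutoSize

foreach ($rule in $newStyleRules) {
    # Assumption: clearing the template with $null and setting ApplyOME is
    # accepted in one call; if your tenant rejects it, do it as two calls.
    Set-TransportRule -Identity $rule.Identity -ApplyRightsProtectionTemplate $null -ApplyOME $true
}

# Step 4: test, and keep testing; the post notes it can take several hours.
$attempt = 0
while (-not (Test-OmePasses -Sender $sender) -and $attempt -lt 12) {
    $attempt++
    Write-Host "Attempt $attempt : old OME not ready yet, waiting 30 minutes..."
    Start-Sleep -Seconds 1800
}
if (Test-OmePasses -Sender $sender) {
    Write-Host 'Old OME is working.'
} else {
    Write-Warning 'Still failing after 6 hours; re-run Test-IRMConfiguration later.'
}
```

Run it from the same session in which step 1 was completed. The rule listing is printed before any rule is changed so you can stop and edit by hand if a rule does something other than plain encryption; the retry loop simply automates the “wait, then test again” part of step 4.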