Tutorial: Enabling the “new” Office 365 Email Encryption

15 January 2018, Technical

Previously we have covered Office 365 Message Encryption, as well as what used to be called Azure Rights Management (now Azure Information Protection). The name changes weren’t confusing enough for us, right? Well, a while back they announced this big change to the email encryption experience. But it is a little bit misleading. That is, the “new” encryption technology isn’t really new at all.

Take for example this shiny new button we get for “protecting” our messages in OWA. With the “protect” feature, you are really just getting a shortcut to apply the Do Not Forward permission to your messages. But we had that capability before. You can also set up transport rules for it, which again, was available previously.


What really changed?

Using the original Office 365 Message Encryption feature, users would receive an HTML attachment; when they opened it, they were asked to sign in (using a Microsoft account or a one-time passcode) and redirected to a website, where they could view the message in a web browser. Now there is a new experience that makes things a little easier. But note: the protection is really just Do Not Forward; it is not using the “Office 365 Message Encryption” feature anymore. Microsoft appears to be encouraging us to move away from the “old” Office 365 Message Encryption experience and toward the “message protection” features, e.g. Do Not Forward.

Here is how the experience looks for end users who are recipients of a protected message. If they have Outlook 2016, Outlook for iOS, Outlook for Android, or Outlook on the web, they will be able to open these messages seamlessly in the Outlook client. The content is still protected as always: you cannot copy, print or forward the content (so I don’t have a screenshot for you, since it won’t let me), but nothing further is required. If the recipient is signed into Outlook using their Microsoft account (and has the latest updates), they should be good to go.

On the other hand, if recipients don’t have the official Outlook client to open these messages, they will have to click through to read the message on the web. Check out Gmail:

Notice, however, that the process is now a bit easier (no attachment), and I can even sign in using my Gmail account. A one-time passcode is still an option, too.

Just like that, I can retrieve my message via the browser (screenshots allowed here I guess):

Yes, this is still encryption

The Do Not Forward permission does in fact encrypt the content of the message, including attachments. If you are not the intended recipient, you will not be able to open and view the contents. You must be able to “sign in” as the intended user. Furthermore, the intended recipient will not be able to forward or copy the message contents out.

It is worth mentioning that the other permissions that are included, Confidential and Highly Confidential, still apply encryption and special permissions, but they only apply to internally sent messages (within the company). I think the vast majority of small businesses will be most interested in the Do Not Forward permission for that reason (it is the only default that applies to both internal and external messages).

How to set up the new features

In a new tenant, or a tenant that has not previously configured the old Azure RMS or OME features, you will need one of the following:

  • An Office 365 subscription that includes Azure Rights Management as well as Exchange Online or Exchange Online Protection (EOP).

  • An Azure Information Protection subscription and an Office 365 subscription that includes Exchange Online or Exchange Online Protection (EOP).

Then it is all done through PowerShell. Note that the following is accepting all defaults, and we’re not doing any fancy Bring Your Own Key (BYOK) or custom templates or anything like that. See this page for the source of this script:

It can take a while before all of this goes through, and if you just applied your licensing, you may be unable to proceed until the back-end service has caught up with you. But when you’re done, you can test it:

Notice that when you get the IRM configuration, you no longer see the RMS publishing locations and so on; those values are no longer needed with the new method.

Finally, you can exit your session:

If you are working in a tenant where you had previously enabled the original Office 365 Message Encryption (probably with a transport rule), then following the above procedure and simply replacing your transport rules will suffice to get you on the new hotness.

If setting up transport rules, you would not choose Apply Office 365 Message Encryption, as before, but instead, Apply rights protection.
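The procedure above, end to end, as an added example (this is not the author’s script, which is not reproduced on this page): it enables Azure RMS licensing in Exchange Online with all defaults (no BYOK, no custom templates), verifies the configuration with the test cmdlet, and then creates a transport rule that applies rights protection instead of the old “Apply Office 365 Message Encryption” action. It assumes the ExchangeOnlineManagement module is installed, and the admin account, test mailbox, rule name and subject tag are placeholders to replace.

```powershell
# Added example, not the author's script. Assumes the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and a tenant that already
# holds an Azure Information Protection / Azure RMS licence.

$AdminUpn   = 'admin@contoso.example'   # placeholder: your admin account
$TestSender = 'user@contoso.example'    # placeholder: a licensed mailbox to test with
$RuleName   = 'Protect tagged external mail'

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Enable Azure RMS licensing for the tenant, accepting all defaults.
Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true

# Show the two flags that matter; the old RMS publishing/key-sharing
# locations are no longer needed with this method.
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled

# Verify. If licensing has not propagated yet the test fails; wait and re-run
# rather than creating rules that would apply a template the tenant cannot use.
$result = Test-IRMConfiguration -Sender $TestSender
if ($result.Results -notmatch 'OVERALL RESULT: PASS') {
    Write-Warning "IRM test did not pass yet:`n$($result.Results)"
}

# Confirm the built-in template is visible before referencing it in a rule.
Get-RMSTemplate | Where-Object { $_.Name -eq 'Do Not Forward' }

# Replacement for an old OME transport rule: apply rights protection (Do Not
# Forward) to mail leaving the organisation whose subject carries a tag.
New-TransportRule -Name $RuleName `
    -SentToScope NotInOrganization `
    -SubjectContainsWords '[Secure]' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Review what was created, then end the session.
Get-TransportRule $RuleName | Format-List Name, SentToScope, SubjectContainsWords, ApplyRightsProtectionTemplate
Disconnect-ExchangeOnline -Confirm:$false
```

Send a tagged message from the test mailbox to an external address afterwards; the recipient should see the new web experience (or open it directly in a supported Outlook client) with no HTML attachment.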



8 thoughts on “Tutorial: Enabling the “new” Office 365 Email Encryption”

  • 1
Mario on January 17, 2018

Thanks for this article. What I don’t understand is how I find out if my organization has this?

    How to setup the new features
    In a new tenant, or a tenant who has not previously configured the old Azure RMS or OME features, you will need the following:

    An Office 365 subscription that includes Azure Rights Management as well as Exchange Online or Exchange Online Protection (EOP).

    An Azure Information Protection subscription and an Office 365 subscription that includes Exchange Online or Exchange Online Protection (EOP).

    • 2
Alex on January 18, 2018

      In order to use the features you need either Azure Information Protection as an add-on to some Exchange plan, or if you have the E3 plan for example, then it is already included.

      • 3
Mario on January 18, 2018

Right, and how do I know what subscription I have in both environments?

        • 4
Alex on January 20, 2018

          Check out your billing/subscriptions from the admin portal.

  • 5
Mike Shaw on February 2, 2018

What if you don’t have the option you are referring to that just says Apply Rights Protection? In the tenant I am working with we have the following options.

    Apply Office 365 Message Encryption and rights protection
    Require TLS encryption
    Apply the previous version of OME
    Remove the previous version of OME
    Remove Office 365 Message Encryption and rights protection

    In this instance I chose the first one Apply Office 365… and chose the Do Not Forward RMS template.

    • 6
Alex on February 11, 2018

      Yep, that sounds like you did it correctly.

  • 7
lofiz on February 12, 2018

We tried enabling the “new” Office 365 Email Encryption on our tenant, but we have problems with external users: they can’t open the encrypted mail. Once they click on social auth or use the one-time code, they get “You are not allowed to see this message. This message is protected and you are not allowed to view it.”
Any idea? Thanks

    • 8
Alex on February 12, 2018

      Haven’t seen that message. I have seen the one where it basically tells you to wait 5 minutes and try again. So far that has been unresolved, and we just ended up rolling back to the old version.
