The encryption button fiasco

Back to Blog
09Apr2018

The encryption button fiasco

I have done quite a few posts recently on the new Office Message Encryption (OME) features in Office 365 Exchange Online.

This past winter, Microsoft released version 2 of OME, which had some improvements over version 1, but came with some downsides/trade-offs also. Oftentimes, the downsides were so annoying, that many customers just ended up downgrading back to OME v1.

Even more recently, however, Microsoft released some updates to v2, including a new “Encrypt” template which was long overdue. And I think it is safe to say now that we should be embracing version 2–I have been working with it, and find that it is much improved, and basically what we’ve been asking for since, I don’t know, ever.

Now, the new version also introduced something else which probably should have been included all along: a button that allows you to easily encrypt your email messages, right in the UI:

The only problem is that this button is ONLY available in the Microsoft Outlook Web Access client (OWA)–e.g. the online portal for Microsoft Outlook in Office 365. An equivalent is not yet available in the normal Outlook client for Windows (and a majority of small and large enterprises alike still prefer the Outlook client over OWA).

So what this usually means is: organizations adopt a rule or series of rules which triggers encryption based on certain conditions. The most popular is to configure an encrypt rule based on a subject or body tag (matching some text pattern such as “Encrypt” or “SecureMail”).

As you can probably guess, I see this complaint probably more than any other: Why in the actual eff are we HERE?!  Why not just have a simple button for triggering the encryption on demand? It’s a valid question. It is easy enough to misspell or mistype your subject line or body tag, right?  SecreMail anyone? No? Compliance violation? Ooops.

So to be fair, in the new version of OME, Microsoft provides a (not easy to find) button which will allow you to apply the Rights Management templates–and these have the effect of encryption–if you don’t also mind the annoying permissions that they apply along with it. Confidential permissions mean that the message can only be sent within an organization, while the Do Not Forward permissions will prevent anyone from forwarding, copying or even printing the content.

But all we really want is to have an experience roughly equivalent to what is available in OWA. Is it so hard, Microsoft?  Now I don’t write software code, so maybe it is. I dunno. But, as a workaround, here is what I am going to start recommending we do instead (and no coding required).

How to create your own encryption button

Simply create a “Quick Step” that automatically starts a new message with your subject line tag pre-inserted.  Admittedly, it is a very low-tech solution, but it works. AND it works regardless of whether you’re using OME v1 or v2.

From the Home tab, click Create New under Quick Steps as shown below.

Then, simply fill in the details to create your rule.

2. Give it Name

3. Choose New Message for the Action.

4. Expand the options so you can fill in the Subject with your tag (e.g. Encrypt, SecureMail, or whatever)

5. Click Finish

(Note: the above rule could also be modified to use a body tag instead)

The result is, you now have a button in Outlook under your Quick Steps that will open a new message with the subject line tag already present.

Like I said, low tech. But it works. Note that there is no way to control this via Group Policy that I am aware of, so each user would need to set it up for themselves. For a higher-tech solution, something may exist, but it probably involves macros or some other light coding, maybe VBS scripts or something. Nothing I really want to spend time on. Of course what we really want, is for Microsoft to give us the same button’/options that we have in OWA already. Fingers crossed–other wishes of mine have come true lately…

Business, Technical , , 5 Comments
Share:

Comments (5)

  • Paul W Reply

    Thanks for the article

    Quite confusing this, as in one of my tenants I have an ‘Encrypt’ rule pre made in my ‘permissions’ button , and the other I don’t

    MS say that sometimes it’s there but they can’t guarantee it, the exact words of the engineer were:
    “As per the guidelines, we can not guarantee it.”

    May 21, 2018 at 7:09 am
  • Paul Walker Reply

    The biggest problem with Microsoft encryption is that people using it look from their perspective and not the recipients perspective. What the recipient gets is a log in page, which then leads to the email. Problem is for systems that automatically file incoming emails to files/cases etc and email archiving systems. What you get is email after email of log in pages making it impossible for the recipient to see and trace email content/what email contains. How long will the emails be retained on Microsoft’s servers?. The present solution in the solicitors I work at is everything is printed off and put on a file if the sender uses encryption, no other way around it. The whole system is absolutely useless.

    June 8, 2018 at 7:30 am
    • Alex Reply

      What is really happening with the encryption is that the message never really leaves the 365 server. So you get a link to sign into the server instance, that way the contents of the message never “goes” anywhere. But, it all depends on what you are trying to achieve/protect. There are other ways to, for example, ensure that you are sending email messages via TLS between certain partner organizations with whom you regularly exchange email–and that will mean that the mail cannot be delivered over an encrypted communication channel, such as port 25. Many organizations go that route, when they want their archiving/journaling or whatever to capture the messages and keep them searchable.

      June 14, 2018 at 10:14 am
  • Jacob R Reply

    Yeah, about 2 months ago I thought they fixed the issue of IRM be applied to Office documents when encrypting an email using OMEv2. It worked on all of my tests but then one partner complained that they couldn’t open it so we went back to OMEv2 again. I am thinking that person had some outdated software or something but its kind of hard to tell hundreds of people they need to update their Outlook.

    Althoug, with me, the problem was people opening an email through Outlook on the desktop and IRM was applied to the attachment when I only wanted encryption. But once I see this button on OWA, maybe I will convert to OMEv2 and not tell anyone and just see if any complaints come. OWA always forget as far as opening an encrypted email with an attachment using OMEv2 but not Outlook on the desktop.

    February 18, 2019 at 10:48 am
    • Alex Reply

      OMEv2 should be the best option now. You do not need special software. It is possible to enable decryption of downloaded attachments. See my recent article on AIP for email encyrption.

      February 18, 2019 at 3:16 pm

Leave a Reply

Back to Blog

Related Posts

11Nov

From Ignite 2019: Office 365 ATP Best Practices Analyzer, and other actions MS is taking to democratize security

I haven't had time to write an overall review of Ignite and all the various announcements that were made. And honestly, I might just skip that because there are so many others out there doing the same. They probably did an even do a better... read more
21Jan

Password write-back is now supported on Microsoft 365 Business Premium! (And how to setup SSPR for hybrid accounts)

Well, well. Isn't this a pleasant surprise? Microsoft recently granted another one of my wishes, which I have previously blogged about, here. (1) Self-service password reset (SSPR) is now supported for hybrid synced accounts on the Microsoft 365 Business Premium subscription. The welcome announcement made on... read more
26May

Migration path from SBS to Office 365 & Windows Server 2016

So many small businesses adopted Microsoft's Windows Small Business Server (SBS) product--now that the product has been discontinued, these organizations tend to need a little more guidance regarding the migration path forward from SBS 2003, 2008 or 2011. Do I still need an On-premises Windows Server? With the option to... read more
01Sep

Updated best practices guides, Conditional access policy design and more!

Update March 2023: All of the Best Practices Checklists and Guides have seen major updates since this article was originally posted. You can obtain the Best Practices here. Updates this month include several revisions to the Azure Active Directory Best Practices checklist, and some updates to... read more
09Nov

Migrate from Windows Server Essentials with Azure AD integration to Windows Server Standard and Azure AD Connect

I have a love-hate relationship with Windows Server Essentials. It's a great product with a lot of goodness baked in, but there are some real limits to it as well. On the one hand, Remote Web Access, Client PC backup, the Azure Recovery plugins, and... read more
15Jan

Differences between Azure Information Protection labels and Office 365 Sensitivity labels

In the previous two posts, we looked at two capabilities of Azure Information Protection (AIP) P1, which is one of the many subscriptions bundled into Microsoft 365 Business: Email encryption & customizationLabels for classifying messages and documents Recent announcements have shifted the sands a bit... read more
21Nov

How to enforce the use of managed applications (e.g. the Outlook app for Exchange Online) using Conditional Access in Azure AD Premium

In a previous post I demonstrated how easy it is to create a Mobile Application Management policy in Microsoft 365. With the addition of Azure AD Premium P1, we can also leverage Conditional Access polices that will require users to interact with corporate data through... read more
06Oct

Tutorial: How to setup and configure Microsoft Azure Backup Server, part 2: configuring

In the previous post, we discussed Microsoft Azure Backup Server, and covered the basic setup/installation process for this software. In today's article, we will cover configuration of the software. Pre-requisites We have covered almost everything in the previous article, but to review, and to begin moving forward... read more
04Jul

Migrating File Shares from SBS to Windows Server 2016 Essentials Experience

To copy files from a legacy file server to a new file server, whether 2012 R2 or 2016, the process would be the same. Note: Some files shares might be better off in SharePoint, and users' personal Documents Libraries can probably go to OneDrive. This could greatly... read more
22Aug

Why MDM for Office 365 may be obsolete, with updates to Exchange Active Sync

Disclaimer: This is not breaking news, what I am about to describe has been available for a while, but I just haven't gotten around to blogging about it. Previously I wrote about MDM for Office 365, and I had to update that article since Microsoft... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me