The encryption button fiasco


I have done quite a few posts recently on the new Office Message Encryption (OME) features in Office 365 Exchange Online.

This past winter, Microsoft released version 2 of OME, which had some improvements over version 1 but came with some downsides and trade-offs as well. Often the downsides were annoying enough that many customers just ended up downgrading back to OME v1.

Even more recently, however, Microsoft released some updates to v2, including a new "Encrypt" template which was long overdue. I think it is safe to say now that we should be embracing version 2. I have been working with it and find that it is much improved, and basically what we've been asking for since, I don't know, ever.

Now, the new version also introduced something else which probably should have been included all along: a button that allows you to easily encrypt your email messages, right in the UI.

The only problem is that this button is ONLY available in the Outlook Web Access client (OWA), i.e. the browser-based Outlook in Office 365. An equivalent is not yet available in the desktop Outlook client for Windows (and a majority of enterprises, small and large alike, still prefer the desktop client over OWA).

So in practice, organizations adopt an Exchange Online mail flow (transport) rule, or a series of them, that triggers encryption when certain conditions are met. The most popular is an encrypt rule keyed to a subject or body tag (matching a text pattern such as "Encrypt" or "SecureMail").

As you can probably guess, I hear this complaint more than any other: Why in the actual eff are we HERE?! Why not just have a simple button for triggering encryption on demand? It's a valid question. It is easy enough to misspell or mistype your subject line or body tag, right? SecreMail anyone? No? The rule doesn't match, the message goes out in the clear, and nobody notices until someone asks why. Compliance violation? Oops.

So, to be fair, the new version of OME does give you a (not easy to find) Permissions button in Outlook that applies the Rights Management templates. These encrypt the message too, but they also apply usage restrictions you may not want: the Confidential template means the message can only be read within your own organization, while Do Not Forward prevents recipients from forwarding, copying or even printing the content.
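As an added example, not code from the original post: the kind of Exchange Online mail flow rule that a subject or body tag triggers, created and then verified from PowerShell. The rule name, the two tags, the admin account and the template name "Encrypt" are assumptions for the illustration; the ExchangeOnlineManagement module and an Exchange admin account are assumed to be available. Listing the templates first matters, because the Encrypt template is not guaranteed to be present in every tenant.

```powershell
# Added example (not from the original post). Creates the mail flow rule that a
# subject/body tag triggers, then checks it. Assumes the ExchangeOnlineManagement
# module; the UPN, rule name, tags and template name below are assumptions.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # hypothetical admin UPN

# Confirm which RMS templates the tenant actually has before referencing one.
# OME v2 tenants should show "Encrypt" (encrypt only); "Confidential" and
# "Do Not Forward" add usage restrictions on top of the encryption.
Get-RMSTemplate | Select-Object Name, Type

$ruleName = "OME - encrypt on subject or body tag"   # assumed name
$tags     = @("Encrypt", "SecureMail")               # assumed tags; must match what users type

# Word matching is case-insensitive but exact: "SecreMail" does not match,
# so a mistyped tag means this rule never fires and the mail leaves unencrypted.
New-TransportRule -Name $ruleName `
    -SubjectOrBodyContainsWords $tags `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Users put one of: $($tags -join ', ') in the subject to trigger encryption" `
    -Mode Enforce

# OME v1 tenants apply the older OME encryption instead of a template:
# New-TransportRule -Name "OME v1 - encrypt on tag" -SubjectOrBodyContainsWords $tags -ApplyOME $true

# Verify state, mode, the exact word list and the template before telling users about the tag.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate
```

The `-Mode Enforce` setting is the one that actually encrypts; `Audit` only records matches, which is useful for a day or two of testing the tag with real users before switching it on. If the template list does not include "Encrypt", the `New-TransportRule` call fails rather than silently falling back, which is the behaviour you want.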

But all we really want is an experience roughly equivalent to what is available in OWA. Is it so hard, Microsoft? Now, I don't write software code, so maybe it is. I dunno. But as a workaround, here is what I am going to start recommending instead (no coding required).

How to create your own encryption button

Simply create a "Quick Step" that automatically starts a new message with your subject line tag pre-inserted. Admittedly, it is a very low-tech solution, but it works, and it works regardless of whether you're using OME v1 or v2, since the encryption itself is still done by the mail flow rule that looks for the tag.

1. From the Home tab, click Create New under Quick Steps.

2. Give it a name.

3. Choose New Message for the action.

4. Expand the options so you can fill in the Subject with your tag (e.g. Encrypt, SecureMail, or whatever your rule matches).

5. Click Finish.

(Note: the above rule could also be modified to use a body tag instead)

The result is, you now have a button in Outlook under your Quick Steps that will open a new message with the subject line tag already present.

Like I said, low tech. But it works. Two caveats: the Quick Step only pre-fills the text, so if a user edits the subject and drops the tag, the rule won't match and the message goes out unencrypted; and there is no way to control this via Group Policy that I am aware of, so each user would need to set it up for themselves. For a higher-tech solution, something may exist, but it probably involves macros or some other light coding (Outlook VBA or the like). Nothing I really want to spend time on. Of course what we really want is for Microsoft to give us the same button and options that we already have in OWA. Fingers crossed; other wishes of mine have come true lately…

Comments (5)

  • Paul W

    Thanks for the article

    Quite confusing this, as in one of my tenants I have an 'Encrypt' rule pre-made in my 'permissions' button, and in the other I don't.

    MS say that sometimes it’s there but they can’t guarantee it, the exact words of the engineer were:
    “As per the guidelines, we can not guarantee it.”

    May 21, 2018 at 7:09 am
  • Paul Walker

    The biggest problem with Microsoft encryption is that people using it look from their perspective and not the recipient's perspective. What the recipient gets is a log-in page, which then leads to the email. The problem is for systems that automatically file incoming emails to files/cases etc. and email archiving systems. What you get is email after email of log-in pages, making it impossible for the recipient to see and trace email content/what the email contains. How long will the emails be retained on Microsoft's servers? The present solution in the solicitors I work at is that everything is printed off and put on a file if the sender uses encryption; there is no other way around it. The whole system is absolutely useless.

    June 8, 2018 at 7:30 am
    • Alex

      What is really happening with the encryption is that the message never really leaves the 365 server. So you get a link to sign into the server instance, that way the contents of the message never “goes” anywhere. But, it all depends on what you are trying to achieve/protect. There are other ways to, for example, ensure that you are sending email messages via TLS between certain partner organizations with whom you regularly exchange email–and that will mean that the mail cannot be delivered over an encrypted communication channel, such as port 25. Many organizations go that route, when they want their archiving/journaling or whatever to capture the messages and keep them searchable.

      June 14, 2018 at 10:14 am
  • Jacob R

    Yeah, about 2 months ago I thought they fixed the issue of IRM being applied to Office documents when encrypting an email using OMEv2. It worked on all of my tests, but then one partner complained that they couldn't open it, so we went back to OMEv2 again. I am thinking that person had some outdated software or something, but it's kind of hard to tell hundreds of people they need to update their Outlook.

    Although, with me, the problem was people opening an email through Outlook on the desktop, and IRM was applied to the attachment when I only wanted encryption. But once I see this button on OWA, maybe I will convert to OMEv2 and not tell anyone and just see if any complaints come. OWA always forget as far as opening an encrypted email with an attachment using OMEv2, but not Outlook on the desktop.

    February 18, 2019 at 10:48 am
    • Alex

      OMEv2 should be the best option now. You do not need special software. It is possible to enable decryption of downloaded attachments. See my recent article on AIP for email encryption.

      February 18, 2019 at 3:16 pm
