*New* Office 365 Message Encryption

Some more exciting news came out of September’s Microsoft Ignite conference – Microsoft has re-released Office 365 Message Encryption (I’m dubbing this product OMEnext for the time being). I use the term “re-released” because this functionality has been in Exchange Online for years. So if it’s been around for years, why the hype? This is now a next-generation message encryption technology built on top of Azure Information Protection.

This is a big deal for a few reasons. Number one, Azure Information Protection (AIP) is the information protection solution of choice going forward inside of Azure. This helps to “future-proof” the solution. Number two, putting message encryption inside of AIP gives you a heck of a lot more functionality and flexibility than you once had. One big deal here is that Microsoft now allows you to bring your own encryption keys. This was a big sticking point for a lot of companies and now it’s a non-issue. Lastly, this new method combines the best of both worlds with the old way of handling message encryption in Office 365 with the new way of handling it.

Licensing Requirements

Let’s get this one out of the way – like any other business, Microsoft is here to make money. As such, the use of Office 365 Message Encryption requires proper licensing in order to function. The information on this is murky at best, but OMEnext, at a minimum, requires the Azure Information Protection P1 license, or an Office 365 Commercial license like Enterprise E3. If you want functionality like BYOK and automatic classification of data, you’ll need to pony up for the AIP P2 license. For the purpose of OMEnext functionality, and for simplicity’s sake here, if you’ve got an Enterprise E3 and\or an Enterprise Mobility + Security (EMS) E3 license, you’re all covered on the licensing front.

Configuration Requirements

If you previously set up AD RMS, you’ve got some work to do first. If you haven’t getting OMEnext set up is pretty straight forward with some PowerShell magic required. You’ll need to download the Windows PowerShell for Azure Rights Management module first. Once you do that, log into the Azure RM module with a global administrator account for your tenant. Then you’ll need to issue the following commands:

After you issue those commands, you can test out the IRM Configuration using an email address in your tenant:

You should end up with something like this (your template names may vary based on when this was enabled):

Results : Acquiring RMS Templates …
– PASS: RMS Templates acquired. Templates available: Contoso – Confidential View Only, Contoso – Confidential, Do Not
Verifying encryption …
– PASS: Encryption verified successfully.
Verifying decryption …
– PASS: Decryption verified successfully.
Verifying IRM is enabled …
– PASS: IRM verified successfully.


If you want to make enabling encryption super easy for your end users in Outlook on the web, you can enable the new “Protect” button in your OWA policy in Exchange Online (connect to Exchange Online Powershell!):

Use it!

Now that you’ve got OMEnext set up, you should try it out! It’s super easy and can be sent to any recipients. If you’re in OWA, you simply hit the Protect button, craft your email and send it. In outlook, simply hit the Do Not Forward button under the Message tab:

Any replies to you will be auto-encrypted. Neat! One important note here – for Outlook clients, you MUST be using Office 365 ProPlus, or else you can’t use encryption from the Outlook fat client. So if you have a Business SKU, you won’t be able to hit that Do Not Forward button. Right now, Microsoft, Google, and Yahoo are federated. This means that when you send an email to recipients in those domains, they will be able to login with their own respective accounts to read the encrypted message. Otherwise, recipients will be required to input a one time passcode, MFA-style. No accounts needed.

Take it a step further with Transport Rules

For those of you who used to use OME are probably asking, “Well, great, I used to be able to use transport rules to automatically encrypt messages based on rules that I set forth. Now what??” The answer is, you’re in luck! Transport rules can still be used! However, instead of using the “Apply Office 365 Message Encryption” action, you’ll be using the “Apply Rights Protection” action with the template of your choosing (usually, for now, Do Not Forward – more on that later). You can then set forth any rules you like so that encryption will be used automatically. One use-case example for this is you’ve got a contract with a company that requires all contract-related communications to be encrypted. Just set up your rules to include any messages with the subject line, sender, recipient, etc., and you’re good to go. Super flexible and super easy.

Change from this:

To this:

One Big Gotcha, For Now…

Right now, OMEnext is a pretty complete and flexible solution. However, there is one big gap in terms of feature parity with the previous iteration of OME. This gap is called the “Encrypt Only” template. Let me explain, because the info is scarce on this, but it’s super important. Currently, you have two choices for templates with OME – you can use the built-in and unchangeable “Do Not Forward” (DNF) template, or you can create a custom template. The DNF template removes the ability for the recipient to Forward the encrypted email. The user can Read, Reply, and Reply All to the message. That’s it. The recipient can’t Print, Copy, or Forward the message.

Custom templates can be more flexible in that you can mix and match those permissions, however, custom template REQUIRE a recipient address or recipient domain to apply those “specialized” permissions to. What if you’ve got a user who wants to be able to apply these permissions to a recipient you haven’t specified in the custom template on the back end? Without contacting the help desk to add the recipient to the template, your user is out of luck – for now. Microsoft has promised the addition of what’s called the “Encrypt Only” template which will do just that – encrypt the email only. This means the recipient can do everything like Print, Copy, etc… Once this template is released, Microsoft will more than likely sound the death knell for the old OME.


The new Office 365 Message Encryption feature built on top of Azure Information Protection is an exciting addition to the ever-expanding portfolio of features inside of Office 365. Consequently, It’s a value-add that is extremely easy to set up and something that could be very useful to your company if it’s deployed correctly. Happy encrypting everyone!


General info –
Microsoft Tech Community chatter –
Ignite session –
AIP Info –
Feature Licensing Availability –



One thought on “*New* Office 365 Message Encryption

Leave a Reply

Your email address will not be published. Required fields are marked *