Define mail flow rules to encrypt email messages in Office 365

As an Office 365 global administrator, you can create mail flow rules, also known as transport rules, to help protect email messages you send and receive. You can set up rules to encrypt any outgoing email messages and remove encryption from encrypted messages coming from inside your organization or from replies to encrypted messages sent from your organization. You can use the Exchange admin center (EAC) or Windows PowerShell cmdlets for Exchange Online to create these rules. In addition to overall encryption rules, you can also choose to enable or disable individual message encryption options for end-users.

If you recently migrated from AD RMS to Azure Information Protection, you'll need to review your existing mail flow rules to ensure that they continue to work in your new environment. Additionally, if you want to take advantage of the new Office 365 Message Encryption (OME) capabilities available to you through Azure Information Protection, you need to update your existing mail flow rules. Otherwise, your users will continue to receive encrypted mail that uses the previous HTML attachment format instead of the new, seamless OME experience. If you haven't set up OME yet, see Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection for information.

Create a mail flow rule to encrypt email messages with the new OME capabilities

You can define mail flow rules for triggering message encryption with the new OME capabilities by using the EAC.

To create a rule for encrypting email messages with the new OME capabilities by using the EAC

  1. In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.

  2. Choose the Admin tile.

  3. In the Office 365 admin center, choose Admin centers > Exchange.

  4. In the EAC, go to mail flow > rules > + (New) > Create a new rule. For more information about using the EAC, see Exchange Admin Center in Exchange Online.

  5. In Name, type a name for the rule, such as Encrypt mail for DrToniRamos@hotmail.com.

  6. In Apply this rule if, select a condition, and enter a value if necessary. For example, to encrypt messages going to DrToniRamos@hotmail.com:

    1. In Apply this rule if, select the recipient is.

    2. Select an existing name from the contact list or type a new email address in the check names box.

      To select an existing name, select it from the list and then click OK.

      To enter a new name, type an email address in the check names box and then select check names > OK.

  7. To add more conditions, choose More options and then choose add condition and select from the list.

    For example, to apply the rule only if the recipient is outside your organization, select add condition and then select The recipient is external/internal > Outside the organization > OK.

  8. To enable encryption using the new OME capabilities, from Do the following, select Modify the message security and then choose Apply rights protection. Select an RMS template from the list, choose Save, and then choose OK.

    The list of templates includes all default templates and options as well as any custom templates you've created for use by Office 365. If the list is empty, ensure that you have set up Office 365 Message Encryption with the new capabilities as described in Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection. For information about the default templates, see Configuring and managing templates for Azure Information Protection. For information about the Do Not Forward option, see Do Not Forward option for emails.

    You can choose add action if you want to specify another action.
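The page shows the new-OME rule only through the EAC. The following is an added example, not Microsoft's own text, that creates the same rule (recipient is DrToniRamos@hotmail.com, recipient is outside the organization, action Apply rights protection) with Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) is installed, that the EAC action "Apply rights protection" corresponds to the -ApplyRightsProtectionTemplate parameter of New-TransportRule, and that the template name "Encrypt" exists in your tenant; substitute a name from the Get-RMSTemplate output if it does not.

```powershell
# Added example (not from the Microsoft page). Assumptions: ExchangeOnlineManagement
# module; -ApplyRightsProtectionTemplate is the PowerShell counterpart of the EAC
# action "Apply rights protection"; "Encrypt" is a placeholder template name.
Connect-ExchangeOnline

# Same check the EAC makes implicitly: an empty template list means OME with the
# new capabilities is not set up yet, so stop rather than create a non-working rule.
$templates = Get-RMSTemplate
if (-not $templates) {
    throw "No RMS templates available; set up OME with the new capabilities first."
}
$templates | Format-Table Name, Description

# Placeholder: choose one of the template names listed above.
$templateName = "Encrypt"
if (-not ($templates | Where-Object Name -eq $templateName)) {
    throw "Template '$templateName' not found in Get-RMSTemplate output."
}

# Conditions mirror steps 6 and 7 (recipient address AND recipient outside the org);
# the action mirrors step 8 (Modify the message security > Apply rights protection).
New-TransportRule -Name "Encrypt mail for DrToniRamos@hotmail.com" `
    -SentTo "DrToniRamos@hotmail.com" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate $templateName

# Verify the rule carries the template action and not the legacy ApplyOME action.
Get-TransportRule -Identity "Encrypt mail for DrToniRamos@hotmail.com" |
    Format-List Name, State, SentTo, SentToScope, ApplyRightsProtectionTemplate, ApplyOME
```

Both conditions must match for the action to fire, which is the same AND semantics the EAC applies when you add a second condition in step 7.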

To update an existing mail flow rule to use the new OME capabilities by using the EAC

  1. In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.

  2. Choose the Admin tile.

  3. In the Office 365 admin center, choose Admin centers > Exchange.

  4. In the EAC, go to mail flow > rules.

  5. In the list of mail flow rules, select the rule you want to modify to use the new OME capabilities and then choose Edit (the pencil icon).

  6. To enable encryption using the new OME capabilities, from Do the following, choose Modify the message security and then choose Apply rights protection. Select an RMS template from the list, choose Save and then choose OK.

    The list of templates includes all default templates and options as well as any custom templates you've created for use by Office 365. If the list is empty, ensure that you have set up Office 365 Message Encryption with the new capabilities as described in Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection. For information about the default templates, see Configuring and managing templates for Azure Information Protection. For information about the Do Not Forward option, see Do Not Forward option for emails.

    You can choose add action if you want to specify another action.

  7. From the Do the following list, remove any actions that are assigned to Modify the message security > Apply Office 365 Message Encryption.

  8. Choose Save.
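The update procedure above is per rule and manual. The following is an added example, not Microsoft's own text, that finds every mail flow rule still using the legacy "Apply Office 365 Message Encryption" action (the ApplyOME property) and performs steps 6 and 7 on each: set a rights protection template and remove the legacy action. It assumes the ExchangeOnlineManagement module, that Set-TransportRule accepts -ApplyRightsProtectionTemplate and -ApplyOME $false (the latter removing the legacy action), and that "Encrypt" is a valid template name in your tenant.

```powershell
# Added example (not from the Microsoft page). Assumptions: ExchangeOnlineManagement
# module; Set-TransportRule -ApplyOME $false removes the legacy action; "Encrypt"
# is a placeholder template name to be replaced with one from Get-RMSTemplate.
Connect-ExchangeOnline

$templateName = "Encrypt"
if (-not (Get-RMSTemplate | Where-Object Name -eq $templateName)) {
    throw "Template '$templateName' not found; check Get-RMSTemplate."
}

# Rules whose action list still contains Apply Office 365 Message Encryption.
$legacyRules = Get-TransportRule | Where-Object { $_.ApplyOME -eq $true }

if (-not $legacyRules) {
    Write-Host "No rules use the legacy ApplyOME action; nothing to update."
} else {
    # Review before changing: conditions are not touched by this update, so confirm
    # each rule still targets the recipients you intend to encrypt for.
    $legacyRules | Format-Table Name, State, Priority, SentTo, SentToScope, ApplyOME

    foreach ($rule in $legacyRules) {
        # -WhatIf previews the change; remove it to apply for real.
        Set-TransportRule -Identity $rule.Identity `
            -ApplyRightsProtectionTemplate $templateName `
            -ApplyOME $false `
            -WhatIf
    }

    # After applying, confirm no rule still carries the legacy action.
    Get-TransportRule | Where-Object { $_.ApplyOME -eq $true } |
        ForEach-Object { Write-Warning "Still using ApplyOME: $($_.Name)" }
}
```

Run it once with -WhatIf to see which rules would change, then remove -WhatIf. Until a legacy rule is updated, its recipients keep receiving the older HTML attachment format described at the top of the page.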

Creating rules for Office 365 Message Encryption without the new capabilities

If you haven't yet moved your Office 365 organization to the new OME capabilities, use these tasks to define mail flow rules to encrypt messages for your organization. Microsoft recommends that you make a plan to move to the new OME capabilities as soon as it is reasonable for your organization. For instructions, see Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection.

To create a rule for encrypting email messages without the new OME capabilities by using the EAC

  1. In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.

  2. Choose the Admin tile.

  3. In the Office 365 admin center, choose Admin centers > Exchange.

  4. In the EAC, go to mail flow > rules > + (New) > Create a new rule. For more information about using the EAC, see Exchange Admin Center in Exchange Online.

  5. In Name, type a name for the rule, such as Encrypt mail for DrToniRamos@hotmail.com.

  6. In Apply this rule if, select a condition, and enter a value if necessary. For example, to encrypt messages going to DrToniRamos@hotmail.com:

    1. In Apply this rule if, select the recipient is.

    2. Select an existing name from the contact list or type a new email address in the check names box.

      To select an existing name, select it from the list and then click OK.

      To enter a new name, type an email address in the check names box and then select check names > OK.

  7. To add more conditions, choose More options and then select add condition and select from the list.

    For example, to apply the rule only if the recipient is outside your organization, select add condition and then select The recipient is external/internal > Outside the organization > OK.

  8. To enable encryption without using the new OME capabilities, in Do the following, select Modify the message security > Apply Office 365 Message Encryption, and then choose Save.

    If you receive an error that IRM licensing isn't enabled, then you haven't set up OME for your organization yet. If you'd like to set up OME now, you must set it up to use the new OME capabilities. For information, see Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection. Microsoft no longer supports setting up new deployments of OME without the new capabilities.

    You can choose add action if you want to specify another action.

To create a rule for encrypting email messages without the new OME capabilities by using Windows PowerShell for Exchange Online

  1. Use Windows PowerShell on your local computer to create a remote PowerShell session to Exchange Online. For more information, see Connect to Exchange Online PowerShell.

  2. Define a rule by using the New-TransportRule cmdlet and set the ApplyOME attribute to true.

    For example, to require that all email messages that are addressed to DrToniRamos@hotmail.com must be encrypted, type:

    New-TransportRule -Name "Encrypt rule for Dr Toni Ramos" -SentTo "DrToniRamos@hotmail.com" -SentToScope "NotInOrganization" -ApplyOME $true

    In this example:

    • The name of the new rule is "Encrypt rule for Dr Toni Ramos".

    • The -SentTo parameter specifies a condition that looks for recipients in email messages. You can use any value that uniquely identifies the recipient, such as an email address, name, or distinguished name (DN). In this example, the recipient is identified by the email address "DrToniRamos@hotmail.com".

    • The -SentToScope parameter specifies a condition that looks for the location of recipients. In this example, the recipient's mailbox is in hotmail and is not part of the Office 365 organization, so the "NotInOrganization" value is used.

    For more information about the conditions you can set on mail flow rules using this cmdlet, see New-TransportRule.

Remove encryption from email replies encrypted without the new OME capabilities

When your email users send encrypted messages, recipients of those messages can respond with encrypted replies. You can create mail flow rules to automatically remove encryption from replies so email users in your organization don’t have to sign in to the encryption portal to view them. You can use the EAC or Windows PowerShell cmdlets to define these rules. If you are not yet using the new OME capabilities, you can only decrypt messages that are either sent from within your organization or messages that are replies to messages sent from within your organization. You cannot decrypt encrypted messages originating from outside of your organization.

To create a rule for removing encryption from email replies encrypted without the new OME capabilities by using the EAC

  1. In a web browser, using a work or school account that has been granted admin permissions, sign in to Office 365.

  2. Choose the Admin tile.

  3. In the Office 365 admin center, choose Admin centers > Exchange.

  4. In the EAC, go to mail flow > rules > + (New) > Create a new rule. For more information about using the EAC, see Exchange Admin Center in Exchange Online.

  5. In Name, type a name for the rule, such as Remove encryption from incoming mail.

  6. In Apply this rule if, select the conditions where encryption should be removed from messages, such as The recipient is located > Inside the organization.

  7. In Do the following, select Modify the message security > Remove Office 365 Message Encryption.

  8. Select Save.

To create a rule to remove encryption from email replies encrypted without the new OME capabilities by using Windows PowerShell for Exchange Online

  1. Use Windows PowerShell on your local computer to create a remote PowerShell session to Exchange Online. For more information, see Connect to Exchange Online PowerShell.

  2. Define a rule by using the New-TransportRule cmdlet and set the RemoveOME attribute to true.

    For example, to remove the encryption from all mail sent to recipients in your Office 365 organization, type:

    New-TransportRule -Name "Remove encryption from incoming mail" -SentToScope "InOrganization" -RemoveOME $true

    In this example:

    • The name of the new rule is "Remove encryption from incoming mail".

    • The -SentToScope parameter specifies a condition that looks for the location of recipients. In this example, the "InOrganization" value is used, which indicates that:

      • The recipient is a mailbox, mail user, group, or mail-enabled public folder in your organization, or

      • The recipient's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection.

    For more information about the conditions you can set on mail flow rules using this cmdlet, see New-TransportRule.
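Because a rule that removes encryption only works for mail sent from inside your organization or replies to it, a RemoveOME rule without the InOrganization recipient condition is worth reviewing. The following is an added example, not Microsoft's own text, that lists every rule with the Remove Office 365 Message Encryption action and flags those whose -SentToScope condition is not "InOrganization". It assumes the ExchangeOnlineManagement module and that rule objects returned by Get-TransportRule expose RemoveOME and SentToScope properties as used here.

```powershell
# Added example (not from the Microsoft page). Assumptions: ExchangeOnlineManagement
# module; Get-TransportRule output exposes RemoveOME (boolean) and SentToScope.
Connect-ExchangeOnline

# Rules whose action list contains Remove Office 365 Message Encryption.
$removeRules = Get-TransportRule | Where-Object { $_.RemoveOME -eq $true }

if (-not $removeRules) {
    Write-Host "No rules remove Office 365 Message Encryption."
}

foreach ($rule in $removeRules) {
    # The page's own example scopes decryption to recipients inside the organization.
    $scopedInternal = ("$($rule.SentToScope)" -eq "InOrganization")

    [pscustomobject]@{
        Name             = $rule.Name
        State            = $rule.State
        Priority         = $rule.Priority
        SentToScope      = $rule.SentToScope
        ScopedToInternal = $scopedInternal
    }

    if (-not $scopedInternal) {
        Write-Warning ("Rule '{0}' removes encryption without a SentToScope InOrganization " +
                       "condition; review its conditions against the rule's intent." -f $rule.Name)
    }
}
```

Priority matters as well: if a decrypt rule is ordered after a rule that stops processing further rules, it never fires, so check the Priority column against your other rules.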

Related Topics

Encryption in Office 365
Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection
Add branding to encrypted messages
Mail flow rules (transport rules) in Exchange Online
Mail flow rules (transport rules) in Exchange Online Protection
