Office 365 Message Encryption FAQ

Have a question about how the new message protection capabilities in Office 365 work? Check for an answer here. Also, take a look at Frequently asked questions about data protection in Azure Information Protection for answers to questions about the data protection service, Azure Rights Management, in Azure Information Protection.

What is Office 365 Message Encryption?

Office 365 Message Encryption combines email encryption and rights management capabilities. Rights management capabilities are powered by Azure Information Protection.

Who can use Office 365 Message Encryption?

You can use the new capabilities for OME under the following conditions:

  • If you have never set up OME or IRM for Exchange Online in Office 365.

  • If you have set up OME and IRM, you can use these steps if you are using the Azure Rights Management service from Azure Information Protection.

  • If you are using Exchange Online with Active Directory Rights Management service (AD RMS), you can't enable these new capabilities right away. Instead, you need to migrate AD RMS to Azure Information Protection first. When you've finished the migration, you can successfully set up OME.

    If you choose to continue to use on-premises AD RMS with Exchange Online instead of migrating to Azure Information Protection, you will not be able to use these new capabilities.

What subscriptions do I need to use the new OME capabilities?

To use the new OME capabilities, you need one of the following plans:

  • Office 365 E3 and above, Office 365 A1 and above, Office 365 US Government Community G3 and above.

  • Office 365 Message Encryption is also offered as an add-on. For the full list see the Exchange Online service descriptions for Office 365 Message Encryption.

Can I use Exchange Online with bring your own key (BYOK) in Azure Information Protection?

Yes! Microsoft recommends that you complete the steps to set up BYOK before you set up OME.

For more information about BYOK, see Planning and implementing your Azure Information Protection tenant key.

How is this feature related to legacy Office 365 Message Encryption (OME) and Information Rights Management (IRM) features?

The new capabilities for Office 365 Message Encryption are an evolution of the existing IRM and legacy OME solutions. The following table provides more details.

Comparison of legacy OME, IRM, and new OME capabilities


Previous versions of OME


New OME capabilities

Sending an encrypted email

Only through Exchange mail flow rules

End-user initiated from Outlook for PC, Outlook for Mac, or Outlook on the web; or through Exchange mail flow rules

End-user initiated from Outlook for PC, Outlook for Mac, or Outlook on the web; or through mail flow rules

Rights management template


Do Not Forward option and custom templates

Do Not Forward option, default and custom templates

Supported recipient type

External recipients only

Internal recipients only

Internal and external recipients

Experience for recipient

External recipients received an HTML message which they downloaded and opened in browser or downloaded mobile app.

Internal recipients only received encrypted email in Outlook for PC, Outlook for mac, and Outlook on the web.

Internal and external recipients receive email in Outlook for PC, Outlook for Mac, Outlook on the web, Outlook for Android, and Outlook for iOS, or through a web portal regardless of whether or not they are in the same Office 365 organization or any Office 365 organization. The OME portal requires no separate download.

Bring Your Own Key support

Not available

Not available

BYOK supported

How do I enable the new OME capabilities for my organization?

See Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection.

Will the previous version of OME be deprecated?

You can still use the previous version of OME, it will not be deprecated at this time. However, we highly encourage organizations to use the new and improved OME solution. Customers that have not already deployed OME cannot set up a new deployment of the previous version of OME.

My organization uses Active Directory Rights Management, can I use this functionality?

No. If you are using Exchange Online with Active Directory Rights Management service (AD RMS), you can't enable these new capabilities right away. Instead, you need to migrate AD RMS to Azure Information Protection first. 

My organization has not adopted Office 365 and Exchange Online, or has an Exchange Hybrid deployment. Can I use this feature?

Today, the sender needs to be in Exchange Online. We plan to support other topologies in the coming months.

What email client do I need to use in order to create an OME encrypted message? What applications are supported for sending protected messages?

You can create protected messages from Outlook 2016, and Outlook 2013 for PC and Mac, and from Outlook on the web.

What email clients are supported to read and reply to protected emails?

You can read and respond from Outlook for PC and Mac (2013 and 2016), Outlook on the web, and Outlook mobile (Android and iOS) if you are an Office 365 user. You can also use the iOS native mail client if your organization allows it. If you are a non-Office 365 user, you can read and reply to encrypted messages on the web through your web browser.

What file types are supported as attachments in protected emails? Do attachments inherit the protection policies associated with protected emails?

You can attach any file type to a protected mail, however protection policies are applied only on the file formats mentioned here

If a file format is supported, such as a Word, Excel, or PowerPoint file, the file is always protected, even after the attachment has been downloaded by the recipient. For example, if an attachment is protected by Do Not Forward, and the original recipient downloads and forwards the attachment to a new recipient, the new recipient will not be able to open the protected file.

Are PDF file attachments supported?

If you attach a PDF file to a protected message, the message itself will be protected, but no additional protection will be applied to the PDF file after the recipient has received it. This means that the recipient can Save As, Forward, Copy, and Print the PDF file.

Are OneDrive for Business attachments supported?

Not yet. OneDrive for Business attachments are not supported and end-users can't encrypt a mail that contains a cloud OneDrive for Business attachment.

Can I automatically encrypt messages by setting up policies?

Yes. Use mail flow rules in Exchange Online to automatically encrypt a message based on certain conditions. For example, you can create policies that are based on recipient ID, recipient domain, or on the content in the body or subject of the message.

Can I automatically encrypt messages by setting up policies in Data Loss Prevention (DLP) through the Security & Compliance Center?

Not yet. Currently you can only set up mail flow rules in Exchange Online. Encryption is currently not supported in DLP through the Security & Compliance Center.

Can I customize encrypted messages with my company branding?

Yes! For information on customizing email messages and the OME portal, see Add your organization's brand to your encrypted messages.

Are there any reporting capabilities or insights for encrypted emails?

Not at this time.

Can I use message encryption with compliance features such as eDiscovery?

Yes. All encrypted email messages are discoverable by Office 365 compliance features.

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.