With Office 365 Message Encryption, your organization can send and receive encrypted email messages between people inside and outside your organization. Office 365 Message Encryption works with Outlook.com, Yahoo, Gmail, and other email services. Email message encryption helps ensure that only intended recipients can view message content.
Here are some examples:
A bank employee sends credit card statements to customers
An insurance company representative provides policy details to customers
A mortgage broker requests financial information from a customer for a loan application
A health care provider sends health care information to patients
An attorney sends confidential information to a customer or another attorney
How Office 365 Message Encryption works
Office 365 Message Encryption is an online service that’s built on Microsoft Azure Rights Management (Azure RMS). With Azure RMS, administrators can define transport rules to determine the conditions for encryption. For example, a rule can require the encryption of all messages addressed to a specific recipient.
When someone sends an email message in Exchange Online that matches an encryption rule, the message is sent with an HTML attachment. The recipient opens the HTML attachment and follows instructions to view the encrypted message on the Office 365 Message Encryption portal. The recipient can choose to view the message by signing in with a Microsoft account or a work or school account associated with Office 365, or by using a one-time passcode. Both options help ensure that only the intended recipient can view the encrypted message.
The following diagram summarizes the passage of an email message through the encryption and decryption process.
For more information, see Service information for Office 365 Message Encryption.
Preparing for Office 365 Message Encryption
Office 365 Message Encryption requires that you have an Exchange Online or Exchange Online Protection subscription and that you’ve set up Azure Rights Management. To set up Azure Rights Management, you choose between two options:
Set up Azure Rights Management for Office 365 Message Encryption, but prevent Information Rights Management (IRM) templates from being available to users by disabling them in Outlook and Outlook on the web. To do this, see Set up Microsoft Azure Rights Management for Office 365 Message Encryption.
Set up Azure Rights Management for Office 365 Message Encryption and enable IRM templates for Outlook and Outlook on the web. To do this, see Configure IRM to use Microsoft Azure Rights Management.
After you have set up Azure Rights Management, your next step is to define rules to enable Office 365 Message Encryption.
Defining rules for Office 365 Message Encryption
To enable Office 365 Message Encryption, Exchange Online and Exchange Online Protection administrators define Exchange transport rules. These rules determine under what conditions email messages should be encrypted, as well as conditions for removing message encryption. When an encryption action is set for a rule, any messages that match the rule conditions are encrypted before they’re sent.
Transport rules are flexible, letting you combine conditions so you can meet specific security requirements in a single rule. For example, you can create a rule to encrypt all messages that contain specified keywords and are addressed to external recipients. Office 365 Message Encryption also encrypts replies from recipients of encrypted email, and you can create a rule that decrypts those replies as a convenience for your email users. That way, users in your organization won’t have to sign in to the encryption portal to view replies.
For more information about how to create Exchange transport rules, see Define Rules for Office 365 Message Encryption.
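The two rules described above (encrypt keyword-matching mail to external recipients, and decrypt replies for internal users), written with the Exchange Online PowerShell cmdlets New-TransportRule and Get-TransportRule. This is an added example, not part of the original page; the rule names and the keyword list are constructed placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example. Rule names and keywords below are constructed placeholders.
Connect-ExchangeOnline

# Keywords that mark a message as sensitive (assumption: adjust to your data).
$keywords = @('account statement', 'policy number', 'loan application')

$rules = @(
    # Rule 1: both conditions must match, so only keyword-bearing mail
    # that leaves the organization is encrypted.
    @{
        Name                       = 'OME - encrypt sensitive mail to external recipients'
        SentToScope                = 'NotInOrganization'
        SubjectOrBodyContainsWords = $keywords
        ApplyOME                   = $true
    },
    # Rule 2: remove encryption from messages delivered to internal
    # recipients, so users do not need the portal to read encrypted replies.
    @{
        Name        = 'OME - decrypt replies for internal recipients'
        SentToScope = 'InOrganization'
        RemoveOME   = $true
    }
)

foreach ($rule in $rules) {
    # Do not overwrite a rule that an administrator has already tuned.
    $existing = Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Rule '$($rule.Name)' already exists; leaving it unchanged."
        continue
    }
    New-TransportRule @rule | Out-Null
}

# Review the result: confirm both rules are enabled and check their
# priority relative to other transport rules in the tenant.
Get-TransportRule |
    Where-Object { $_.Name -like 'OME - *' } |
    Format-Table Name, State, Mode, Priority -AutoSize
```

Rule priority matters when other transport rules also act on the same messages, so check the Priority column against the rest of the rule set after creating these.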
Customize encrypted messages with Office 365 Message Encryption
As an Exchange Online and Exchange Online Protection administrator, you can customize your encrypted messages. For example, you can add your company’s brand and logo, specify an introduction, and add disclaimer text in encrypted messages and in the portal where recipients view your encrypted messages. For more information about how to customize encrypted messages, see Brand Encrypted Messages.
Sending, viewing, and replying to encrypted email messages
With Office 365 Message Encryption, email messages are encrypted automatically, based on administrator-defined rules. An email that bears an encrypted message arrives in the recipient’s Inbox with an attached HTML file.
Recipients follow instructions in the message to open the attachment and authenticate by using a Microsoft account or a work or school account associated with Office 365. If recipients don’t have either account, they’re directed to create a Microsoft account that will let them sign in to view the encrypted message. Alternatively, recipients can choose to get a one-time passcode to view the message. After signing in or using a one-time passcode, recipients can view the decrypted message and send an encrypted reply.
For detailed guidance about how to send and view encrypted messages, see Send, View, or Reply to Encrypted Messages. To learn how to get a one-time passcode instead of signing in, see Use a one-time passcode to view an encrypted message.