Automatically encrypting Exchange Online emails with Office 365 Message Encryption

Last year Microsoft released additional functionality to Office 365 Message Encryption (OME) including a new encryption template “Encrypt Only” which, unlike “Do Not Forward”, only encrypts the email using OME. Once decrypted by the recipient, the message can be treated like any other. Later in 2018, Microsoft announced this had been trialed and that they would also be releasing default transport rules within Office 365 to automatically encrypt emails containing sensitive information types using the “Encrypt Only” template. However, following feedback from the community between December and the end of January, Microsoft announced on January 30^th this was no longer going ahead and provided guidance on how to implement the same rules yourself if this functionality is beneficial to your organization.

“In October 2018, we worked with a small sample of customers to understand if we can simplify protection by automatically encrypting sensitive emails based on certain sensitive information types. Based on positive feedback from this sample, we decided to expand to a more diverse profile of tenants in December 2018. After communicating the next roll-out to select tenants, we listened to your feedback and determined that customers with more complex environments wanted to implement the rules more cautiously, and we are therefore adjusting our plans.”

Clearly, there was a feeling that the move was going to cause too much disruption. For many organisations and users, this would have been challenging to prepare for because of the potentially large impact it not only had on them, but also their recipients. Although Microsoft’s intention was unquestionably good, as most organisations are constantly seeking ways to have better processes for sensitive information, it just wasn’t feasible at this time.

The original Microsoft intention was to encrypt messages that contained the following sensitive information types:

• ABA routing number
• Credit card number
• Drug Enforcement Agency (DEA) number
• U.S./U.K. passport number
• U.S. bank account number
• U.S. Individual Taxpayer Identification Number (ITIN)
• U.S. Social Security Number (SSN)

If you want to apply this transport rule you can still complete this by manually configuring the transport rule and message encryption settings in Office 365. Firstly, you should connect to Exchange Online PowerShell using instructions in this post. Then, run the following command to update the Office Message Encryption settings:

This command configures OME to only encrypt the email itself, and not the attachments contained within the email. This means that once the user has decrypted the email by logging in or verifying their identity, they have full access to open, edit, print or forward the attachment as with any other email. If you don’t run this command when the user decrypts the email, the attachments will remain protected and Read-Only.

Once the attachment configuration has been updated you can then create the transport rule using the following command:

You can then view and update the transport rule from within the Exchange Online Admin Center should you want to. You could also add any custom sensitive information types you might have configured in your tenant to this same rule should you want to.

Although there seems to be a general consensus that this rule shouldn’t be added or enabled by default, as I mentioned before, a move to encrypting more email by default should be considered, and you don’t need to limit the scope of this to only sensitive information type. You can apply the Encrypt template to any emails you can identify using an Exchange Online transport rule.

For example, you could target specific recipient domains:

Or you could encrypt messages with a specific subject string:

This is one of many ways for you to apply encryption automatically to best suit your organisation, and better yet to protect your users from data leaks and improve data security.