Last year Microsoft released additional functionality to Office 365 Message Encryption (OME) including a new encryption template “
Clearly, there was a feeling that the move was going to cause too much disruption. For many
The original Microsoft intention was to encrypt messages that contained the following sensitive information types:
- ABA routing number
- Credit card number
- Drug Enforcement Agency (DEA) number
- U.S./U.K. passport number
- U.S. bank account number
- U.S. Individual Taxpayer Identification Number (ITIN)
- U.S. Social Security Number (SSN)
If you want to apply this transport rule you can still complete this by manually configuring the transport rule and message encryption settings in Office 365. Firstly, you should connect to Exchange Online PowerShell using instructions in this post. Then, run the following command to update the Office Message Encryption settings:
|
1 |
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true |
This command configures OME to only encrypt the email itself, and not the attachments contained within the email. This means that once the user has decrypted the email by logging in or verifying their identity, they have full access to open, edit, print or forward the attachment as with any other email. If you don’t run this command when the user decrypts the email, the attachments will remain protected and Read-Only.
Once the attachment configuration has been updated you can then create the transport rule using the following command:
|
1 |
New-TransportRule -Name "Encrypt outbound sensitive emails (out of box rule)" -SentToScope NotInOrganization -ApplyRightsProtectionTemplate "Encrypt" -MessageContainsDataClassifications @(@{Name="ABA Routing Number"; minCount="1"},@{Name="Credit Card Number"; minCount="1"},@{Name="Drug Enforcement Agency (DEA) Number"; minCount="1"},@{Name="U.S. / U.K. Passport Number"; minCount="1"},@{Name="U.S. Bank Account Number"; minCount="1"},@{Name="U.S. Individual Taxpayer Identification Number (ITIN)"; minCount="1"},@{Name="U.S. Social Security Number (SSN)"; minCount="1"}) -NotifySender "NotifyOnly" |
You can then view and update the transport rule from within the Exchange Online Admin Center should you want to. You could also add any custom sensitive information types you might have configured in your tenant to this same rule should you want to.
Although there seems to be a general consensus that this rule shouldn’t be added or enabled by default, as I mentioned before, a move to encrypting more email by default should be considered, and you don’t need to limit the scope of this to only sensitive information type. You can apply the Encrypt template to any emails you can identify using an Exchange Online transport rule.
For example, you could target specific recipient domains:
Or you could encrypt messages with a specific subject string:
This is one of many ways for you to apply encryption automatically to best suit your organisation, and better yet to protect your users from data leaks and improve data security.
Mike is a Technical Architect at Content and Code, a multiple award-winning Microsoft Partner. He has spent the last five years working closely with Microsoft 365 technologies. Mike’s primary area of focus is in the delivery of the Microsoft 365 suite, including the Office 365 suite and Enterprise Mobility + Security, for a range of global enterprise clients. Mike blogs at www.mikeparker365.co.uk, speaks at internal and public events when time allows!
we have enabled this AIP flag but the end user not able to open the email in the outlook client. any thoughts
This is really useful, thanks
Microsoft also warned that OME won’t coexist normally with old on-premise RMS services, so RMS has to be deprovisioned first or OME should be disabled (at least partly, updates to OME functionality should be disabled with a command).