
Microsoft Plans to Launch Automatic Email Encryption for Office 365 Tenants

Spoiling the Success of Information Protection

I like what Microsoft’s Information Protection team has done recently to make encryption more accessible to Office 365 tenants. Changes to Office 365 Message Encryption, including the introduction of the Encrypt-Only feature supported by Outlook clients, have improved the ability of Office 365 tenants to protect critical information.

And then something comes along to upset the apple cart. In this case, according to documentation published on 13 December 2018, it’s Microsoft’s plan to create a transport (mail flow) rule in Office 365 tenants to encrypt outbound messages that hold sensitive data.

According to the documentation, Microsoft “will be creating a new automatic policy in Office 365 tenants,” but they don’t say when. Microsoft does say that they will give tenants 30 days’ notice via the Office 365 Message Center to prepare for the change and to opt out if desired. I can’t find any evidence of the intention to introduce a new encryption policy in the Office 365 roadmap.

Good in Theory, Horrible in Practice

On the surface, this seems like a tremendous idea that demonstrates the value of integrating different components across the Office 365 suite. The transport rule will use the special Encrypt-Only template to encrypt all outbound email that contains a set of sensitive data types, such as credit card or passport numbers (the set might differ based on an organization’s locale). Office 365 tenants can sit back and relax and let Microsoft do the heavy lifting to protect their email traffic.

Using well-established sensitive data types, proven in Office 365 Data Loss Prevention policies, to detect email that should be protected is reasonable, even if unexpected consequences can flow when these data types are used. For instance, last August Microsoft had to tweak the GDPR DLP policy because it blocked email that included mobile phone numbers.

But when you stand back and consider the idea in the round, many reasons exist why this plan should be consigned to the great byte wastebasket.

Opt-In Rather Than Opt-Out

First, although Microsoft gives tenants a way to opt out and avoid the creation of the transport rule, anything that introduces a new policy into a tenant should be an opt-in choice. Microsoft tells customers that data in Office 365 is their data. Tenants should always have the right to decide how their data is processed.

To opt out, connect to Exchange Online with PowerShell and run the command:

Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false

You can apply the change to the IRM configuration now, before any notice arrives. It seems like a good idea to update your tenant’s configuration, just in case.
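Before running that command blind, it helps to see what you are opting out of. The following is an added PowerShell example, not code from the article: it assumes an existing Exchange Online PowerShell session, looks for a rule with the name that a commenter on this article reported seeing in their tenant (adjust the name if your tenant shows something different), disables rather than deletes any such rule so it can be reviewed, and then applies and verifies the opt-out.

```powershell
# Added example (not from the article). Assumes you are already connected to
# Exchange Online PowerShell.

# 1. Record the current setting that controls automatic policy creation.
$irm = Get-IRMConfiguration
"AutomaticServiceUpdateEnabled is currently: $($irm.AutomaticServiceUpdateEnabled)"

# 2. Look for the auto-created rule. This name was reported by a commenter on
#    this article; it is an assumption that your tenant uses the same name.
$autoRuleName = 'Encrypt outbound sensitive emails (out of box rule)'
$autoRule = Get-TransportRule | Where-Object { $_.Name -eq $autoRuleName }

if ($autoRule) {
    "Found rule '$($autoRule.Name)' - State: $($autoRule.State), Priority: $($autoRule.Priority)"

    # Show what the rule matches and what it does, so its effect on mail flow is explicit.
    $autoRule | Format-List Name, State, Priority, SentToScope,
        MessageContainsDataClassifications, ApplyRightsProtectionTemplate

    # Disable rather than delete: the rule stays available for review and can be
    # re-enabled deliberately once it has been tested against your own rule set.
    Disable-TransportRule -Identity $autoRule.Identity -Confirm:$false
}
else {
    "No auto-created encryption rule found in this tenant."
}

# 3. Opt out of future automatic policy creation (the command from the article).
Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false

# 4. Read the setting back to confirm the change was accepted.
(Get-IRMConfiguration).AutomaticServiceUpdateEnabled
```

Disabling the rule instead of removing it preserves the evidence of what Microsoft created and keeps the option of switching it back on after the rule has been reviewed alongside the tenant’s existing transport rules.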

Messing with Email Transport is not a Good Idea

Second, like the ill-fated attempt to create Office 365 Groups for every manager and their direct reports that sank without trace in 2017, this is an idea that seems great on paper but quickly runs into practical difficulties in the field.

For instance, enterprise tenants often run quite complex sets of transport rules. Inserting an automatically-generated transport rule into the mix without warning or testing is a recipe for disaster that could interfere with the reliability of mail flow within the organization.
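The testing the article asks for looks roughly like this. What follows is an added example of the tenant-controlled version of the same idea (it is not Microsoft’s rule and not the author’s code): the tenant creates the rule itself, in Audit mode so that it only reports matches, scoped to a pilot group and placed at the bottom of the existing rule order. It assumes an existing Exchange Online PowerShell session, that the Encrypt-Only template is published in the tenant under the name “Encrypt” (the script checks this with Get-RMSTemplate), a placeholder pilot group address, and the “Credit Card Number” and “U.S. Social Security Number (SSN)” sensitive information types.

```powershell
# Added example (not from the article or from Microsoft). Assumes an existing
# Exchange Online PowerShell session.

# 1. Review the existing rule set so the new rule is placed consciously and
#    its interaction with the rules already in force can be assessed.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, Mode -AutoSize

# 2. Confirm the Encrypt-Only template name before referencing it. The name
#    "Encrypt" is an assumption; check Get-RMSTemplate output in your tenant.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq 'Encrypt' }
if (-not $template) {
    throw 'Encrypt-Only template not found; inspect Get-RMSTemplate output.'
}

# 3. Create the rule in Audit mode: matches are recorded (message trace and
#    rule reports) but no message is changed. Limit it to a pilot group so the
#    ISV, client and partner issues the article raises surface on a small scale.
$ruleName   = 'Pilot - Encrypt outbound sensitive data (audit only)'
$pilotGroup = 'ome-pilot@example.com'   # placeholder; replace with a real group

New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -FromMemberOf $pilotGroup `
    -MessageContainsDataClassifications @(
        @{ Name = 'Credit Card Number'; MinCount = 1 },
        @{ Name = 'U.S. Social Security Number (SSN)'; MinCount = 1 }
    ) `
    -ApplyRightsProtectionTemplate $template.Name `
    -Mode Audit `
    -Priority ((Get-TransportRule).Count) `
    -Comments 'Pilot: audit only. Review match reports before changing Mode to Enforce.'

# 4. Only after the pilot results have been reviewed, and the rule's position
#    relative to the other transport rules is understood, switch it to Enforce:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Setting the priority to the current rule count places the pilot rule last, so it cannot pre-empt the rules already in the tenant; an automatically injected rule gives the administrator no such choice.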

There’s also the case that many ISV products can’t deal with protected content. I recently pointed out the difficulties that autosignature products have in processing protected email. Introducing a transport rule to encrypt even more messages without knowledge of the ISV products in use by a tenant is simply inconceivable.

And Microsoft has no idea about the client or server mix used by important customers of an Office 365 tenant. Suddenly finding that email sent to an important customer or partner is encrypted and forces the recipient to go to the Office 365 Message Encryption portal to read the content is unlikely to be a popular advance.

Your Data

The biggest problem with the plan is that processing tenant data without the tenant’s approval undermines the bond of trust that connects Microsoft as a service provider with its customers. The Office 365 Trust Center is clear on this point. It says that tenants own and control their data (Figure 1). Encrypting data without warning is not giving control to tenants.

[Figure 1: Office 365 Trust Center – Office 365 tenants own their data (image credit: Tony Redmond)]

Good Demo, Bad Plan

Overall, this is a plan that works well for greenfield tenants (or demo tenants shown at technology exhibitions) but not in production. Imposing encryption on email for Office 365 tenants without so much as a by-your-leave is not what we expect from Microsoft. With nearly 23 years of experience with Exchange and how customers use Exchange, you’d expect a more measured and nuanced approach to helping customers protect email. The sentiments behind the idea are good; the implementation is horrible.

I hope Microsoft will do the right thing and pull the plug on this idea – or at least make it an opt-in choice for their customers.


7 responses to “Microsoft Plans to Launch Automatic Email Encryption for Office 365 Tenants”

  1. This was enabled in my tenant about a month ago without warning. It's called "Encrypt outbound sensitive emails (out of box rule)"

    • In reply to kalenv: Thanks for sending me the data. I have given it to Microsoft. They are checking…

  2. Tony, I am getting a "page cannot be found" on the Microsoft announcement. Maybe they have reconsidered the impact of this? This is the link that worked a few days ago: docs.microsoft.com/en-us/office365/securitycompliance/new-ome-encryption-policy

    • In reply to cjwinkc: There have been some reports of 404 results when people tried to access the page. I told Microsoft about this and they said "that's odd"… and then the page came back. It seems to be offline again now, so I have pinged Microsoft to let them know. It could be that they've taken down the page to make some clarifications or changes, but they should have kept the page online and made the changes in the background – if this is what's going on.

    • In reply to cjwinkc: The page seems to have been taken offline for Microsoft to update with a new direction. We'll see.

  3. Noticing this MS link is still down as of today. Our tenant has not received the new transport rule; trying to watch for it as I'd like to have it, but will disable and examine it when it does come. So not opting out.

  4. Looks like Microsoft changed their opinion to roll it out to all tenants. New statement:

     "For a select group of Office 365 tenants, we are doing a slow roll-out of a new automatic policy that will apply Office 365 Message Encryption to emails that contain certain types of sensitive information. This policy will not be rolled out to all organizations. Instead, we are testing this with a small group of tenants. We will consider your organization’s size and the complexity of your mail flow to determine eligibility for this roll-out. If your organization is selected for this roll-out, you’ll receive a notification in the Office 365 Message Center that tells you the date that we’ll create the automatic policy."

     https://docs.microsoft.com/en-us/office365/securitycompliance/ome-sensitive-info-types
     https://wp.me/p1aUfK-cS


Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.