Easier Than Ever to Protect Email with Office 365

windows10 data protection

Offices 365 Refreshes Its Protection Capabilities

Information rights management (IRM) has been available for on-premises deployments for years, yet relatively few companies use the technology to protect confidential material. Cost and complexity are often reasons cited for why companies avoid IRM. Both are less of an issue inside Office 365 as IRM (or Azure Rights Management) is part of the E3 and E5 plans and Microsoft does the heavy lifting to configure and run the service.

At Ignite 2017, Microsoft shared details of how they have improved rights management for Exchange Online with a new simplified setup that makes it easier for users and tenants to protect email. Smarter clients create and consume protected messages and the Office 365 Message Encryption service gets a refresh. It’s all good stuff.


Rights management uses protection templates to define a set of rights that a recipient has for a file or message. When you enable rights management for a tenant, three default templates are available: Do Not Forward, Confidential, and Confidential – View Only. For instance, if you receive a message stamped as Confidential, you cannot print or copy its content. IRM also protects attachments, if they are in a format that supports IRM (like Word, PowerPoint, or Excel).

You can create custom templates to meet different business needs, including templates scoped to certain users or groups. For example, you could have a template designed to protect ultra-confidential information belonging to those working on a specific project. If they are authorized in the template, external recipients can read protected messages, even if they use a consumer email system like Outlook.com or Gmail.

Users apply protection templates to individual messages with Outlook or OWA. In addition, a tenant can configure transport rules to protect outgoing messages based on any of the criteria supported by rules. For instance, a rule might apply a template to all email to a domain belonging to a partner. Because all email flows through the transport system, you can be certain that Exchange processes any message meeting rule criteria.

Configuring Exchange Online

Even if you used IRM with Exchange Online in the past, you must refresh the configuration to switchover to the new stack. Previously, code running inside Exchange did most IRM processing. The new configuration means that Exchange interacts with the Azure Information Protection service to process protected messages. Apart from anything else, this means that Exchange Online now fully supports Bring-Your-Own-Key (BYOK), a feature needed by tenants who want end-to-end control over encryption keys.

To configure IRM, install the Azure Information Protection module for PowerShell and then connect a PowerShell session to Exchange Online to run the commands below.

[PS] C:\> Connect-AadrmService
#Activate the service
#Get the configuration information needed for message protection.
$rmsConfig = Get-AadrmConfiguration
$licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
#Collect IRM configuration for Office 365.
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
if (!$list) { $list = @() }
if (!$list.Contains($licenseUri)) { $list += $licenseUri }
#Enable message protection for Office 365.
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -AzureRMSLicensingEnabled $True -InternalLicensingEnabled $true
#Enable new Protect button in Outlook on the Web
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
Afterwards, to test that the IRM configuration is good, run the Test-IRMConfiguration cmdlet for a user in your tenant:
[PS] C:\> Test-IRMConfiguration -Sender [email protected]

Results : Acquiring RMS Templates ...
              - PASS: RMS Templates acquired.  Templates available: Redmond & Associates - Confidential View Only, Redmond & Associates - Confidential, Do Not Forward.
          Verifying encryption ...
              - PASS: Encryption verified successfully.
          Verifying decryption ...
              - PASS: Decryption verified successfully.
          Verifying IRM is enabled ...
              - PASS: IRM verified successfully.

At Ignite 2017, Microsoft announced that they will soon enable rights management automatically for Exchange Online for new Office 365 tenants. When this happens, you won’t have to perform the steps outlined above

Inline Reading for Clients

Part of the upgrade is to improve the client experience to make it easier for users to read protected messages. Outlook desktop (Windows and Mac), OWA, and the Outlook iOS and Android clients support inline reading, meaning that protected messages appear as normal, even if the message comes from another Office 365 tenant. The only sign that anything is different is the Permissions label (Figure 1).

IRM Outlook iOS
Figure 1: Reading a protected message with Outlook for iOS (image credit: Tony Redmond)

Different clients use different visual indicators to remind users about protected messages. Apart from highlighting the template name and permissions when reading email, OWA displays padlock icons for protected items in folders while Outlook uses various icons to show their status.

OWA’s New Protect Button

After you configure IRM, OWA includes Protect in the options for the New Message window. By default, clicking Protect applies the Do Not Forward template to a message. The Do Not Forward template is special because it exists in every Office 365 tenant. As such, you can use this template to protect messages to any Office 365 recipient. If you use a different template to protect messages that you send outside your tenant, the recipients will not be able to read the content unless their account receives permissions in the template.

You can click Change Permissions to select a different template (Figure 2) or Remove to unprotect the message.

Figure 2: Protecting a message with OWA (image credit: Tony Redmond)

Outlook desktop clients continue to work as before. You create a message, select Options, Permissions, and select the template you want to use to protect a message.

Messages carry the template for their entire lifetime. Any replies to messages inherit the same template to protect the complete conversation.

Dealing with the iOS Mail App

As obvious when the Apple iOS mail app ran into problems at the launch of iOS 11, many people use the mail app instead of Outlook to connect to Exchange Online. Forcing those users to go to the OME portal to read protected messages might not be the experience that you want to deliver.

If you are willing to compromise message security, you can force Exchange to apply server-side decryption for messages delivered to these “unenlightened” clients. The downside is that decrypted copies of messages exist on those devices. The mail app will not apply the permissions given to the user, so they can copy or print the message. However, Exchange Online knows that the original message is protected and if the user attempts to do something without permission that involves the server, like forwarding the message, the action is blocked when the server processes that message.

To enable server-side decryption for “unenlightened” apps (those who do not use the rights management API), run this command:

[PS] C:\> Set-ActiveSyncOrganizationSettings –AllowRMSSupportForUnenlightenedApps $True

External Recipients

Recipients outside Office 365 obviously have no knowledge of rights management. To solve the problem of how to give external recipients access protected to messages, Exchange notifies the recipient to go to the Office 365 Message Encryption (OME) portal to view the protected content there (Figure 3). If the recipient has a Microsoft, Google, or Yahoo! Account, they can sign in with their identity provider. If not, they can get a one-time code. This approach works for all non-Office 365 email systems.

IRM Outlook.com
Figure 3: An Outlook.com user receives notification of a protected message (image credit: Tony Redmond)

Protected Email to Groups, Teams, and Yammer

You can include a mixture of internal and external recipients, including those who do not use-Office 365. You can send protected messages to Office 365 Groups. However, Teams does not have the ability to read protected message in the client and therefore the message appears in the target channel like it appears to a non-Office 365 recipient. If you send protected email to a Yammer group, Yammer responds via email to ask whether you really want to post the message. If you do, Yammer decrypts the message and posts the content as text or a PDF file.

Encrypting Outbound Messages with Rules

Microsoft introduced Office 365 Message Encryption (OME) in mid-2015. Once a standalone function, OME is now tightly integrated with IRM. Microsoft’s focus for protecting email sent outside the tenant is simplified as templates are now the only answer.

To create a transport rule with OME, go to the Mail Flow section of EAC, and select Rules. You can use any available predicate to set the conditions for the rule to fire and then select Add rights protection to the message as the action (Figure 4) and select the template you want to use for protection. After you save the rule, it takes a little while before it is effective because Exchange caches transport rules for performance. Once the rule is active, Exchange protects any message meeting the criteria set in the rule. The notifications delivered to recipients tell them how to access the content.

Apply Transport Rule
Figure 4: Protecting messages with a transport rule (image credit: Tony Redmond)

The older form of OME protection (V1) uses the Apply Office 365 Message Encryption action and this action is still available. However, Microsoft recommends that you upgrade any transport rules using this action to use protection templates instead. Indeed, “Microsoft no longer supports setting up new deployments of OME without the new capabilities,” which means that you should use templates if you want to run a supported configuration.

Customizing the OME Configuration

You can customize the OME configuration using the Set-OMEConfiguration cmdlet to change in notifications and the OME portal seen by those who receive encrypted messages. For example, you can add a disclaimer or a corporate logo.

Support for Compliance

Protecting messages with encryption is great, but will protection hide user activities from compliance? In the earlier generation, you could find protected messages with eDiscovery searches, but you could not decrypt them. Now, Exchange Online makes protected messages fully available to compliance features such as content searches, eDiscovery cases, and supervision policies.

Protection for All

Protecting email is easier in Exchange Online than ever before. There is no reason why you should not use rights management within your Office 365 tenant. What have you got to lose?

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.