Encrypting Emails from Anywhere!


***If you would like to help shape the future of OME, please fill out the survey at https://aka.ms/OMESurvey***

The Situation:

So, you recently purchased Microsoft 365 E3/E5 (or EMS E3/E5) and have started rolling out your pilot of Azure Information Protection.  Everything is going great until one of your executives approaches you and wants to know how to protect emails from their phone/tablet while they are relaxing on the beach.  You could always just hand them a shiny new Surface Pro with Office 365 Pro Plus, but they mentioned that sometimes they send emails while they are in the water (hey, I do that too!) and Surface Pros aren't super tiny and waterproof (yet).  So, you need a different solution that will quickly enable said executive to classify and protect their emails right from their portable device.

The Solution:

The solution to this conundrum comes in the form of the new Office 365 Encrypt functionality and Exchange Online Mail Flow Rules (the feature formerly known as Exchange Transport Rules or ETRs).  By using a mail flow rule, you can allow your executives (and everyone else) to automatically encrypt emails and supported attachments by simply adding a keyword like #Encrypt to the bottom of their message.  I will walk you through this process in the rest of this post.

The Mail Flow Rule

We will now set up a super simple mail flow rule to accomplish this task.  Follow the steps below to set up your mail flow rule.

  1. Log into https://outlook.office365.com/ecp/ as either an Office 365 Global Admin or Exchange Admin
  2. On the left side, click mail flow
  3. This will default to the rules pane
  4. In the rules pane, click the + icon and click Create a new rule...
  5. In the new rule pane, name the rule #Encrypt and click the More options... link
  6. After clicking More options..., select the drop-down under *Apply this rule if... and hover over The subject or body... and select subject or body includes any of these words
  7. In the specify words or phrases dialog, add #Encrypt (and optionally #ENC), then press OK once finished
  8. Click the drop-down below the *Do the following... and hover over Modify the message security... and click Apply Office 365 Message Encryption and rights protection
  9. In the select RMS template dialog, click the drop-down below RMS template: and select Encrypt and click OK
  10. The completed rule should look like the image below. Click Save to finish creating the mail flow rule.

 

That's it!  Now that you have completed these steps, you have a keyword (#Encrypt) that you can use for mobile devices and any other clients that do not currently support the Encrypt Only protection template natively.  Hopefully this is helpful to get you set up to use the new Encrypt functionality.  Let me know in the comments if there is anything you didn't understand.
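The same rule can also be created from Exchange Online PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, and the admin account shown is a placeholder. It checks that the Encrypt template is visible to Exchange Online before the rule references it.

```powershell
# Added example (not from the original post): create the #Encrypt mail flow
# rule from PowerShell instead of clicking through the admin center.
# Assumption: the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'  # placeholder account

$ruleName     = '#Encrypt'            # rule name from step 5
$keywords     = '#Encrypt', '#ENC'    # keywords from step 7
$templateName = 'Encrypt'             # RMS template from step 9

# The rule can only reference a template that Exchange Online can see,
# so confirm it is listed before creating anything.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    Get-IRMConfiguration | Format-List   # show the IRM settings to help troubleshoot
    throw "RMS template '$templateName' is not available to Exchange Online."
}

# Create the rule only if one with this name does not already exist.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Warning "A mail flow rule named '$ruleName' already exists; leaving it unchanged."
}
else {
    New-TransportRule -Name $ruleName `
        -SubjectOrBodyContainsWords $keywords `
        -ApplyRightsProtectionTemplate $templateName `
        -Mode Enforce
}

# Show the settings that matter so the result can be compared with the steps above.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate

Disconnect-ExchangeOnline -Confirm:$false
```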

Thanks!

Kevin

***Author's Note***

I know that the original version of this post included the setup of a unified classification label that can be used across any Office version.  It was brought to my attention that this was confusing, so I have broken that information out into its very own blog post! Please see my new blog post at http://blogs.technet.microsoft.com/kemckinn/2018/07/19/using-encrypt-only-even-on-older-office-versions for that information (currently in development).

Comments (7)

  1. This is the workaround we’ve been following for non-supported clients. Any timeframe on AIP client for MACs?

    1. I believe we are currently targeting Office for Mac native functionality for around the Ignite (late September) time frame but should be available by the end of the year at the latest.

  2. Hi,

    I can create a new label as you describe, but whatever I do, I can never see it in the choices listed in the combobox of the “Apply OME protection” option.
    Any ideas that could help me?

    Regards,
    Laurent

    1. Correct,

      The label itself is not protected. You create an unprotected label and select the Encrypt RMS Template in the Mail Flow rule under Apply OME protection.

      Thanks,
      Kevin

      1. I understand that I should select the RMS template in mail flow, but my problem is the RMS template doesn’t appear in mail flow rules

        1. Labels are not the same as RMS Templates. Only labels that have protection policies applied to them have RMS Templates associated. Additionally, any scoped labels (ones assigned to a scoped policy or not assigned to a policy) will not show in the RMS Templates even if they do have protection. Hopefully this helps you understand why your labels are not appearing in the RMS Templates in EXO. Thanks!

  3. Hi Kevin,
    Thanks for your answer, but I still have a problem.
    I followed your first tutorial with label creation.
    I created a sublabel Encrypt under confidential.
    As in your screenshot, this label does not belong to any policy, and protection and marking are not checked.
    But this label does not appear as a choice when I’m creating a new rule in ECP in the action “Apply OME 365 and right protection”.
    Still have not found out why.

    Regards,
    Laurent
