The ability to encrypt email is a critical feature. So much information gets sent via email — corporate secrets like specifications, private content like pretty much anything from your accountant or lawyer, or maybe just something you’d like to keep between you and the recipient. Email encryption is a fact of life. Recently, Microsoft moved email encryption into Azure but instead of being called Office 365 email encryption, it’s now Azure Information Protection (AIP).
In doing so, they also simplified the process for users. Reading an encrypted message no longer requires the recipient to open an attachment. Instead, they click a link in the body of the email. When the recipient replies, the original sender does not have to do anything to open that reply; it is decrypted for viewing automatically. If they send a further reply, it is again encrypted automatically. Messages can be encrypted between internal users too, and the third-party authentication has been made easier to use.
However, while simplifying the email encryption process for users, they’ve added to the workload of administrators because you need to set up your email encryption again to use the new version.
What follows is a step-by-step guide for completely configuring or reconfiguring email encryption in your Office 365 tenant.
For previously configured tenants
I like to start from a clean slate, so I’m going to recommend that you remove any encryption rules you previously created in Exchange. After that, disable encryption, wait 30 minutes, then re-enable it. This makes sure that your tenant gets switched over to the new version.
To do that, go to the admin portal, then Settings, then Services and add-ons. Click on Azure Information Protection and disable it. Don’t forget to turn it back on 30 minutes later.
For tenants created after February 2018
Azure Information Protection should be enabled by default so you won’t need to turn it on. You can move straight into configuration.
Check that AIP is working
Before we try to configure anything, let’s take a moment to make sure that it’s working correctly. You’ll need PowerShell for all of the configuration from here on out. First you need to connect to your Exchange Online service. Be sure to run PowerShell as an administrator, then run the following commands.
Set-ExecutionPolicy RemoteSigned
# When it asks Yes / Yes to All / No, choose A (Yes to All).
$UserCredential = Get-Credential
# A pop-up authentication window appears: enter your global admin credentials.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Import-PSSession loads the Exchange Online cmdlets (Test-IRMConfiguration, Set-IRMConfiguration and so on) into this session; without it the commands that follow are not available.
You should now be connected to the tenant. Now run the test. Make sure you use an active mailbox for the test, not just the admin account; often the admin account does not have a mailbox anyway.
Test-IRMConfiguration -Sender email@example.com
Results : Acquiring RMS Templates …
          - PASS: RMS Templates acquired. Templates available: yourdomain - Confidential View Only, yourdomain - Confidential, Do Not
          Verifying encryption …
          - PASS: Encryption verified successfully.
          Verifying decryption …
          - PASS: Decryption verified successfully.
          Verifying IRM is enabled …
          - PASS: IRM verified successfully.
OVERALL RESULT: PASS
We’re ready to configure
Now that we know that AIP is working, we are ready to configure it. There are several pieces to this: creating the rule that decides when encryption gets applied to an email, allowing attachments to be decrypted by the recipient, customizing the email, and optionally setting up a super-admin who can decrypt messages and files encrypted by your staff. Leave your PowerShell session open until you’ve completed the entire process.
Create an Exchange rule
You need a mail flow rule to tell Exchange when you expect messages to be encrypted. The rule I suggest uses a keyword to trigger the encryption. In the example that follows, when the word securemail is present anywhere in the subject or body of the email, Exchange will encrypt the message.
Open the Exchange Online admin center.
Go to Mail flow, then Rules.
Click the arrow next to the + sign and choose the rule type Apply Office 365 Message Encryption and rights protection to messages.
Name the rule Encrypt on Demand, or anything that you’ll remember.
In the Apply this rule if… box, select The subject or body includes the word and enter securemail (or any other word of your choosing, but it needs to be a word that someone won’t type by accident).
In the Do the following… box, select Apply Office 365 Message Encryption and rights protection to the message with, and select the Encrypt template.
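The same rule can be created from the PowerShell session opened earlier instead of clicking through the admin center. This is an added example, not part of the original post: the rule name and the keyword securemail are the ones used in this guide, "Encrypt" is the built-in Office 365 Message Encryption template selected above, and the duplicate check and verification step are my additions.

```powershell
# Added example (not from the original post). Assumes the Exchange Online
# remote session from the "Check that AIP is working" step is still open.

$RuleName = "Encrypt on Demand"
$Keyword  = "securemail"   # pick a word nobody will type by accident

# Refuse to create a second copy if the rule already exists; edit that one instead.
if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
    throw "A rule named '$RuleName' already exists; edit that one instead of creating a duplicate."
}

# Same condition and action as the admin-center steps:
#   condition: subject or body contains the keyword
#   action:    apply the built-in "Encrypt" rights protection template
New-TransportRule -Name $RuleName `
    -SubjectOrBodyContainsWords $Keyword `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Encrypts any message whose subject or body contains '$Keyword'."

# Verify the rule is enabled and carries the Encrypt template before moving on.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate
```

Keep the keyword out of signatures and templates; because the condition matches the body as well as the subject, a keyword that appears in a standard footer would encrypt every message that carries it.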
Admin control for attachments
By default, attachments to your encrypted email are also encrypted and can’t be opened outside of your company. They say that there is an option to change this, but I don’t think that your users will feel that way. It is very common that the reason for sending an encrypted message is the content of the attachment. Microsoft’s reasoning for not making this the default setting is that, once decrypted, the attachment is plainly available to the recipient to do with as they choose.
By default, the email message gives the recipient that phishy feeling, so you will want to customize the content to indicate that the email is legitimate. In addition, I recommend that anyone using encryption get in the habit of first sending a regular email letting the recipient know that an encrypted email is about to follow.
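If you decide that recipients should be able to open attachments after decrypting an Encrypt-only message, the tenant-wide switch is on the IRM configuration. This is an added example, not part of the original post: it assumes the Exchange Online session opened earlier is still active, and it uses the Set-IRMConfiguration parameter DecryptAttachmentForEncryptOnly, which is the documented setting for this behaviour; whether to enable it is your decision, and as the text above notes, a decrypted attachment is plaintext once the recipient downloads it.

```powershell
# Added example (not from the original post). Assumes the Exchange Online
# remote session from the "Check that AIP is working" step is still open.

# Record the current value so the change can be reviewed or reverted.
$before = Get-IRMConfiguration
"Before: DecryptAttachmentForEncryptOnly = $($before.DecryptAttachmentForEncryptOnly)"

# Allow recipients of Encrypt-only messages to download attachments decrypted.
# Set this to $false to return to the default (attachments stay protected).
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true

# Read the configuration back rather than trusting that the cmdlet succeeded.
$after = Get-IRMConfiguration
if ($after.DecryptAttachmentForEncryptOnly -ne $true) {
    throw "Setting did not apply; confirm you are connected as a global admin and retry."
}
"After:  DecryptAttachmentForEncryptOnly = $($after.DecryptAttachmentForEncryptOnly)"

# Re-run the end-to-end check with a real mailbox (replace the placeholder address).
Test-IRMConfiguration -Sender email@example.com
```

Run the before/after read-back in the same session so the change is captured in your change record; the setting applies to the whole tenant, not to a single rule.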
Here I am simply sharing Microsoft’s instructions for these customizations. I’ve added a couple of tips to their chart and provided a sample.