ENow Blog | M365 - Exchange Online Center

New Features in Office 365 Message Encryption

Written by Nathan O'Bryan MCSM | Nov 29, 2017 2:00:00 PM

I have long been interested in encryption. I started off my IT career in the United States Marine Corps where I had a Top-Secret security clearance and frequently worked with classified message traffic. During this time, I learned a lot about the rules of encryption and security. Most of what I learned, however, is that encryption is incredibly hard to do correctly.

Today information is more important than ever, and that makes encryption more important than ever. The ability to protect your organization's sensitive information is essential to keeping your organization running smoothly. Any organization that cannot protect its sensitive data, be that customer records, accounting records, or proprietary product information, isn't going to last very long.

In some ways, technology has made encryption easier to use. In this blog post I’m going to talk about some new features in Office 365 Message Encryption that make using encryption a bit easier on some levels. None of the new features are “magic bullets” that make encryption completely foolproof in all situations at all times.

What information should be encrypted?

Before we start talking about the features that help you encrypt your data, let’s first think about what data should be encrypted.

I’m not going to be able to provide an easy answer in a blog post about which of your data should be encrypted. I can’t even give you general categories that should be encrypted like “customer information” or “product data.” What I can tell you, however, is that the only way you’re going to be able to figure out what data should be encrypted is by first classifying your data.

You must set out specific conditions and circumstances under which your data must be encrypted and ensure that those conditions are clear to the employees who work with that data. Azure Information Protection is an Office 365 service that can help with that process, but it is never going to be the final solution. Planning, training, education, and communication between all the responsible parties are the only way to ensure that the data your organization needs to protect stays protected.

When is Office 365 Message Encryption the best choice?

One of the big difficulties with encrypting email is that there isn’t one solution. Even within Office 365, encryption options include OME, S/MIME, TLS, or a whole host of third-party add-ons. Keeping all these options straight is difficult for IT pros, but it’s impossible for end-user communities.

Microsoft realizes this. To that end, they are working on rolling all the encryption features that you need into the single package of Office 365 Message Encryption. Rome wasn’t built in a day, and we’re not at a point where OME is a one-stop shop for all your message encryption needs, but Microsoft is working in that direction.

Another difficulty is that people don’t use just one client: Outlook Web App, the regular fat-client Outlook, Outlook for iPhone, Outlook for Android, and various native mail apps on devices of all sorts. Microsoft wants encryption to work the same on all devices and to be accessible to anyone regardless of the device or application they choose to use. We’re not there yet either, but that is the plan Microsoft is working toward.

What’s New?

Here are a few of the new features in Office 365 Message Encryption you may not be aware of.

Federation with Google – Now, when you send an OME protected message to a recipient on Gmail, that user can verify their identity with their Google account. There is no need for them to have a Microsoft account of any type. There are people out there who don’t want to create Microsoft accounts, and this makes sending them OME protected messages much easier.

Rights Management – Working toward the goal of simplifying encryption for end-users, Microsoft has integrated some of the Rights Management features of Azure Information Protection into Office 365 Message Encryption. Now an OME protected message can have rights management applied to it without any additional steps. This isn’t really a revolutionary new feature from an admin perspective, but it is a great simplification of the process of protecting messages from an end-user standpoint.

“Protect” button in OWA – Originally the only way to trigger OME protection for messages was via a transport rule. As an admin, you could set up a transport rule so that when messages met specific conditions, they were encrypted with OME. I usually set up a rule that said any message with “Secure” as the first word of the subject line was protected with OME. Now you can turn on a “Protect” button in OWA that allows your end-users to apply OME protection to a message themselves.
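As an added example (not code from the original post), here is the kind of transport rule the author describes: any message whose subject starts with the word “Secure” gets OME protection. It assumes an Exchange Online remote session is already imported and that the tenant has the built-in “Encrypt” rights protection template (the template name is an assumption; confirm it with Get-RMSTemplate).

```powershell
# Added example: transport rule that applies OME when the subject's first word
# is "Secure". Assumes an imported Exchange Online session and that the
# "Encrypt" template exists (check with Get-RMSTemplate).

$ruleName = 'OME - Secure subject prefix'

# ^Secure(\s|$) anchors the match to the first word of the subject, so a
# subject such as "Insecure config" or "Please secure this" does not trigger,
# while "Secure" on its own and "Secure: Q3 numbers" both do.
$subjectPattern = '^Secure(\s|$)'

if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Host "Rule '$ruleName' already exists; updating its condition and action."
    Set-TransportRule -Identity $ruleName `
        -SubjectMatchesPatterns $subjectPattern `
        -ApplyRightsProtectionTemplate 'Encrypt'
} else {
    New-TransportRule -Name $ruleName `
        -SubjectMatchesPatterns $subjectPattern `
        -ApplyRightsProtectionTemplate 'Encrypt' `
        -Comments 'Added example: OME protection triggered by a Secure subject prefix.'
}

# Confirm the rule is enabled and carries the expected condition and action.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, Priority, SubjectMatchesPatterns, ApplyRightsProtectionTemplate
```

Rule priority matters: if an earlier rule already acts on the same messages, review the Priority value that Get-TransportRule returns.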

Turning on new OME features

To access all of these new Office 365 Message Encryption features, you will need to use PowerShell to turn them on. A more detailed explanation of these steps can be found on TechNet.

#Step 1: Connect to the Azure Rights Management service.
$cred = Get-Credential
Get-Command -Module aadrm
Connect-AadrmService -Credential $cred
#Step 2: Activate the service.
Enable-Aadrm
#Step 3: Get the configuration information needed for message encryption.
$rmsConfig = Get-AadrmConfiguration
$licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
#Step 4: Disconnect from the service.
Disconnect-AadrmService
#Step 5: Create a remote PowerShell session and connect to Exchange Online.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session
#Step 6: Collect IRM configuration for Office 365.
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
if (!$list) { $list = @() }
if (!$list.Contains($licenseUri)) { $list += $licenseUri }
#Step 7: Enable message encryption for Office 365.
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true
#Step 8: Enable the Protect button in Outlook on the web (Optional).
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
#Step 9: Enable server decryption for Outlook on the web, Outlook for iOS, and Outlook for Android.
Set-IRMConfiguration -ClientAccessServerEnabled $true

Once these commands have been run, you can verify your configuration with the Test-IRMConfiguration PowerShell cmdlet.
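As an added example (not from the original post), the following check reads the IRM configuration back, compares it with what Steps 3 and 7 through 9 were meant to set, and then runs Test-IRMConfiguration. It assumes the Exchange Online session from Step 5 is still imported, that $licenseUri still holds the value read from Get-AadrmConfiguration, and that the sender mailbox is replaced with a real one.

```powershell
# Added example: post-change verification of the OME/IRM settings.
# Assumes the Step 5 session is imported and $licenseUri is still set.
$sender = 'user@contoso.example'   # constructed placeholder; use a real mailbox

$irm = Get-IRMConfiguration

# Each entry pairs a setting with the value the enablement script sets.
$expected = @{
    AzureRMSLicensingEnabled      = $true   # Step 7
    InternalLicensingEnabled      = $true   # Step 7
    SimplifiedClientAccessEnabled = $true   # Step 8 (Protect button in OWA)
    ClientAccessServerEnabled     = $true   # Step 9 (server-side decryption)
}

$problems = @()
foreach ($name in $expected.Keys) {
    if ($irm.$name -ne $expected[$name]) {
        $problems += "$name is $($irm.$name); expected $($expected[$name])"
    }
}

# The licensing location list must contain the Azure RMS licensing URL
# collected in Step 3, otherwise clients cannot obtain use licenses.
$locations = @($irm.LicensingLocation | ForEach-Object { "$_" })
if ($locations -notcontains "$licenseUri") {
    $problems += "LicensingLocation does not include $licenseUri"
}

if ($problems.Count -eq 0) {
    Write-Host 'IRM settings match the expected OME configuration.'
} else {
    Write-Warning ("IRM configuration drift detected:`n  " + ($problems -join "`n  "))
}

# End-to-end check: Test-IRMConfiguration acquires the RMS templates and
# protects and decrypts a test message as the given sender, so it surfaces
# licensing problems that the static comparison above cannot.
Test-IRMConfiguration -Sender $sender | Format-List
```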

Wrapping it up

These are not huge changes to Office 365 Message Encryption, but they are important. I think these changes make the feature much more usable for end-users, and that is always of huge importance when we are talking about encryption.

The best encryption is useless if end-users don’t or won’t take the time to use it to protect the information that your organization needs to secure. These new features make that more likely.
