What is Office 365 Message Encryption?

Office 365 Message Encryption allows organizations to send and receive encrypted email messages between people inside and outside their organization. This allows organizations to work with external collaborators in B2B and B2C business scenarios. Office 365 Message Encryption builds on Microsoft Azure Information Protection (formerly called Rights Management Services). Users can protect email using Azure Information Protection, and external collaborators will be able to open and view the protected content. Office 365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services. Via Azure Information Protection’s persistent encryption, Office 365 Message Encryption ensures that only intended recipients can view message content.

How Does Office 365 Message Encryption Work?

Office 365 Message Encryption is designed to facilitate the secure exchange of information between internal users and external collaborators. The flow of information is usually from a business to another business partner, or from a business to its customers. The initiating business needs to have Office 365, Outlook (at the Professional Plus level), and Azure Information Protection.

To send protected information, an internal user opens a new message in Outlook and applies protection via the Options tab and the Permissions button. Users can elect to protect the message with the standard “Do Not Forward” permissions, or by selecting one of their company’s customized templates.

The external recipient can open the message in one of three ways, depending on what type of mail client they are using.

  1. If they are using an Outlook or Outlook web client, the user will open the message like any other Outlook message.
  2. If they are using Outlook.com, Yahoo or Gmail, they will be asked to authenticate to their email service (sign on to Gmail, Yahoo or Outlook.com). Once authenticated, the recipient will see the protected message in a separate browser window.
  3. If they are using some other mail service, the recipient will be asked to authenticate with a one-time passcode. When they click to open the message, a one-time password is sent to their email address. The user copies this one-time password and pastes it into a web form. They can then view the protected message in a separate browser window.

Strengths of Office 365 Message Encryption

  • Facilitates the secure exchange of information with any external collaborator, regardless of the recipient’s operating system platform or email client
  • The protection is persistent (the message cannot be decrypted and forwarded in the clear to others)
  • You can limit the permissions of the recipient (No Forward, No Print, etc.)
  • There are no licensing costs for external collaborators

Weaknesses of Office 365 Message Encryption

  • Can be expensive, as your users must be licensed for an Office 365 business subscription such as Office 365 E3 as well as an Azure Information Protection subscription
  • Does not work in organizations using on-premises Microsoft Exchange
  • Does not allow customers to hold their own encryption key. The encryption key must be stored in the Microsoft Office 365 cloud.
  • Your sensitive data must all be stored in the Office 365 cloud. There is no option to store your protected messages on-premises (no on-premises Exchange support). As a result, your information could be subject to government warrant and seizure.