
How To Encrypt Office 365 Emails Effectively

Here’s what you should know about encrypting Office 365 emails with Azure Information Protection.

What is Azure Information Protection?

Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization classify and, optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination of the two in which users are given recommendations.

Azure Information Protection Client

  • To provide the Email Encryption service, we are leveraging the Microsoft Azure Information Protection cloud service and its existing integration with the Office 365 identity management service and the Office 365 Pro Plus suite of client software.
  • AIP service policies, and the labels defining the collection of restrictions to be assigned to client documents and emails, are managed in the Azure cloud service.
  • To take advantage of these AIP policies and labels, the AIP client software must be installed on the Windows workstation. Currently, only Windows 7 and Windows 10 PCs, as well as macOS workstations, can apply these restrictions to documents or emails.

Encrypting Office 365 Emails: Setup

To enable and configure Office 365 Message Encryption for secure message delivery, the following steps are necessary:

  • Subscribe to Azure Information Protection
  • Activate OME

Subscribe to Azure Information Protection

  • The Azure Information Protection suite is an add-on subscription for Office 365 that will allow users to perform some very useful functions with their email. It also integrates with SharePoint and OneDrive to act as a Data Loss Prevention tool.
  • With AIP, users can flag messages or files so that they cannot be copied, forwarded, deleted, or a range of other common actions. For email, all messages that have specific classification flags or that meet specific requirements are encrypted and packaged into a locked HTML file that is sent to the recipient as an attachment.
  • When the recipient receives the message, they have to register with Azure to be assigned a key to open the email.
  • The key is tied to their email address and once registered the user can then open the HTML attachment and any future attachments without having to log in to anything.

If you have E3 or higher subscriptions assigned to your users, they don’t need a separate AIP subscription. However, each user who will be sending messages containing confidential information will need either an AIP license or an E3/E5 license to do so. To subscribe to AIP, perform these steps:

  • Launch the “Microsoft 365 admin center”
  • Go to the “Subscriptions” list
  • Click on “Add a Subscription” in the upper right corner
  • Scroll down to find the Azure Information Protection
  • Click the Buy Now option and follow the prompts or select the “Start Free Trial” option to get 25 licenses for 30 days to try it out before purchasing
  • Wait about an hour for the service to be provisioned on your O365 tenant
  • Once provisioned, you can then move on to the next step in the process.

Encrypting Office 365 Emails: Activate

This part has changed very recently. Before 2018, activating Office 365 Message Encryption took a lot of PowerShell work and waiting for it to function properly. Microsoft changed the method for activating OME to streamline the process and make it easier to work with. Here’s what you have to do:

  1. Open the Settings option in the Admin Portal
  2. Select Services & Add-ins
  3. Find Azure Information Protection in the list of services and click on it
  4. Click the link that says, “Manage Microsoft Azure Information Protection settings” to open a new window
  5. Select the Activate button under “Rights Management is not activated”
  6. Choose Activate in the Window that pops up

Once this is done, you will be able to use the AIP client application to tag messages for rights management in Outlook. There will also be new buttons and options in Outlook Web App that will allow you to encrypt messages.
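As an added check that is not part of the original post: after the portal activation above, the tenant’s rights-management state can be verified (and, if needed, switched on) from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange administrator role, and uses placeholder addresses for the admin and the test sender.

```powershell
# Added example, not from the original post. Verifies that Azure RMS / OME is
# active for the tenant so that Outlook and OWA will offer the "Encrypt" and
# "Do Not Forward" options. Addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# Read the tenant IRM configuration. AzureRMSLicensingEnabled must be True
# for rights management to be used from Exchange Online.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Write-Warning 'Azure RMS licensing is not enabled for Exchange Online; enabling it.'
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

# End-to-end check for one sender: template retrieval plus an encrypt/decrypt
# round trip. Each step is reported as PASS or FAIL; all must pass before
# users are told the feature is ready.
Test-IRMConfiguration -Sender 'alice@contoso.com'

# List the protection templates Exchange Online can see ("Do Not Forward",
# "Encrypt" and any custom templates published from the AIP portal).
Get-RMSTemplate | Select-Object Name, Description

Disconnect-ExchangeOnline -Confirm:$false
```

If Test-IRMConfiguration reports a FAIL step, wait for the provisioning delay mentioned above and re-run it before changing anything else.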

Encrypting Office 365 Emails: Protection

The basic function of the Email Encryption Service is to provide protection to prevent unwanted individuals from being able to read the content of your email while in transit and while at rest in a mailbox. To gain access to the content of your email, the recipient must be validated. When using Office 365 Pro Plus applications, such as Microsoft Outlook, this validation process is performed behind the scenes and the recipient is not prompted for their credentials. In all other cases, the recipient will be challenged to verify their identity.

Using the “Encrypt” Label

  • To apply encryption to an email using the Microsoft Outlook application installed on a Windows OS workstation, you need only select the “Encrypt” label on the “Sensitivity Bar” as shown below:
  • This “Encrypt” label is also accessible from the Menu – Message button ribbon “Protect” button drop-down menu as shown below:
  • Once selected, the Sensitivity Bar will reflect the choice made and will hide the other choices. The details of the permissions assigned will be shown as a “tool tip” just under the “Sensitivity Bar” in the upper left of the email window as shown below:
  • You may choose to modify your choice of protection by clicking the “pencil” icon next to the label chosen to reveal the other choices as shown below. This pencil icon can also be used to hide other choices once more.
  • Once a label is set, a “trash can” icon will be available in addition to the other labels to allow you to remove the selected label and return the “sensitivity” of the email to “not set”. You will be prompted to record the reason for removing the label. (For future use)
  • Once set, your email will be protected whether it sits in your Drafts folder before you send it, your Sent Items folder after you have sent it, or in your recipient’s mailbox. Microsoft Outlook helps to identify this protection by using the following icons:
  • Regardless of the protections you choose to apply, you retain “Full Control” rights over the email. Only named identities in the From, To, Cc and Bcc fields will have access.
  • Using the “Encrypt” selection allows the recipient to forward your email to others who will then also have full access to the email contents, each being required to authenticate to gain access. Recipients will not be able to remove the encryption requirement.

Using the “Do Not Forward” label

The “Do Not Forward” protection is the basic email protection provided by Microsoft. Selecting this protection will prevent recipients from being able to do the following:

  • Forward your email to another person (as well as add new recipients to the “To”, “Cc”, or “Bcc” fields when replying)
  • Print your email, or copy the contents of the email text body to the clipboard

These protections can be set either by selecting the sensitivity label: “Do Not Forward.”, or by selecting the “Do Not Forward” button on the Menu – Message button ribbon as shown below:


Please note the “Tool Tip” describing the protections set that appears just below the sensitivity bar.

CAUTION: It is possible to accidentally remove your intended protections by deselecting the “Do Not Forward” button on the Menu – Message button ribbon as shown below. Note also that the “Tool Tip” is removed BUT the “Do Not Forward” label is still set. This email would NOT be protected.

We do not currently have a method to prevent you from deselecting the “Do Not Forward” button so please be careful.

PLEASE NOTE: Microsoft Outlook allows attachments to be downloaded regardless of the restrictions applied. Please see “Protecting Attachments” later in this document.

Using the “Encrypt – Protect” label

  • The “Encrypt – Protect” label is a customized protection for email that adds an additional restriction to prevent the recipients from being able to edit or modify your original email.
  • This label should ONLY be used when you want the recipient to have “View Only” rights to your email. When replying, your recipient will be forced to attach your original email as an attachment to a new message, as they will be prevented from adding to the thread of your original email.
  • This label also applies the restrictions on printing and copying described in the “Using the ‘Do Not Forward’ label” section above.

PLEASE NOTE: Microsoft Outlook allows attachments to be downloaded regardless of the restrictions applied. Please see “Protecting Attachments” later in this document.

Protecting Attachments

The Azure Information Protection client is REQUIRED to decrypt and open a protected document. A “reader” is already included in the Office 365 Pro Plus software for Windows, macOS, iOS, and Android. However, a separate application is needed to read encrypted non-Microsoft Office Pro Plus documents (available here). The AIP Reader is available for the PC, iPhone, iPad, and Android.

Protecting a Non-Microsoft Office 365 Pro Plus Document

  • Non-Microsoft Office documents can be protected using the additional “Hot Menu” selection called “Classify and Protect”, found by right-clicking a document in Windows Explorer as shown below:
  • This application (shown below) will create a “wrapper” to encase the file and add encryption, as well as the protections you select.
  • For each desired use, you will want to first select the sensitivity label desired for your email. This label will be inherited by your email once your protected file is attached. There are two pieces required to install your desired protections: “Permissions” and “Identity”.

The “permissions” available to be granted are:

  • Viewer – View Only
    This permission is equivalent to the Email Protection “Encrypt – Protect”.
  • Reviewer – View, Edit
    This permission is equivalent to the Email Protection “Do Not Forward”.
  • Co-Author – View, Edit, Copy, Print
    This permission is equivalent to the Email Protection “Encrypt”.
  • Co-Owner – Full Permissions
    This permission is also equivalent to the “Encrypt” label; however, it grants the user the ability to remove the set permissions AND the encryption.
  • Only for me
    This setting has no value for sending documents to others, but it may be useful for protecting your own individual documents.

Although not recommended to avoid confusion, it is possible to select permissions that are stricter than the email encryption label desired (e.g. “Viewer – View Only” document permissions with the “Encrypt” Email Protection label). This combination would restrict the document to prevent viewing by unwanted identities, as well as restrict recipients from copying, printing, or editing while granting the recipient all functions to the email text body. Again, as stated above, this can become confusing and is not recommended.

“Identity” can be set to the following types:

Users – This is the email address(es) of the individual user(s) receiving the document. This is the primary method that you will use to identify who can access your document.

Groups – This is the email address(es) of the Distribution List(s) to which your intended recipients belong. PLEASE NOTE: this will ONLY work for recipients.

Organizations – You can also grant access to EVERYONE within an Active Directory domain.

Identities can be typed directly into the box provided, or you can select your recipients from the Outlook Address Book (provided the Outlook app is already launched and running) by clicking on the “book” icon.

There is a third control available for Protecting Attachments. You can set an Expiry Date for the permissions granted either by typing in the date directly or by selecting the date by clicking on the “calendar” icon. Once the expiry date is reached, ALL PERMISSIONS are revoked for the selected users.

Regardless of the settings above, you retain Full Control over your document. Once you “Apply” the protections to your document, your document is REPLACED with the “wrapped” file and the file extension is changed (file name modified manually ONLY for example purposes)

The Azure Information Protection client is REQUIRED to decrypt and open this file.
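The three controls described above (permissions, identity and an expiry date) can also be applied without the dialog, using the PowerShell module that ships with the AIP client. This is an added example and not part of the original post; it assumes the AzureInformationProtection module is available and you are signed in to the AIP client, and the recipient addresses, file path and date are placeholders. The mapping of the dialog’s role names onto the module’s right names is an assumption.

```powershell
# Added example, not from the original post. Protects a non-Office file with
# per-recipient permissions and an expiry date, mirroring "Classify and Protect".
# Requires the AzureInformationProtection module (installed with the AIP client).
Import-Module AzureInformationProtection

# Identity + permissions: one rights definition per recipient. Assumed mapping
# from the dialog's roles onto the module's right names:
#   Viewer    -> VIEW
#   Reviewer  -> VIEW, EDIT
#   Co-Author -> VIEW, EDIT, EXTRACT (copy), PRINT
#   Co-Owner  -> OWNER (can also strip the protection)
$viewer   = New-RMSRightsDefinition -EmailAddress 'bob@contoso.com'   -Rights 'VIEW'
$reviewer = New-RMSRightsDefinition -EmailAddress 'carol@contoso.com' -Rights 'VIEW','EDIT'

# Expiry: once ValidUntil passes, ALL permissions are revoked for these users.
# The signed-in user remains the owner with Full Control, as the text above states.
$license = New-RMSProtectionLicense -RightsDefinition $viewer, $reviewer `
                                    -ValidUntil (Get-Date '2030-01-01')

# Protect the file. Without -InPlace the original is left untouched and the
# "wrapped" copy, with its changed extension (e.g. .pdf -> .ppdf), is written
# to OutputFolder; that copy is what you attach to the email.
Protect-RMSFile -File 'C:\Docs\report.pdf' -License $license `
                -OutputFolder 'C:\Docs\Protected'

# Confirm every file in the output folder is actually protected before sending.
Get-ChildItem 'C:\Docs\Protected' -File |
    ForEach-Object { Get-RMSFileStatus -File $_.FullName }
```

Keep the sensitivity label on the email at least as permissive as the document permissions, for the same reason the text above recommends against mixing a stricter document permission with a looser email label.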

Protecting a Microsoft Office 365 Pro Plus Document

Microsoft Office documents can be protected from within the Office Application. As with Microsoft Outlook, the Home button ribbon hosts the “Protect” button drop-down menu. This allows for “Custom Permissions” to be applied to Office documents. Applying a Sensitivity Label will cause Outlook to apply the same permissions restrictions to any email to which the document is attached.

CAUTION: You will want to select your Sensitivity Label BEFORE assigning your Custom Permissions. Otherwise, selecting the label after the fact will OVERWRITE and apply ONLY the default “permissions” of the label allowing ANYONE to decrypt the document.

As with “Protecting a Non-Microsoft Office 365 Pro Plus Document” above, you will want to protect your document by identifying the “identity” of the person allowed to interact with your document, and the “permissions” you wish to grant. The choices for permissions and the process to assign the identity use virtually the same graphical user interface as when “Protecting a Non-Microsoft Office 365 Pro Plus Document”.

PLEASE NOTE: Once protected and saved, the file type IS NOT CHANGED.

You will need to save your Office Documents in their native format. If you attempt to save the file in a “compatible” format, the restrictions you configured will be removed.

Once saved, you will now see a new information bar alerting you to the fact that the document now has Restricted Access.

Managing Protected Documents

Once protections are set on a document, you can “Track” the views of that document as well as the ability to “Revoke” access to your document. For a Microsoft Office Document, you can access this feature from within the Office Application.

For a Non-Microsoft Office Document, you can access this feature either by double-clicking or right-clicking the document within Windows Explorer.

Both will launch your web browser and take you to the AIP Document Tracking center.

From here you can:

  • Review the Summary of Interaction of your document by your recipients
  • List who has viewed your document and the date it was viewed
  • Review the Timeline of interaction with your document
  • Set notifications Settings to alert you when someone tries to interact with your document
  • Revoke Access to your document so it is no longer accessible by a recipient

You can also export these statistics to a CSV file.

Mac Users have the added task of “Verifying Credentials” before their protection options are retrieved from the Microsoft Office 365 Cloud services.

Once set, to remove or change protection you must choose the “No Restrictions” selection under the Protection button.

To set protections on a Microsoft Office 365 Document, use the “Restrict Permission” button on the “Review” menu.

Select the “Restricted Access…” menu option to grant the customized access desired.

Use the “More Options…” button to set Print and Copy permissions.

Congratulations! Now you know how to encrypt Office 365 emails with Azure Information Protection. If you have any further questions, please let me know.
