Message Encryption - Do Not Want Encryption on Attachment

Jones, Xavier 20 Reputation points
2024-08-28T19:40:40.7433333+00:00

We are using Microsoft Purview for DLP and have been working to get a solution to support the following requirement: create a message encryption option that encrypts the message only and does not encrypt the attachment (i.e., the attachment does not inherit IRM).

One option we found in a knowledge article is to modify the default message encryption option with Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true. However, we have a business case for the default encrypt option, so we can't modify it.

We are now trying to use sensitivity labels; however, it appears the email documents are still inheriting IRM. During testing, we sent an email with a Word attachment, and after the recipient downloaded the email, the attachment was encrypted. https://video2.skills-academy.com/en-us/purview/encryption-sensitivity-labels#example-4-label-that-encrypts-content-but-doesnt-restrict-who-can-access-it

We tried using mail flow rules as per the instructions; however, there is no option to encrypt the email only. https://video2.skills-academy.com/en-us/purview/define-mail-flow-rules-to-encrypt-email#use-the-eac-to-create-a-rule-for-encrypting-email-messages-with-microsoft-purview-message-encryption

Please advise on options to meet our requirements. Thank you!

Accepted answer
    Smaran Thoomu 16,555 Reputation points Microsoft Vendor
    2024-09-03T14:03:57.19+00:00

    Hi @Jones, Xavier

    Thank you for reaching out to us regarding your message encryption requirements. We understand that you are looking for a solution to encrypt the message body of an email without encrypting the attachment, and that you have tried modifying the default message encryption option with Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true, but you have a business case for the default encrypt option so you can't modify it.

    You have also tried using sensitivity labels, but the email documents are still inheriting IRM. During testing, you sent an email with a Word attachment and after the recipient downloads the email, the attachment was encrypted. You have tried using mail flow rules as per instruction, but there is no option to encrypt email only.

    Based on your requirements, we suggest that you consider using Azure Information Protection (AIP) to encrypt the message body of an email without encrypting the attachment. AIP allows you to apply encryption to specific parts of an email, such as the message body, while leaving the attachment unencrypted. This can be achieved by creating a custom AIP policy that applies encryption to the message body only.

    To create a custom AIP policy, you can follow the steps outlined in the following article: https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-classification. Once you have created the policy, you can apply it to your emails using the AIP client or the AIP scanner.

    We hope that this solution meets your requirements. If you have any further questions or concerns, please do not hesitate to reach out to us.
