Examine Microsoft Purview Message Encryption


Microsoft Purview Message Encryption is an online service that's built on Microsoft Azure Rights Management (Azure RMS). Azure RMS is part of Azure Information Protection. Microsoft Purview Message Encryption includes encryption, identity, and authorization policies to help organizations secure their email. They can encrypt messages by using:

  • Rights Management templates. These default templates make it easy for organizations to immediately start protecting their sensitive data. They can be used with Azure Information Protection labels, or by themselves with applications and services that can use Rights Management templates. When an organization obtains its subscription for Azure Information Protection or for a Microsoft 365 subscription that includes the Azure Rights Management service, two default templates are automatically created for its tenant. These templates restrict access to authorized users in the organization. These templates are configured to allow offline access for seven days and don't have an expiration date. Organizations can also create their own custom templates.
  • Do Not Forward option. When this option is applied to an email, the email is encrypted and recipients must be authenticated. The recipients then can't forward it, print it, or copy from it. These restrictions are enforced by the recipient's mail client; they don't stop a recipient from photographing the screen or retyping the content.
  • Encrypt-only option. This option enables organizations to encrypt data without other restrictions. The recipients have all usage rights except Save As, Export and Full Control. This combination of usage rights means the recipients have no restrictions except that they can't remove the protection.

Additional reading. For more information on these encryption features, including the permissions assigned to Rights Management templates, see Configure usage rights for Azure Information Protection.

Users can encrypt email messages and their attachments by using these options. Administrators can define mail flow rules that apply this protection automatically. For example, an administrator can create mail flow rules that:

  • require the encryption of all messages addressed to a specific recipient.
  • require the encryption of messages that contain specific words in the subject line.
  • restrict recipients from copying or printing the contents of the message.
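The three kinds of rule listed above, expressed in Exchange Online PowerShell. This is an added example, not code from the original page or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an Exchange administrator role, and the recipient address legal@contoso.com, the keyword list and the partner domain fabrikam.com are placeholders for your own values.

```powershell
# Added example (not from the original page): three mail flow rules that map to the
# conditions described in the text. Assumes the ExchangeOnlineManagement module and an
# Exchange administrator account. legal@contoso.com, the keyword list and fabrikam.com
# are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Every message addressed to a specific recipient is encrypted. The Encrypt template
#    leaves recipients all usage rights except removing the protection.
New-TransportRule -Name "Encrypt all mail to Legal" `
    -FromScope InOrganization `
    -SentTo "legal@contoso.com" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce

# 2. Messages whose subject contains one of the trigger words are encrypted.
#    -SubjectContainsWords matches whole words in the subject only; a match on the body
#    as well would need -SubjectOrBodyContainsWords instead.
New-TransportRule -Name "Encrypt on subject keyword" `
    -FromScope InOrganization `
    -SubjectContainsWords @("Confidential", "Encrypt", "Secure") `
    -ApplyRightsProtectionTemplate "Encrypt"

# 3. Messages to an external partner domain get Do Not Forward, which also removes the
#    recipients' ability to print or copy from the message.
New-TransportRule -Name "Do Not Forward to fabrikam.com" `
    -FromScope InOrganization `
    -RecipientDomainIs "fabrikam.com" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Read back every rule that applies an RMS template, in processing order. Lower
# Priority runs first; a rule created without -Priority lands at the end of the list,
# so check that an earlier rule does not already stop processing before these run.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Sort-Object Priority |
    Select-Object Priority, Name, State, Mode, ApplyRightsProtectionTemplate |
    Format-Table -AutoSize
```

Rule 1 is created with -Mode Enforce for clarity; Audit or AuditAndNotify can be used instead to log matches without applying the action while the conditions are being tuned.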

The predecessor to Microsoft Purview Message Encryption was Office 365 Message Encryption (OME). Unlike OME, Microsoft Purview Message Encryption provides a unified sender experience whether you're sending mail inside your organization or to recipients outside of Microsoft 365. In addition, recipients who receive a protected email message sent to a Microsoft 365 account in Outlook 2016 or Outlook on the web, don't have to take any other action to view the message. It works seamlessly. Recipients using other email clients and email service providers also have an improved experience.

Additional reading. For a detailed list of the differences between OME and Microsoft Purview Message Encryption, see Compare versions of message encryption.

When someone sends an email message that matches a mail flow rule that invokes Microsoft Purview Message Encryption, the message is encrypted before it's sent.

All Microsoft 365 end users that use Outlook clients to read mail will receive native, first-class reading experiences for encrypted and rights-protected mail. And they do so even if they aren't in the same organization as the sender. Supported Outlook clients include:

  • Outlook desktop
  • Outlook Mac
  • Outlook mobile on iOS and Android
  • Outlook on the web (formerly known as Outlook Web App)

Recipients whose Outlook.com, Gmail, or Yahoo accounts receive encrypted or rights-protected mail get a wrapper mail that directs them to the message encryption portal, where they can authenticate using a Microsoft account, Gmail, or Yahoo credentials.

End users that read encrypted or rights-protected mail on clients other than Outlook also use the message encryption portal to view encrypted and rights-protected messages that they receive.

Sending, viewing, and replying to encrypted email messages

With Microsoft Purview Message Encryption, users can send encrypted email from Outlook and Outlook on the web clients. Additionally, admins can set up mail flow rules in Microsoft 365 to automatically encrypt emails based on keyword matching or other conditions.

Recipients of encrypted messages who are in Microsoft 365 organizations can read those messages seamlessly in any version of Outlook, including Outlook for PC, Outlook for Mac, Outlook on the web, Outlook for iOS, and Outlook for Android. Users who receive encrypted messages in other email clients can view the messages in the message encryption portal.

For detailed guidance about how to send and view encrypted messages, see the following articles.

Read this article... if you are...

  • Learn about protected messages in Office 365: an end user who wants to learn more about how encrypted messages work and what options are available to you.
  • How do I open a protected message?: an end user who wants to read a protected message that was sent to you. This article covers reading messages in several versions of Outlook and from different email accounts, including accounts outside Microsoft 365 such as Gmail and Yahoo! accounts.
  • Send, view, and reply to encrypted messages in Outlook: an end user who wants to send, view, or reply to an encrypted message from Outlook. Even if you're not a member of an organization, you still receive notification of encrypted messages sent to you in Outlook. Use this article for instructions on how to view and reply to encrypted messages sent from Microsoft 365.
  • Send a digitally signed or encrypted message: an end user who wants to send, view, or reply to encrypted messages using Outlook for Mac. This article also covers encryption methods other than Microsoft Purview Message Encryption, such as S/MIME.
  • View encrypted messages on your Android device: an end user who has received a message encrypted with Microsoft Purview Message Encryption on an Android device. You can use the free OME Viewer app to view the message and send an encrypted reply; this article explains how.
  • View encrypted messages on your iPhone or iPad: an end user who has received a message encrypted with Microsoft Purview Message Encryption on an iPhone or iPad. You can use the free OME Viewer app to view the message and send an encrypted reply; this article explains how.

Apply Microsoft Purview Message Encryption templates to a mail flow rule

The following example shows how to create mail flow rules that apply custom templates to email messages sent from your organization. Such a rule can apply custom branding, for example to messages from senders in a specific department or from members of a specific distribution group. You can also configure all mail sent from inside the organization to be encrypted.

In the following example, you'll configure a mail flow rule that encrypts all mail sent to the external partner organization Fabrikam, Inc., which uses the domain fabrikam.com.

Perform the following steps to create a mail flow rule in the Exchange Admin Center (EAC):

  1. In a web browser, navigate to the Exchange admin center at https://admin.exchange.microsoft.com/.

  2. Sign in using a work or school account that has been granted Exchange administrator permissions.

  3. In the EAC, go to Mail flow > Rules and select Add a rule > Apply Office 365 Message Encryption and rights protection to messages…

  4. Enter the following information:

    1. In Name, type a name for the rule, such as Encrypt all mail to Fabrikam.

    2. In Apply this rule if…, select the condition The recipient > domain is.

    3. Enter fabrikam.com, select Add (+), and then select Save.

    4. Under Do the following…, select the Select one… text, and then in the RMS template list select Encrypt.

    5. Select Save.

The list of templates includes the default templates and options and any custom templates you create. If the list is empty, ensure that you have set up Microsoft Purview Message Encryption with the new capabilities and that IRM (Azure Rights Management) is activated for your tenant.

You can also perform this operation with Exchange Online PowerShell. Note that the PowerShell example doesn't name the RMS template "Encrypt"; it names the OME configuration (branding template) you want to apply instead, through the -ApplyRightsProtectionCustomizationTemplate parameter. A plain RMS template such as Encrypt or Do Not Forward is specified with the separate -ApplyRightsProtectionTemplate parameter. Use the following cmdlet to create a new mail flow rule to encrypt all messages sent to fabrikam.com:

  New-TransportRule -Name "Encrypt all mail to Fabrikam" -FromScope InOrganization -RecipientDomainIs "fabrikam.com" -ApplyRightsProtectionCustomizationTemplate "OME Configuration"
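The full procedure from this section as a script: check that the tenant is ready (the cause of an empty template list in the EAC), create the fabrikam.com rule idempotently, and read it back. This is an added example, not code from the original page or from Microsoft. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; sender@contoso.com is a placeholder sender in your own tenant, and "OME Configuration" is the default branding template that exists in every tenant.

```powershell
# Added example (not from the original page): readiness check, rule creation and
# verification for the fabrikam.com rule described above. Assumes the
# ExchangeOnlineManagement module and an Exchange administrator account;
# sender@contoso.com is a placeholder.
Connect-ExchangeOnline -ShowBanner:$false

# Azure RMS must be enabled for the tenant, otherwise the RMS template list in the EAC
# is empty and rules that apply protection can't be created.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Write-Warning "Azure RMS is not enabled for this tenant; enabling it now."
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
# SimplifiedClientAccessEnabled controls the Encrypt button in Outlook on the web.
$irm | Select-Object AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled | Format-List

# RMS templates the rule action can reference: the built-in Encrypt and Do Not Forward
# templates plus any custom templates published to the tenant.
Get-RMSTemplate | Select-Object Name, Description | Format-Table -AutoSize

# Branding (OME) configurations. OTPEnabled and SocialIdSignIn decide how external
# recipients may authenticate in the message encryption portal.
Get-OMEConfiguration | Select-Object Identity, OTPEnabled, SocialIdSignIn | Format-Table -AutoSize

# Create the rule only if it doesn't exist yet. -ApplyRightsProtectionCustomizationTemplate
# names an OME configuration, as on the page; -ApplyRightsProtectionTemplate would name a
# plain RMS template such as "Encrypt" when no branding is wanted.
$ruleName = "Encrypt all mail to Fabrikam"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -RecipientDomainIs "fabrikam.com" `
        -ApplyRightsProtectionCustomizationTemplate "OME Configuration"
}

# Read the rule back: its conditions, its action and whether it is enabled.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, Priority, FromScope, RecipientDomainIs,
                  ApplyRightsProtectionTemplate, ApplyRightsProtectionCustomizationTemplate |
    Format-List

# End-to-end check that Exchange Online can obtain RMS licenses for a given sender.
Test-IRMConfiguration -Sender "sender@contoso.com" | Format-List
```

Run the readiness part first in a tenant where the EAC template list appears empty; if AzureRMSLicensingEnabled is already true and Test-IRMConfiguration reports OVERALL RESULT: PASS, the problem lies in the rule itself rather than in the tenant configuration.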