Office 365 offers multiple options for providing
an encrypted mail service to users. Office 365 Message Encryption (OME) offers
the most flexibility: recipients on many mainstream mail providers can open
protected messages with no prior setup, and everyone else falls back to a
one-time passcode. S/MIME, by contrast, still requires certificates to be
exchanged between sender and recipient before any message can be encrypted for
them, and a recipient without a certificate simply cannot be reached securely.
Recipients on Outlook.com, Yahoo and Gmail are
trusted by Office 365 out of the box: they sign in with their existing account
at that provider and the message is decrypted for them, with no passcode needed.
Other mail services, which cannot authenticate
the recipient this way, present a different set of challenges. When an encrypted
message is delivered to such a mail server, Microsoft issues a One Time Password
(OTP) on demand: the recipient follows the link in the notification, requests a
code, and Microsoft sends it directly to the inbox of the address that was set
as the recipient of the encrypted message. Because only someone who can read
that mailbox can obtain the OTP, Microsoft has reasonable assurance that only
the intended recipient decrypts the secured message. Be clear about what this
proves: the OTP authenticates control of the recipient mailbox, not the person,
so a compromised or shared mailbox (or one that auto-forwards elsewhere) can
read the message too, and the code is only valid for a short window.
Office 365 OME is a feature which is available in
the following SKUs: Office 365 E3/E5, Microsoft 365 E3/E5, A1, A3, A5 and G3/G5. No
licences are required on the receiving side to open encrypted mail. In this
example we are going to use the Microsoft-managed keys; note, however, that it
is also possible to bring your own key (BYOK) to Azure Information Protection.
Go to the Azure Portal, signed in with your
Office 365 admin credentials, and find Azure Information Protection in the
portal.
Click on Protection
activation; if protection is not yet active, go ahead and activate it. Mail flow
rules cannot apply the encryption template until this has been done.
Open the Exchange Admin Center and go to Mail flow, then Rules.
We are going to create a new transport rule that applies the encryption policy to
emails containing certain words. Click the + icon and select Apply Office
365 Message Encryption and rights protection to messages.
Label the transport rule something sensible,
click Apply this rule if..., select The subject or body... and then
subject includes any of these words.
Enter all the keywords that you want to
trigger encryption. I think it's generally good to use "encrypted"; if you do this, ensure
you also put in all the obvious misspellings of "encrypted" so that
users don't send clear-text messages because of typos. Keep in mind that a
keyword rule only protects messages users remember to tag; for data that must
never leave in clear text, pair it with a rule keyed on the content itself (for
example a sensitive information type) rather than on the subject alone.
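The same setup done from Exchange Online PowerShell, as an added example that is not part of the original post: it checks that Azure RMS is enabled for the tenant, creates the keyword-triggered rule, and verifies it. The cmdlets are the real ExchangeOnlineManagement module commands; the rule name, the keyword list (including the misspellings), and the sender/recipient addresses used in the final check are assumptions for illustration.

```powershell
# Added example (not from the original post): build the OME transport rule from
# Exchange Online PowerShell instead of the admin center. Requires the
# ExchangeOnlineManagement module. Rule name, keyword list and the addresses used
# in the IRM check are assumptions for illustration.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as an Exchange administrator

# 1. Confirm Azure RMS (Azure Information Protection) is enabled for Exchange
#    Online. Without it the "Encrypt" template is not available to mail flow rules.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

# 2. List the templates a rule can apply. "Encrypt" lets the recipient forward
#    (the forwarded copy stays encrypted); "Do Not Forward" blocks forward,
#    print and copy.
Get-RMSTemplate | Select-Object Name, Description

# 3. Keywords that trigger encryption. The post recommends adding obvious
#    misspellings of "encrypted"; this list is a constructed starting point.
$keywords = @(
    'encrypted', 'encrypt', 'encypted', 'encryted', 'encrpyted',
    'encrytped', 'encypt', 'encrpt', 'ecnrypted'
)

# 4. Create the rule. -SubjectContainsWords matches any keyword in the subject,
#    case-insensitively, mirroring "subject includes any of these words".
New-TransportRule -Name 'OME - encrypt on keyword' `
    -SubjectContainsWords $keywords `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Enforce `
    -Comments 'Applies Office 365 Message Encryption when the subject contains a trigger word'

# Variant (commented out): same mechanism, but the template also prevents
# forwarding. Uncomment if you want a second trigger word for that behaviour.
# New-TransportRule -Name 'OME - do not forward on keyword' `
#     -SubjectContainsWords 'donotforward' `
#     -ApplyRightsProtectionTemplate 'Do Not Forward'

# 5. Verify the rule exists and is enforced, then run Microsoft's own IRM check
#    for a sender in the tenant against an external recipient (assumed addresses).
Get-TransportRule -Identity 'OME - encrypt on keyword' |
    Format-List Name, State, Mode, SubjectContainsWords, ApplyRightsProtectionTemplate
Test-IRMConfiguration -Sender alice@contoso.example -Recipient bob@gmail.example

Disconnect-ExchangeOnline -Confirm:$false
```

Creating the rule in Audit mode first (-Mode Audit) and reading the message trace is a safe way to confirm the keyword list catches what you expect before switching to Enforce.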
With a transport rule in place, it is very easy to send
encrypted email from Outlook. Simply ensure the word "encrypted" (or whichever
trigger words you defined in the steps above) is in the subject line, and the
rule encrypts the message in transit.
When the recipient is also on Office 365, the
message is decrypted automatically for them. You will notice the red marker indicating
that the message is encrypted. Please note that once a single message (or
reply) is encrypted, the entire conversation/message chain stays encrypted.
If an encrypted message is viewable by a recipient,
it automatically opens in OWA. For some reason the message does not open
directly in Outlook. Whether the message can be forwarded is decided by the
template the rule applies, not by where it is opened: the Encrypt template lets
the recipient forward it (the forwarded copy remains encrypted), while the Do
Not Forward template blocks forwarding, printing and copying.
What happens if you send an encrypted email to a
mail service which cannot automatically decrypt the message?
The recipient receives a notification with a link, and the encrypted message opens in the browser.
The OTP is sent to the recipient's inbox and entered in the browser to unlock the message.
The recipient can then read the message and respond securely in the browser; the reply goes back through the same portal, so it is protected as well.