Skip to main content

Encrypting Email in Office 365: Licensing, Transport Rules, and What Recipients See

Nick Ross3 min read
Set Up Office 365 Encryption

TL;DR

  • Office 365 Message Encryption requires an Azure Information Protection license: the AIP Add-On, E3 or greater, EMS+E3 or greater, Office 365 G3/G5, Microsoft E3/E5, or Office 365 A1/A3/A5.
  • Encrypted messages can be sent to recipients on any service, including Google, Yahoo, AOL, and hosted Exchange, and those recipients can reply encrypted without an Office 365 subscription.
  • Admins set up transport rules that define the conditions for encryption, so when a user sends a message that matches a rule, encryption is applied automatically.
  • Data at rest in Office 365 is encrypted using BitLocker Drive Encryption on the hard drives in Microsoft datacenters.
  • As of June 2018, recipients view encrypted mail by signing in with a Microsoft, Google, Yahoo, or work/school account, or by requesting a one-time passcode that expires in 15 minutes.

Sending sensitive email through Office 365 securely takes three things most teams handle out of order: the right license, a one-time activation, and transport rules that apply encryption without the user having to think about it. Get the order right and encryption becomes invisible to senders and painless for recipients, even recipients who have never heard of Office 365. This guide covers the licensing, the activation, the automatic rules, and exactly what people see at the other end.

What you need before you start

Licensing

Office 365 Message Encryption rides on Azure Information Protection. You need one of:

  • Azure Information Protection Add-On
  • E3 or greater
  • EMS+E3 or greater
  • Office 365 G3 and G5
  • Microsoft E3 and E5
  • Office 365 A1, A3, and A5

Who you can send encrypted mail to

You can send encrypted messages inside and outside your organization, to recipients on:

  • Google
  • Yahoo
  • AOL
  • Hosted Exchange

What admins control

  • Set up transport rules that define the conditions for encryption.
  • When a user sends a message that matches a rule, encryption is applied automatically.

How recipients view encrypted mail

  • One-time passcode
  • Sign in with a Microsoft, Google, or Yahoo account
  • Sign in with a work or school account associated with Office 365

Recipients can also send encrypted replies without an Office 365 subscription.

Data at rest

  • Data at rest is data that is not actively in transit.
  • In Office 365, email data at rest is encrypted using BitLocker Drive Encryption.
  • BitLocker encrypts the hard drives in Office 365 datacenters to provide enhanced protection against unauthorized access.

Activating encryption in the admin center

Open the admin center

After you have the proper licensing, log in to Office.com and click the Admin tile.

Office.com Admin tile

Go to Services & Add-Ons

Go to Settings > Services & Add-Ons.

Services and Add-Ons settings

Find Azure Information Protection

Locate Azure Information Protection in the list.

Azure Information Protection in Services and Add-Ons

Open its settings

Click Manage Microsoft Azure Information Protection settings.

Manage Azure Information Protection settings

Activate

Click Activate.

Activating rights management

Making encryption automatic with transport rules

Open the admin center

Log in to Office.com and click the Admin tile.

Office.com Admin tile

Go to the Exchange Admin Center

Go to Admin Centers > Exchange.

Exchange Admin Center

Add a new mail flow rule

Click Mail Flow > Rules, click the + icon, then click Apply Office 365 Message Encryption.

Adding a mail flow rule to apply Office 365 Message Encryption

Define the auto-apply conditions

The fields get very granular for your if-then statements. Apply policies based on senders, recipients, sensitive information, subject line, and more.

PII protection mail flow encryption rule

Sending and viewing encrypted mail inside Office 365

Encrypt from Outlook on the Web

After you draft a new message in OWA, click the Protect button at the top of the page, then select "Change Permissions."

Protect button in Outlook on the Web

Choose to encrypt the message

From there you can choose to encrypt the message.

Choosing encryption permissions

Viewing encrypted messages

  • Encrypted messages can only be viewed in OWA, Outlook for iOS, and Outlook for Android, unless you are a member of the Office Insider (opens in new tab) program.
  • The message contains a lock icon and has no preview functionality.
  • Once the message is opened, it can be read just like any other message.
Encrypted message on iOS

What a recipient outside Office 365 sees

The encrypted notification

If you are on Google, Yahoo, or another service, you receive a message in your inbox like the following.

Encrypted message notification in Gmail

Choose how to read it

You can sign in to view the message, or get a one-time passcode.

Choosing to sign in or get a one-time passcode

Use the one-time code

  • Check your email for the single-use code and copy it.
  • Enter the code in your browser, then select Continue to read your message.
  • The code expires in 15 minutes.
Entering the one-time passcode

Once the license, activation, and transport rules are in place, encryption stops being a button a user has to remember and becomes an automatic property of the messages that need it. The part worth auditing later is whether the rules still fire the way you intended, because a transport rule that quietly stops matching looks identical to one that is working.

Frequently asked questions

What license do I need for Office 365 message encryption?

An Azure Information Protection entitlement: the AIP Add-On, E3 or greater, EMS+E3 or greater, Office 365 G3 and G5, Microsoft E3 and E5, or Office 365 A1, A3, and A5.

Can people outside Office 365 read and reply to encrypted messages?

Yes. Recipients on Google, Yahoo, AOL, or hosted Exchange can open encrypted mail by signing in or using a one-time passcode, and they can send encrypted replies without an Office 365 subscription.

How does encryption apply automatically?

Admins create transport (mail flow) rules that define the conditions for encryption. When a user sends a message matching a rule, encryption is applied automatically based on senders, recipients, sensitive information, subject line, and more.

Confirm encryption is actually enforced, not just configured

A transport rule that exists is not the same as a transport rule that fires correctly across every tenant. CloudCapsule checks encryption, DLP, and 250+ other controls in 60 seconds, so 'we set that up' becomes 'here is the proof.'

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading