Encrypting Email in Office 365: Licensing, Transport Rules, and What Recipients See

TL;DR
- Office 365 Message Encryption requires an Azure Information Protection license: the AIP Add-On, E3 or greater, EMS+E3 or greater, Office 365 G3/G5, Microsoft E3/E5, or Office 365 A1/A3/A5.
- Encrypted messages can be sent to recipients on any service, including Google, Yahoo, AOL, and hosted Exchange, and those recipients can reply encrypted without an Office 365 subscription.
- Admins set up transport rules that define the conditions for encryption, so when a user sends a message that matches a rule, encryption is applied automatically.
- Data at rest in Office 365 is encrypted using BitLocker Drive Encryption on the hard drives in Microsoft datacenters.
- As of June 2018, recipients view encrypted mail by signing in with a Microsoft, Google, Yahoo, or work/school account, or by requesting a one-time passcode that expires in 15 minutes.
Sending sensitive email through Office 365 securely takes three things most teams handle out of order: the right license, a one-time activation, and transport rules that apply encryption without the user having to think about it. Get the order right and encryption becomes invisible to senders and painless for recipients, even recipients who have never heard of Office 365. This guide covers the licensing, the activation, the automatic rules, and exactly what people see at the other end.
What you need before you start
Licensing
Office 365 Message Encryption rides on Azure Information Protection. You need one of:
- Azure Information Protection Add-On
- E3 or greater
- EMS+E3 or greater
- Office 365 G3 and G5
- Microsoft E3 and E5
- Office 365 A1, A3, and A5
Who you can send encrypted mail to
You can send encrypted messages inside and outside your organization, to recipients on:
- Yahoo
- AOL
- Hosted Exchange
What admins control
- Set up transport rules that define the conditions for encryption.
- When a user sends a message that matches a rule, encryption is applied automatically.
How recipients view encrypted mail
- One-time passcode
- Sign in with a Microsoft, Google, or Yahoo account
- Sign in with a work or school account associated with Office 365
Recipients can also send encrypted replies without an Office 365 subscription.
Data at rest
- Data at rest is data that is not actively in transit.
- In Office 365, email data at rest is encrypted using BitLocker Drive Encryption.
- BitLocker encrypts the hard drives in Office 365 datacenters to provide enhanced protection against unauthorized access.
Activating encryption in the admin center
Open the admin center
After you have the proper licensing, log in to Office.com and click the Admin tile.

Go to Services & Add-Ons
Go to Settings > Services & Add-Ons.

Find Azure Information Protection
Locate Azure Information Protection in the list.

Open its settings
Click Manage Microsoft Azure Information Protection settings.

Activate
Click Activate.

Making encryption automatic with transport rules
Open the admin center
Log in to Office.com and click the Admin tile.

Go to the Exchange Admin Center
Go to Admin Centers > Exchange.

Add a new mail flow rule
Click Mail Flow > Rules, click the + icon, then click Apply Office 365 Message Encryption.

Define the auto-apply conditions
The fields get very granular for your if-then statements. Apply policies based on senders, recipients, sensitive information, subject line, and more.

Sending and viewing encrypted mail inside Office 365
Encrypt from Outlook on the Web
After you draft a new message in OWA, click the Protect button at the top of the page, then select "Change Permissions."

Choose to encrypt the message
From there you can choose to encrypt the message.

Viewing encrypted messages
- Encrypted messages can only be viewed in OWA, Outlook for iOS, and Outlook for Android, unless you are a member of the Office Insider (opens in new tab) program.
- The message contains a lock icon and has no preview functionality.
- Once the message is opened, it can be read just like any other message.

What a recipient outside Office 365 sees
The encrypted notification
If you are on Google, Yahoo, or another service, you receive a message in your inbox like the following.

Choose how to read it
You can sign in to view the message, or get a one-time passcode.

Use the one-time code
- Check your email for the single-use code and copy it.
- Enter the code in your browser, then select Continue to read your message.
- The code expires in 15 minutes.

Once the license, activation, and transport rules are in place, encryption stops being a button a user has to remember and becomes an automatic property of the messages that need it. The part worth auditing later is whether the rules still fire the way you intended, because a transport rule that quietly stops matching looks identical to one that is working.
Frequently asked questions
What license do I need for Office 365 message encryption?
An Azure Information Protection entitlement: the AIP Add-On, E3 or greater, EMS+E3 or greater, Office 365 G3 and G5, Microsoft E3 and E5, or Office 365 A1, A3, and A5.
Can people outside Office 365 read and reply to encrypted messages?
Yes. Recipients on Google, Yahoo, AOL, or hosted Exchange can open encrypted mail by signing in or using a one-time passcode, and they can send encrypted replies without an Office 365 subscription.
How does encryption apply automatically?
Admins create transport (mail flow) rules that define the conditions for encryption. When a user sends a message matching a rule, encryption is applied automatically based on senders, recipients, sensitive information, subject line, and more.
Confirm encryption is actually enforced, not just configured
A transport rule that exists is not the same as a transport rule that fires correctly across every tenant. CloudCapsule checks encryption, DLP, and 250+ other controls in 60 seconds, so 'we set that up' becomes 'here is the proof.'
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


