Design and implement encryption for email messages
Design an email encryption solution based on methods available in Microsoft 365
Features
Feature | Description |
---|---|
Message Encryption (OME) | – Encrypts messages for internal and external recipients. – Allows encrypted messages to any email address, including Gmail, Yahoo! Mail, etc. – Customizable email viewing portal. – Microsoft manages and stores encryption keys. – No special client-side software required (HTML attachment). |
Information Rights Management (IRM) | – Uses encryption and usage restrictions for email and attachments protection. – Admin can set up rules to apply IRM. – Users can manually apply templates. |
S/MIME | – Provides sender authentication with digital signatures. – Ensures message confidentiality with encryption. – Requires public keys for recipients. – Recipients manage private keys. |
Limitations | OME | IRM | S/MIME |
---|---|---|---|
Usage Restrictions | Cannot apply usage restrictions. | Usage may not be supported on all devices. | Cannot scan for malware, spam, or policies. |
Recommendations | Use when sending sensitive info outside the organization. | Use when both encryption and usage restrictions are needed. | Use for true peer-to-peer encryption scenarios. |
OME Example Scenarios:
- Bank sending credit card statements.
- Doctor’s office sending medical records.
- Attorney sending confidential legal information.
IRM Example Scenarios:
- Manager sharing confidential details with a team.
- Executive sharing a protected bid proposal.
S/MIME Common Scenarios:
- Government agencies communication.
- Business communication with government agencies.
Protecting Data at Rest
“Data at rest” refers to data that is not actively moving or being transmitted. Within the Microsoft 365 ecosystem, email data at rest is protected at the volume level with BitLocker Drive Encryption: BitLocker encrypts the hard drives in Microsoft’s data centers, which guards against unauthorized access to the physical disks.
- BitLocker Overview: BitLocker is a Microsoft security feature that encrypts entire drives, protecting data at rest.
- Encryption Strength: BitLocker uses the Advanced Encryption Standard (AES), so the data on a drive is unreadable without the decryption key.
- Microsoft 365 Integration: It is the baseline protection for email data at rest in Microsoft 365’s cloud environment.
- Data Center Security: BitLocker protects the data if a drive is removed, decommissioned or stolen. It does not protect data on a running server that has been compromised, because the volume is unlocked while the system is up; that layer is covered by access controls, not by disk encryption.
- Access Control: It works together with access controls and authentication methods to limit data access to authorized users.
- Comprehensive Security: Part of Microsoft’s layered security strategy for safeguarding data from unauthorized access or breaches.
What does encryption do?
Encryption transforms your data (plaintext) into unreadable ciphertext, which requires a decryption key held by authorized users to become legible. While encryption enhances security, it’s just one part of a broader information protection strategy for your organization, ensuring only authorized parties can access the encrypted data.
M365 Crypto Updates
According to Microsoft’s announcement, in late August 2023 Microsoft Purview Information Protection began to use Advanced Encryption Standard (AES) with a 256-bit key in Cipher Block Chaining mode (AES256-CBC), and from October 2023 AES256-CBC is the default for encrypting Microsoft 365 Apps documents and emails. Before this change, protected content used AES with a 128-bit key in ECB (Electronic Codebook) mode, which encrypts every identical plaintext block to the same ciphertext block and therefore leaks repetition in the content. Clients need to be current to open AES256-CBC-protected content.
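To show what the move from ECB to CBC buys, here is an added illustration (not code from the original post and nothing to do with Microsoft’s implementation): the same 16-byte plaintext block is encrypted three times in a row with AES-256 using .NET’s System.Security.Cryptography.Aes. Under ECB the three ciphertext blocks are identical, under CBC they differ. The plaintext is a constructed sample.

```powershell
# Added example: count the distinct 16-byte ciphertext blocks that AES produces
# for a repeating plaintext, once in ECB mode and once in CBC mode.
function Get-DistinctCipherBlocks {
    param(
        [Parameter(Mandatory)][byte[]]$Plaintext,
        [Parameter(Mandatory)][System.Security.Cryptography.CipherMode]$Mode
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = $Mode
    # No padding so the output is exactly three blocks; input must be a multiple of 16 bytes
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.GenerateKey()
    $aes.GenerateIV()          # unused by ECB, required by CBC
    $encryptor = $aes.CreateEncryptor()
    $ct = $encryptor.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # Split the ciphertext into 16-byte blocks and count the distinct ones
    $blocks = @()
    for ($i = 0; $i -lt $ct.Length; $i += 16) {
        $blocks += [System.BitConverter]::ToString($ct, $i, 16)
    }
    return ($blocks | Sort-Object -Unique).Count
}

# Constructed sample: a 16-byte ASCII block repeated three times, the way a
# repeated field (card number, account id) can repeat inside a document.
$block = [System.Text.Encoding]::ASCII.GetBytes("CARD 4111-1111  ")
$plain = [byte[]]($block + $block + $block)

"ECB distinct ciphertext blocks: $(Get-DistinctCipherBlocks -Plaintext $plain -Mode ECB)"   # 1 - repetition is visible
"CBC distinct ciphertext blocks: $(Get-DistinctCipherBlocks -Plaintext $plain -Mode CBC)"   # 3 - chaining hides it
```

The ECB result is always 1 because the mode has no state: each block is encrypted independently with the same key. CBC XORs each plaintext block with the previous ciphertext block (the IV for the first one), so identical plaintext blocks stop producing identical ciphertext.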
Comparison of different methods
Scenario | Legacy OME | IRM in AD RMS | Microsoft Purview Message Encryption |
---|---|---|---|
Sending Encrypted Mail | Via Exchange mail rules | User-initiated (Outlook desktop/Outlook on the Web) or via Exchange rules and DLP | User-initiated (Outlook desktop, Outlook for Mac, Outlook on the Web) or via Exchange rules and DLP |
Rights Management | Not applicable | Do Not Forward and custom templates | Do Not Forward, encrypt-only, and custom templates |
Recipient Type | Internal and external recipients | Internal recipients only | Internal and external recipients |
Internal Recipient Experience | HTML message opened in a web browser | Native inline experience in Outlook clients | Native inline experience for Outlook users, web portal for others |
External Recipient Experience | HTML message opened in a browser | Not applicable | Inline experience for Microsoft 365 recipients, web portal for others |
Attachment Permissions | No restrictions | Attachments are protected | Attachments protected based on template, admin choice for encrypt-only |
BYOK Support | None | None | Bring your own key (BYOK) supported |
Now that we have an overview of the different methods, let’s see how you can deploy them.
Implement Microsoft Purview Message Encryption
The first step is to check whether your tenant is enabled for it.

```powershell
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <YourOwnSpecialUPN>
Test-IRMConfiguration -Sender <email address> -Recipient <email address>
```

If the test is successful, it will display a result similar to this.
If not, you can check the config with this:

```powershell
Get-IRMConfiguration
```

To enable it, do this:

```powershell
# Install the module
Install-Module -Name AIPService
# Connect to AIP
Connect-AipService
# Get status
Get-AipService
# Enable if status is Disabled
Enable-AipService
# Get status
Get-IRMConfiguration
```
Once done, open https://admin.exchange.microsoft.com/#/transportrules and, in a mail flow rule, choose the "Modify the message security" action to add encryption.
You can choose the different RMS templates directly from there.
And this is what it looks like when you open the RMS templates.
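As an added, end-to-end version of the steps above (this is not code from the original post), the following function checks the Azure Rights Management status, enables it if needed, makes sure Exchange Online is allowed to use it (AzureRMSLicensingEnabled, which older tenants can still have turned off), turns on the inline reading experience for internal recipients, and finishes with Test-IRMConfiguration. The admin UPN and the two test addresses are placeholders; the cmdlets are the documented ones from the ExchangeOnlineManagement and AIPService modules.

```powershell
# Added example: idempotent check-and-enable for Microsoft Purview Message Encryption.
function Enable-TenantMessageEncryption {
    param(
        [Parameter(Mandatory)][string]$AdminUpn,    # placeholder, e.g. admin@contoso.onmicrosoft.com
        [Parameter(Mandatory)][string]$Sender,      # internal mailbox used for the test
        [Parameter(Mandatory)][string]$Recipient    # any external address used for the test
    )
    Import-Module ExchangeOnlineManagement, AIPService -ErrorAction Stop
    Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
    Connect-AipService

    # 1. The Azure Rights Management service must be active for the tenant
    $aipStatus = "$(Get-AipService)"
    if ($aipStatus -ne 'Enabled') {
        Enable-AipService
        $aipStatus = "$(Get-AipService)"
    }
    if ($aipStatus -ne 'Enabled') { throw "Azure RMS is still '$aipStatus'; cannot continue." }

    # 2. Exchange Online must be licensed to use the Azure RMS keys
    $irm = Get-IRMConfiguration
    if (-not $irm.AzureRMSLicensingEnabled) {
        Set-IRMConfiguration -AzureRMSLicensingEnabled $true
    }

    # 3. Let Outlook and Outlook on the web show protected mail inline for internal users
    if (-not $irm.SimplifiedClientAccessEnabled) {
        Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
    }

    # 4. End-to-end check; the Results text ends with "OVERALL RESULT: PASS" when all is well
    $test   = Test-IRMConfiguration -Sender $Sender -Recipient $Recipient
    $passed = (($test.Results -join "`n") -match 'OVERALL RESULT:\s*PASS')

    [pscustomobject]@{
        AipService       = $aipStatus
        AzureRmsLicensed = (Get-IRMConfiguration).AzureRMSLicensingEnabled
        TestPassed       = $passed
        TestDetail       = $test.Results
    }
}

# Usage (placeholder addresses):
# Enable-TenantMessageEncryption -AdminUpn 'admin@contoso.onmicrosoft.com' `
#     -Sender 'alice@contoso.com' -Recipient 'bob@example.com'
```

Running it twice is safe: every step first reads the current state and only changes what is not already set, so it doubles as a quick health check after the initial rollout.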
Implement Microsoft Purview Advanced Message Encryption
Using Advanced Message Encryption, you have the flexibility to employ multiple branding templates instead of being confined to just one. Incorporating custom branding not only offers this versatility but also enables tracking and revocation of encrypted messages.
Here are the features it contains, in table form.
Feature | Description |
---|---|
Multiple Branding Templates | Create and use multiple branding templates in Advanced Message Encryption. Custom branding enables tracking and message revocation. |
External Recipient Notification | Custom branding sends notification emails to external recipients with OME portal links, controlled by mail flow rules. |
Message Revocation and Expiry | Revocation and expiration apply to messages with custom branding received via the portal. |
Enhanced Control and Protection | Microsoft Purview Advanced Message Encryption offers control and protection, including setting expiration dates and revoking access to secure emails. |
Encrypted Message Portal Activity Log | Monitor external activities in the encrypted message portal with Microsoft Purview Advanced Message Encryption. |
So, let’s see how it works.
Creating a template
Again, you must log in with EXO PowerShell, and you get the existing default config with
And create a new one, for example with the following.
```powershell
# Note: -Encoding byte works in Windows PowerShell 5.1; on PowerShell 7 read the
# logo with (Get-Content "C:\ps1\Logo.png" -AsByteStream) instead.
New-OMEConfiguration -Identity "My OME Configuration" `
    -BackgroundColor "#32cd32" `
    -DisclaimerText "Your eyes only!" `
    -Image (Get-Content "C:\ps1\Logo.png" -Encoding byte) `
    -EmailText "To access the content of this email, please verify your identity." `
    -IntroductionText "You've received an encrypted email. Verify your identity using the link below to access it." `
    -OTPEnabled:$True `
    -PortalText "Message Encryption Portal." `
    -ReadButtonText "View Encrypted Email." `
    -SocialIDSignIn:$True
```
This is what it looks like when you run it.
The limit for the picture is 40 KB; if you try to upload a larger image, this error appears during the process.
And then you can see both configs.
See more here on the custom configuration.
You can also define an external mail expiry for your OME configuration with the -ExternalMailExpiryInDays parameter (this parameter requires Advanced Message Encryption).
ExternalMailExpiryInDays
identifies the number of days that recipients can keep mail before it expires. You can use any value between 1 and 730 days.
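Putting the template creation and the expiry setting together, here is an added example (not code from the original post) that validates the logo against the 40 KB limit before calling the service, reads it correctly on both Windows PowerShell 5.1 and PowerShell 7, creates the configuration or updates it if the name already exists, and sets the external expiry. The configuration name, logo path, colour and texts are placeholders.

```powershell
# Added example: create (or update) a branded OME configuration with an expiry.
function New-BrandedOmeConfiguration {
    param(
        [Parameter(Mandatory)][string]$Name,                    # e.g. 'Contoso Secure Mail' (placeholder)
        [Parameter(Mandatory)][string]$LogoPath,                # png/jpg/bmp/tiff, max 40 KB
        [string]$BackgroundColor = '#0078D4',
        [ValidateRange(1, 730)][int]$ExpiryDays = 30            # ExternalMailExpiryInDays range
    )
    # Requires an Exchange Online session (Connect-ExchangeOnline) and an
    # Advanced Message Encryption licence for the expiry parameter.

    # Reject an oversized logo locally instead of letting the upload fail
    $maxBytes = 40KB
    $logo = Get-Item -LiteralPath $LogoPath -ErrorAction Stop
    if ($logo.Length -gt $maxBytes) {
        throw "Logo is $($logo.Length) bytes; the service limit is $maxBytes bytes."
    }

    # Byte reading differs between Windows PowerShell 5.1 and PowerShell 7
    $logoBytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $LogoPath -AsByteStream -Raw
    } else {
        Get-Content -LiteralPath $LogoPath -Encoding Byte -Raw
    }

    $existing = Get-OMEConfiguration -Identity $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Configuration '$Name' already exists; updating branding and expiry."
        Set-OMEConfiguration -Identity $Name `
            -Image $logoBytes `
            -BackgroundColor $BackgroundColor `
            -ExternalMailExpiryInDays $ExpiryDays
    } else {
        New-OMEConfiguration -Identity $Name `
            -Image $logoBytes `
            -BackgroundColor $BackgroundColor `
            -ExternalMailExpiryInDays $ExpiryDays `
            -IntroductionText "You've received an encrypted message. Verify your identity to read it." `
            -ReadButtonText "Read the message" `
            -OTPEnabled:$true `
            -SocialIDSignIn:$true
    }

    # Show the result so the expiry and branding can be eyeballed
    Get-OMEConfiguration -Identity $Name |
        Select-Object Identity, BackgroundColor, ExternalMailExpiryInDays, OTPEnabled, SocialIdSignIn
}

# Usage (placeholder values):
# New-BrandedOmeConfiguration -Name 'Contoso Secure Mail' -LogoPath 'C:\ps1\Logo.png' -ExpiryDays 14
```

Keep the expiry short for the most sensitive flows: after ExternalMailExpiryInDays the portal stops serving the message, which limits how long a leaked portal link or a compromised external mailbox stays useful.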
Enforcing encryption
You can enforce encryption for all messages sent externally with a transport rule. Note that the rule below only sets the sender scope; with -FromScope alone it also matches internal-to-internal mail, so add -SentToScope NotInOrganization if you really want only external recipients.

```powershell
# FromScope InOrganization alone matches every message from an internal sender,
# including internal-to-internal mail; add -SentToScope NotInOrganization to
# limit the rule to external recipients.
New-TransportRule -Name "All outgoing mail" `
    -FromScope "InOrganization" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate "My OME Configuration"
```
Once done, you will see the following inside PowerShell.
And it is also visible in the EXO admin center.
Read more from Learn
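As an added example (not code from the original post), here are two rules that are narrower than "encrypt everything a user sends": the first scopes the encrypt-only rule to external recipients and starts it in Audit mode so you can review the message trace before enforcing it; the second applies Do Not Forward to external mail that carries a credit card number, the bank scenario from the feature table. Rule names, the OME configuration name and the sensitive information type name are placeholders; the cmdlet parameters are the documented New-TransportRule ones.

```powershell
# Added example: scoped and content-aware encryption rules instead of a blanket one.
$branding = 'My OME Configuration'   # placeholder OME configuration name

function New-ScopedEncryptionRules {
    # Requires an Exchange Online session (Connect-ExchangeOnline)

    # 1. Encrypt-only for mail that actually leaves the organisation. Mode Audit
    #    evaluates the rule and logs matches without applying the action.
    if (-not (Get-TransportRule -Identity 'Encrypt external mail' -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name 'Encrypt external mail' `
            -FromScope InOrganization `
            -SentToScope NotInOrganization `
            -ApplyRightsProtectionTemplate 'Encrypt' `
            -ApplyRightsProtectionCustomizationTemplate $branding `
            -Mode Audit
    }

    # 2. Stronger protection when payment data is detected: Do Not Forward stops the
    #    recipient from forwarding, printing or copying. Priority 0 runs it first and
    #    StopRuleProcessing keeps rule 1 from re-applying a weaker template afterwards.
    if (-not (Get-TransportRule -Identity 'Protect payment data' -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name 'Protect payment data' `
            -FromScope InOrganization `
            -SentToScope NotInOrganization `
            -MessageContainsDataClassifications @(@{ Name = 'Credit Card Number'; MinCount = 1 }) `
            -ApplyRightsProtectionTemplate 'Do Not Forward' `
            -ApplyRightsProtectionCustomizationTemplate $branding `
            -Priority 0 `
            -StopRuleProcessing $true
    }

    # Verify what is in place
    Get-TransportRule |
        Where-Object { $_.ApplyRightsProtectionTemplate } |
        Select-Object Name, Priority, Mode, State, SentToScope, ApplyRightsProtectionTemplate
}

# Usage:
# New-ScopedEncryptionRules
# After reviewing matches in the message trace, switch rule 1 on:
# Set-TransportRule -Identity 'Encrypt external mail' -Mode Enforce
```

Starting in Audit mode matters with a broad rule: a rule that encrypts every outbound message also wraps automated mail (ticketing, invoices, bounce replies) in the portal experience, and the audit pass shows that before users do.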
End-user view
Once the encryption rule is in place and we send an email, your personal template is used.
And when they click to open the message, they are asked to authenticate first. Note: that background colour is really annoying!
Revoking a message
You can also revoke a message that was sent with encryption, but you cannot revoke a message sent to a recipient who uses a work or school account from Microsoft 365 or a Microsoft account (for example, an outlook.com account). Those recipients read the message inline rather than through the portal, and revocation only applies to portal-delivered messages.
This is what it looks like when the recipient falls under these conditions.
When the recipient uses Gmail and logs in through the portal, you can revoke the access.
To revoke the access, browse to Sent Items in Outlook, open the sent message, and you will find "Remove external access" there.
And what a bummer: the recipient now sees just this, with no access anymore. So sad.
Admins can also revoke the message; see more from Learn on this.
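For the admin side, here is an added example (not code from the original post) built on the documented Get-OMEMessageStatus and Set-OMEMessageRevocation cmdlets: it lists the portal-delivered messages a sender sent on a given day, optionally filtered by subject, and revokes them only when you pass -Apply. Addresses and dates are placeholders; the only output properties relied on are MessageId and Subject.

```powershell
# Added example: find and revoke Advanced Message Encryption messages as an admin.
function Revoke-OmeMessagesFrom {
    param(
        [Parameter(Mandatory)][string]$SenderAddress,   # placeholder, e.g. alice@contoso.com
        [Parameter(Mandatory)][datetime]$SentDate,      # day the message was sent
        [string]$SubjectPattern = '.*',                 # regex on the subject; default = all
        [switch]$Apply                                  # without it the function only lists
    )
    # Requires an Exchange Online session (Connect-ExchangeOnline) and Advanced Message Encryption.
    # Only messages read through the portal can be revoked; recipients on Microsoft 365
    # work/school accounts or personal Microsoft accounts read inline and are not listed.
    $found = Get-OMEMessageStatus -SentDate $SentDate -SenderAddress $SenderAddress |
        Where-Object { $_.Subject -match $SubjectPattern }

    if (-not $found) {
        Write-Warning "No portal-delivered messages from $SenderAddress on $($SentDate.ToShortDateString())."
        return
    }

    foreach ($m in $found) {
        if (-not $Apply) {
            [pscustomobject]@{ MessageId = $m.MessageId; Subject = $m.Subject; Action = 'would revoke' }
            continue
        }
        try {
            Set-OMEMessageRevocation -Revoke $true -MessageId $m.MessageId -ErrorAction Stop
            [pscustomobject]@{ MessageId = $m.MessageId; Subject = $m.Subject; Action = 'revoked' }
        } catch {
            # Typical cause: the message is not revocable (recipient read it inline, not in the portal)
            [pscustomobject]@{ MessageId = $m.MessageId; Subject = $m.Subject; Action = "failed: $($_.Exception.Message)" }
        }
    }
}

# Usage (placeholder values): dry run first, then apply.
# Revoke-OmeMessagesFrom -SenderAddress 'alice@contoso.com' -SentDate '2023-10-02' -SubjectPattern 'statement'
# Revoke-OmeMessagesFrom -SenderAddress 'alice@contoso.com' -SentDate '2023-10-02' -SubjectPattern 'statement' -Apply
```

The dry run is deliberate: revocation is immediate and the recipient gets no copy back, so you want to see the MessageId/Subject list before committing, especially during an incident where a whole day of mail from one sender is being pulled.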
Audit logs
You can also use audit logs. Access log records various activities related to messages sent via the encrypted message portal, including:
- Timestamps and authentication methods for external user logins.
- External user interactions with read messages or attachments.
- Downloads of attachments.
- Actions such as email replies and forwards.
First, check whether they are enabled (look at EnablePortalTrackingLogs in Get-IRMConfiguration).
If not, enable them with:

```powershell
Set-IrmConfiguration -EnablePortalTrackingLogs $true
```
And then open Compliance portal -> Solutions -> Audit to perform the search.
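The same search can be scripted, which is handy when you want the portal activity summarised per external user rather than browsed record by record. This is an added example (not code from the original post): it refuses to run if portal tracking is off, pulls the last N days from the unified audit log, parses the JSON in each record’s AuditData, and groups the activity. The record type is assumed to be OMEPortal (the value Microsoft uses for the encrypted message portal log; confirm with Get-Help Search-UnifiedAuditLog -Parameter RecordType in your tenant), and ClientIP is assumed to be present in AuditData as it is for other workloads.

```powershell
# Added example: summarise encrypted message portal activity from the unified audit log.
function Get-OmePortalActivity {
    param(
        [int]$Days = 7,
        [string]$RecordType = 'OMEPortal'   # assumed record type for portal activity
    )
    # Requires an Exchange Online session (Connect-ExchangeOnline)
    if (-not (Get-IRMConfiguration).EnablePortalTrackingLogs) {
        throw 'Portal tracking logs are disabled; run Set-IrmConfiguration -EnablePortalTrackingLogs $true first.'
    }

    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # A single call returns at most 5000 records; use -SessionCommand ReturnLargeSet
    # and loop on -SessionId for busy tenants.
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType $RecordType -ResultSize 5000

    $events = foreach ($r in $records) {
        $data = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $r.CreationDate
            User      = $r.UserIds          # external recipient identity
            Operation = $r.Operations       # login, read, attachment download, reply, forward ...
            ClientIP  = $data.ClientIP      # assumed field, present in most workloads' AuditData
        }
    }

    # Who did what, most active first; the raw events are returned too
    [pscustomobject]@{
        Window  = "$($start.ToString('u')) - $($end.ToString('u'))"
        Summary = $events | Group-Object User, Operation |
                      Sort-Object Count -Descending |
                      Select-Object Count, Name
        Events  = $events
    }
}

# Usage:
# $activity = Get-OmePortalActivity -Days 14
# $activity.Summary | Format-Table -AutoSize
# $activity.Events | Where-Object Operation -like '*Download*' | Format-Table When, User, ClientIP
```

The per-user/operation summary is what you want when a revocation is triggered by an incident: it tells you whether the external party only logged in, or actually read and downloaded attachments before access was removed.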
Closure
Like before, let’s see what we learned.
- Microsoft 365 offers three ways to encrypt email: Message Encryption (OME), which reaches any address including Gmail or Yahoo! Mail through a customizable portal, with Microsoft managing the keys and no usage restrictions; Information Rights Management (IRM), which combines encryption with usage restrictions applied by admin rules or user-chosen templates; and S/MIME, which gives sender authentication and confidentiality with recipient-managed private keys but cannot be scanned for malware, spam or policy.
- Typical scenarios: OME for a bank, doctor’s office or attorney sending sensitive information outside the organization; IRM for a manager or executive sharing confidential material with a team; S/MIME for communication with and between government agencies.
- Email data at rest in Microsoft 365 is encrypted with BitLocker on the data-center drives.
- Advanced Message Encryption adds multiple branding templates, external recipient notifications, message revocation and expiry, and the encrypted message portal activity log.
- ExternalMailExpiryInDays identifies the number of days that recipients can keep mail before it expires; any value between 1 and 730 days is allowed.
- You can revoke a message sent with encryption, but not one sent to a recipient who used a Microsoft 365 work or school account or a Microsoft account, because those recipients never go through the portal.
- Audit logs record portal activity (external logins, reads, attachment downloads, replies and forwards); enable them with Set-IrmConfiguration -EnablePortalTrackingLogs $true and search them under Compliance portal -> Solutions -> Audit.