For those of you who have been concerned about email security for a number of years, you may remember a solution from Microsoft called Exchange Hosted Encryption (EHE).  This was a cloud-based service which allowed organizations to encrypt emails according to certain defined rules.  For example, you could encrypt emails where the intended recipient was outside of your organization and certain keywords or regular expressions were detected, such as a credit card number.  This was a very useful service for protecting emails sent to ANY user, regardless of the relationship with the user’s company.  There was no need to set up federation between the two organizations.  All certificates were stored and maintained in the cloud, which made it very simple to administer compared to an on-premises solution.

The problem with EHE was that it was a separate service.  It required a completely separate console to configure and administer.  Moreover, using EHE required an additional licensing cost for every user that needed to send encrypted email.  As a result, adoption of EHE was low except for industries where data security was paramount.  Some examples of industries where EHE is very popular include:

1) Financial services including banking and insurance

2) Healthcare

3) Lawyers

4) Contract management

Microsoft recently announced Office 365 Message Encryption as the next release of EHE.  There are a number of improvements in this release which make it far more appealing to deploy and utilize.  First, the service is based on Microsoft Azure Rights Management Services (RMS).  Office 365 integrates beautifully with Azure AD and Azure AD (RMS).  This means that Office 365 Message Encryption is a built-in capability of Office 365.  Deployment and configuration of the service can be performed directly from the Exchange Online Admin Console. 

The following plans include Office 365 Message Encryption:

1) Office 365 E3

2) Office 365 E4

3) Azure AD RMS

4) Enterprise Mobility Suite (Exchange Online not included)

Other Office 365 plans can add Message Encryption as an additional subscription SKU.  Running Exchange Online Protection (EOP) is a prerequisite to running Message Encryption.

The behavior of Office 365 Message Encryption is controlled by Exchange transport rules.  These rules are configured by an Exchange Online administrator and apply across the organization.  Here are some examples of popular transport rules:

1) Encrypt all emails sent from legal counsel to a user external to the organization

2) Encrypt all emails sent to a user external to the organization where the phrase “encrypt” appears in the subject line

3) Encrypt all emails sent to a user external to the organization where the body contains the number pattern XXXX-XXXX-XXXX-XXXX which resembles a credit card PAN.

When a user sends an email that matches one of these transport rules, the message is encrypted, converted into an HTML attachment, and then transmitted to the recipient.  When the message is received, the end user is given instructions on how to open the encrypted message.  The recipient does NOT require an email account that is trusted by the sender or federated with his organization.  The only requirement is that the email address of the recipient is configured as either a:

1) Microsoft Account

2) Microsoft Organization ID

If the email address of the recipient is NOT configured as one of the above accounts, he will be presented with instructions on how to do so.  This is required before the encrypted message can be opened.

To improve the Office 365 Message Encryption experience for end users, I recommend that you set up at least two transport rules:

1) Transport rule for outbound email based on business rules for data protection

2) Transport rule to decrypt inbound email on delivery to save internal users the extra step

Organizations using Office 365 Message Encryption can customize the experience for the end user.  They can add a corporate logo or standard disclaimer text to every encrypted email.  Customizing the experience requires the use of PowerShell as there is no UI available for message customization in the current release.
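The three example rules, the inbound decrypt rule and the branding step described above could be scripted along these lines. This is an added example, not part of the original post; it assumes an already connected Exchange Online PowerShell session, and the group name, rule names, logo path and disclaimer text are hypothetical.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session
# and a tenant licensed for Office 365 Message Encryption.
# Hypothetical values: group name, rule names, logo path, disclaimer text.
$legalGroup = 'Legal Counsel'
$logoPath   = 'C:\Branding\logo.png'

# Shared by all outbound rules: recipient is external, action is encrypt.
$outbound = @{ SentToScope = 'NotInOrganization'; ApplyOME = $true }

# 1) Everything members of the legal counsel group send externally.
New-TransportRule -Name 'OME - legal counsel to external' `
    -FromMemberOf $legalGroup @outbound

# 2) Sender opts in by putting "encrypt" in the subject line.
New-TransportRule -Name 'OME - subject keyword' `
    -SubjectContainsWords 'encrypt' @outbound

# 3) XXXX-XXXX-XXXX-XXXX number pattern. Transport rules have no body-only
#    predicate, so this one also matches the pattern in the subject.
New-TransportRule -Name 'OME - card number pattern' `
    -SubjectOrBodyMatchesPatterns '\d\d\d\d-\d\d\d\d-\d\d\d\d-\d\d\d\d' @outbound

# Decrypt on delivery so internal recipients skip the portal step.
New-TransportRule -Name 'OME - decrypt inbound' `
    -SentToScope 'InOrganization' -RemoveOME $true

# Branding: corporate logo and standard disclaimer on every encrypted message.
Set-OMEConfiguration -Identity 'OME Configuration' `
    -Image ([System.IO.File]::ReadAllBytes($logoPath)) `
    -DisclaimerText 'This message was encrypted by Contoso (constructed sample text).'

# Confirm what was created and its evaluation order.
Get-TransportRule |
    Where-Object { $_.Name -like 'OME - *' } |
    Select-Object Name, State, Mode, Priority
Get-OMEConfiguration | Format-List
```

Rule priority matters when other transport rules already exist, so check the `Priority` column in the output before relying on the new rules.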

If you need assistance securing your corporate email, please contact Kloud solutions at the following URL:

