Thursday 3 May 2018

Help! Where's my Office 365 Message Encryption Encrypt Button in Outlook

Office 365 Message Encryption v2 (OMEv2), based on AIP, offers improved capability over the v1 release, including automatic protection for documents and also encryption functionality.

However, there are some user experience differences depending on which client you are using if you are specifically looking to deploy the encrypt functionality OMEv2 provides.

If we take a look in Outlook Web App / Outlook on the Web for an Office 365 tenant with AIP and OMEv2 capabilities, we will see that Encrypt is available in the Protect function.

But the confusion lies in where that functionality is for Outlook. First of all, you won't have any AIP functionality inside Office or integrated into your Windows experience unless you deploy Azure Information Protection.

Outlook 2016 without Azure Information Protection

Outlook 2016 with Azure Information Protection

You can grab the installer here. There's both the executable and an MSI if you're looking to auto-deploy with Intune or another MSI deployment tool.

However, even with AIP installed, the encrypt functionality that is available in OWA/OotW is not there.

I've seen some instances where users find the security properties for the message and try to utilise encryption this way.

But of course that's for certificate-signed email (S/MIME).

So is there an OME configuration setting to expose it to Outlook clients? Well, the answer is no. There's a universal setting in Get-OMEConfiguration that exposes the message encryption capability to clients, but by default this is set to $True.

So where is the Outlook client encrypt button? Well, the answer is that it isn't available yet. Expect an update to the AIP installer, with functionality integrated into the Office suite, at a later date - a bit like Rights Management has already been doing for some years - and expect it to come pretty quickly too.

So how can we help Outlook clients utilise this feature? Well, the answer at this time is to create an OMEv2-capable Transport Rule in the Office 365 Exchange Admin Centre. We can create a self-service capability for any destination recipient, for example by setting it up to auto-encrypt when the word encrypt is put into the subject line, or we could utilise domain enforcement to encrypt messages going to certain domains and/or email addresses.
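The two transport rules described above can also be created from Exchange Online PowerShell instead of the admin centre. This is an added example, not part of the original post: it assumes an already connected Exchange Online PowerShell session and that the tenant exposes the built-in `Encrypt` template; the rule names and the domain `partner.example` are hypothetical placeholders.

```powershell
# Added example: assumes a connected Exchange Online PowerShell session.
# Rule names and 'partner.example' are hypothetical placeholders.

# Review the tenant's OME settings before adding rules.
Get-OMEConfiguration | Format-List

# Self-service rule: the sender puts the word "encrypt" in the subject line
# and the message is encrypted for external recipients.
New-TransportRule -Name 'OME - encrypt on subject keyword' `
    -SubjectContainsWords 'encrypt' `
    -SentToScope 'NotInOrganization' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Comments 'Self-service OME for Outlook clients without an Encrypt button'

# Domain enforcement rule: everything sent to a given domain is encrypted,
# whether or not the sender asks for it.
New-TransportRule -Name 'OME - enforce for partner domain' `
    -RecipientDomainIs 'partner.example' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Comments 'Mandatory OME for mail to partner.example'

# List every rule that applies a rights protection template, so each
# template in use can be checked before the rule is relied on.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, Mode, ApplyRightsProtectionTemplate -AutoSize
```

Send a test message that matches each rule and confirm the recipient receives it encrypted before announcing the keyword to users.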

Have fun!


1 comment:

qqqq said...

Be warned that AIP v2 does NOT support custom RMS templates at this time.
If you have any transport rule configured to apply custom RMS, all messages will permanently fail transport.
Learnt it the hard way...