Announcing Office 365 Advanced Message Encryption

April 30, 2019
The original article is published on the Microsoft Tech Community Security, Privacy and Compliance Blog.

A year and a half ago, we launched new Office 365 Message Encryption capabilities, and at the heart of these updates, we made it easier for users to collaborate on protected messages with anyone and on any device. These updates included empowering end users to apply encryption and read encrypted emails directly in Outlook, and also making it easier for non-Office 365 recipients to use their Google or Yahoo identities to authenticate and read encrypted messages.

Our goal continues to be to protect our customers’ sensitive data by making it easier to apply and consume encrypted messages, regardless of whether your recipient is inside or outside your organization. Unfortunately, protecting and controlling sensitive data that’s shared outside your organization is more challenging than if it was shared inside your organization.

That’s why we are investing in capabilities that not only enhance encryption, but also provide more control over access to encrypted emails by external recipients.

Today, we are excited to share new Office 365 Advanced Message Encryption capabilities that enable admins to apply multiple custom email templates, and to expire and revoke encrypted emails accessed through the Office 365 web portal.

Read further to understand what’s available in Advanced Message Encryption.

Apply multiple custom email templates

Many organizations require custom email templates that reflect the unique brand, logo or text of the department or region the encrypted email came from. For example, a regional office in France may require that the email template external recipients receive is in French.

With Advanced Message Encryption, customers can apply more than one custom email template. That means you can change, for example, the logo, color, or text of the email template. Today, this is done through a PowerShell cmdlet.

Once the template is created, in the Exchange admin center, you can create a mail flow rule that applies the template based on set conditions. For example, if the message contains a keyword such as ‘confidentiel’, the desired encryption policy and custom template will automatically be applied to the email.


Expire access to encrypted emails

Another benefit of creating a custom branded email template is the ability to set an expiration date as an added option on the template.

This may be valuable for organizations that have compliance obligations that require you to restrict how long external recipients can access sensitive emails per organizational policies or regulatory requirements.

Admins can control sensitive emails shared outside the organization with automatic policies that can detect sensitive information types (e.g. PII, Financial or Health IDs) or keywords to enhance protection by expiring access through the Office 365 web portal to encrypted emails.

Once the custom email template is created in PowerShell with the desired expiration date, in the Exchange admin center, you can apply the template.


After the template is applied, the sender can send email normally, and if the email meets the conditions of the policy, the expiration date will be invoked.

From the perspective of the recipient, after the message is sent, they would see the branded template with the expiration date. Once the encrypted email has expired, the email will no longer be accessible through the Office 365 web portal.
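The template-and-rule procedure described in the two sections above, sketched in Exchange Online PowerShell. This is an added example, not code from the original article; it assumes an already connected Exchange Online PowerShell session, and the template name, rule name, branding text, logo path, color, 7-day expiry and external-recipient scope are all illustrative assumptions.

```powershell
# Added example. All names and values below are assumptions for illustration.
$templateName = 'OME-France'                  # hypothetical template name
$ruleName     = 'Encrypt confidentiel (FR)'   # hypothetical mail flow rule name
$logoPath     = 'C:\Branding\logo-fr.png'     # hypothetical logo file

# 1. Create the custom template with an expiration period, unless it already exists.
#    Expiry applies to access through the Office 365 web portal.
$existing = Get-OMEConfiguration -Identity $templateName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-OMEConfiguration -Identity $templateName -ExternalMailExpiryInDays 7
}

# 2. Brand the template: logo, color and French text for the regional office.
$branding = @{
    Identity         = $templateName
    Image            = [System.IO.File]::ReadAllBytes($logoPath)
    BackgroundColor  = '#0B3D91'
    IntroductionText = ' vous a envoyé un message sécurisé.'
    ReadButtonText   = 'Lire le message'
    PortalText       = 'Portail de messagerie sécurisée'
    DisclaimerText   = 'Ce message est confidentiel et destiné uniquement à son destinataire.'
}
Set-OMEConfiguration @branding

# 3. Mail flow rule: encrypt outbound mail containing the keyword and
#    present it to external recipients with the custom template.
$rule = @{
    Name                                       = $ruleName
    SentToScope                                = 'NotInOrganization'
    SubjectOrBodyContainsWords                 = 'confidentiel'
    ApplyRightsProtectionTemplate              = 'Encrypt'
    ApplyRightsProtectionCustomizationTemplate = $templateName
}
New-TransportRule @rule

# 4. Confirm what was configured before relying on it.
Get-OMEConfiguration -Identity $templateName |
    Format-List Identity, ExternalMailExpiryInDays
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, SubjectOrBodyContainsWords,
                ApplyRightsProtectionTemplate, ApplyRightsProtectionCustomizationTemplate
```

Sending a test message that matches the rule to an external mailbox confirms that the recipient sees the branded template and the expiration date.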


Revoke access to encrypted emails

For organizations that collaborate and share sensitive emails with external recipients, we are also enabling the ability to revoke encrypted emails accessed through the Office 365 web portal.

Whether it’s due to a malicious attack, accidental sharing of encrypted emails, or changes in who is authorized to view encrypted emails, admins can now go into the encryption report to find encrypted emails and revoke access through a new UI experience inside the Office 365 Security and Compliance Center.

Once the message is revoked, the external recipient can no longer access the sensitive email through the Office 365 web portal.

Get started

Advanced Message Encryption is rolling out and will be available in eligible tenants by the end of May. Get started by leveraging resources such as the support documentation and interactive labs provided below.

Note that you must set up Office 365 Message Encryption to leverage Advanced Message Encryption capabilities, which provide added protection on top of encrypted messages shared externally. If you do not have Office 365 Message Encryption, learn how to set it up here.

Office 365 Advanced Message Encryption requires an Office 365 E5 subscription or an Office 365 E3 subscription with the E5 Compliance add-on or Advanced Compliance add-on. If you don't have that plan and want to try Advanced Message Encryption, you can sign up for a trial of Office 365 Enterprise E5.

Resources

Documentation: coming soon

Interactive guide: Enhance protection with Advanced Message Encryption in Office 365

Discuss this article in the Microsoft Technical Community.