Exchange Online - Message Encryption
There are several ways to encrypt your email with Exchange Online. See the Microsoft documentation listed under Resources for the details, but it comes down to:
- E-mail encryption:
  - OME (Office 365 Message Encryption): encrypts messages sent to internal or external recipients. It is built on Azure Rights Management; external recipients read the message in a portal after signing in or entering a one-time passcode.
  - S/MIME: certificate-based, per-user encryption and signing. To encrypt, you must have the public key (certificate) of every recipient on file; each recipient must keep their own private key secure.
  - IRM: uses encryption plus usage restrictions to protect email messages and attachments both online and offline. It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people.
- Secure connection:
  - Office 365 email, internal and external: Exchange Online servers always encrypt connections to other Exchange Online servers in Microsoft datacenters with TLS 1.2.
  - External email: by default Exchange Online uses opportunistic TLS. It tries the most secure TLS version first and negotiates down through the supported versions and cipher suites until both parties agree; if they cannot agree, the message is sent in clear text. This protects against passive eavesdropping only, since an attacker in the path can simply make the negotiation fail.
  - Force TLS: configured per partner domain with connectors. The connection must be encrypted (optionally with certificate or domain validation of the peer) or the email is not sent or received.
- Data at rest: disk volumes are encrypted with BitLocker Drive Encryption.
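Force TLS as it is configured on Exchange Online, as an added example that is not part of the original page: a pair of partner connectors that require TLS with domain validation for one partner domain. The partner domain partner.example is a placeholder, and the commands assume an Exchange Online PowerShell session (ExchangeOnlineManagement module, Connect-ExchangeOnline as an Exchange administrator).

```powershell
# Added example: enforce TLS for mail exchanged with one partner domain.
# Assumption: "partner.example" is a placeholder for the real partner domain.
# Prerequisite: Connect-ExchangeOnline -UserPrincipalName <admin upn>

$PartnerDomain = 'partner.example'

# Outbound: deliver to the partner only over TLS, and only if the remote MTA presents a
# certificate whose name matches the partner domain. 'EncryptionOnly' would accept any
# certificate, which gives confidentiality on the wire but no assurance of who terminates it.
New-OutboundConnector -Name "Force TLS to $PartnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $PartnerDomain `
    -Enabled $true

# Inbound: reject mail that claims to come from the partner unless it arrives over TLS
# with a certificate for the partner domain.
New-InboundConnector -Name "Require TLS from $PartnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $PartnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName $PartnerDomain `
    -RestrictDomainsToCertificate $true `
    -Enabled $true

# Verify: both connectors must be enabled and carry the TLS requirement.
Get-OutboundConnector | Where-Object { $_.RecipientDomains -contains $PartnerDomain } |
    Format-List Name, TlsSettings, TlsDomain, Enabled
Get-InboundConnector | Where-Object { $_.SenderDomains -like "*$PartnerDomain*" } |
    Format-List Name, RequireTls, TlsSenderCertificateName, RestrictDomainsToCertificate, Enabled
```

DomainValidation is the setting that ties the connection to the partner rather than to "some" TLS endpoint. Once the outbound connector exists, Validate-OutboundConnector -Identity "Force TLS to partner.example" -Recipients someone@partner.example sends a test message through it, so you can confirm delivery fails when the partner does not meet the requirement.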
This page describes how to use the OME message encryption capabilities with Exchange Online. Follow these steps to configure the service.
Activate Azure Rights Management
Note that you need an E3 or E5 license for this (Azure Rights Management is included in both), as well as a global administrator account.
- Log in to the Office 365 admin portal: https://portal.office.com/adminportal/home
- Navigate: Settings > Services & add-ins > Microsoft Azure Information Protection > Manage Microsoft Azure Information Protection settings
- On the rights management page, click activate, and confirm
Activating Azure Rights Management is what enables OME (Office 365 Message Encryption), which is built on it.
Activate User Licenses
This might not be strictly necessary. I need to test this next time I do this.
All users who send or read protected mail need the Azure Rights Management service plan enabled in their license (it is part of E3 and E5). With group-based licensing:
- Log into the Azure portal with an account that can manage licenses
- Go to Azure Active Directory
- Go to Licenses
- Go to All Products
- Click on your E5 product (or E3; it includes the required service plan as well)
- Go to Licensed Groups
- Click on the group that carries the license (in this tenant: Office365_Rings_Production)
- Click on Office 365 Enterprise E5
- Set Azure Rights Management to On
- Click Save
It could take a while for the setting to propagate.
Verify Office365 Message Encryption
You can verify the configuration using PowerShell, after connecting to Exchange Online PowerShell. Test-IRMConfiguration acquires the templates and performs an actual encrypt and decrypt round trip for the given sender:
PS C:\Users\sjoerdadmin> Test-IRMConfiguration -Sender sjoerd@shift.com

Results : Acquiring RMS Templates ...
          - PASS: RMS Templates acquired. Templates available: Shift - Confidential, Shift - Confidential View Only, Encrypt, Do Not Forward.
          Verifying encryption ...
          - PASS: Encryption verified successfully.
          Verifying decryption ...
          - PASS: Decryption verified successfully.
          Verifying IRM is enabled ...
          - PASS: IRM verified successfully.

          OVERALL RESULT: PASS
Verify OME Default Settings
You can check the settings using PowerShell with the Get-OMEConfiguration and Get-IRMConfiguration cmdlets:
PS C:\Users\sjoerdadmin> Get-OMEConfiguration

RunspaceId              : 00dc7da4-e429-4d7f-a8dc-3c0632432691
Image                   :
ImageUrl                :
EmailText               :
PortalText              :
DisclaimerText          :
BackgroundColor         :
IntroductionText        :
ReadButtonText          :
OTPEnabled              : True
SocialIdSignIn          : True
ClientEncryptionEnabled : True
ExpirationOptionEnabled : True
Identity                : OME Configuration
IsValid                 : True
ObjectState             : Unchanged

PS C:\Users\sjoerdadmin> Get-IRMConfiguration

InternalLicensingEnabled        : True
ExternalLicensingEnabled        : True
AzureRMSLicensingEnabled        : True
TransportDecryptionSetting      : Optional
JournalReportDecryptionEnabled  : True
SimplifiedClientAccessEnabled   : True
ClientAccessServerEnabled       : True
SearchEnabled                   : True
EDiscoverySuperUserEnabled      : True
DecryptAttachmentFromPortal     : False
DecryptAttachmentForEncryptOnly : False
AutomaticServiceUpdateEnabled   : True
RMSOnlineKeySharingLocation     :
RMSOnlineVersion                :
ServiceLocation                 :
PublishingLocation              :
LicensingLocation               : {https://1152aa96-bcfb-4cfb-XXXX-fb049201e412.rms.eu.aadrm.com/_wmcs/licensing}
Depending on your needs you might want to change these settings:
- SocialIdSignIn : True
  - Recipients of encrypted messages can sign in to the portal with a social identity (currently Yahoo, Microsoft or Google accounts) to read them. Set it to False if recipients must authenticate with an organizational account or a one-time passcode instead.
- OTPEnabled : True
  - Recipients can request a one-time passcode, delivered to their mailbox, to read encrypted messages. This is the path for recipients whose provider offers no federated sign-in.
- SimplifiedClientAccessEnabled : True
  - Enables the Protect button in Outlook on the web (this one lives on Set-IRMConfiguration, not Set-OMEConfiguration)
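The activation step (Activate Azure Rights Management) and the verification and settings above, as one idempotent PowerShell script. This is an added example and not the original page's own commands: it assumes the AIPService and ExchangeOnlineManagement modules, placeholder admin and sender addresses, and a baseline (social ID sign-in off, one-time passcode on, Protect button on) that is a policy choice for this example rather than a recommendation made by the page.

```powershell
# Added example, not from the original page: activate Azure RMS for the tenant, enable it for
# Exchange Online, verify end to end, then bring the OME/IRM settings to a baseline.
# Assumptions (placeholders): the admin and test sender addresses, and the baseline values,
# which are a policy choice (here: no social ID sign-in, one-time passcode on, Protect button on).
# Prerequisites: Install-Module AIPService ; Install-Module ExchangeOnlineManagement

$AdminUpn   = 'sjoerdadmin@shift.com'
$TestSender = 'sjoerd@shift.com'

# 1. Tenant-level Azure Rights Management (the portal "activate" step)
Connect-AipService                                    # interactive sign-in as global admin
if ((Get-AipServiceConfiguration).FunctionalState -ne 'Enabled') {
    Enable-AipService
    Write-Host 'Azure RMS activated'
}

# 2. Exchange Online must be told to use Azure RMS for IRM and OME
Connect-ExchangeOnline -UserPrincipalName $AdminUpn
if (-not (Get-IRMConfiguration).AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

# 3. End-to-end check: templates acquired, encrypt and decrypt both succeed
$test = Test-IRMConfiguration -Sender $TestSender
if ($test.Results -notmatch 'OVERALL RESULT: PASS') {
    throw "IRM configuration test failed:`n$($test.Results)"
}

# 4. Baseline for the OME portal/wrapper and the IRM client settings
$omeBaseline = @{
    SocialIdSignIn = $false   # external recipients use OTP or an organizational account
    OTPEnabled     = $true    # one-time passcode stays available for any mail provider
}
$irmBaseline = @{
    SimplifiedClientAccessEnabled = $true   # Protect button in Outlook on the web
}

$ome = Get-OMEConfiguration -Identity 'OME Configuration'
foreach ($name in $omeBaseline.Keys) {
    if ($ome.$name -ne $omeBaseline[$name]) {
        Write-Host "OME: $name is $($ome.$name), setting to $($omeBaseline[$name])"
        $p = @{}; $p[$name] = $omeBaseline[$name]       # splat a single named parameter
        Set-OMEConfiguration -Identity 'OME Configuration' @p
    }
}

$irm = Get-IRMConfiguration
foreach ($name in $irmBaseline.Keys) {
    if ($irm.$name -ne $irmBaseline[$name]) {
        Write-Host "IRM: $name is $($irm.$name), setting to $($irmBaseline[$name])"
        $p = @{}; $p[$name] = $irmBaseline[$name]
        Set-IRMConfiguration @p
    }
}

# 5. Show the effective values; these are what external recipients will experience
Get-OMEConfiguration | Format-List OTPEnabled, SocialIdSignIn, ExpirationOptionEnabled
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled, TransportDecryptionSetting
```

Keeping the baseline in hashtables and only calling the Set- cmdlets on a difference makes the script safe to re-run, and the diff it prints doubles as a change record. With SocialIdSignIn off and OTPEnabled on, Google and Yahoo recipients fall back to the one-time passcode, which is the scenario to cover in the receiving tests below.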
Add SHIFT Brand
We can use PowerShell to add branding to the wrapper email and the portal. Consistent branding also helps recipients tell a genuine OME notification from a phishing mail that imitates one, so keep the text and logo in line with your other official communication. Note that Get-Content -Encoding byte is Windows PowerShell 5.1 syntax; in PowerShell 7 use -AsByteStream instead. Keep the logo small (Microsoft recommends under 40 KB, in .png, .jpg, .bmp or .tiff format):
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential and only for the intended recipient."
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Secured Message from SHIFT. You will only receive secure messages if previously agreed on. Please contact SHIFT in case you have questions regarding the source or confidentiality of this message."
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -PortalText "SHIFT Portal for secure email messages."
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -Image (Get-Content "D:\sjoerdadmin\shift-logo.png" -Encoding byte)
Test
Now that the service is configured, test before rolling it out. Behaviour differs between clients and recipient types, so cover at least the scenarios below; then you can give your users precise guidance instead of generic advice:
Sending Email
- Encryption policy: Do Not Forward
  - Outlook
  - Outlook on the web
  - Outlook mobile
- Encryption policy: Encrypt
  - Outlook (watch out: behaviour differs between client versions)
  - Outlook on the web
  - Outlook mobile
- Confidential policies (the custom templates, here Shift - Confidential and Shift - Confidential View Only)
  - Outlook
  - Outlook on the web
  - Outlook mobile
- Attachments: Office files
- Attachments: PDFs
Receiving Email
- All encryption policies as an internal user
  - Outlook
  - Outlook on the web
  - Outlook mobile
- All encryption policies as an external user
  - Office 365 users
  - Microsoft account users (hotmail, live, msn, outlook.com, etc.)
  - Google and Yahoo users (social ID sign-in, if enabled)
  - Users with other email providers (one-time passcode)
- Attachments: Office files
- Attachments: PDFs
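A way to drive the receiving half of this matrix without depending on each client's Protect button, as an added example that is not part of the original page: temporary mail flow rules that apply a template server-side whenever a marker appears in the subject, restricted to one test sender so they cannot touch production mail. The template names are the four that Test-IRMConfiguration listed above; the sender address and the marker prefix are placeholders, and the commands assume an Exchange Online PowerShell session.

```powershell
# Added example, not from the original page: one mail flow rule per RMS/OME template, triggered
# by a subject marker, scoped to a single test sender. Template names are those shown by
# Test-IRMConfiguration on this page; $TestSender and $Prefix are placeholders.
# Prerequisite: Connect-ExchangeOnline -UserPrincipalName <admin upn>

$TestSender = 'sjoerd@shift.com'
$Prefix     = 'OMETEST'
$Templates  = @('Encrypt', 'Do Not Forward', 'Shift - Confidential', 'Shift - Confidential View Only')

function New-OmeTestRules {
    foreach ($template in $Templates) {
        # Marker such as OMETEST-DO-NOT-FORWARD: template names contain spaces, which are
        # awkward as subject keywords, so they are normalised to a single hyphenated token.
        $marker = "$Prefix-" + (($template -replace '[^A-Za-z0-9]+', '-').Trim('-')).ToUpper()
        New-TransportRule -Name "$Prefix $template" `
            -From $TestSender `
            -SubjectContainsWords $marker `
            -ApplyRightsProtectionTemplate $template `
            -Mode Enforce `
            -Comments 'Temporary OME test rule; remove after testing' | Out-Null
        Write-Host "Subject marker '$marker' -> template '$template'"
    }
}

function Remove-OmeTestRules {
    # Cleanup by name prefix; -Confirm:$false because this is meant to run unattended.
    Get-TransportRule | Where-Object { $_.Name -like "$Prefix *" } |
        Remove-TransportRule -Confirm:$false
}

New-OmeTestRules
# Now send one message per marker from $TestSender to each recipient type in the matrix
# (Office 365, Microsoft account, Google/Yahoo, other provider), with an Office file and a
# PDF attached, and record what each client shows. When done:
# Remove-OmeTestRules
```

Because the rule applies the template in transport, the sending client is taken out of the equation, which isolates the receiving behaviour you are testing; the sending-client differences (including the Outlook version quirk noted above) still need the manual runs from the Sending Email list. Scoping on -From is the safety net: a typo in the marker can at worst affect the test sender's own mail.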
Resources
https://docs.microsoft.com/en-us/office365/securitycompliance/encryption
https://docs.microsoft.com/en-us/azure/information-protection/activate-office365
https://docs.microsoft.com/en-us/office365/securitycompliance/manage-office-365-message-encryption
https://docs.microsoft.com/en-us/office365/securitycompliance/add-your-organization-brand-to-encrypted-messages
https://docs.microsoft.com/en-us/office365/securitycompliance/exchange-online-uses-tls-to-secure-email-connections
https://docs.microsoft.com/en-us/office365/securitycompliance/email-encryption