Sending encrypted messages with Exchange Online and Azure Information Protection

Recent changes on the regulations and amount of data moving from on-premises to Office 365 has forced companies to start focusing on a wave of concerns related to security and privacy. With the General Data Protection Regulation (GDPR) becoming active in May, many companies around the globe have updated their privacy statements and are looking for other ways to minimize the risks associated with the stiff penalties involved in the non-adherence to GDPR when managing users’ data. With this in mind, we will focus on a couple of the tools that Microsoft has provided to make Exchange Online meet some of the compliances organizations are now required to enforce.

Let’s start by putting together a few basic compliance and security scenarios that apply to many companies out there.

  1. Employees must be able to effortlessly send encrypted messages to their peers within the organization.
  2. Employees must be able to effortlessly send encrypted messages to external contacts that do not have their messaging system residing on Exchange Online.
  3. A specific group of users, namely a controlled group, should send all messages encrypted among themselves by default.
  4. The controlled group must be able to send non-encrypted messages to non-controlled and external users with minimum effort.
  5. When a user from the controlled group sends non-encrypted or external messages, logs must be available to be reviewed by the administrative staff as needed.

In this article, we will cover scenarios 1 and 2 by configuring the components in Exchange Online as well as Azure Information Protection (Azure IP). The other scenarios will be covered in future articles.

There have been many solutions, native and third party, that are available to organizations and individuals to allow encrypted messages to be sent and received with Exchange Online. One of the challenges of most of these solutions is the fact that the personnel with a deeper level of technical skills is required to configure client and server-side software that would make the adoption of such solutions difficult.

Fortunately, Microsoft has developed products and features to make this adoption easy for admins and users. Azure Information Protection (Azure IP) is one of the products containing seamless features that allow the users to achieve the organization desired goals with minimum effort.

What will be covered in this and subsequent sections of this article is the Azure IP configurations for an Exchange Online administrator to deploy message encryption compliance in their organizations.

One of the simple, basic, and great ways of communicating compliance sensitivity to users is via Policy Labels. These labels are well integrated with Microsoft Office when the Azure IP client is installed on a computer and gives the users an excellent visual method to select which sensitivity this specific email or document should have applied to it.

The steps and images coming next will explain how to install the Azure IP client on a workstation and how to check if it has been integrated with Outlook.

Installing Azure Information Protection

  1. In a computer running Windows 10 with Office 2016 installed, open Outlook and create a new email message.
    Note that the ribbon contains only the default items for an Outlook configuration.
    exchange online
  2. Download the Azure IP client and perform its installation following the steps highlighted below.
  3. Click on the download button.
    exchange online
    For the lab environment I created, I selected the AzInfoProtection.exe file. You might want to explore the .msi package for attendant install.
  4. Select the file and click on next and save the file in a desirable location.
    exchange online
  5. Once the download is completed, click on Run to execute the file.
    exchange online
  6. Click on the I agree button to begin the setup.
    exchange online
  7. Click on Yes to allow the setup to make changes on your computer.
    exchange online
  8. Wait until the installation completes and click on Close.
    exchange onlineexchange online
  9. Close all Office applications and open Outlook again. Click to create a new email message and note that now you have a new icon in the ribbon named Protect as well as a new bar under the ribbon listing default labels templates existent in your tenant.

exchange online

Exploring labels in Azure Information Protection

With the Azure IP installed and connected to the tenant, we can explore what the default labels configurations are by visiting the Azure Portal and searching for and opening Azure Information Protection.

exchange online

All labels listed in the Outlook message will be shown under labels in Azure IP.

exchange online

As seen in the image above, by default no labels are configured to protect email documents. Now, back to our first scenario, we would like to enable users to send encrypted messages to their corporate peers. To do this, we will be required to create a new label or change the existing ones to offer the required protection.

To avoid confusion, we will create a new label named Recipients Only, which will encrypt messages that can only be read by the recipient of the emails.

  1. Under labels, click on the + Add a new Label.
    exchange online
  2. Fill in the label display name and description as in the next example.
    exchange online
  3. Select a color and select Protect under Set permissions for documents and emails containing this label.
    exchange online
  4. Click on the Azure (cloud key,), select Set user-defined permissions (Preview), and leave only in Outlook apply Do Not Forward.
    exchange online
  5. Click on OK at the bottom right of the online
  6. Click on Save.
    exchange online
  7. The last step to publish this newly created label will be to enable it under the Global policy. To do this, Click on Policies.
    exchange online
  8. Select Global.
    exchange online
  9. Click on Add or remove labels, and mark the checkbox Recipient Only.
    exchange online
  10. Click OK and Save.
  11. To speed up things, close and reopen Outlook to get your new policies refreshed. Create a new message and note the new label named Recipient Only under the ribbon.
    exchange online

Sending an encrypted message with Exchange Online

With the new label created and the security settings configured, you can now send encrypted emails that only intended recipients can open. The following steps will show how a protected email looks like and its properties.

Our scenario here will include an external and internal recipient, and we will go about showing you the different behavior between them.

In our scenario, [email protected] is a TCPGuys’ traveling agency responsible for booking flights for the company and usually requires important personal data to book those hotels and tickets. [email protected] is the employee required to travel overseas for an important project.

Create a new message in Outlook, type the intended external address in the to: field, and internal address in Cc: field. Click on the Recipients only Label and click Send.

exchange online

Reading messages from internal user’s mailbox

As you can see in the image below, Nikola received a message containing a symbol indicating the message is protected. The information in it cannot be forwarded, copied, or printed as per the policy we configured previously.

exchange online

The details of the permissions assigned to the message can be reviewed by clicking on the information text just below the To: field and selecting View Permission as in the image below.

exchange online


exchange online

Let’s now look into the message xTravellCo received. Because the recipient is outside of the organization and is not hosted in Exchange Online, the authentication method used to authorize the user to access the email content is different.

The recipient of the message will be required to select one of two methods to prove that he or she is the intended recipient of the message. One of the methods is via Gmail federation with Office 365, which will leverage the users’ credentials in Google to authenticate the user. The alternative would be to request Office 365 to send a code to the user via email as a second form factor of authentication.

We will show you both methods in the next steps.

Open the message in Gmail and click on the link Read the message to use the federation option to authenticate the user.

exchange online

Click on Sign in with Google link.

exchange online

Select xTravell Co account.

exchange online

Because the user is using a browser session that has already been authenticated by Google, the email message will be displayed without further user interaction.

exchange online

As a second option, the message can be open by selecting Or, sign in with a one-time passcode.

exchange online

An email containing the one-time passcode will be sent to the desired recipient.

exchange online

This passcode must be entered in the text box displayed next to open the message.

exchange online

Coming attractions

This article covers the simple integration between Exchange Online and Azure IP. There are many configurations still required to manage more complex scenarios and compliances needs. In subsequent articles, we will detail the steps required to meet the remaining scenarios listed at the beginning of this article.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top