Office 365 Message Encryption (Part 2)

This is part two in a three-part article series on the Office 365 Message Encryption service. In part one, I introduced Office 365 Message Encryption, went on to connect to my Office 365 lab tenant, and finished the part by configuring Azure Rights Management Services for the purposes of using Office 365 Message Encryption.

Here in part two, I’ll show how Exchange Online’s transport rules determine which messages are encrypted. I will then look at how encrypted messages are sent and received, including the very useful one-time passcode feature that recipients can use to read encrypted messages.

Message Encryption Transport Rules

How might a user go about sending a message encrypted by Office 365 Message Encryption? The answer lies in transport rules in Exchange Online, which the tenant administrator must set up before any messages can be encrypted. First, I will look at a rule that gives users the choice of whether a message is encrypted, by looking for a specific key word in the message subject. Later in this article, I will look at a rule that encrypts messages sent to a particular external address, regardless of whether the user asks for message encryption or not. That configuration still depends on whether the message meets certain conditions, so the principles behind the two transport rules are largely the same.

For the scenario where I give the users the choice of whether the message is encrypted or not, I will instruct the users to put the string ENCRYPT: at the beginning of the message subject line. It’s possible to use any key word or string, but it needs to be chosen so that the rule doesn’t fire on common words that might appear in the subject lines of messages that I don’t want encrypted. I’m keeping things simple with a single key word that tells the users what action will be taken on the message. The transport rule is then configured to check the message subject line for this string. If the string is detected, the message will be encrypted. Here’s how I did this:

  1. Log in to the Office 365 portal
  2. Click Admin, then click Exchange to navigate to the Exchange Administration Center
  3. In the navigation pane, select Mail Flow. By default, the Rules tab should be displayed as shown in Figure 2-1. If not, select the Rules tab now

Figure 2-1:
Transport Rules in Exchange Online

  4. Click the + symbol and choose Create a new rule… from the displayed list of options
  5. In the resulting New Rule window, it is important to first click the More options… link found towards the bottom of the window. This allows for more granular configuration options, which I require in this example

Figure 2-2:
Creating a New Transport Rule

  6. Next, give the rule a meaningful name. I’m going to call mine Per-User Encryption in this example, but on a production system I will probably want a fuller name so that other administrators can easily identify what this transport rule does just from the name
  7. From the Apply this rule if… drop-down box, choose the option called The subject or body… and then from the resulting additional window choose the option called Subject includes any of these words
  8. In the resulting Specify Words or Phrases window, enter ENCRYPT: into the field and click the + symbol to add this word to the list. Then, click the OK button to close this window
  9. Back at the New Rule window, click the Do the following… drop-down box and choose the Modify the message security… option. From the resulting additional window, choose the option called Apply Office 365 Message Encryption, as you see in Figure 2-3. Note that the option to apply message encryption will only be displayed if I’ve enabled Office 365 Message Encryption in my Office 365 tenant, which I did back in part one of this article series

Figure 2-3:
Specifying Office 365 Message Encryption

  10. At this time, I can review the other rule properties to further refine the conditions if desired. For this article, the current configuration is good enough to demonstrate the encryption feature, so at this point I’ll simply save the rule
  11. Back at the transport rules tab in the Exchange Administration Center, check that the rule has been created successfully

Encrypting to a Specific Recipient

As we have seen, the rule I just created is configured to only apply Office 365 Message Encryption if any message has the string ENCRYPT: in the subject line. Of course, I may also require a different configuration such as the ability to encrypt messages to a particular external recipient. In that case, my process is as follows:

  1. Create an external mail contact for that recipient
  2. Create a transport rule to encrypt messages to that mail contact

I can essentially follow the same process I just covered above to create the transport rule, except this time the condition I choose will be The recipient is…. From the resulting window displayed when selecting this condition, I can then choose the external mail contact created earlier. The completed rule template is shown below in Figure 2-4.

Figure 2-4:
Encrypting to a Specific Recipient
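The two rules built above in the Exchange Administration Center can also be created from PowerShell. The script below is an added example, not part of the original article: it assumes an Exchange Online PowerShell session is already connected and that Office 365 Message Encryption is enabled, and the contact name, contact address, second rule name and the New-EncryptionRule helper are placeholders chosen for illustration.

```powershell
# Added example: assumes a connected Exchange Online PowerShell session
# and Office 365 Message Encryption already enabled (part one).

# Placeholder values for the external recipient; not from the article.
$contactName    = 'External Partner'
$contactAddress = 'partner@example.com'

# Hypothetical helper: create an encryption rule only if the name is unused.
function New-EncryptionRule {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Condition
    )
    if (Get-TransportRule | Where-Object { $_.Name -eq $Name }) {
        Write-Warning "Transport rule '$Name' already exists; leaving it unchanged."
        return
    }
    # -ApplyOME corresponds to the "Apply Office 365 Message Encryption" action;
    # the condition (subject words or recipient) is splatted in.
    New-TransportRule -Name $Name -ApplyOME $true @Condition | Out-Null
}

# Rule 1: the user opts in by putting ENCRYPT: in the subject line.
New-EncryptionRule -Name 'Per-User Encryption' `
    -Condition @{ SubjectContainsWords = 'ENCRYPT:' }

# Rule 2: always encrypt mail sent to one external recipient.
# Step 1 is the mail contact, step 2 is the rule that targets it.
if (-not (Get-MailContact | Where-Object { $_.Name -eq $contactName })) {
    New-MailContact -Name $contactName `
        -ExternalEmailAddress $contactAddress | Out-Null
}
New-EncryptionRule -Name 'Encrypt to External Partner' `
    -Condition @{ SentTo = $contactAddress }

# Check: list every rule that applies message encryption, in evaluation order.
Get-TransportRule |
    Where-Object { $_.ApplyOME } |
    Sort-Object Priority |
    Format-Table Name, State, Priority, SubjectContainsWords, SentTo -AutoSize
```

SubjectContainsWords, like the Subject includes any of these words condition, matches the word wherever it appears in the subject; New-TransportRule also accepts -SubjectMatchesPatterns with a regular expression if the match has to be tied to the start of the subject line.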

Sending and Receiving an Encrypted Message

Now that I’ve created my transport rules to encrypt messages under certain conditions, let’s look at what happens when a user sends a message that needs to be encrypted. In this example, I will make use of the first transport rule I created above, which lets the user encrypt the message by using a subject line that contains the string ENCRYPT:. As you can see from Figure 2-5, I’m sending a simple message with the appropriate string at the start of the message subject.

Figure 2-5:
Message Before Encryption

Once this message was sent, the transport rule I created earlier detected the ENCRYPT: string in the message subject line and applied Office 365 Message Encryption to the message. The result was that when the recipient opened the message, they saw an encrypted message notification as shown in Figure 2-6.

Figure 2-6:
Received Encrypted Message

As an administrator, I can always trace messages to see whether the transport rule has been applied correctly, for example if I suspect that a message has not been encrypted; I will cover this later in part three of this article series.

As you can see from Figure 2-6, the received message contained an HTML attachment that the recipient must first save, then open. Figure 2-7 shows what the recipient saw when they did this.

Figure 2-7:
Options to Decrypt Message

At this point, the recipient needed to sign in using their Microsoft account and once they did that, the message was displayed correctly as you can see from Figure 2-8.

Figure 2-8:
Decrypted Message

In my example above, the recipient was another internal user on the same Office 365 lab tenant. Therefore, it was easy for the recipient to sign in using their Microsoft account because they’ve obviously already been set up with one in the tenant. What if I sent my email to an external recipient who does not use Office 365, for example? In this case, there are two options for the recipient to open the message:

  1. The external recipient can create a Microsoft account
  2. Look again at Figure 2-7. At the bottom of the screen, you might have noticed the link stating Don’t want to sign in? Get a one-time passcode to view the message. Let’s now have a look at this option

One-Time Passcodes

When the one-time passcode option was clicked, the recipient was told that a one-time passcode had been sent to their mailbox. The one-time passcode message includes a reference code to tie the two pieces of information together, and the passcode is valid for a period of 15 minutes. The recipient saw the screen presented in Figure 2-9.

Figure 2-9:
One-Time Passcode Prompt

The recipient therefore checked their mailbox and located the one-time passcode message, which looks similar to the one shown in Figure 2-10. It was then just a case of entering the passcode to view the message.

Figure 2-10:
One-Time Passcode Details

After letting the 15-minute period expire, I saw the following message, at which point a new one-time passcode must be requested.

Figure 2-11:
Expired One-Time Passcode


That completes part two of this look at the Office 365 Message Encryption service. In this part, I covered the transport rules required to trigger the encryption of the messages and then moved on to primarily see how the recipients viewed and opened these messages, including use of the one-time passcode feature. In the final part of this series, I will look at encrypted messages on mobile devices, cover decrypting replies to messages, how I was able to brand some elements of message encryption and finally finish with a little troubleshooting information.
