NYES Digital Support

7

Secure Office 365 E-mail – Office Message Encryption (OME)

Last updated: 10-10-2018

What is Office Message Encryption?

Office Message Encryption (OME) lets you send encrypted e-mails from Office 365 Outlook. It is available to all schools as part of their standard Office 365 A1 subscription. This means that the ability to send encrypted e-mails is available to everyone in a school, not just those with specially assigned Egress licences. OME does not appear to have any adverse effect on the Egress encryption that is already in place on North Yorkshire school Office 365 tenancies.

 

Tell Me More About Office Message Encryption

Sending E-mails

A user can choose to encrypt any e-mail they send by clicking on a “Protect” button while they are composing the e-mail. This button is available from within Office 365 web based Mail. If using the Outlook for Windows Mail client, you can apply protection by clicking on Options > Permissions when composing an e-mail. (In addition an Azure Information Protection (AIP) client can be installed to make a Protect button available from within the Outlook for Windows Mail client – acheives the same thing but is less clicks for the user)

Alternatively, mail-flow rules can be configured within a schools Office 365 tenancy to automatically encrypt e-mail when certain conditions are met, for example an e-mail is sent to the northyorks.gov.uk domain, or the words [secure] or [restricted] are found in the subject line of the e-mail. Many other conditions can be configured beyond these simple examples.

OME allows users to do more than just encrypt messages. In fact, by default, clicking the ‘protect’ button will both encrypt an e-mail and not allow it to be copied, printed or forwarded. This is making use of the extended capabilities of AIP using Azure Rights Management Services (Azure RMS).

There are 4 ‘mail protection’ choices that are available out of the box when Azure Information Protection (AIP), (the technology underpinning OME), is enabled on an Office 365 tenancy.

  • Encrypt – This will only encrypt the message. The recipient will be able to do anything with it, except remove encryption.
  • Do Not Forward (Default) – The message is encrypted, and also cannot be copied, printed or forwarded.
  • Confidential \ All Employees – Grants read and modify permissions for the protected content. E-mail and content cannot be sent outside of the organisation (to an external e-mail address)
  • Highly Confidential \ All Employees – Grants read-only permission for the protected content. E-mail and content cannot be sent outside of the organisation (to an external e-mail address)

It is also possible to create bespoke protection templates (labels) within Office 365 to apply to e-mails and that you send. These bespoke templates can be used either via the ‘protect’ button, or as part of mail flow rules. For example a group of academy schools could have a protection template that they could apply to e-mails. This could restrict the viewing of those e-mails to just that group of academy schools. This would apply even if a protected e-mail was accidentally sent to a non-academy e-mail address. This is a significant upgrade over just encryption, which only ensures that an e-mail cannot be intercepted and read by someone it is not addressed to.

Encryption and any further protection from Azure RMS remains with the e-mail and any attached documents even if the e-mail is replied to or forwarded on to other users.

 

Receiving E-mails

In terms of receiving and viewing protected messages, the following applies:

Message is only encrypted

  • Other Office 365 e-mail accounts (e.g. other schools). These users will be able to view the message either in Office 365 Outlook on the web, or in the full Outlook client without the need to take any extra action to decrypt it.
  • Non Office 365 e-mail accounts (e.g. Gmail, Hotmail or any other e-mail address). These users will be able to access the e-mail via a secure mail portal by entering a one-time passcode. The initial e-mail they receive provides a link to request this passcode which is then sent to their e-mail address. The only variation to this is that Gmail or other Microsoft accounts (e.g. Hotmail) can view the e-mail by logging into their associated mail account, rather than having to request a passcode, thus making the process of viewing encrypted e-mails easier.
  • North Yorkshire e-mail accounts (northyorks.gov.uk e-mail addresses). These users will be able to view encrypted e-mail via the secure mail portal using a one-time passcode.

 Message is encrypted and has Azure RMS applied (e.g. Do Not Forward)

  • Other Office 365 e-mail accounts (e.g. other schools). So long as the recipients of the e-mail have been granted appropriate permissions*, these users will be able to view the message either in Office 365 Outlook on the web, or in the full Outlook client without the need to take any extra action to decrypt it.
  • Non Office 365 e-mail accounts (e.g. Gmail, Hotmail or any other e-mail address). So long as the recipients of the e-mail have been granted appropriate permissions*, these users will be able to access the e-mail via a secure mail portal by entering a one-time passcode. The initial e-mail they receive provides a link to request this passcode which is then sent to their e-mail address. The only variation to this is that Gmail or other Microsoft accounts (e.g. Hotmail) can view the e-mail by logging into their associated mail account, rather than having to request a passcode, thus making the process of viewing encrypted e-mails easier.
  • North Yorkshire e-mail accounts (northyorks.gov.uk e-mail addresses). So long as the recipients of the e-mail have been granted appropriate permissions*, these users will be able to view encrypted e-mail via the secure mail portal using a one-time passcode. However, this will only work if the e-mail is initially accessed via North Yorkshire’s ‘Outlook Web App Light’.**

* Remember, Azure RMS allows you to restrict access based on domain or whether a user is internal to the organisation, for example. The default ‘Do Not Forward’ setting allows access to external recipients.
** It may be possible to enable access via the full outlook client via integration with North Yorkshire’s Active Directory Federated Services (ADFS), as if you try to sign in to Office 365 with a northyorks.gov.uk account, you will be taken to North Yorkshire’s organisational (ADFS) sign in page. But this would require further investigation with North Yorkshire T&C to answer fully.

Finally, schools can brand the secure mail portal that e-mail recipients are directed to when they have been sent a secure message from a school. This branding can include the school logo, choice of colour for the header, custom text to display with encrypted messages, and a custom disclaimer.

 

Learn More About Office Message Encryption

Below are some short videos that demonstrate sending secure e-mails from Office 365, and what it is like to receive them for different e-mail systems, namely Office 365, North Yorkshire County Council, and G-mail. If you wuld like to read more about Office Message Encryption, please read Microsoft’s official documentation. 

Sending and Receiving secure e-mails between Office 365 accounts.
Demonstration of sending a secure e-mail from one Office 365 account to another, for example between two schools both using Office 365.

Sending an Office 365 Encrypted e-mail to a North Yorkshire e-mail account
Demonstration of sending an encrypted e-mail from Office 365 to a North Yorkshire e-mail account, and what viewing the e-mail is like for the recipient.

Sending a secure Office 365 e-mail to a G-mail account.
Demonstration of sending a secure e-mail from Office 365 to a g-mail account.

Sending an Office 365 “Do Not Forward” e-mail to a North Yorkshire e-mail account.
Demonstration of sending a “Do Not Forward” e-mail from Office 365 to a North Yorkshire e-mail account, and what viewing the e-mail is like for the recipient.