
Microsoft Purview Message Encryption

Apr 7


Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information. Microsoft 365 uses encryption in two ways: in the service itself and as a customer control.


In the Service

Microsoft uses Transport Layer Security (TLS) by default to encrypt connections between servers, ensuring secure communication within the service. This is part of the built-in encryption that Microsoft 365 provides without requiring any additional configuration from the user. For example, Microsoft 365 uses TLS to encrypt the connection, or session, between two servers.


Customer Control

Microsoft Purview Message Encryption is a customer control that allows organizations to encrypt email messages and apply additional protection policies. This feature requires configuration by the customer to set up and manage encryption policies according to their specific needs.


How Email Encryption Works

  1. Encryption: A message is encrypted, transforming it from plain text into unreadable ciphertext. This can happen either on the sender's machine or by a central server while the message is in transit.

  2. In Transit: The message remains in ciphertext while it's in transit to protect it from being read if intercepted.

  3. Decryption: Once the message is received by the recipient, it is transformed back into readable plain text in one of two ways:

    1. The recipient's machine uses a key to decrypt the message.

    2. A central server decrypts the message on behalf of the recipient after validating the recipient's identity.


The Evolution of Email Encryption

Before the introduction of Microsoft Purview Message Encryption, Microsoft offered two primary methods for securing emails: Office 365 Message Encryption (OME) and Information Rights Management (IRM).


  1. Office 365 Message Encryption (OME): Designed to encrypt emails with options like "Do Not Forward" and "Encrypt-Only" to control access.

  2. Information Rights Management (IRM): Applied additional usage restrictions, such as preventing recipients from forwarding, copying, printing, and editing the encrypted email.


OME and IRM are not deprecated. While OME can still be applied through mail flow rules in the Exchange admin center, the Encrypt button in Outlook is now exclusively available with Microsoft Purview Message Encryption. This button uses IRM and allows users to apply encryption and usage restrictions directly from the email interface.
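Applying OME through a mail flow rule, as the paragraph above describes, can be scripted from Exchange Online PowerShell. This is an added example, not code from the original post; it assumes Connect-ExchangeOnline has been run by an Exchange administrator, that the tenant's Encrypt-Only template is listed under the name "Encrypt", and the rule name and trigger word are placeholders.

```powershell
# Added example (not from the original post): create a mail flow rule that applies the
# OME "Encrypt" (Encrypt-Only) template to outbound mail tagged as Confidential.
# Assumes Connect-ExchangeOnline has already been run with sufficient rights.

# List the rights management templates the tenant can use, so the template name
# passed to -ApplyRightsProtectionTemplate below is one that actually exists.
Get-RMSTemplate | Select-Object Name, Type

# Rule: mail leaving the organization whose subject or body contains the trigger word
# gets the "Encrypt" template applied (assumed template name; adjust to the list above).
New-TransportRule -Name 'OME: encrypt tagged external mail' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Comments 'Applies Office 365 Message Encryption (Encrypt-Only) to tagged outbound mail'

# Confirm the rule exists and is enabled before relying on it.
Get-TransportRule -Identity 'OME: encrypt tagged external mail' |
    Format-List Name, State, ApplyRightsProtectionTemplate
```

Send a test message containing the trigger word to an external mailbox and confirm it arrives as an encrypted message before rolling the rule out more widely.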


A Unified Approach

In April 2022, Microsoft unveiled the Microsoft Purview suite, which includes Microsoft Purview Message Encryption. This service combines the capabilities of OME and IRM, providing a comprehensive solution for email encryption and rights management.


Because Microsoft Purview Message Encryption combines the capabilities of both OME and IRM into a single, unified solution, users can easily encrypt their emails and protect them with the rights management features of IRM from one place.


Built on Azure Rights Management Services (Azure RMS)

Azure Rights Management Services (Azure RMS) is a component of Azure Information Protection.


In the background, Microsoft Purview Message Encryption uses Azure RMS to manage encryption keys and policies. When a user sends an encrypted email, Azure RMS applies the appropriate encryption rules and manages the decryption process for authorized recipients.


Azure RMS also powers the IRM features within Microsoft 365 applications, helping to prevent sensitive information from being printed, forwarded, or copied by unauthorized people.


Encryption Technologies

Microsoft Purview Message Encryption leverages several encryption technologies to ensure robust protection for data at rest and in transit:


  1. Transport Layer Security (TLS): Encrypts data in transit between servers. Microsoft 365 stopped supporting TLS 1.0 and 1.1 on October 31, 2018, and has had TLS 1.0 and 1.1 disabled in all environments since 2022. To maintain a secure connection to Microsoft 365 services, all client-server and browser-server combinations must use TLS 1.2 and modern cipher suites.

  2. IPSec: In the context of Microsoft Purview Message Encryption, IPSec is not directly used for encrypting email messages. Instead, Microsoft Purview Message Encryption relies on Azure RMS to provide encryption, identity, and authorization policies. However, IPSec can be used to secure the network connections over which these encrypted emails are transmitted, ensuring that the data remains protected during transit.

  3. Advanced Encryption Standard (AES): The primary cipher used for encrypting emails is AES with a 256-bit key length in Cipher Block Chaining mode (AES256-CBC). By October 2023, AES256-CBC will be the default for encryption of Microsoft 365 Apps documents and emails.

  4. Encryption of Data at Rest: In Microsoft 365, email data at rest is encrypted using BitLocker Drive Encryption. BitLocker encrypts the hard drives in Microsoft data centers to provide enhanced protection against unauthorized access.

  5. Third-party encryption tools (PGP): You can also use third-party encryption tools with Microsoft 365, such as PGP (Pretty Good Privacy). Microsoft 365 does not support PGP/MIME, so you can only use PGP/Inline to send and receive PGP-encrypted emails.


Subscription Plans

Microsoft Purview Message Encryption is included in the following subscription plans:

  • Office 365 Enterprise E3 and E5

  • Microsoft 365 Enterprise E3 and E5

  • Microsoft 365 Business Premium

  • Office 365 A1, A3, and A5

  • Office 365 Government G3 and G5


Activation and Configuration

You do not need to perform any manual configuration to enable Microsoft Purview Message Encryption for your users. Once you assign them one of the above subscriptions with the Microsoft Purview Message Encryption feature, all required features and services should automatically be enabled and ready to use. However, since Microsoft Purview Message Encryption works on Azure RMS, you will need to ensure Azure RMS is active in your tenant. Azure RMS is also activated automatically for most subscriptions, so you probably don't have to do anything in this regard either. If you disabled Azure RMS, or if it was not automatically activated for any reason, you can activate it manually.


You must use PowerShell to activate the Azure RMS service. You can no longer activate or deactivate this service from the Azure portal.


  • Run Get-AipService to confirm whether the protection service is activated.

  • To activate the service, run Enable-AipService.


You can verify that your Microsoft 365 tenant is properly configured to use Microsoft Purview Message Encryption using the Exchange Online PowerShell module.


  • Run Get-IRMConfiguration.


You should see a value of $True for the AzureRMSLicensingEnabled parameter, which indicates that Microsoft Purview Message Encryption is configured in your tenant. If it is not, use Set-IRMConfiguration to set the value of AzureRMSLicensingEnabled to $True to enable Microsoft Purview Message Encryption.


Run the Test-IRMConfiguration cmdlet using the following syntax:

Test-IRMConfiguration [-Sender <email address> -Recipient <email address>]

Example:

Test-IRMConfiguration -Sender securityadmin@contoso.com -Recipient securityadmin@contoso.com

For sender and recipient, use the email address of any user in your Microsoft 365 tenant.


Your results should be similar to:

Results : Acquiring RMS Templates ...
              - PASS: RMS Templates acquired.  Templates available: Contoso  - Confidential View Only, Contoso  - Confidential, Do Not Forward.
          Verifying encryption ...
              - PASS: Encryption verified successfully.
          Verifying decryption ...
              - PASS: Decryption verified successfully.
          Verifying IRM is enabled ...
              - PASS: IRM verified successfully.
          OVERALL RESULT: PASS

Your organization name will replace Contoso and the default template names may be different from those displayed above.


Troubleshooting

If the test fails with an error message "Failed to acquire RMS templates," execute the following cmdlets in the AIPService module in the specified order:


  1. $RMSConfig = Get-AipServiceConfiguration

  2. $LicenseUri = $RMSConfig.LicensingIntranetDistributionPointUrl

  3. Set-IRMConfiguration -LicensingLocation $LicenseUri

  4. Set-IRMConfiguration -InternalLicensingEnabled $true


Run the Test-IRMConfiguration cmdlet again to verify that it passes.
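The activation checks above and the template fix in the Troubleshooting section can be run as one script. This is an added example, not code from the original post; it assumes the AIPService and ExchangeOnlineManagement modules are installed, that Connect-AipService and Connect-ExchangeOnline have already been run with sufficient rights, that Get-AipService reports the strings Enabled or Disabled, and that the two contoso.com addresses are placeholders for mailboxes in your own tenant.

```powershell
# Added example (not from the original post): verify the tenant prerequisites for
# Microsoft Purview Message Encryption end to end and apply the template fix if needed.
# Assumes Connect-AipService and Connect-ExchangeOnline have already been run.
param(
    [string]$Sender    = 'securityadmin@contoso.com',   # placeholder mailbox
    [string]$Recipient = 'securityadmin@contoso.com'    # placeholder mailbox
)

# 1. Azure RMS (the protection service) must be active.
#    Assumption: Get-AipService returns the string Enabled or Disabled.
$rmsState = Get-AipService
if ("$rmsState" -ne 'Enabled') {
    Write-Warning "Azure RMS is '$rmsState'; activating it with Enable-AipService."
    Enable-AipService
}

# 2. Exchange Online must be licensed to use Azure RMS (AzureRMSLicensingEnabled = $True).
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Write-Warning 'AzureRMSLicensingEnabled is False; enabling it.'
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

# 3. Run the end-to-end test and keep the text report for inspection.
$test   = Test-IRMConfiguration -Sender $Sender -Recipient $Recipient
$report = "$($test.Results)"

# 4. If template acquisition failed, point Exchange at the tenant's licensing URL
#    (the four-step fix from the Troubleshooting section) and re-run the test once.
if ($report -match 'Failed to acquire RMS templates') {
    $rmsConfig  = Get-AipServiceConfiguration
    $licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
    Set-IRMConfiguration -LicensingLocation $licenseUri
    Set-IRMConfiguration -InternalLicensingEnabled $true
    $test   = Test-IRMConfiguration -Sender $Sender -Recipient $Recipient
    $report = "$($test.Results)"
}

# 5. Print the report and fail loudly unless every step passed.
Write-Output $report
if ($report -notmatch 'OVERALL RESULT: PASS') {
    throw 'Purview Message Encryption is not fully configured; review the report above.'
}
```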


Microsoft Purview Advanced Message Encryption


So far, we have been talking about Microsoft Purview Message Encryption (Basic). There is also Microsoft Purview Advanced Message Encryption.


Microsoft Purview Advanced Message Encryption is included in:

  • Microsoft 365 Enterprise E5

  • Office 365 E5

  • Microsoft 365 E5 (Nonprofit Staff Pricing)

  • Office 365 Enterprise E5 (Nonprofit Staff Pricing)

  • Office 365 Education A5


If your organization has a subscription that does not include Microsoft Purview Advanced Message Encryption, you can purchase it with:


  • Microsoft 365 E5 Compliance SKU add-on for Microsoft 365 E3 and Microsoft 365 E3 (Nonprofit Staff Pricing)

  • Office 365 Advanced Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing) and Office 365 SKUs

  • Microsoft 365 E5/A5 Information Protection and Governance SKU add-on for Microsoft 365 A3/E3


Differences in Features Between Microsoft Purview Message Encryption and Advanced Message Encryption:


Microsoft Purview Advanced Message Encryption includes all the features of Microsoft Purview Message Encryption, plus several advanced capabilities. Here are the additional features:


  1. Automatic Policies: Configure policies to automatically encrypt emails containing sensitive information such as Personally Identifiable Information (PII), financial data, or health records.

  2. Expiration and Revocation: Set expiration dates for encrypted emails and revoke access to them at any time, providing additional control over sensitive information.

  3. Tracking and Reporting: Track activities related to encrypted emails through access logs, ensuring compliance and security.

  4. Multiple Branding Templates: Use multiple branding templates for customized email experiences, enhancing the recipient's experience.


Alternative Options:


If you cannot use Microsoft Purview Message Encryption for some reason, you can consider the following alternatives:


  • Varonis Data Security Platform

  • Virtru Email Encryption

  • Acronis Cyber Protect Cloud

  • Druva Data Security Cloud


S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is completely separate from Microsoft Purview Message Encryption and is its own method of sending encrypted emails. In addition to encrypting emails, it also digitally signs them so the recipients can verify the sender's identity.


If you want to encrypt emails using the S/MIME method when sending emails from your Microsoft 365 email account (Exchange Online), you do not need to purchase any add-on license or specific Microsoft 365 subscriptions. You only need to purchase an S/MIME certificate from any Certificate Authority (CA) or set up your own CA within your organization. You can then set up S/MIME in users' Outlook desktop app or Outlook on the web.


Please note: Recipients should also have S/MIME configured on their end to read your encrypted email using this method.

