Are Office 365 emails encrypted?

Lennart W├Ârmer


This post will be updated soon.

Data protection, security and encryption - three topics that have grown in importance in recent years. With an increasingly networked world, the challenges of making an intuitive and at the same time safe change in the world into the digital age are growing. With the General Data Protection Regulation (GDPR), the European Union has already set a framework schedule that, among other things, stipulates the encryption of personal data. Today we're looking at an important part of it - email encryption for Microsoft Office 365 with Office 365 Message Encryption (OME).

Office 365 Message Encryption (OME)


Microsoft offers with Office 365 Message Encryption (OME) a fully integrated solution for the encryption and decryption (internal and external) of emails for Office 365 users. The solution offers a secure communication in harmony with GDPR regulations as well as a seamless integration in Office 365 and Microsoft apps. Depending on the Office 365 plan, the solution can already be included and can therefore be used free of charge. Office 365 Message Encryption is part of Azure Information Protection (AIP) - a service of the Microsoft cloud that allows documents and messages to be classified and protected according to individually defined guidelines. These are inAzure Rights Management (RMS) configured.


Allow custom policies individually tailored scenarios and rights for documents and e-mails, such as the following:

[su_list icon = "icon: angle-right"]

  • Only internal employees are allowed to read an encrypted email.
  • Each recipient can read the encrypted e-mail, but not forward it.
  • Emails to external parties are automatically encrypted.
  • An incoming reply to an e-mail initially encrypted by us should be decrypted for internal processing.
  • If an email is sent with an attachment, it should be encrypted automatically.
  • Attachments to an e-mail can inherit the protection (encryption, guidelines) of e-mails.

[/ su_list]

With the use of Office 365 Message Encryption, Data effectively protected, as the following scenarios show:


To Encryption of emails the following products can be used:

[su_list icon = "icon: angle-right"]

  • Microsoft Outlook 2013/2016/2019 for macOS and Windows
  • Microsoft Outlook OWA (Outlook Web Access)

[/ su_list]

The Authentication as a prerequisite forDecryption of emails can be done natively from Microsoft Outlook. The following products are supported:

[su_list icon = "icon: angle-right"]

  • Microsoft Outlook 2013/2016/2019 for macOS and Windows
  • Microsoft Outlook for Android and iOS
  • Outlook OWA (Outlook Web Access)

[/ su_list]

If no product listed above is used, the e-mail cannot be displayed. Instead, the user is presented with email content that enables him to send aalternative authentication perform. This can optionally be carried out by one of the following providers (if the e-mail address can be assigned to a provider) and always with a one-time code:

[su_list icon = "icon: angle-right"]

  • Yahoo account
  • Google account
  • Microsoft account
  • One-time identification by email

[/ su_list]

In the case of authentication using a one-time code, this is sent to the email address of the recipient of the encrypted email. In this respect, the user who opens the e-mail verifies himself as the person who originally received it and is authorized to do so.

You can find more information about opening encrypted emails here:

Implementation and configuration


If your Office 365 plan does not yet contain Office 365 Message Encryption or if you need additional functions, you must first buy an Azure Information Protection Premium plan. You do this in the Microsoft 365 admin center. If your Office 365 plan already contains the necessary functionalities, simply skip this step.

Enable Azure Information Protection (AIP)

in the Azure portal you are now looking forAzure Information Protection and select the service. Under the pointProtective activation must the Protection status active ring.

Enable Azure Rights Management (RMS)

Now make sure that Azure Rights Management is activated. You can either use the Microsoft 365 admin center to RMS search and Azure rights management settings select or follow this link.

Creation and modification of designations and guidelines

Azure Information Protection already brings predefined guidelines with himself. These are partly configurable and partly fixed as they are hardwired with other functions. The following two names are predefined and can therefore only be viewed when creating rules for applying protection:

[su_list icon = "icon: angle-right"]

  • Encrypt only
  • Do Not Forward

[/ su_list]

Under Azure> Azure Information Protection> Designations become new Designations created or existing ones modified or deleted:

The Action taken when the label is applied:

[su_list icon = "icon: angle-right"]

  • Not configured (quick deactivation of a policy if necessary; no solution for productive operation)
  • Protect (Encrypt)
  • Remove protection (decrypt)

[/ su_list]

Likewise, a intelligent classification for the industries Finance, Medicine and healthcare and privacy If, for example, credit card information is identified in an email, a selected designation can automatically be applied. However, this requires an additional license (AIP P2).

After completing the configuration, the new names can be included in a guidelineso that they can be actively used. Under Azure> Azure Information Protection> Policies this can be done.

You need one comprehensive implementation and configuration?

Rules for encryption and decryption for Exchange Online

Rules and conditions for labeling and thus encrypting e-mails can be configured in the Office 365 Exchange admin center. This is where you get over Microsoft 365 admin center > Admin centers > Exchange. Under the menu item Message flow rules are executed and created with which the use of encryption can be activated and deactivated:

About the plus+ new rules are created.

Prices and availability

In Office 365 E3 and E5, Microsoft E3 and E5, Office 365 A1, A3 and A5, and Office 365 G3 and G5 is Office 365 Message Encryption for Office 365 already an integral part. No new licenses need to be purchased to use the basic encryption capabilities. If you have Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Office 365 Business Essentials, Office 365 Business Premium or Office 365 Enterprise E1, you can get one Azure Information Protection plan purchase to implement the service: