IT Partner

Building a future with Microsoft Cloud Technologies

Office 365 Encrypted Email - Initial Setup

category by product:
category by type:
  • Duration: 1 day;
  • Price: $450;

Office 365 uses encryption in two ways: in the service, and as a customer control. In the service, encryption is used in Office 365 by default. If you want to increase security level of messaging and protect extremly sensitive data we will provide implementation service to email encryption and rights protection capabilities.

  1. IT Partner is responsible for
  2. Client is responsible for
  3. Out of the scope of this project (additional cost items)
  4. Prerequisites
  5. Plan
  6. Results
  7. Relevant articles

Microsoft provides three email encryption options for your Office 365. IT Partner will be able to implement any of them. You might compare the options shown below. Also please check the YouTube video explanation.

Office 365 Message Encryption Information Rights Management in Exchange OnlineS/MIME for message signing and encryption
What is it?
Office 365 Message Encryption (OME) is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail,, etc.).
As an admin, you can set up transport rules that define the conditions for encryption. When a user sends a message that matches a rule, encryption is applied automatically.
To view encrypted messages, recipients can either get a one-time passcode, sign in with a Microsoft account, or sign in with a work or school account associated with Office 365. Recipients can also send encrypted replies. They don’t need an Office 365 subscription to view encrypted messages or send encrypted replies.
IRM is an encryption solution that also applies usage restrictions to email messages. It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people.
IRM capabilities in Office 365 use Azure Rights Management (Azure RMS).
S/MIME is a certificate-based encryption solution that allows you to both encrypt and digitally sign a message. The message encryption helps ensure that only the intended recipient can open and read the message. A digital signature helps the recipient validate the identity of the sender.
Both digital signatures and message encryption are made possible through the use of unique digital certificates that contain the keys for verifying digital signatures and encrypting or decrypting messages.
To use S/MIME, you must have public keys on file for each recipient. Recipients have to maintain their own private keys, which must remain secure. If a recipient’s private keys are compromised, the recipient needs to get a new private key and redistribute public keys to all potential senders.
What does it do?
Encrypts messages sent to internal or external recipients.
Allows users to send encrypted messages to any email address, including, Yahoo! Mail, and Gmail.
Allows you, as an admin, to customize the email viewing portal to reflect your organization’s brand.
Microsoft securely manages and stores the keys, so you don’t have to.
No special client side software is needed as long as the encrypted message (sent as an HTML attachment) can be opened in a browser.
Uses encryption and usage restrictions to provide online and offline protection for email messages and attachments.
Gives you, as an admin, the ability to set up transport rules or Outlook protection rules to automatically apply IRM to select messages.
Lets users manually apply templates in Outlook or Outlook Web App.
S/MIME addresses sender authentication with digital signatures, and message confidentiality with encryption.
What does it not do?
OME doesn’t let you apply usage restrictions to messages. For example, you can’t use it to stop a recipient from forwarding or printing an encrypted message.
Some applications may not support IRM emails on all devices. For more information about these and other products that support IRM email, see Client device capabilities.
S/MIME doesn’t allow encrypted messages to be scanned for malware, spam, or policies.
Recommendations and example scenarios
We recommend using OME when you want to send sensitive business information to people outside your organization, whether they’re consumers or other businesses. For example:
A bank employee sending credit card statements to customers
A doctor’s office sending medical records to a patient
An attorney sending confidential legal information to another attorney
We recommend using IRM when you want to apply usage restrictions as well as encryption. For example:
A manager sending confidential details to her team about a new product applies the “Do Not Forward” option.
An executive needs to share a bid proposal with another company, which includes an attachment from a partner who is using Office 365, and require both the email and the attachment to be protected.
We recommend using S/MIME when either your organization or the recipient’s organization requires true peer-to-peer encryption.
S/MIME is most commonly used in the following scenarios:
Government agencies communicating with other government agencies
A business communicating with a government agency

Our objective is to enable Email Encryption in your Office 365 tenant and provide instruments to control sensitive data with flexible policies or ad hoc customer controls that are built into Office 365.

An implementation project will be considered successful when you:

  1. send encrypted emails from any device,
  2. easily navigate through encrypted messages,
  3. deliver encrypted email directly to recipients’ inboxes
  4. decrypt and read encrypted email with confidence, without installing client software.
  5. enjoy simplified user management that eliminates the need for certificate maintenance.

IT Partner is responsible for

  • Setup Email Encryption in Office 365
  • Creating mail flow rules that define the conditions for encryption
  • Bring your own key (BYOK) settings if needed

Client is responsible for

  • Provide a dedicated point of contact responsible for working with IT Partner. Coordinate any outside vendor resources and schedules.
  • Configure all networking equipment such as load balancers, routers, firewalls, and switches.
  • Set up and configure the email client(s) on end-user devices

Out of the scope of this project (additional cost items)

  • Mailbox migration to Office 365 (Exchange Online)
  • AD & group policy settings

Upon completion of the engagement, we will provide a Project Closeout Report. This document will indicate final project status including evidence of meeting acceptance criteria, outstanding issues and final budget. If you want more extensive documentation – this can be provided for an additional fee.


  • You must have global admin level access to the source Office 365 tenant.
  • You must have global admin level access to the destination Office 365 tenant with Exchange Online licenses available.

To use the new OME capabilities, you need one of the following plans:

  • Office 365 Message Encryption is offered as part of Office 365 E3 and E5, Microsoft E3 and E5, Office 365 A1, A3, and A5, and Office 365 G3 and G5. Customers do not need additional licenses to receive the new protection capabilities powered by Azure Information Protection.
  • You can also add Azure Information Protection Plan 1 to the following plans to receive the new Office 365 Message Encryption capabilities: Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Office 365 Business Essentials, Office 365 Business Premium, or Office 365 Enterprise E1.
  • Each user benefiting from Office 365 Message Encryption needs to be licensed to be covered by the feature.
  • For the full list see the Exchange Online service descriptions for Office 365 Message Encryption.


May vary depending on your needs.

  1. Kickoff meeting.
  2. Pre implementation system health check.
  3. Сonfiguring OME and additional tools.
  4. Setting up an Exchange Online Transport Rules.
  5. Verify email encryption.
  6. Post implementation tasks.


You will be able to use Office 365 Message Encryption (OME) capabilities that protect your mails and mail flow rules that define the conditions for encryption. Your email recipients would be able to receive and reply to your secure emails using any device with any email client.

Relevant articles

  1. Office 365 Message Encryption FAQ
  2. Office 365 Message Encryption
  3. Email encryption in Office 365

Do you have questions? Want to discuss your project? Please schedule a call back.

Request a call back