Office 365 Message Encryption Policies

In my last post, I walked through the process of enabling Office 365 Message Encryption in your Office 365 tenant. In this post I’ll walk through the process of creating the actual policies that perform the message encryption.

There are two ways to create rules that will encrypt messages.

  • A Transport Rule
  • A Data Loss Prevention Policy

Transport Rule
A transport rule is probably the simplest way to encrypt a message. I typically use a transport rule to manually force encryption using a ‘keyword’ in the subject of outgoing messages. The rule I create will encrypt the message if the word “Secure” is in the subject line and the message is being sent outside the organization. I also want to ensure the rule uses Office 365 Message Encryption rather than any other encryption option.

Log in to the Exchange Admin Center and go to mail flow and rules. Select + to create a new Transport rule. At the bottom click More options. This will allow us to select the more detailed conditions and add more than one condition to the Transport rule.

Assign a name to the Transport Rule. I’ve named my rule Keyword Message Encryption.

In the Apply this rule section, create the conditions that you want to trigger the policy. In this example the two conditions I want are: the subject includes the word ‘Secure’, and the recipient is located outside the organization.

The Do the following section is where we set the rule to encrypt the messages. To have the rule encrypt the message using Office 365 Message Encryption, select Modify the message security and choose Apply Office 365 Message Encryption.

We can use PowerShell to create the transport rule.
[PS] C:\> New-TransportRule "Keyword Message Encryption" -SubjectContainsWords "Secure" -SentToScope "NotInOrganization" -ApplyOME $true

Data Loss Prevention Policy
We can use a DLP policy to ensure that any messages sent out containing sensitive information are automatically encrypted, even if we forget to use our keyword. For my rule, I want to ensure that any messages that include an SSN or credit card number are automatically encrypted. I also want to create an exception so that if I use the keyword ‘Unencrypt’ in the subject, the message is sent in the clear. And as before, I want to use Office 365 Message Encryption.

Log in to the EAC and go to compliance management and data loss prevention. Select + and New Custom DLP Policy to create a new DLP rule.

Name the policy and choose whether it’s enabled or not and how to implement the policy. I’ve named mine ‘Auto Encrypt for SSN and CC’. I’ve enabled the policy and selected Enforce.

We need to Save the new policy and then edit the policy to create the rules. Select the pencil icon with the newly created policy selected.

Select rules on the left and select + and create a new rule.

I’ve named the new rule ‘SSN and Credit Card’. Select More options at the bottom of the page; this will allow us to create the encryption action later. Apply this rule if should be changed to The message contains any of these sensitive information types. We then need to choose the sensitive information types we want to include. Select + and choose Credit Card Number and U.S. Social Security Number (SSN), then hit OK and then OK again.

Under Do the following we should choose Modify the message security and Apply Office 365 Message Encryption.

Under Except if, choose add exception. Select The subject or body, and then subject includes any of these words. Specify the keyword ‘Unencrypt’.

Save the rule. And then Save the Policy.

Now any messages that are sent containing an SSN or credit card number will be encrypted.
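The same DLP policy and rule built from PowerShell, as an added example that is not from the original post. It assumes an existing Exchange Online PowerShell session and the classic Exchange DLP cmdlets (New-DlpPolicy, and New-TransportRule with -DlpPolicy), where a DLP rule is a transport rule bound to its policy.

```powershell
# Added example (not from the original post): recreate the EAC steps above from
# Exchange Online PowerShell. Assumes you are already connected to Exchange Online.
$policyName = 'Auto Encrypt for SSN and CC'
$ruleName   = 'SSN and Credit Card'

# 1. The policy container: enabled, and in Enforce mode rather than Audit.
if (-not (Get-DlpPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-DlpPolicy -Name $policyName -State Enabled -Mode Enforce | Out-Null
}

# 2. The rule inside the policy. Sensitive information types are passed as
#    hashtables; the names match the ones picked in the EAC above.
#    Exception: a subject containing 'Unencrypt' sends the message in the clear.
$sensitiveTypes = @(
    @{ Name = 'Credit Card Number' },
    @{ Name = 'U.S. Social Security Number (SSN)' }
)

New-TransportRule -Name $ruleName `
    -DlpPolicy $policyName `
    -MessageContainsDataClassifications $sensitiveTypes `
    -ApplyOME $true `
    -ExceptIfSubjectContainsWords 'Unencrypt' `
    -Mode Enforce

# 3. Verify: list every rule that applies or removes OME together with its
#    conditions and exceptions, so a reviewer can confirm that the subject
#    keyword is the only exception on the DLP rule and that it is enforced.
Get-TransportRule |
    Where-Object { $_.ApplyOME -or $_.RemoveOME } |
    Select-Object Name, Priority, State, Mode, DlpPolicy, SentToScope,
                  ApplyOME, RemoveOME, SubjectContainsWords,
                  ExceptIfSubjectContainsWords |
    Format-Table -AutoSize
```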

Finally, Office 365 Message Encryption uses an Encryption Portal to control the encrypted messages. To view and reply to messages encrypted by Office 365, you need to log in to the portal. Some tenants may not want their users to have to do this. To remove this requirement and have the messages show up in the users’ inboxes, we can create an additional transport rule to remove encryption. It is important to note that we can only decrypt messages that originated inside the organization, or that are replies to messages that originated inside the organization. Encrypted messages that originated outside the organization cannot be decrypted, and the Encryption Portal will have to be used for those.

The new transport rule will follow the same process as above, but with some rule changes.

I’ve named my rule ‘Decrypt inbound Office 365 message encryption’. Apply this rule if the message recipient is located Inside the organization. Under Do the following, choose Modify the message security and Remove Office 365 Message Encryption. Save the rule and you should be set.

We can use PowerShell to create this rule.
[PS] C:\> New-TransportRule "Decrypt inbound Office 365 message encryption" -SentToScope "InOrganization" -RemoveOME $true