Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article provides guidance for Australian Government organizations on the use of Microsoft Purview Message Encryption (PME). Its intent is to help Australian Government organizations to strengthen their approaches to data security. Recommendations in this guide are intended to align with requirements outlined in the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM).
Microsoft Purview Message Encryption is a Microsoft 365 encryption capability built on Azure Rights Management. As with label-based Azure Rights Management encryption (as discussed in Sensitivity label encryption for Australian Government), PME confirms identity through recipient authentication and can control usage via the application of permissions to items.
PME is configured differently to label-based encryption as it applies during transport when configured criteria are met, rather than via sensitivity label application.
For more detailed information on Microsoft Purview Message Encryption, see how message encryption works.
Purview Message Encryption scenarios for Australian Government
Purview Message Encryption provides an alternative method of meeting PSPF requirements for the encryption of information during transmission. These requirements can be found in section 9.3 of the Protective Security Policy Framework (PSPF) and are discussed in Microsoft 365 encryption capabilities for Australian Government.
For most organizations, Transport Layer Security (TLS) based encryption methods discussed in Requiring TLS encryption for email transmission act as the primary method of encrypting email during transmission. Organizations should consider extending protections for security classified items by implementing Sensitivity label encryption, which will ensure encryption both during transmission and at rest.
There are some scenarios that these two encryption methods might have trouble meeting. For example:
Consider a recipient on an external email service that we need to share sensitive information with. This recipient could be a member of the public. We could be unable to guarantee their email platform's security, therefore there's risk that TLS couldn't apply during transmission. Adding their email domain to your organizations RMS permissions could also be risky, particularly if they're utilizing a widely used email domain.
Consider a sensitive or security classified email or email attachment that we need to securely deliver to an external organization. You might not wish to encrypt the item internally, due to its low risk within the organization, but you need to ensure that it's appropriately protected during transmission and that the email content isn't forwarded on to other parties.
Purview Message Encryption provides an alternative method for encrypting email and attachments for transmission.
Configuration to apply PME to email can be applied via Exchange Mail Flow Rules. Any messages matching a configured criteria, such as the item containing a sensitivity label or sensitive information type, can trigger the mail flow rule, which applies a Microsoft Purview Message Encryption template to the email.
Note
Rules applying Purview Message Encryption based on sensitivity label requires use of the GUID-based method of identifying labeled emails.
When recipients receive a PME encrypted email, user experience varies depending on their situation:
In situations where both sender and recipient mailboxes are hosted in Exchange Online, with clients that support Microsoft Purview Message Encryption (including Microsoft 365 Apps, mobile and web-based clients), the encryption process including recipient access to the received email, is seamless. The recipient can receive and view the message as they would any nonencrypted email.
In situations where the recipient isn't using Exchange Online and/or a Microsoft Purview Message Encryption capable email client, rather than receiving a full email message, they receive a wrapper that advises them of their receipt of a protected email and directs them to a Microsoft portal where they can authenticate in order to access the information in a secure manner. These wrapper messages are fully customizable so can be modified to suit your organization..
Authentication for Microsoft Purview Message Encryption for users with external (non-Microsoft 365) identities is handled differently depending on recipient email services. Those with supported external identities, such as those provided by Gmail or Yahoo, will be asked to authenticate via these credentials in order to access the wrapper email and connect to the Microsoft 365 provided portal to access the message. Those with other identities will be required to set up their email address as a Microsoft account (MSA). This Microsoft account will associate a password and other information with the user's email address, which is used for future authentication.
An advantage of Purview Message Encryption is that it helps to ensure confidentially and provides recipients with assurance that their information is being treated securely. For example, HR teams can use of Microsoft Purview Message Encryption when discussing potential employment with a job candidate. Microsoft Purview Message Encryption is useful when discussing sensitive financial matters with a member of the public. Universities and other education providers can utilize Microsoft Purview Message Encryption when corresponding with students regarding academic matters.
The following are use cases for Microsoft Purview Message Encryption that are relevant to Australian Government organizations:
- Application of Microsoft Purview Message Encryption to all emails with a label (for example, OFFICIAL Sensitive), sent to a list of external organizations. This list includes other Government organizations that the organization has formalized agreements with (as per PSPF 2024 Requirement 77).
- Application of Microsoft Purview Message Encryption to emails containing sensitive information (identified via Sensitive Information Type), that are being sent to a list of other non-Government organizations where there's a relationship. Due to these organizations not necessarily requiring to comply with Australian Government security requirements, these environment's status is unknown.
For more information on Microsoft Purview Message Encryption capabilities and potential uses, see Set up Microsoft Purview Message Encryption