Encrypting Emails from Anywhere!

***If you would like to help shape the future of OME, please fill out the survey at https://aka.ms/OMESurvey***

The Situation:

So, you recently purchased Microsoft 365 E3/E5 (or EMS E3/E5) and have started rolling out your pilot of Azure Information Protection. Everything is going great until one of your executives approaches you and wants to know how to protect emails from their phone/tablet while they are relaxing on the beach. You could always just hand them a shiny new Surface Pro with Office 365 Pro Plus, but they mentioned that sometimes they send emails while they are in the water (hey, I do that too!) and Surface Pros aren't super tiny and waterproof (yet). So, you need a different solution that will quickly enable said executive to classify and protect their emails right from their portable device.

The Solution:

The solution to this conundrum comes in the form of the new Office 365 Encrypt functionality and Exchange Online Mail Flow Rules (the feature formerly known as Exchange Transport Rules or ETRs).  By using a mail flow rule, you can allow your executives (and everyone else) to automatically encrypt emails and supported attachments by simply adding a keyword like #Encrypt to the bottom of their message.  I will walk you through this process in the rest of this post.

The Mail Flow Rule

We will now set up a super simple mail flow rule to accomplish this task.  Follow the steps below to set up your mail flow rule.

  1. Log into https://outlook.office365.com/ecp/ as either an Office 365 Global Admin or Exchange Admin
  2. On the left side, click mail flow
  3. This will default to the rules pane
  4. In the rules pane, click the + (New) icon and click Create a new rule...
  5. In the new rule pane, name the rule #Encrypt and click the More options... link
  6. After clicking More options..., select the drop-down under *Apply this rule if..., hover over The subject or body..., and select subject or body includes any of these words
  7. In the specify words or phrases dialog, add #Encrypt (and optionally #ENC), then press OK once finished
  8. Click the drop-down below *Do the following..., hover over Modify the message security..., and click Apply Office 365 Message Encryption and rights protection
  9. In the select RMS template dialog, click the drop-down below RMS template: and select Encrypt and click OK
  10. The completed rule should look like the image below. Click Save to finish creating the mail flow rule.


That's it!  Now that you have completed these steps, you have a keyword (#Encrypt) that you can use for mobile devices and any other clients that do not currently support the Encrypt Only protection template natively.  Hopefully this is helpful to get you set up to use the new Encrypt functionality.  Let me know in the comments if there is anything you didn't understand.
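The same rule can also be created from Exchange Online PowerShell, which is useful for reviewing or re-creating it later. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, and the admin address is a placeholder.

```powershell
# Added example: scripted equivalent of portal steps 1-10.
# Assumption: ExchangeOnlineManagement module is installed; the UPN below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$ruleName = '#Encrypt'
$keywords = '#Encrypt', '#ENC'   # #ENC is the optional second keyword from step 7
$template = 'Encrypt'            # the template selected in step 9

# The rule cannot protect anything if the template is not available to the tenant.
$rms = Get-RMSTemplate | Where-Object { $_.Name -eq $template }
if (-not $rms) {
    throw "RMS template '$template' was not found; check the tenant's message encryption setup."
}

# Same condition and action as the portal rule.
$settings = @{
    SubjectOrBodyContainsWords    = $keywords
    ApplyRightsProtectionTemplate = $template
}

# Create the rule on the first run, update it in place on later runs.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Set-TransportRule -Identity $existing.Guid.ToString() @settings
} else {
    New-TransportRule -Name $ruleName @settings
}

# Show what was saved so it can be compared with the intended configuration.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, Priority, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate

Disconnect-ExchangeOnline -Confirm:$false
```

Check that the output shows the rule as enabled with both keywords and the Encrypt template before telling users the keyword is live.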



***Author's Note***

I know that the original version of this post included the setup of a unified classification label that can be used across any Office version. It was brought to my attention that this was confusing, so I have broken that information out into its very own blog post! Please see my new blog post at https://blogs.technet.microsoft.com/kemckinn/2018/07/19/using-encrypt-only-even-on-older-office-versions for that information (currently in development).