Examine Microsoft Purview Message Encryption

Microsoft built Purview Message Encryption on Microsoft Azure Rights Management (Azure RMS). Azure RMS is part of Microsoft Entra ID Protection.

Note

Azure Active Directory (Azure AD) is now Microsoft Entra ID.

Microsoft Purview Message Encryption includes encryption, identity, and authorization policies to help organizations secure their email. They can encrypt messages by using:

  • Rights Management templates. These default templates make it easy for organizations to immediately start protecting their sensitive data. Organizations can use these templates with Microsoft Entra ID Protection labels, or by themselves with applications and services that can use Rights Management templates. The system automatically creates two default templates for an organization's tenant when the organization obtains a subscription for either:
    • Microsoft Entra ID Protection
    • Microsoft 365 that includes Azure Rights Management
    These templates restrict access to authorized users in the organization. They allow offline access for seven days and don't have an expiration date. Organizations can also create their own custom templates.
  • Do Not Forward option. When the system applies this option to an email message, the email is encrypted. This process forces the recipients to authenticate. Recipients can't forward the message, print it, or copy from it.
  • Encrypt-only option. This option enables organizations to encrypt data without other restrictions. The recipients have all usage rights except Save As, Export and Full Control. This combination of usage rights means the recipients have no restrictions except that they can't remove the protection.

Additional reading. For more information on these encryption features, including the permissions assigned to Rights Management templates, see Configure usage rights for Microsoft Entra ID Protection.

Users can encrypt email messages and various attachments by using these options. Administrators can define mail flow rules to apply this protection. For example, an administrator can create mail flow rules that:

  • Require the encryption of all messages addressed to a specific recipient.
  • Require the encryption of all messages that contain specific words in the subject line.
  • Restrict recipients from copying or printing the contents of the message.
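The mail flow rules described above can be created from Exchange Online PowerShell. The following is an added example, not part of the original page; it assumes the ExchangeOnlineManagement module and an Exchange administrator account, and the addresses, subject keywords, and rule names are constructed placeholders. Rules start in audit mode so their matches can be reviewed before enforcement.

```powershell
# Added example: all addresses, keywords and rule names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# 1. Mail flow rules can only apply encryption if Azure RMS licensing is on.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure RMS licensing is disabled; rules cannot apply encryption.'
}

# 2. List the templates the tenant exposes and confirm that the names
#    used below ("Encrypt", "Do Not Forward") are present.
Get-RMSTemplate

# 3. Rule A: encrypt every message addressed to one specific recipient
#    (Encrypt-only: no usage restrictions beyond keeping the protection).
New-TransportRule -Name 'PME - encrypt mail to partner contact' `
    -SentTo 'recipient@partner.example' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Audit

# 4. Rule B: messages whose subject contains a keyword get Do Not Forward,
#    so recipients cannot forward, print, or copy the content.
New-TransportRule -Name 'PME - do not forward on subject keyword' `
    -SubjectContainsWords 'Confidential', 'Board Minutes' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Mode Audit

# 5. Show every rule that applies rights protection, with its current mode.
function Get-PmeRule {
    Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate }
}
Get-PmeRule | Format-Table Name, State, Mode, ApplyRightsProtectionTemplate

# 6. Call this only after reviewing what the audit-mode rules matched.
function Enable-PmeRule {
    Get-PmeRule | Where-Object { $_.Name -like 'PME - *' } | ForEach-Object {
        Set-TransportRule -Identity $_.Name -Mode Enforce
    }
}
```

In audit mode the rule's matches are logged but the message is delivered unencrypted, so sensitive mail stays unprotected until `Enable-PmeRule` is run.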

The predecessor to Microsoft Purview Message Encryption was Office 365 Message Encryption (OME). Unlike OME, Microsoft Purview Message Encryption provides a unified sender experience whether you're sending mail inside your organization or to recipients outside of Microsoft 365. In addition, recipients who receive a protected email message sent to a Microsoft 365 account in Outlook 2016 or Outlook on the web don't have to take any other action to view the message. It works seamlessly. Recipients using other email clients and email service providers also have an improved experience.

Additional reading. For a detailed list of the differences between OME and Microsoft Purview Message Encryption, see Compare versions of message encryption.

Microsoft 365 invokes Microsoft Purview Message Encryption if someone sends an email message that matches a mail flow rule. Microsoft Purview Message Encryption then encrypts the message before the system sends it.

All Microsoft 365 end users that use Outlook clients to read mail receive native, first-class reading experiences for encrypted and rights-protected mail. And they do so even if they aren't in the same organization as the sender. Supported Outlook clients include:

  • Outlook desktop
  • Outlook Mac
  • Outlook mobile on iOS and Android
  • Outlook on the web (formerly known as Outlook Web App)

Recipients who receive encrypted or rights-protected mail sent to their Outlook.com, Gmail, and Yahoo accounts receive a wrapper mail. This message directs them to the message encryption portal, where they can authenticate using Microsoft account, Gmail, or Yahoo credentials.

End users can read encrypted or rights-protected mail on clients other than Outlook. When doing so, they can also use the message encryption portal to view encrypted and rights-protected messages that they receive.

Sending, viewing, and replying to encrypted email messages

With Microsoft Purview Message Encryption, users can send encrypted email from Outlook and Outlook on the web clients. Additionally, admins can set up mail flow rules in Microsoft 365 to automatically encrypt emails based on keyword matching or other conditions.

Employees in an organization who receive encrypted messages can read those messages seamlessly in any version of Outlook, including:

  • Outlook for PC
  • Outlook for Mac
  • Outlook on the web
  • Outlook for iOS
  • Outlook for Android

Users who receive encrypted messages on other email clients can view the messages in the message encryption portal.

For detailed guidance about how to send and view encrypted messages, see the following articles.

| Read this article... | If you are... |
| --- | --- |
| Learn about protected messages in Office 365. | An end user who wants to learn more about how encrypted messages work and what options are available to you. |
| How do I open a protected message? | An end user who wants to read a protected message that you received. This article includes information about reading messages in several versions of Outlook and from different email accounts. They include accounts outside of Microsoft 365, such as Gmail and Yahoo! accounts. |
| Send, view, and reply to encrypted messages in Outlook. | An end user who wants to send, view, or reply to an encrypted message from Outlook. Even if you're not a member of an organization, you still receive notification of encrypted messages sent to you in Outlook. Use this article for instructions on how to view and reply to encrypted messages sent from Microsoft 365. |
| Send a digitally signed or encrypted message. | An end user who wants to send, view, or reply to encrypted messages using Outlook for Mac. This article also covers using encryption methods other than Microsoft Purview Message Encryption, such as S/MIME. |
| View encrypted messages on your Android device. | An end user who received a message encrypted with Microsoft Purview Message Encryption on your Android device. You can use the free OME Viewer app to view the message and send an encrypted reply. This article explains how. |
| View encrypted messages on your iPhone or iPad. | An end user who received a message encrypted with Microsoft Purview Message Encryption on your iPhone or iPad. You can use the free OME Viewer app to view the message and send an encrypted reply. This article explains how. |