Revoke email encrypted by Advanced Message Encryption

Email revocation is offered as part of Microsoft Purview Advanced Message Encryption. Microsoft Purview Advanced Message Encryption is included in Microsoft 365 Enterprise E5, Office 365 E5, Microsoft 365 E5 (Nonprofit Staff Pricing), Office 365 Enterprise E5 (Nonprofit Staff Pricing), and Office 365 Education A5. To use the Advanced Message Encryption revocation and expiration functions, enable the Premium Encryption in Office 365 option in your E5 license.

If your organization has a subscription that does not include Microsoft Purview Advanced Message Encryption, you can purchase it with the Microsoft 365 E5 Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), or the Office 365 Advanced Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), or Office 365 SKUs.

This article is part of a larger series of articles about Microsoft Purview Message Encryption.

If a message was encrypted using Microsoft Purview Advanced Message Encryption, and you are a Microsoft 365 admin or you are the sender of the message, you can revoke the message under certain conditions. Admins revoke messages using PowerShell. As a sender, you revoke a message that you sent directly from Outlook on the web. This article describes the circumstances under which revocation is possible and how to do it.

Note

To guarantee that the ability to track and revoke encrypted messages is available, you must add a custom branding template. See Add your organization's brand to your encrypted messages

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Encrypted emails that you can revoke

Admins and message senders can revoke encrypted emails if the recipient received a link-based, branded encrypted email. If the recipient received a native inline experience in a supported Outlook client, then you can't revoke the message.

Whether a recipient receives a link-based experience or an inline experience depends on the recipient identity type: Microsoft 365 and Microsoft account recipients (for example, outlook.com users) get an inline experience in supported Outlook clients. All other recipient types, such as Gmail and Yahoo recipients, get a link-based experience.

Admins and message senders can revoke messages that are encrypted using encryption applied directly from Outlook on the web. For example, messages encrypted with the Encrypt Only option.

Screenshot showing Encrypt Only option in Outlook on the web.

Recipient experience for revoked encrypted emails

Once an email has been revoked, the recipient receives an error when they access the encrypted email through the encryption portal: "The message has been revoked by the sender".

Screenshot that shows a revoked encrypted email.

How to revoke an encrypted message that you sent

You can revoke a mail that you sent to a single recipient that uses a social account such as gmail.com or yahoo.com. In other words, you can revoke an email sent to a single recipient that received the link-based experience.

You cannot revoke a mail that you sent to a recipient that uses a work or school account from Microsoft 365 or a user that uses a Microsoft account, for example, an outlook.com account.

To revoke an encrypted message that you sent, complete these steps

  1. In Outlook on the web, in your Sent folder, browse to the message you want to revoke.

    If the mail is revocable, you'll see the "Remove external access" link at the top of the message.

    Screenshot showing encrypted mail that you want to revoke in Outlook on the web.

  2. Click Remove external access to revoke the message.

    The message shows that its status is revoked.

    Screenshot showing revoked encrypted message in Outlook on the web.

How to revoke an encrypted message as an administrator

Microsoft 365 administrators follow these general steps to revoke an eligible encrypted email:

  • Get the Message ID of the email.
  • Verify that you can revoke the message.
  • Revoke the mail.

Step 1: Obtain the Message ID of the email

Before you can revoke an encrypted mail, gather the Message ID of the mail. The MessageId is usually of the format:

<xxxxxxxxxxxxxxxxxxxxxxx@xxxxxx.xxxx.prod.outlook.com>

There are multiple ways to find the Message ID of the email that you want to revoke. This section describes a couple of options, but you can use any method that provides the ID.

To identify the Message ID of the email you want to revoke by using Message Trace in the Microsoft Purview compliance portal

  1. Search for the email by sender or recipient using New Message Trace in Microsoft Purview compliance portal.

  2. Once you've located the email, select it to bring up the Message trace details pane. Expand More Information to locate the Message ID.

To identify the Message ID of the email you want to revoke by using Message Encryption reports in the Microsoft Purview compliance portal

  1. In the Microsoft Purview compliance portal, navigate to the Message encryption report. For information on this report, see View email security reports in the Security & Compliance Center.

  2. Choose the View details table and identify the message that you want to revoke.

  3. Double-click the message to view details that include the Message ID.

Step 2: Verify that the mail is revocable

To verify whether you can revoke a message, check whether the Revocation Status field is visible in the Encryption report, in the Details table in the Microsoft Purview compliance portal.

To verify whether you can revoke a particular email message by using Windows PowerShell, complete these steps.

  1. Using a work or school account that has global administrator permissions in your organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see Connect to Exchange Online PowerShell.

  2. Run the Get-OMEMessageStatus cmdlet as follows:

    Get-OMEMessageStatus -MessageId "<message id>" | ft -a  Subject, IsRevocable
    

    This command returns the subject of the message and whether the message is revocable. For example,

    Subject        IsRevocable
    -------        -----------
    "Test message" True
    

Step 3: Revoke the mail

Once you know the Message ID of the email you want to revoke, and you have verified that the message is revocable, you can revoke the email using the Microsoft Purview compliance portal or Windows PowerShell.

To revoke the message using the Microsoft Purview compliance portal

  1. Using a work or school account that has global administrator or compliance administrator permissions in your organization, connect to the Microsoft Purview compliance portal.

  2. In the Encryption report, in the Details table for the message, choose Revoke message.

To revoke an email by using Windows PowerShell, use the Set-OMEMessageRevocation cmdlet.

  1. Using a work or school account that has global administrator, compliance administrator, or Exchange administrator permissions in your organization, connect to Exchange Online PowerShell.

  2. Run the Set-OMEMessageRevocation cmdlet as follows:

    Set-OMEMessageRevocation -Revoke $true -MessageId "<messageId>"
    
  3. To check whether the email was revoked, run the Get-OMEMessageStatus cmdlet as follows:

    Get-OMEMessageStatus -MessageId "<messageId>" | ft -a  Subject, Revoked
    

    If revocation was successful, the cmdlet returns the following result:

    Revoked: True
    

More information about Microsoft Purview Advanced Message Encryption