Explore Microsoft Purview Advanced Message Encryption

10 minutes

Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Advanced Message Encryption in Microsoft 365, you can:

Control sensitive emails shared outside the organization with automatic policies.
Track those activities through the encrypted message portal access logs.
Configure these policies to identify sensitive information types such as customer information, financial information, health IDs, and so on.
Use keywords to enhance protection.

Once you configure the policies, you pair them with custom branded email templates. You can then add an expiration date for extra control of emails that fit the policy. Admins can further control encrypted emails accessed externally through a secure web portal. They can do so by revoking access to the mail at any time.

Note

You can only revoke and set an expiration date for emails sent to external recipients.

To use Microsoft Purview Advanced Message Encryption, an organization must have:

A subscription that includes Microsoft Purview Advanced Message Encryption.
Microsoft Purview Message Encryption already set up.

The key features in Microsoft Purview Advanced Message Encryption include:

Create multiple branding templates.
Revoke encrypted email.
Set an expiration date for encrypted email.

The following sections examine these features.

Multiple branding templates

Microsoft Purview Advanced Message Encryption doesn't limit you to a single branding template. Instead, you can create and use multiple branding templates. Adding custom branding also lets you enable tracking a revocation of encrypted messages. When you use custom branding, external recipients receive a notification email that contains a link to the message encryption portal. The mail flow rule determines which branding template the notification email and Microsoft Purview Message Encryption portal uses. This way, users can't send secure content outside their organization.

If you have Microsoft Purview Advanced Message Encryption, you can create custom branding templates for your organization by using the New-OMEConfiguration cmdlet. Once you create the template, you must use the Set-OMEConfiguration cmdlet to modify it. You can create multiple templates.

To create a new custom branding template:

Using a Microsoft 365 account that has Global Administrator permissions, start a Windows PowerShell session and connect to Exchange Online.
Use the New-OMEConfiguration cmdlet to create a new template.
```
New-OMEConfiguration -Identity "{OMEConfigurationName}"
```
For example:

New-OMEConfiguration -Identity "Custom branding template"

Revoke encrypted email

You can control sensitive emails shared outside the organization and enhance protection by revoking access through a secure web portal to encrypted emails. You can only revoke messages that users receive through the message encryption portal. In other words, email that has a custom branding template applied.

Let's assume a message was encrypted using Microsoft Purview Advanced Message Encryption. Either a Microsoft 365 administrator or the sender of the message can revoke the message under certain conditions:

Microsoft 365 administrators can revoke messages using PowerShell.
The sender can revoke a message if they sent it directly from Outlook on the web.
Administrators and message senders can revoke encrypted emails if the recipient received a link-based, branded encrypted email. If the recipient received a native inline experience in a supported Outlook client, then they can't revoke the message.

Whether a recipient receives a link-based experience or an inline experience depends on the recipient identity type:

Office 365 and Microsoft account recipients (for example, outlook.com users) get an inline experience in supported Outlook clients.
All other recipient types, such as Gmail and Yahoo recipients, get a link-based experience.

Administrators and message senders can revoke messages that are encrypted using encryption applied directly from Outlook on the web. For example, messages encrypted with the Encrypt Only option appear similar to the following screenshot.

Screenshot showing Encrypt Only option in Outlook on the web.

How to revoke an encrypted message that you sent

You can revoke an email that you sent to a single recipient that uses a social account such as gmail.com or yahoo.com. In other words, you can revoke an email sent to a single recipient that received the link-based experience.

You can't revoke an email that you sent to a recipient that uses either:

A work or school account from Office 365 or Microsoft 365.
A Microsoft account, such as an outlook.com account.

To revoke an encrypted message that you sent, complete the following steps:

In Outlook on the web, in your Sent folder, browse to the message you want to revoke.
If the mail is revocable, the Remove external access link appears at the top of the message. Select this link to revoke the message.
The message shows that its status is revoked.

Recipient experience for revoked encrypted emails

Once you revoke an email, the recipient receives the following error when they access the encrypted email through the Microsoft Purview Message Encryption portal: The message has been revoked by the sender.

Screenshot showing the error that a recipient receives when they access a revoked encrypted email.

Set an expiration date for email encrypted by Microsoft Purview Advanced Message Encryption

You can use message expiration on emails that your users send to external recipients who use the Microsoft Purview Message Encryption portal to access encrypted emails. Recipients must use the Microsoft Purview Message Encryption portal to view and reply to encrypted emails sent by your organization. They do so using a custom branded template that specifies an expiration date in Windows PowerShell.

As a Microsoft 365 Global Administrator, when you apply your company brand to customize the look of your organization's email messages, you can also specify an expiration for these email messages. With Microsoft Purview Advanced Message Encryption, you can create multiple templates for encrypted emails that originate from your organization. Using a template, you can control how long recipients have access to mail sent by your users.

When an end user receives mail that has an expiration date set, the user sees the expiration date in the wrapper email. If a user tries to open an expired mail, an error appears in the message encryption portal.

You can only set expiration dates for emails to external recipients.

With Microsoft Purview Advanced Message Encryption, anytime you apply custom branding, Microsoft 365 applies the wrapper to email that fits the mail flow rule to which you apply the template. In addition, you can only use expiration if you use custom branding.

Create a custom branding template to force mail expiration by using PowerShell

Connect to Exchange Online PowerShell using a Microsoft 365 account with Global Administrator permissions.
Run the New-OMEConfiguration cmdlet.
```
New-OMEConfiguration -Identity "Expire in 7 days" -ExternalMailExpiryInDays 7
```
Where:
- Identity is the name of the custom template.
- ExternalMailExpiryInDays identifies the number of days that recipients can keep mail before it expires. You can use any value between 1–730 days.

Ensure all external recipients use the message encryption portal to read encrypted mail

Organizations can use custom branding templates to force recipients to receive a wrapper mail that directs them to read encrypted email in the Microsoft Purview Message Encryption portal. The templates force them to use the portal instead of Outlook or Outlook on the web. Organizations may want to take this action if they want greater control over how recipients use the mail they receive.

For example, if external recipients view email in the web portal, you can set an expiration date for the email, and you can revoke the email. Only the Microsoft Purview Message Encryption portal supports these features. You can use the Encrypt option and the Do Not Forward option when creating the mail flow rules.

Complete the following steps to use a custom template to force all external recipients to use the message encryption portal and for encrypted email:

Connect to Exchange Online PowerShell using a Microsoft 365 account with Global Administrator permissions.
Run the New-TransportRule cmdlet:
```
New-TransportRule -name "{mail flow rule name}" -FromScope "InOrganization" -ApplyRightsProtectionTemplate "{option name}" -ApplyRightsProtectionCustomizationTemplate "{template name}"
```
Where:
- {mail flow rule name} is the name you want to use for the new mail flow rule.
- {option name} is either Encrypt-Only or Do Not Forward.
- {template name} is the name you gave the custom branding template; for example, Message Encryption Configuration.
For example, to encrypt all external email with the "Message Encryption Configuration" template and apply the Encrypt-Only option:
```
New-TransportRule -name "{All outgoing mail}" -FromScope "InOrganization" -ApplyRightsProtectionTemplate "Encrypt" -ApplyRightsProtectionCustomizationTemplate "Message Encryption Configuration"
```
To encrypt all external email with the "Message Encryption Configuration" template and apply the Do Not Forward option:
```
New-TransportRule -name "{All outgoing mail}" -FromScope "InOrganization" -ApplyRightsProtectionTemplate
```

Microsoft Purview Advanced Message Encryption licensing

The following subscriptions include Microsoft Purview Advanced Message Encryption:

Microsoft 365 Enterprise E5
Office 365 E5
Microsoft 365 E5 (Nonprofit Staff Pricing)
Office 365 Enterprise E5 (Nonprofit Staff Pricing)
Office 365 Education A5

If your organization has a subscription that doesn't include Microsoft Purview Advanced Message Encryption, you can purchase it with one of the following add-on's:

Microsoft 365 E5 Compliance SKU add-on for Microsoft 365 E3
Microsoft 365 E3 (Nonprofit Staff Pricing)
Office 365 Advanced Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), Office 365 SKUs,
Microsoft 365 E5/A5 Information Protection and Governance SKU add-on for Microsoft 365 A3/E3

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

Office 365 Advanced Message Encryption offers extra capabilities on top of the standard Office 365 Message Encryption capabilities. Which of the following items is a feature of Office 365 Advanced Message Encryption?

Recipients must view and reply to secure mail through the encrypted message portal

Message revocation and expiration only work for emails that users send to recipients inside their Microsoft 365 organization

Organizations can revoke messages and apply expiration dates to any messages that users receive

You must answer all questions before checking your work.

Continue