I heard a great question today… “there are so many options for sending a secure email using Microsoft technologies… what’s the difference between them and which one is right for me?”
Sidebar: Whether we like it or not, email still accounts for a significant portion of external communication today. Technologies discussed in this post are built to help address the concern organizations have with sharing sensitive information via email.
Office Message Encryption, Advanced Message Encryption, and Sensitivity Labels can all apply a level of encryption and restrictions when sending an email message. To be clear, all 3 technologies use Microsoft’s Azure Rights Management Service as the encryption technology.
Although the documentation I link to for each option above describes the “how to configure” part, this post is answering the “why/when would you use one over the other?” question. Most practitioners are looking for this context and understanding to be able to provide their own guidance on the appropriate technology to choose for any given scenario.
When I heard this question, I remember having the same one when I first discovered the options for sending a secure email. Is there a difference? If so, what are the differences? This post will frame the options to show the commonalities and differences between them.
To lay the groundwork for wanting to have secure email communication, here are typical reasons why securing an email is something organizations want to do:
- avoid data spillage
- limit/eliminate policy violations
- avoid regulatory compliance violations
TLDR? Here’s my thoughts…
It’s not an “or”, it’s an “and/if/when”…
Some factors to consider:
- license available to users sending the secure email (i.e. are you able to auto-apply sensitivity labels with encryption when sensitive information is detected? If so, configure this to remove the reliance on an end-user to manually select the right label)
- end-user cyber-security training (i.e. do you have a governance training program/site? If so, include guidance on “Securely collaborating with external parties using email”)
- level of maturity on the larger Microsoft Information Protection (MIP) program (i.e. have you rolled out sensitivity labels yet? If so, use sensitivity labels to automatically apply encryption to the email and attachments as an additional option)
- your organization’s geo-diversity (i.e. do you require different languages in your OME branded template? If so, look to AME and Exchange mail flow rules to configure them… important: this is basing the template on the sender NOT the recipient)
The overall course of action for sending secure emails should be to work towards defining Sensitivity labels as a bi-product of your organization’s broader information protection strategy program. Here are some places to start:
- Identify and detect the content your organization deems sensitive in nature (“Know your data”)
- Automate the application of sensitivity labels to emails (and files) and apply encryption to them as required while end-users are composing their emails
- Leverage AME (if you have the license) to provide additional controls/branding to the encrypted email’s wrapper (expiry date, revoke email, multiple custom brands, etc.)
- Configure DLP policy rules to detect sensitive information and apply an encryption template
- Configure Exchange mail flow rules to apply OME and your custom-branded template for external recipients for conditions you specify
- Provide end-user cyber security training on knowing what the out-of-the-box and custom templates will provide for them and when to apply them to their emails as a final last-line-of-defense for securing email in case the content in the email/attachment will not be caught by the other automated tools (e.g. a confidential conversation that doesn’t contain a sensitive information type)
The next 3 sections describe OME, AME, and Sensitivity labels…
Office Message Encryption | OME
At the time of this writing, OME comes with an E1, E3, A3, G3, A5, E5, G5, M365 Business Premium, or AIP P1 license (License reference). By default, there are 2 OME rights-protected options available to use:
- Do Not Forward
- Encrypt only
These can be assigned to emails in several ways:
- AUTOMATED: DLP policy rule can encrypt email messages based on conditions you specify. Note: you will also see all Sensitivity labels with encryption configured appear in the dropdown for encrypting an email when defining the DLP rule
- AUTOMATED: Exchange mail flow rule(s) based on conditions you specify for emails sent from inside the organization (e.g. if a U.S. social security # is detected in an email, automatically apply the Encrypt-only restriction) Note: you will also see all Sensitivity labels with encryption configured appear in the dropdown for encrypting an email when defining the DLP rule. You can also apply a custom-branded OME template as a wrapper email around the encrypted message. This wrapper email will direct the recipient to an OME secure portal for your organization where they will open and read the rights-managed and encrypted email.
- MANUAL: An end-user can manually apply one to their email. This method provides an end user the freedom to determine themselves whether to apply any of these restrictions to an email they’re composing – a good option for them to be aware of.
Using Outlook Web Access (OWA) and the Outlook app, here is the end-user experiences for applying these options to an email:
Once selected, the sender will see this on the top of their email indicating it has the encryption template applied. In the example below, I’ve selected the Encrypt-Only option:
Applying an OME template thru either a mail flow rule or a DLP policy ensures OME will always be applied based on the conditions you specify. It’s best to automate this whenever possible, however recognize the need for end-users to be able to also do it manually on an as-needed basis.
Tip: Provide “Sending Secure Email” training to end-users in your organization so they can choose to manually apply OME to their email if required.
With OME, you can force the external recipient to receive a custom-branded email wrapper around their rights-protected email from one of the OME rights protection templates (Encrypt-only, Do Not Forward, or one of your other Sensitivity Label rights protection templates) via a mail flow rule. This email wrapper goes around the original email to force it to be read in a secure OME portal instead of the mail client/app. With this approach, you have more control over the recipient’s OME experience (image, introduction text, read button text, background color, email text, and disclaimer text) and it may also provide external recipients some peace-of-mind that the encrypted message they’re receiving is from your organization. OME allows you to brand the default template only (as opposed to AME which allows for multiple custom templates).
The default OME branding template is configured via PowerShell only.
Sample email wrapper with the un-customized default template:
Sample email wrapper with customization (everything circled in yellow has been customized via PowerShell):
You may want to update the default OME template as shown above to add brand recognition and custom messaging/privacy link to the email wrapper for external recipients.
Advanced Message Encryption | AME
AME is available with an E5 license and provides some additional features over and above OME. With AME, you can do these additional things for your custom-branded OME templates:
- proactively set an expiration date on the email
- brand multiple custom email wrapper templates for the encrypted email (image, introduction text, read button text, background color, email text, and disclaimer text) to customize per region/language of the sender (you cannot do this with standard OME)
- revoke an email after it’s been sent (administrator only)
- enforce a one-time passcode for all external recipients
Below is an example of a custom-branded template using AME. I have set the expiry date for 7 days from date sent (circled in yellow):
You will see all custom-branded templates in the mail flow rule wizard as an option to apply to any rights-management protected email.
Examples where multiple branding templates might come in handy:
- create a mail flow rule to detect the sender’s department or country and apply the appropriate language-friendly template
- create multiple sensitivity labels based on geo-location, then create mail flow rules to detect which sensitivity label was detected and apply the appropriate language-friendly template
Similar to the OME templates above, the AME templates are configured via PowerShell only.
Good Things to Know for both OME and AME:
- If the external recipient requests a 1-time passcode (OTP) to authenticate, it’s sent to the same email address as the original external recipient (I.e. no SMS which is an expectation of many these days). This behavior may change in the future.
- the external recipient experience will differ depending on the email address/client they are using. Refer to this post for further explanation: Learn about encrypted messages in Outlook
- Administrators can monitor emails sent using either an OME/AME template from the Office 365 message encryption report. It will specify the encryption template used, how it was applied, and who sent it.
Tip: Use the Office 365 message Encryption report to monitor when end-users are manually applying encryption templates to inform your strategy for building in conditions into your DLP policies
Sensitivity Labels
The King.
Sensitivity Labels are a superset of the functionality provided by OME/AME and are part of a much larger protection framework for your organization. Microsoft Information Protection (MIP) is a construct within Microsoft 365 that includes many protection controls working together… sensitivity labels are just one of those controls.
Sensitivity Labels are a bi-product of your organization’s data classification scheme and labeling/protection strategy. They can be applied to not only emails, as discussed in this post, but also files, Sites, Groups, Teams, and (currently in preview) data. The intent is to protect data on all fronts across all collaboration platforms, not just email. This is why sensitivity labels are considered a broad-based protection mechanism across your data landscape and Windows endpoints extending well beyond email and needs to be part of an organization’s overall protection strategy.
Due to this, the availability of this option is dependent on how mature/far along your organization is at defining a data classification and labeling strategy.
Each time you apply a sensitivity label marked with encryption to an email, it applies a RMS template to it. It will automatically use the default OME template (which you might have added custom branding to) or you can configure a mail flow rule to apply one of your custom branded templates if you have done so with AME.
You can configure a label to have pre-defined permissions or you can leave it up to the end-user to apply the permissions in-the-moment while composing their email.
As shown above for OME and AME, when configuring DLP policies targeting Exchange location(s), you have the option to restrict access to an email based on conditions you specify by applying an encryption template to the email. In addition to the 2 built-in encryption settings from OME (Encrypt and Do Not Forward), all sensitivity labels with the encryption (custom permissions) setting configured will show in your dropdown list as well. This will rights protect the email with the configuration associated with the label setting and add the OME wrapper around the email as described above. 
The external recipient will either authenticate or enter a 1-time passcode depending on your configuration and their email address.
Organizations should evolve their protection strategy over time to include sensitivity labels as an intelligent enhancement to the other OME/AME controls.
Thanks for reading.
-JCK
Hi Joanne! I’ve been looking into triggering encryption with a branded OME (so technically AME) experience when a message/doc has a label applied. I get the email message to encrypt so the rule is triggering properly, but I do no see where I can specify the OME configuration (therefore it uses the default OME configuration). I have transport rules to apply the branded OME for the usual items (keywords, patterns, attachment content, etc.) but triggering off the label has not been successful. I even tried adding a header in the DLP rule as the action in hopes that the transport rule picks it up but it looks like Mail Flow rules are evaluated prior to DLP so it never processes the header (I see the header in the message that is delivered). Any ideas/tips since you mention that branding can be applied to messages with labeled?
Hey Andy,
So have you created your custom-branded AME template (over and above the default one)? You should see it as an option in your mail flow rule.
-Joanne
Hey Andy, realized I probably didn’t answer your question. I have successfully been able to trigger off the sensitivity label in the email header but I recall having to use several conditions when checking for the different MSIP values on the header. Play with that a bit to make sure it finds a match.
-Joanne
Hi Joanne! Thanks for the reply (I didn’t get notified of your response for some reason) Yes, I’ve create the AME template and have had no issues triggering it with keywords, patterns, etc. via mail flow rules and those are working as expected. I was looking at using a “modern” DLP rule (compliance center, not EXO) to identity and act on the message, but it sounds like I just need to look at the header of the message and do it via another transport rule?
Hi Joanne, when automated rules are set for email encryption how can the user be alerted that the email will be sent securely prior to clicking the “Send” button in Outlook, We will be setting up rules in the background for encryption but I would like a visual to the user to see that a message will be sent encrypted prior to sending? Does that make sense?
Thanks
Danny Sutherland
Hi Danny, if you’re meaning mail flow rules to apply the encryption template then I don’t think you can warn the user once it’s at that point.
What you *can* do is configure an Outlook pop-up message associated to a sensitivity label that will either warn, justify, block an email when the send button is pressed. This is dependent on the UL client being in use and not the built-in (last time I checked).
I’ve worked with orgs that simply warn users that they’re about to send an encrypted email using this technique. You can selectively trigger the pop up to only shows when the email is being sent externally if required.
-Joanne
Link to the setting in referring to: https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-customizations#customize-outlook-popup-messages
Hi,
Hopefully, I can find an answer to my issue here. Any way to stop DLP notifications when I send Encryption messages? It doesn’t make sense to notify my users about their message content while they are encrypting their data.
I’m aware that OME and DLP are separate policies, but there should be a harmony between them somehow.
Thanks in advance!
Hi, Medo. I have a client that ran into the same thing. This is what I found in my web search … it looks like a higher priority DLP rule needs to be placed ahead of the DLP Exchange policy to ignore emails with OME applied or use a different action item in the DLP Exchange policy to recognize the RMS control (OME) added manually from the email: Permission Controlled instead of Encrypted. I haven’t tried either option, yet, but maybe a helpful reference for you to pursue, as well.
Fabulous article, Joanne! Thank you for taking the time to write it!