Mail Encryption M365


OFC-B332

Encryption in
Microsoft Office 365
Tariq Sharif
Why is encryption needed?
Medical Records
Bank Statements
Inter Company Confidential Memos
Departmental Only Emails
Design Documents
Trade Secrets
Encryption Solutions in Office 365
Office 365 Message Encryption – Encrypt messages to any SMTP address
Personal account statement from a financial institution

Information Rights Management – Encrypt content and restrict usage; usually within own organization
Internal company confidential memo

S/MIME – Sign and encrypt messages to users using certificates
Peer to peer signed communication within a government agency
Office 365 Message Encryption
Admin:
Simple to provision and configure
Policy driven via Transport Rules
Customizable branding of encrypted emails and mail reading portal
Allows for Enterprise content inspection and compliance

Sender:
Ability to send encrypted messages to any SMTP address regardless of recipient’s client or service provider

Recipient:
View encrypted messages on Office 365 Message Encryption portal after sign-in
Office 365 Message Encryption portal has rich OWA controls for viewing and composing messages
Replies from the portal are also encrypted
Office 365 Message Encryption
How do recipients sign in to view messages? – 2 ways
Microsoft account – used for sign-in to Microsoft services like OneDrive, XBOX Live, etc.
Microsoft account for hotmail.com, outlook.com, live.com already exists
User can create a Microsoft account for any SMTP address, like gmail.com, mycustomdomain.com – address verification is done as part of the account creation process
If the recipient does not have a Microsoft account, the recipient is guided through the process of creating one
For a given email address, a single Microsoft account is used to access all Microsoft services and view future encrypted emails
Organizational Account – used for sign-in to workloads like Exchange Online, SharePoint Online, etc.
As Office 365 embraces additional identity providers, so will Office 365 Message Encryption.
Demo

• Contoso Pharma wants to send encrypted emails to its partner doctors
• Administrator has configured an ETR to encrypt any message going to Dr Toni when the subject contains the word “Encrypt”
• Dr Toni gets the encrypted email at his hotmail address and follows instructions to view the encrypted message sent from Serena
Office 365 Message Encryption – Admin Configuration
New ETR actions configurable via UI or PowerShell

New-TransportRule -Name EncryptRule <Condition for which to apply encryption> -ApplyOME $true

New-TransportRule -Name DecryptRule <Condition for which to remove encryption> -RemoveOME $true
Office 365 Message Encryption – Admin Configuration
Customize opening text in encrypted email and disclaimer statement

Set-OMEConfiguration -Identity default -EmailText "Encrypted message from ContosoPharma secure messaging system"

Set-OMEConfiguration -Identity default -DisclaimerText "This email message and its attachments are for the sole use of the …"
Office 365 Message Encryption – Admin Configuration
Customize portal text and logo

Set-OMEConfiguration -Identity default -PortalText "ContosoPharma secure e-mail portal"

Set-OMEConfiguration -Identity default -Image (Get-Content "C:\Users\admin\Desktop\contoso.png" -Encoding byte)
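The three admin slides above show the building blocks one at a time; the script below puts them together as the configuration the demo relies on (encrypt to Dr Toni when the subject contains "Encrypt", a matching decrypt rule, and the ContosoPharma branding). It is an added example and not code from the deck. It assumes a remote PowerShell session to Exchange Online opened as a tenant admin; the recipient address drtoni@hotmail.com, the DecryptRule scope conditions and the disclaimer placeholder are assumptions. The cmdlets and parameters (New-TransportRule with -SentTo, -SubjectContainsWords, -FromScope, -SentToScope, -ApplyOME, -RemoveOME; Set-OMEConfiguration; Get-TransportRule; Get-OMEConfiguration) are the Exchange Online ones.

```powershell
# Added example, not from the deck. Assumes an Exchange Online PowerShell session opened
# as a tenant admin. Recipient address, decrypt-rule scope and disclaimer are assumptions.

# 1. Encrypt rule from the demo: any message to Dr Toni whose subject contains "Encrypt"
#    is encrypted with Office 365 Message Encryption (-ApplyOME).
$encryptRule = @{
    Name                 = 'EncryptRule'
    SentTo               = 'drtoni@hotmail.com'   # hypothetical address for Dr Toni
    SubjectContainsWords = 'Encrypt'
    ApplyOME             = $true
}
New-TransportRule @encryptRule

# 2. Decrypt rule: replies sent from the portal arrive encrypted. Removing OME on mail
#    from outside the organization to internal recipients lets those replies land in
#    Outlook readable and keeps them visible to content inspection and DLP.
$decryptRule = @{
    Name        = 'DecryptRule'
    FromScope   = 'NotInOrganization'
    SentToScope = 'InOrganization'
    RemoveOME   = $true
}
New-TransportRule @decryptRule

# 3. Branding: opening text, disclaimer and portal text in one call instead of three.
#    The disclaimer is a constructed placeholder; the deck's text is truncated.
$branding = @{
    Identity       = 'default'
    EmailText      = 'Encrypted message from ContosoPharma secure messaging system'
    DisclaimerText = '<disclaimer text placeholder>'
    PortalText     = 'ContosoPharma secure e-mail portal'
}
Set-OMEConfiguration @branding

# 4. Logo: the image is passed as a byte array (Windows PowerShell -Encoding Byte, as in
#    the deck). Path taken from the deck; adjust for your environment.
$logoPath = 'C:\Users\admin\Desktop\contoso.png'
if (Test-Path -Path $logoPath) {
    $logoBytes = [byte[]](Get-Content -Path $logoPath -Encoding Byte)
    Set-OMEConfiguration -Identity default -Image $logoBytes
} else {
    Write-Warning "Logo not found at $logoPath; portal keeps the default image"
}

# 5. Read back what the tenant will actually enforce before telling Serena to send.
Get-TransportRule |
    Where-Object { $_.Name -in 'EncryptRule', 'DecryptRule' } |
    Format-List Name, State, Priority, SentTo, SubjectContainsWords, FromScope, SentToScope, ApplyOME, RemoveOME

Get-OMEConfiguration -Identity default |
    Format-List EmailText, DisclaimerText, PortalText
```

Rule order matters: transport rules are evaluated by priority, so if a tenant also has rules that modify or redirect mail, check the Priority values printed in the last step to confirm EncryptRule runs where you expect it to.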
Office 365 Message Encryption – Modern UI
Modern O365 UI and rich OWA controls
Office 365 Message Encryption - Under the hood

[Diagram: an O365 user sends a message; Exchange Online performs policy detection and enforcement using the tenant configuration; the message is delivered to an Internet user; the recipient posts the encrypted content to the Mail Reading Portal and signs in with a Microsoft account or Organizational Account.]
Office 365 Message Encryption - Under the hood
Office 365 Message Encryption uses IRM as a platform to encrypt messages
Sending organization needs to have purchased and configured Azure Rights Management Services (RMS)
Keys imported from Azure RMS are 2048-bit and use SHA-256 (Cryptographic Mode 2)

Encrypted messages are wrapped in an HTML file and sent as an attachment to intended recipients
HTML file contains the encrypted message along with other metadata
Messages can be viewed on any device that can open and post from an HTML file

When the user opens the attachment and clicks the link in it, the encrypted content is posted and held temporarily while the user authenticates
User authenticates using a Microsoft account or Organizational Account
If the user has neither, the user is told and asked to create a Microsoft account before viewing
Any email address (@yahoo.com, @gmail.com, etc.) can be used to create a Microsoft account

Once authentication completes, the message is decrypted and shown in the modern UI with all rich OWA controls
Messages replied from the portal are also encrypted
Purchasing Office 365 Message Encryption

Office 365 Message Encryption is included with Azure RMS

Plan                                              Requires                                    Price
Office 365 E3, E4                                 Windows Azure Rights Management is included Included
Office 365 E1, K1                                 Windows Azure Rights Management             $2 PUPM
Office 365 Exchange Online Plan 2, Plan 1, Kiosk  Windows Azure Rights Management             $2 PUPM
Office 365 SharePoint Plan 2, Plan 1              Windows Azure Rights Management             $2 PUPM
Office 365 Midsize Business                       Windows Azure Rights Management             $2 PUPM
Exchange on-premises *                            Windows Azure Rights Management             $2 PUPM

* On-premises customers need to route mail through Exchange Online
** Windows Azure Rights Management is not available for Office 365 Small Business plans
Upgrade: Exchange Hosted Encryption to Office 365 Message
Encryption
Customers using EHE will be upgraded to Office 365 Message Encryption at no additional cost
Awareness and transition emails will be sent prior to transition – Transitions started for Q1CY14
No action required from tenant admins – existing EHE policies will be automatically migrated to Office 365 Message Encryption policies
EHE mail recipients will continue to have access to view their old encrypted emails
EHE account store and emails already encrypted with EHE will not be migrated to Office 365 Message Encryption
Upgrade: Exchange Hosted Encryption to Office 365 Message
Encryption

Feature                                      Exchange Hosted Encryption               Office 365 Message Encryption
Send Encrypted Mail to anyone                Available                                Available
Custom Branding                              Not Available                            Available
Message attachment size limit                10 MB                                    25 MB
Integration with Exchange transport rules    Available, but complex headers involved  Available and simplified
User experience                              Custom EHE portal                        Enhanced Office 365 UI
Integration with Data Loss Prevention        Available                                Available
Purchase Option                              Sold Standalone                          Included with Azure RMS
Information Rights Management
Information Protection technology
Protection is persisted with the data; content can travel anywhere (desktops, file shares, USB keys, cloud drives, network and devices)

Combines encryption and usage restrictions
Prevent accidental disclosure of sensitive data by applying usage policies (cannot forward, cannot print, read-only)

Simple to use
Authors just select a policy option, consumers just open documents
Administrators can configure policies to protect content automatically
Securely share data with individuals within the organization
Information Rights Management – Exchange Online
Admin:
Simple to provision and configure using Windows Azure Rights Management – No on-premises RMS server required
Policy driven via Transport Rules
Allows for Enterprise content inspection and compliance

Sender:
Ability to send IRM protected messages to recipients in the organization using supported clients - OWA and Microsoft Office 2010 and 2013

Recipient:
Ability to view IRM protected content just like regular emails using supported clients (OWA, Microsoft Office 2010 and 2013, EAS)
Information Rights Management – ETR & DLP
Automatically protect email with IRM using Exchange Transport Rules
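The slide states the capability without showing the configuration. The script below, an added example that is not from the deck, takes the "internal company confidential memo" scenario from the Encryption Solutions slide and protects it automatically with a transport rule, after wiring Exchange Online to Azure RMS and confirming the tenant can obtain licenses. It assumes an Exchange Online PowerShell session as a tenant admin and an Azure RMS subscription; the key-sharing URL is a labelled placeholder (it is region-specific), and the sender address, rule names and rule conditions are assumptions. The cmdlets are the Exchange Online Set-IRMConfiguration, Import-RMSTrustedPublishingDomain, Test-IRMConfiguration, Get-RMSTemplate, New-TransportRule and Get-TransportRule.

```powershell
# Added example, not from the deck. Assumes an Exchange Online PowerShell session as a
# tenant admin and a purchased Azure RMS subscription. URL, addresses and rule names are
# assumptions / placeholders.

# 1. One-time: point Exchange Online at Azure RMS, import the tenant's trusted publishing
#    domain and enable internal licensing. Replace the placeholder with your region's URL.
Set-IRMConfiguration -RMSOnlineKeySharingLocation 'https://<region-specific-rms-endpoint>/TenantManagement/ServicePartner.svc'
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
Set-IRMConfiguration -InternalLicensingEnabled $true

# 2. Prove the tenant can obtain licenses for a real sender before relying on the rule.
#    Review the output: every step should report PASS.
Test-IRMConfiguration -Sender 'serena@contosopharma.com' |   # hypothetical sender
    Format-List

# 3. Pick a template. "Do Not Forward" ships with Azure RMS and matches the usage
#    restrictions the IRM slide lists (cannot forward, cannot print, read-only).
$template = Get-RMSTemplate | Where-Object { $_.Name -eq 'Do Not Forward' }
if (-not $template) {
    throw 'Do Not Forward template not returned by Get-RMSTemplate; check step 1'
}

# 4. Memo rule: messages marked "Company Confidential" that stay inside the organization
#    are IRM-protected automatically, so authors need not remember to click anything.
$memoRule = @{
    Name                          = 'Protect confidential memos'
    SubjectOrBodyContainsWords    = 'Company Confidential'
    SentToScope                   = 'InOrganization'
    ApplyRightsProtectionTemplate = $template.Name
}
New-TransportRule @memoRule

# 5. DLP-style rule: the same template applied when the message carries a sensitive
#    information type, which is the ETR & DLP pairing the slide title refers to.
$dlpRule = @{
    Name                              = 'Protect messages with card numbers'
    MessageContainsDataClassification = @(@{ Name = 'Credit Card Number'; MinCount = 1 })
    SentToScope                       = 'InOrganization'
    ApplyRightsProtectionTemplate     = $template.Name
}
New-TransportRule @dlpRule

# 6. List every rule that applies an RMS template, so protection coverage can be audited.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-List Name, State, Priority, SentToScope, ApplyRightsProtectionTemplate
```

Keeping both rules scoped to InOrganization mirrors the deck's "usually within own organization" framing; widening the scope to external recipients only works once those recipients can obtain licenses from the tenant's Azure RMS.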
Information Rights Management – OWA
Protect email with IRM right from the Outlook Web App.
Information Rights Management – SharePoint Online
Admin:
Simple to provision and configure using Windows Azure Rights Management – No on-premises RMS server required
Protection managed at individual library level, protecting Office and Adobe PDF file formats

End-user:
Documents are protected at the time of download from a library and rights given to appropriate user accounts per the library settings
User can edit the document in supported Office clients and protection is removed at time of upload
S/MIME
Government preferred way to secure email communication
Based on a published and broadly supported standard
Must know the recipient's public certificate to send them encrypted mail
Must have the private key associated with the sending email address to sign email
Without the recipient's private key, no one can open and view the message

Exchange on-prem continues to support S/MIME
OWA 2013 support added in SP1
S/MIME in Exchange Online

Admin:
Admin provisions certificates to users and synchronizes them with Exchange Online
Simple Exchange Online configuration for S/MIME OWA behavior

Sender:
Ability to send signed and encrypted email to intra-organization recipients who are properly configured

Recipient:
Ability to view signed and encrypted emails using OWA and supported clients, and reply
S/MIME in Exchange Online
Admin Exchange Online configuration options
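The two S/MIME slides above name the admin steps (publish certificates, configure OWA behaviour) but show no commands. The script below is an added example, not from the deck: it publishes the issuing CA chain, sets the OWA S/MIME options an admin would normally want (revocation checking on send, user choice of signing certificate, chain included with signed mail), and checks that a user's certificate was actually synchronized. It assumes an Exchange Online PowerShell session as a tenant admin and that user certificates have already been synchronized to Exchange Online as the slide describes; the .sst path and the mailbox address are hypothetical. Set-SmimeConfig, Get-SmimeConfig and Get-Mailbox are the Exchange Online cmdlets.

```powershell
# Added example, not from the deck. Assumes an Exchange Online PowerShell session as a
# tenant admin; user certificates are assumed to be synchronized already. Paths and the
# mailbox address are hypothetical.

# 1. Publish the issuing CA chain so OWA can validate signatures and trust recipients'
#    certificates. The .sst file is a serialized certificate store (exported from
#    certmgr.msc) holding the root and intermediate CA certificates.
$caStorePath = 'C:\Certs\ContosoIssuingCAs.sst'    # hypothetical path
if (-not (Test-Path -Path $caStorePath)) {
    throw "CA store not found at $caStorePath"
}
$caStoreBytes = [byte[]](Get-Content -Path $caStorePath -Encoding Byte)

# 2. OWA S/MIME behaviour: trust the CA store, check revocation before a signed or
#    encrypted message leaves, let users with several certificates pick the signing one,
#    and include the chain (minus the root) so recipients can build a trust path.
$smimeSettings = @{
    SMIMECertificateIssuingCA                        = $caStoreBytes
    OWACheckCRLOnSend                                = $true
    OWAAllowUserChoiceOfSigningCertificate           = $true
    OWAIncludeCertificateChainWithoutRootCertificate = $true
}
Set-SmimeConfig @smimeSettings

# 3. Read back the effective configuration.
Get-SmimeConfig |
    Format-List OWACheckCRLOnSend, OWAAllowUserChoiceOfSigningCertificate, OWAIncludeCertificateChainWithoutRootCertificate

# 4. Confirm a user's certificate reached Exchange Online. Without it, colleagues cannot
#    encrypt to that user and OWA cannot sign on their behalf.
$mailbox = Get-Mailbox -Identity 'serena@contosopharma.com'   # hypothetical address
if (-not ($mailbox.UserSMimeCertificate -or $mailbox.UserCertificate)) {
    Write-Warning "No S/MIME certificate published for $($mailbox.PrimarySmtpAddress); check directory synchronization"
} else {
    Write-Output "S/MIME certificate present for $($mailbox.PrimarySmtpAddress)"
}
```

Revocation checking on send is the setting most often left at its default; enabling it means a message to a recipient whose certificate has been revoked fails at compose time rather than being encrypted to a key the recipient's organization no longer trusts.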
Demo

• Contoso Pharma researchers want to discuss and talk about a research drug securely
• Serena sends email to Rosella using OWA
• Rosella views the email on OWA and responds
Summary
Office 365 Message Encryption – Encrypt messages to any SMTP address
Personal account statement from a financial institution

Information Rights Management – Encrypt content and restrict usage; usually within own organization or trusted partners
Internal company confidential memo

S/MIME – Sign and encrypt messages to users using certificates
Peer to peer signed communication within a government agency
Q/A
Resources
Learning
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Microsoft Certification & Training Resources: www.microsoft.com/learning

TechNet – Resources for IT Professionals: http://microsoft.com/technet
msdn – Resources for Developers: http://microsoft.com/msdn
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
