Adding email encryption for Office 365 tenants by default


Over the last couple of weeks there have been several posts stating that Microsoft will add a transport rule to every Office 365 tenant to enable Office 365 Message Encryption (OME). For example: https://www.petri.com/microsoft-to-launch-automatic-email-encryption-office-365

Original statement

The first article published by Microsoft has been removed and republished a couple of times, and seems to have been replaced by the following article: https://docs.microsoft.com/en-us/office365/securitycompliance/ome-sensitive-info-types

At first this article (09/01/2019) stated that all Office 365 tenants would receive a transport rule to encrypt outbound email that contains one of the following sensitive information types:

  • ABA routing number
  • Credit card number
  • Drug Enforcement Agency (DEA) number
  • U.S. / U.K. passport number
  • U.S. bank account number
  • U.S. Individual Taxpayer Identification Number (ITIN)
  • U.S. Social Security Number (SSN)

Of course, I like the idea of making OME more accessible for Office 365 tenants, but enabling it by default is probably not the best route to do that. For example, it would be nice to communicate to your users what OME is, what it does and why some of their email will be encrypted this way. Customizing the OME templates with a company logo/information could be helpful as well before enabling it. This would probably also have resulted in some extra load on their service desk.

Thankfully Microsoft has listened to this feedback and changed their statement.

Current statement

The article was changed on 16/01/2019 and now carries a new statement.

This means that the default OME policy will only be applied to a small group of tenants which will be marked as eligible according to Microsoft.

If your tenant is selected by Microsoft for this rollout, you’ll receive a notification in the message center (30 days prior to rollout). Within those 30 days you’ll be able to opt out, or you can opt out in advance by running the following PowerShell command within your tenant:

Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false 
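
To confirm the opt-out actually took effect and to see which transport rules already encrypt outbound mail in the tenant, the following added example (not from Microsoft or the original post) wraps the command above in a before/after check. It assumes an Exchange Online PowerShell session is already connected; the function names Get-OmeAutoUpdateState and Get-EncryptingTransportRule are hypothetical helpers defined here.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# Function names are hypothetical helpers, not built-in cmdlets.

function Get-OmeAutoUpdateState {
    # Read the tenant IRM configuration and report the opt-out state.
    $irm = Get-IRMConfiguration
    [pscustomobject]@{
        AutomaticServiceUpdateEnabled = $irm.AutomaticServiceUpdateEnabled
        OptedOut                      = ($irm.AutomaticServiceUpdateEnabled -eq $false)
    }
}

function Get-EncryptingTransportRule {
    # List transport rules that apply OME or a rights protection template,
    # together with the sensitive information types each rule matches on.
    Get-TransportRule |
        Where-Object { $_.ApplyOME -or $_.ApplyRightsProtectionTemplate } |
        Select-Object Name, State, Priority, ApplyOME,
            ApplyRightsProtectionTemplate, MessageContainsDataClassifications
}

# 1. Record the state before changing anything.
$before = Get-OmeAutoUpdateState
Write-Output "Before: AutomaticServiceUpdateEnabled = $($before.AutomaticServiceUpdateEnabled)"

# 2. Opt out only if the tenant has not already done so.
if (-not $before.OptedOut) {
    Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
}

# 3. Re-read the configuration and fail loudly if the setting did not stick.
$after = Get-OmeAutoUpdateState
if (-not $after.OptedOut) {
    throw "Opt-out not applied: AutomaticServiceUpdateEnabled is still $($after.AutomaticServiceUpdateEnabled)"
}
Write-Output "After:  AutomaticServiceUpdateEnabled = $($after.AutomaticServiceUpdateEnabled)"

# 4. Review rules that already encrypt mail, so a rule added by a rollout
#    (or by another admin) does not go unnoticed.
$rules = @(Get-EncryptingTransportRule)
if ($rules.Count -eq 0) {
    Write-Output "No transport rules currently apply OME or a rights protection template."
} else {
    $rules | Format-Table -AutoSize -Wrap
}
```

Opting out only stops the automatic service update; any encrypting rule listed in step 4 stays in place until an administrator disables or removes it.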