Automatic email encryption in Microsoft 365 (O365)

๐Ÿ” Step-by-Step: Enable Auto Email Encryption in Microsoft 365

1. Verify Licensing & Prerequisites

Make sure you have one of these:

  • Microsoft 365 E3 / E5
  • Office 365 E3 / E5
  • Microsoft Purview Information Protection (included in many enterprise plans)

Also ensure:

  • Azure Information Protection is enabled
  • Exchange Online is in use

2. Enable Microsoft Purview Message Encryption

  1. Go to:
    👉 https://compliance.microsoft.com
    (Microsoft Purview portal)
  2. Navigate to:
    Solutions → Information Protection
  3. Ensure:
    • Sensitivity labels are enabled
    • Encryption policies are available

3. (Optional but Recommended) Create a Sensitivity Label

This gives you more control over encryption behavior.

  1. In Purview:
    • Go to Information Protection → Labels
  2. Click Create a label
  3. Configure:
    • Name: Encrypt - External
    • Encryption: ✅ Enable
    • Permissions:
      • Allow recipients to view only
      • Restrict forwarding (optional)
  4. Publish the label:
    • Assign to users/groups

4. Create an Auto-Encrypt Mail Flow Rule

This is the core of automatic encryption.

  1. Go to:
    👉 https://admin.exchange.microsoft.com
    (Exchange Admin Center)
  2. Navigate to:
    Mail flow → Rules
  3. Click Add rule

Example Rule: Encrypt Emails Sent Outside Organization

Name:
Auto Encrypt External Emails

Apply this rule if:

  • The recipient is located → Outside the organization

Do the following:

  • Modify the message security → Apply Office 365 Message Encryption

Optional Conditions:

  • Subject contains: [Encrypt]
  • OR message contains sensitive info (SSN, credit card, etc.)

Except if:

  • Sender is a service account (optional)
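
The same rule can be created from Exchange Online PowerShell, which makes it repeatable and easy to review. This is an added example, not part of the original article: it combines the external-recipient condition with the optional [Encrypt] subject keyword and starts the rule in audit mode. The two mailbox addresses are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the tenant exposes the built-in `Encrypt` template.

```powershell
# Added example: "Auto Encrypt External Emails" as an Exchange Online transport rule.
# Placeholders (assumptions, replace with your own): the admin and service-account addresses.
$adminUpn       = 'admin@contoso.example'
$serviceAccount = 'svc-relay@contoso.example'

Connect-ExchangeOnline -UserPrincipalName $adminUpn

# Stop early if message encryption is not active for the tenant;
# a rule that applies encryption would otherwise fail at delivery time.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'AzureRMSLicensingEnabled is False: message encryption is not active in this tenant.'
}

# End-to-end check of licensing, template retrieval and encrypt/decrypt.
Test-IRMConfiguration -Sender $adminUpn

# Show the templates the rule can reference; 'Encrypt' should be listed.
Get-RMSTemplate

# Conditions inside one rule are combined with AND, so this rule fires only for
# external recipients AND a subject containing [Encrypt]. The "sensitive info"
# alternative from the Optional Conditions list needs its own rule or a DLP policy.
$rule = @{
    Name                          = 'Auto Encrypt External Emails'
    SentToScope                   = 'NotInOrganization'
    SubjectContainsWords          = '[Encrypt]'
    ExceptIfFrom                  = $serviceAccount
    ApplyRightsProtectionTemplate = 'Encrypt'
    Mode                          = 'Audit'   # log matches only; nothing is encrypted yet
    Comments                      = 'Encrypt external mail tagged [Encrypt]; service account excluded.'
}
New-TransportRule @rule

# Read the rule back and confirm every field matches what was intended.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, SentToScope, SubjectContainsWords,
                ExceptIfFrom, ApplyRightsProtectionTemplate

# After the test messages in step 6 match as expected, switch the rule to enforcing:
# Set-TransportRule -Identity 'Auto Encrypt External Emails' -Mode Enforce
```

While the rule is in audit mode, matches appear in message trace but the mail is delivered unencrypted, so do not send real sensitive data during that phase.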

5. Advanced: Encrypt Based on Sensitive Data

Instead of encrypting everything external, you can use Data Loss Prevention (DLP):

  1. Go to Microsoft Purview
  2. Navigate to:
    Data loss prevention → Policies
  3. Create a policy:
    • Template: Financial / PII / HIPAA
  4. Configure:
    • Action: Encrypt email automatically

6. Test the Configuration

Send test emails:

  • To an external Gmail/Yahoo account
  • With and without trigger conditions

You should see:

  • A secure message portal
  • Or an encrypted message with access controls

7. End-User Experience (Training Tip)

Users will:

  • See a banner indicating encryption
  • External recipients:
    • Open via secure link
    • Authenticate via email or Microsoft account

🧠 Best Practice Setup

  • Use rules + sensitivity labels together
  • Avoid encrypting all external emails (can break workflows)
  • Use:
    • [Encrypt] keyword OR
    • DLP-based triggers