
How to Enable and Use Microsoft 365 Email Encryption

Microsoft 365 (O365) Email Encryption allows organizations to protect sensitive information sent via email. It ensures that only intended recipients can view message contents, helping meet compliance, privacy, and security requirements.

This guide walks through prerequisites, configuration, and usage of Microsoft 365 Email Encryption.


Prerequisites

Before enabling email encryption, ensure the following:

  • Microsoft 365 subscription that includes encryption:
    • Microsoft 365 E3 or E5
    • Office 365 E3 or E5
    • Microsoft 365 Business Premium (limited capabilities)
  • Exchange Online is in use
  • Azure Rights Management (Azure RMS) is activated
  • Admin permissions:
    • Global Administrator or Compliance Administrator

Step 1: Activate Azure Rights Management (Azure RMS)

  1. Sign in to the Microsoft 365 Admin Center
  2. Navigate to:
    • Settings → Org Settings → Services
  3. Select Azure Information Protection
  4. Click Activate

Alternatively, via PowerShell:

Install-Module -Name AIPService
Connect-AipService
Enable-AipService

Step 2: Configure Microsoft Purview Message Encryption

  1. Go to the Microsoft Purview Compliance Portal
  2. Navigate to:
    • Solutions → Information Protection
  3. Verify that encryption is enabled
  4. Review default templates:
    • Encrypt
    • Do Not Forward

You can also create custom templates if needed.


Step 3: Create Mail Flow Rules for Automatic Encryption

To automatically encrypt emails based on conditions:

  1. Go to Exchange Admin Center
  2. Navigate to:
    • Mail flow → Rules
  3. Click Add a rule
  4. Configure:

Example Rule: Encrypt emails containing sensitive data

  • Name: Encrypt Sensitive Emails
  • Apply this rule if:
    • Subject or body includes keywords (e.g., “confidential”)
  • Do the following:
    • Modify message security → Apply Office 365 Message Encryption
  5. Save the rule
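
The same rule can be created from Exchange Online PowerShell. This is an added example, not part of the original guide: it checks that Azure RMS licensing and the "Encrypt" template are available before creating the rule, and updates the rule if it already exists. It assumes the ExchangeOnlineManagement module is installed; the admin address is a placeholder.

```powershell
# Added example: scripted version of the "Encrypt Sensitive Emails" rule.
# Assumption: ExchangeOnlineManagement is installed; $AdminUpn is a placeholder.
$AdminUpn = 'admin@contoso.example'      # placeholder, replace with your admin UPN
$RuleName = 'Encrypt Sensitive Emails'   # rule name from the example above
$Keywords = @('confidential')            # keyword from the example above
$Template = 'Encrypt'                    # default template reviewed in Step 2
$Mode     = 'Enforce'                    # 'Audit' logs matches without applying the action

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

try {
    # Pre-check 1: Exchange Online must be allowed to use Azure RMS (Step 1).
    $irm = Get-IRMConfiguration
    if (-not $irm.AzureRMSLicensingEnabled) {
        throw 'AzureRMSLicensingEnabled is False. Activate Azure RMS before creating the rule.'
    }

    # Pre-check 2: the template the rule applies must exist in the tenant.
    if (-not (Get-RMSTemplate | Where-Object { $_.Name -eq $Template })) {
        throw "Rights protection template '$Template' was not found."
    }

    $settings = @{
        SubjectOrBodyContainsWords    = $Keywords
        ApplyRightsProtectionTemplate = $Template
        Mode                          = $Mode
    }

    # Create the rule, or update it in place if it already exists.
    if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
        Set-TransportRule -Identity $RuleName @settings
    } else {
        New-TransportRule -Name $RuleName -Enabled $true @settings
    }

    # Show the values that matter when a rule is "not applying":
    # state, mode, priority, and the condition/action pair.
    Get-TransportRule -Identity $RuleName |
        Format-List Name, State, Mode, Priority,
                    SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```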

Step 4: Enable End-User Encryption Options

Option A: Outlook Desktop

  1. Open Outlook
  2. Create a new email
  3. Click:
    • Options → Encrypt
  4. Choose:
    • Encrypt
    • Do Not Forward
    • Confidential (if configured)

Option B: Outlook on the Web (OWA)

  1. Compose a new message
  2. Click the Encrypt button (padlock icon)
  3. Select desired encryption option

Step 5: Test Email Encryption

Send a test encrypted email to:

  • Internal user
  • External user (e.g., Gmail)

Expected behavior:

  • Internal recipients: Open normally (policy enforced)
  • External recipients:
    • Receive a secure message link
    • Authenticate via:
      • Microsoft account, or
      • One-time passcode

Step 6: Customize Branding (Optional)

You can customize the encryption experience:

  1. Go to Microsoft Purview
  2. Navigate to:
    • Information Protection → Customize branding
  3. Add:
    • Company logo
    • Custom disclaimer text
    • Portal colors

Step 7: Audit and Monitor

To track encrypted email usage:

  1. Go to Microsoft Purview
  2. Navigate to:
    • Audit
  3. Search for:
    • Message encryption activities
    • User actions

Common Use Cases

  • Sending financial or legal documents
  • Protecting personally identifiable information (PII)
  • Secure communication with external partners
  • Compliance with regulations (HIPAA, GDPR, etc.)

Troubleshooting

Issue: Encrypt option not visible

  • Ensure user has correct license
  • Verify Azure RMS is activated

Issue: External users cannot open email

  • Confirm they complete authentication
  • Check spam filters or blocked links

Issue: Rules not applying

  • Review rule priority and conditions
  • Ensure rule is enabled

Best Practices

  • Use automatic rules for consistency
  • Train users on when to encrypt manually
  • Regularly audit usage and policies
  • Combine with Data Loss Prevention (DLP)