Send Encrypted Office365 Emails Based on Email Data


In this blog post, we will talk about enabling conditional encryption on Office365 Email flowing inside and going outside your organization.

Office 365 Message Encryption is an online service built on the Microsoft Azure Rights Management (Azure RMS) offering. As a result, you will need an Azure Rights Management subscription (now called Azure Information Protection) to use this service.

Enabling encryption on emails requires the receiver to do a couple of extra tasks to view the message, so it is crucial that only messages containing confidential information get encrypted, or that senders have the ability to define whether the email they're sending needs to be encrypted. While Office365 includes advanced DLP policies for protecting sensitive information, we can also use simple transport rules in Exchange Online to look for specific keywords in the email subject or body and perform encryption accordingly.

For example, senders can be trained to include a specific word like “encrypt” in the email subject/body if they want to send the email encrypted. Other scenarios could look for keywords like SSN Number, DOB, Credit Card Number etc., which can be configured to enable conditional email encryption.

So here is what happens when a user sends an email:

  • User sends email
  • Exchange Online (Office365) filters the email and checks it against the admin-defined rules to decide whether encryption needs to be applied.
  • If a rule matches the email, Office365 encrypts the message and sends it out for delivery.
  • The recipient receives the message with an HTML attachment and a message body stating that the message is encrypted.
  • The recipient will need to open the attachment in a browser, which opens the message viewing portal.
  • Now, they'll need to verify their authenticity by signing in using a Microsoft account (created with the same email), or using a one-time passcode. If the user does not have a Microsoft account, they can create one during this time. With the one-time passcode method, the recipient receives another email with an OTP which can be entered to view the message.
  • Once the recipient verifies authenticity using either of these methods, the email gets decrypted and becomes visible. Users can reply to the email with encryption using the portal's reply button.

How to configure?

  • Ensure that you have the required Azure Information Protection subscription and that users are assigned and enabled for Azure Information Protection. Azure Information Protection is also included in EMS and Secure Productive Enterprise licenses.
  • Activate Azure Rights Management in Office365. Check this for step by step instructions.
  • Set up Azure Rights Management for Office365 Message Encryption. Check this for step by step instructions. This requires use of MS Online PowerShell.
  • Finally, create an Exchange Online transport rule to enable the conditional encryption. Detailed options and step by step instructions are available here. The following screenshot shows a transport rule configuration which enables encryption for emails that go outside the organization and include any of the pre-defined keywords (encrypt, SSN, DOB, Credit Card) in the email subject or body.


  • You can also build a more intelligent rule using the “The message contains any of these types of sensitive information” condition and add the sensitive information types you want to protect, such as US Driver License Number, US SSN No, Passport No etc.
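
The two rules described above can also be created from Exchange Online PowerShell. This is an added example, not configuration from the original post: the rule names are hypothetical, it assumes a session already opened with Connect-ExchangeOnline, and it applies encryption with `-ApplyRightsProtectionTemplate 'Encrypt'`, the parameter Microsoft documents in place of the deprecated `-ApplyOME`.

```powershell
# Added example (not from the original post). Assumes a session opened with
# Connect-ExchangeOnline from the ExchangeOnlineManagement module.
# Rule names are hypothetical; keywords are the ones listed in the post.

$keywords = 'encrypt', 'SSN', 'DOB', 'Credit Card'

$rules = @(
    @{
        # Keyword rule: outbound mail whose subject or body contains a keyword
        Name                       = 'Encrypt outbound mail - keywords'
        SentToScope                = 'NotInOrganization'
        SubjectOrBodyContainsWords = $keywords
    },
    @{
        # Sensitive information type rule. The type names must match the
        # names defined in your tenant exactly.
        Name                               = 'Encrypt outbound mail - sensitive info'
        SentToScope                        = 'NotInOrganization'
        MessageContainsDataClassifications = @(
            @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
            @{ Name = "U.S. Driver's License Number"; minCount = '1' }
        )
    }
)

foreach ($rule in $rules) {
    # Do not create a duplicate if the rule is already present
    if (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$($rule.Name)' already exists; skipping."
        continue
    }

    # Audit mode logs what the rule would have done without touching delivery,
    # so short keywords such as 'DOB' can be checked for false matches first.
    New-TransportRule @rule -ApplyRightsProtectionTemplate 'Encrypt' -Mode Audit
}

# After reviewing the audit results, switch each rule on:
#   Set-TransportRule -Identity 'Encrypt outbound mail - keywords' -Mode Enforce
```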

That’s all it takes to enable conditional encryption on Office365 Emails. Feel free to reach us at in case of questions, or support related to Office365.