Master & Cmd-R

Testing Office Message Encryption (OME)

Here is what the end to end experience looks like while using Office Message Encryption (OME).

First, a transport rule was created that encrypted any email between my Office 365 account and my Gmail account.

Secondly, create an email in OWA or Outlook and send it to the target address. The client (in this case, Gmail), receives the following email in their inbox:


Opening the email presents the user with the following message and the encrypted email attachment:


If the attachment is clicked on (opened without saving), this is what the user will see:


Note that mobile devices are prompted to install the OME viewer, which will simplify the process going forward.

Saving and opening the attachment, gives you the following experience:


If you chose the option to sign in, you’ll be prompted to sign in with a Microsoft Account, and it must be the same email address as the one the message was sent to. If a Microsoft Account doesn’t exist, the user is prompted to either create one, or use a one-time passcode:


I really like the flexibility provided by this option, as I can see not everyone wanting to create a new account for an encrypted email.

The user then enters their passcode, along with the option to remain logged in if at a trusted computer:


Since I selected the option that this is a private computer, my security token remains cached for 12 hours, and I don’t get prompted to request another code the next time I get an encrypted message.

Once this is done, the user is able to open the email and either reply, forward, or print – note that since this enables only encryption, these options are still available. If we want to restrict the ability to perform these functions, that would be achieved through Azure RMS policies.


Here’s what it looks like when a user replies from within the encryption window. Note that this email thread continues to be encrypted both ways for as long as it’s active.


Upon return, the original sender of the message gets the following prompt:


Clicking sign in takes you to this page – since we’re back on the corporate side now, the user would want to sign in with their Organizational account:



And now the message is decrypted and ready for viewing.


Now, if you routinely receive email from this person (or company), you can choose to have it decrypted once it arrives in your Exchange organization in order to decrease the steps the end users have to take.

To do this, create a new transport rule following the same steps to encrypt the email, except this time choose the option to remove Office Message Encryption. Give some time for the rules to take effect, and you should see the replies coming back automatically decrypted.



About the Author:


No comments yet

Leave a Reply