Office 365 Message Encryption
OME is Microsoft's email encryption service — what it does, how to enable it, and what it looks like for recipients.
Office 365 Message Encryption (OME) is Microsoft's email encryption service. It protects the message body and attachments with rights management, so the content stays encrypted at rest and in transit and can only be opened by the intended recipients, inside or outside your organisation. It is used most commonly to send sensitive content (financial data, PII, contracts) to external parties without resorting to password-protected file attachments or third-party encrypted-mail tools.
How OME works
When a user encrypts a message:
- The sender composes mail in Outlook and applies encryption via the Protect button or sensitivity label.
- Exchange Online encrypts the message body and attachments with the Azure Rights Management service (the service behind Azure Information Protection / Microsoft Purview Information Protection), attaching a usage policy that says who may open the content and what they may do with it.
- The encrypted message is delivered through normal Exchange mail flow.
- Recipients who read mail in Outlook (desktop, web or mobile) with a Microsoft 365 work or school account, in your tenant or any other, see the message decrypted in place; Outlook obtains a use licence from Azure RMS silently.
- Other recipients (Gmail, Yahoo, on-premises Exchange, anything else) receive a wrapper message with a link to a secure web portal, where they authenticate with a work/school or Microsoft account, a Google account, or a one-time passcode sent to their mailbox, and then read the message.
For Microsoft 365 recipients the decryption is invisible: the message just opens. For everyone else the portal handles authentication, which is why the recipient experience differs from regular email.
Sender-side controls
Senders can apply OME in several ways:
- Encrypt (the built-in Encrypt-Only template): the content is encrypted, but authorised recipients may reply, forward, print and copy. It protects confidentiality on the wire and at rest; it does not constrain what a recipient does next.
- Do Not Forward (the built-in DNF template): encryption plus usage restrictions. Recipients can read and reply but cannot forward, print or copy, and Office attachments inherit the same protection. It does not stop a screenshot or a photo of the screen.
- Custom labels (for example Confidential, Highly Confidential): sensitivity labels configured by admins with their own encryption settings, such as which users or domains may open the content, which rights they get, content expiry and how long offline access is allowed.
Sensitivity labels with encryption are the modern way: the sender just picks the right label in Outlook and the protection is applied automatically.
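As an added example (not from the original page), here is how an admin creates and publishes a label of the third kind above with Security & Compliance PowerShell. It assumes the Exchange Online Management module is installed and the account holds the Compliance Administrator role; the label name, the tenant domain contoso.com and the partner domain fabrikam.com are hypothetical placeholders. The rights string grants full rights to the tenant and read/reply only to the partner, which is the part Encrypt-Only cannot express.

```powershell
# Added example, not the page's own configuration. Requires ExchangeOnlineManagement
# and a Compliance Administrator account. Domains and names are hypothetical.
Connect-IPPSSession

# Rights definitions are "<user-or-domain>:<RIGHT,RIGHT,...>" entries separated by ";".
# contoso.com gets the full right set; fabrikam.com can view and reply but not forward,
# print or extract (copy), so the label behaves like Do Not Forward for the partner only.
$rights = "contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL;" +
          "fabrikam.com:VIEW,VIEWRIGHTSDATA,REPLY,REPLYALL"

New-Label -Name "Confidential-Partner" `
    -DisplayName "Confidential (Partner)" `
    -Tooltip "Encrypted. Readable by contoso.com and fabrikam.com only." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7      # cached use licence lifetime before re-authentication

# Nothing appears in Outlook's Sensitivity menu until the label is published by a policy.
New-LabelPolicy -Name "Partner encryption labels" `
    -Labels "Confidential-Partner" `
    -ExchangeLocation All

# Review what was stored before telling users the label exists.
Get-Label -Identity "Confidential-Partner" | Format-List
```

Keep the offline-access window short for labels that may reach external parties: it bounds how long a recipient can keep opening a message after you remove their rights or they leave the partner organisation.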
Admin-applied OME via transport rules
For consistent enforcement, admins set up transport rules (mail flow rules in Exchange Online) whose action is "Apply Office 365 Message Encryption and rights protection" with a chosen template, triggered by conditions such as:
- "If an outbound message contains credit card numbers (a sensitive information type), encrypt with Do Not Forward."
- "If the subject contains [CONFIDENTIAL], encrypt."
- "If the recipient domain is on this list, encrypt outbound."
This catches users who forget to apply protection manually, and because the rule runs in the transport pipeline it applies regardless of which client sent the message.
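The three rules above, as an added Exchange Online PowerShell example that is not part of the original page. It assumes the ExchangeOnlineManagement module and an account holding the Transport Rules role; the rule names and the domain regulator.example are hypothetical. The template names "Encrypt" and "Do Not Forward" are the two built-in Azure RMS templates that Get-RMSTemplate lists in every tenant.

```powershell
# Added example, not the page's own rules. Requires ExchangeOnlineManagement and the
# Transport Rules role. Names and the recipient domain are hypothetical.
Connect-ExchangeOnline

# Confirm the template names before referencing them; custom labels also appear here.
Get-RMSTemplate | Format-Table Name, Description

# Rule 1: outbound mail carrying credit card numbers gets Do Not Forward.
# The sensitive information type is classified by DLP in the transport pipeline.
New-TransportRule -Name "OME: PCI data outbound" `
    -Priority 0 `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"; minCount = "1"}) `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Rule 2: a subject tag lets senders request encryption from any client.
New-TransportRule -Name "OME: [CONFIDENTIAL] tag" `
    -Priority 1 `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[CONFIDENTIAL]" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Rule 3: everything to a regulator's domain is encrypted, whatever the content.
# Mode Audit logs matches without encrypting, so the rule can be staged before enforcement.
New-TransportRule -Name "OME: regulator domain" `
    -Priority 2 `
    -RecipientDomainIs "regulator.example" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Audit

# Check that the rules are enabled and ordered as intended.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Priority, Name, State, Mode, ApplyRightsProtectionTemplate
```

Stage new rules with Mode Audit and read the message trace before switching to Enforce: a rule that encrypts too broadly sends external partners into the portal for routine mail, and the support tickets arrive before anyone notices the rule.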
What recipients see
External recipients receive an email with a link to the secure portal:
- They click the link and choose how to authenticate: sign in with a Microsoft 365 work or school account, a Microsoft account or a Google account, or request a one-time passcode that is emailed to the recipient address.
- After authenticating, the portal shows the message and attachments.
- Replies and forwards (if allowed) happen through the portal — they don't go back through the recipient's email client.
It's a different experience from regular email, which sometimes generates support questions. Communicate to senders that recipients may need extra clicks.
Branding
OME supports custom branding: your organisation's logo and colours in the portal and customised wording in the notification email. There is no page for this in the Microsoft 365 admin center; branding is configured in Exchange Online PowerShell with Set-OMEConfiguration on the default "OME Configuration" object. The same object controls which sign-in methods external recipients may use.
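An added Exchange Online PowerShell example (not from the original page) that brands the default OME configuration and then tightens the portal sign-in options. The logo path, colour, wording and the decision to disable passcode and social sign-in are hypothetical choices for illustration.

```powershell
# Added example, not the page's own configuration. Requires ExchangeOnlineManagement.
# Logo path, colour and text are placeholders.
Connect-ExchangeOnline

# The logo is passed as bytes. Keep it small (Microsoft documents a 40 KB limit;
# PNG, JPG, BMP and TIFF are accepted).
$logo = [System.IO.File]::ReadAllBytes("C:\branding\contoso-logo.png")

Set-OMEConfiguration -Identity "OME Configuration" `
    -Image $logo `
    -BackgroundColor "#0A2A5B" `
    -IntroductionText "has sent you a protected message." `
    -EmailText "Contoso protects sensitive correspondence with Microsoft 365 Message Encryption." `
    -PortalText "Contoso Secure Message Portal" `
    -ReadButtonText "Read the message" `
    -DisclaimerText "This message is confidential and intended only for the named recipient."

# Portal authentication is part of the same object. Turning off one-time passcodes and
# Google/Yahoo sign-in leaves only work/school and Microsoft accounts, which is stronger
# but means recipients without such an account can no longer open the message at all.
Set-OMEConfiguration -Identity "OME Configuration" -OTPEnabled $false -SocialIdSignIn $false

# Verify the stored settings.
Get-OMEConfiguration | Format-List Identity, BackgroundColor, PortalText, OTPEnabled, SocialIdSignIn
```

Custom wording matters for security as well as appearance: recipients are trained to treat "click here to read your secure message" as phishing, so a recognisable logo, a named sender organisation and consistent text make the legitimate notification distinguishable from a lookalike.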
Licensing
OME is included with plans that bundle Exchange Online and Azure Information Protection Plan 1: Microsoft 365 E3 and E5, Microsoft 365 Business Premium, and Office 365 E3 and E5. Tenants on other Exchange Online plans can add the AIP Plan 1 licence. Expiry and revocation of external messages (Advanced Message Encryption) need E5. Recipients don't need any Microsoft licence; the portal handles them with whatever account they have, or a one-time passcode.
When OME is the right tool
- Sending sensitive content externally — to partners, customers, regulators, advisors.
- Compliance-driven encryption — DLP-triggered automatic encryption for regulated data.
- Replacing third-party encrypted-email gateways — Mimecast Secure Messaging, Cisco Email Encryption.
For internal-only sensitive content, sensitivity labels with Encrypt-Only or Do Not Forward are usually enough: every recipient is in Outlook, so the message decrypts in place and nobody goes near the external-recipient portal.