Office 365 Message Encryption deep dive
How OME works under the hood — encryption flow, branding, custom templates, and the recipient experience.
Office 365 Message Encryption (OME) is Microsoft's email encryption service. Beyond the basic "click Protect to encrypt," knowing how it works enables advanced configurations for branding, custom templates, and specific recipient experiences.
The encryption flow
When a user encrypts a message:
- Sender composes email in Outlook (desktop, web, or mobile).
- Sender applies encryption via Protect button or sensitivity label with encryption enabled.
- Outlook encrypts the message body and attachments using Azure Information Protection / Microsoft Purview Information Protection under the hood.
- The encrypted message is sent via standard Exchange Online mail flow.
- Delivery happens normally.
For recipients in the same Microsoft 365 tenant: their Outlook decrypts transparently — no portal, no friction.
For recipients in different Microsoft 365 tenants: same — federated trust between tenants enables transparent decryption.
For external recipients (Gmail, etc.): the encrypted message arrives with a link to the OME portal at outlook.office365.com/encryption. The recipient:
- Clicks the link.
- Signs in using their own Microsoft account, Google account, or one-time passcode sent to their email.
- Views the message in the secure portal.
- Can reply through the portal (with their reply also encrypted).
Available protections
OME supports multiple protection levels:
- Encrypt — encryption only; recipient can forward (though forwarded copies are still encrypted).
- Do Not Forward — encryption plus the recipient can't forward, copy, or print.
- Confidential — admin-configured template with corporate-specific restrictions.
- Highly Confidential — stricter admin template.
- Custom templates — admin-defined for specific business scenarios.
Branding the OME portal
For external recipients, the OME portal is brandable:
- Logo at the top.
- Background image for the portal page.
- Sender name and corporate identity.
- Disclaimer text.
- Custom email body for the notification email.
Configured via Exchange Online PowerShell:
# "OME Configuration" is the default (tenant-wide) branding object.
# -OTPEnabled allows one-time passcode sign-in; -SocialIdSignIn allows Microsoft/Google account sign-in.
Set-OMEConfiguration -Identity "OME Configuration" `
    -EmailText "Encrypted message from Contoso" `
    -PortalText "Contoso secure messages" `
    -DisclaimerText "This message is confidential..." `
    -OTPEnabled $true `
    -SocialIdSignIn $true `
    -BackgroundColor "#003366"
For consistent corporate experience, configure branding before deploying OME tenant-wide.
Custom templates
Beyond the built-in templates, custom templates allow specific business scenarios:
New-RMSTemplate -Name "Legal Privilege" `
    -DepartmentName "Legal" `
    -RightsDefinitions @(
        New-Object Microsoft.Online.Administration.RightsDefinition `
            -Property @{
                EmailAddress = "everyone@contoso.com"
                Rights       = "VIEW","REPLY","REPLYALL","EDIT","EXPORT","EXTRACT","FORWARD"
            }
    )
Custom templates appear in the sender's encryption-options dropdown.
Sensitivity-label integration
The modern pattern is to configure OME via sensitivity labels rather than working with templates directly:
- Create a sensitivity label "Confidential — External."
- Configure encryption with appropriate permissions.
- Apply via Office apps Protect menu or auto-apply policy.
When a user applies the label, OME encryption applies automatically. The label is the user-facing concept; OME is the underlying mechanism.
Auto-encryption via transport rules
For consistent enforcement, Exchange transport rules can auto-apply OME:
- Condition: outbound message contains "Credit Card" sensitive information type AND recipient is external.
- Action: apply OME with "Encrypt-Only" template.
The user doesn't need to remember to encrypt — the tenant ensures it for matching content.
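The transport rule described above, written out in Exchange Online PowerShell as an added example (this is not code from the original page). It assumes an existing Exchange Online session, that the tenant exposes the built-in "Encrypt" template (the Encrypt-Only option in Outlook) under that name, and a hypothetical test sender alice@contoso.com.

```powershell
# Added example: auto-apply OME to outbound mail that contains a credit card number
# and is addressed to a recipient outside the organisation.
Connect-ExchangeOnline

# Confirm the exact template name the tenant exposes; the rule must reference it verbatim.
Get-RMSTemplate | Select-Object Name, Description

$ruleName = "Auto-encrypt credit card data to external recipients"

# Create the rule in Audit mode first so matches are logged (message trace / rule reports)
# without changing delivery; switch to Enforce once the hit rate looks right.
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; MinCount = "1" } `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Audit `
    -Comments "Tenant-enforced OME for credit card content leaving the organisation"

# After validation: enforce the rule.
Set-TransportRule -Identity $ruleName -Mode Enforce

# Verify the rule state and that rights protection is functional for a test sender
# (alice@contoso.com is a hypothetical account).
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, MessageContainsDataClassifications, ApplyRightsProtectionTemplate
Test-IRMConfiguration -Sender alice@contoso.com
```

Keep the condition narrow (sensitive information type AND external scope) so internal mail between colleagues is not routed through the portal unnecessarily.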
Operational considerations
- Test recipient experience with users on Gmail, Apple Mail, Yahoo — verify the portal flow works.
- Communicate the experience to senders so they understand what recipients will see.
- One-time passcode (OTP) is the most universal recipient auth — enable it.
- Audit OME usage — Purview audit logs show every encryption event.
- Mobile experience — verify OME works for recipients on iOS and Android Outlook.
Limitations
- Encrypted attachments the recipient downloads may be inaccessible outside the portal; whether they open depends on the protection template.
- Forwarding by recipients works (within encryption restrictions), but the second recipient sees the same OME portal experience.
- PGP / S/MIME are separate encryption mechanisms — OME doesn't interoperate with them.
For organisations needing to send encrypted email externally — financial services, healthcare, legal, regulated communications — OME is the right Microsoft-native solution. The setup is moderate; the user experience is reasonable; the audit trail is solid.