In today's digital age, protecting sensitive information is crucial. One of the most common ways of communicating is through email, and with the rise in cyber attacks, email encryption has become an essential tool to secure communication. Microsoft 365 offers a variety of encryption options that can help you meet your business needs for email security.
Types of Email Encryption in Microsoft 365
There are three ways to encrypt email in Microsoft 365:
Microsoft Purview Message Encryption: This service is built on Azure Rights Management (Azure RMS) and allows you to send encrypted emails to anyone, including those outside your organization. You can set up transport rules to define the conditions for encryption, and encryption is applied automatically if a user sends a message that matches a rule. To view encrypted messages, recipients can get a one-time passcode, sign in with a Microsoft account, or sign in with a work or school account associated with Office 365.
Secure/Multipurpose Internet Mail Extensions (S/MIME): S/MIME is a certificate-based encryption solution that allows you to encrypt and digitally sign a message. It ensures that only the intended recipient can open and read the message and helps the recipient validate the identity of the sender. To use S/MIME, you must have public keys on file for each recipient, and recipients must maintain their own private keys.
Information Rights Management (IRM): IRM is an encryption solution that applies usage restrictions to email messages, preventing sensitive information from being printed, forwarded, or copied by unauthorized people. IRM capabilities in Microsoft 365 use Azure Rights Management (Azure RMS), and you can set up transport rules or Outlook protection rules to automatically apply IRM to select messages. Users can also manually apply templates in Outlook or Outlook on the web.
How Microsoft 365 Uses Email Encryption
Encryption is used in Microsoft 365 in two ways: in the service and as a customer control. In the service, encryption is used by default, and you don't have to configure anything. For example, Microsoft 365 uses Transport Layer Security (TLS) to encrypt the connection, or session, between two servers.
Email Encryption Options in Microsoft 365: A Comparison
Here's a comparison of the email encryption options available in Microsoft 365:
Microsoft Purview Message Encryption:
- Encrypts messages sent to internal or external recipients.
- Allows users to send encrypted messages to any email address, including Outlook.com, Yahoo! Mail, and Gmail.
- Lets you customize the email viewing portal to reflect your organization's brand.
- Microsoft securely manages and stores the keys, so you don't have to.
- Does not allow you to apply usage restrictions to messages.
S/MIME:
- Addresses sender authentication with digital signatures and message confidentiality with encryption.
- Requires public keys on file for each recipient.
- Recipients must maintain their own private keys.
- Does not allow encrypted messages to be scanned for malware, spam, or policies.
Information Rights Management (IRM):
- Uses encryption and usage restrictions to provide online and offline protection for email messages and attachments.
- Allows you to set up transport rules or Outlook protection rules to automatically apply IRM to select messages.
- Lets users manually apply templates in Outlook or Outlook on the web.
- May not be supported by some applications on all devices.
Recommendations and Example Scenarios
We recommend using Microsoft Purview Message Encryption when you want to send sensitive business information to people outside your organization, including consumers and other businesses. For example:
- A bank employee sending credit card statements to customers
- A doctor's office sending medical records to patients
- An attorney sending confidential documents to clients
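The transport-rule approach described for Microsoft Purview Message Encryption, applied to the bank scenario above, as an added example that is not from the original article or from Microsoft. It assumes the ExchangeOnlineManagement module is installed; the admin account and rule name are placeholders, and the rule starts in audit mode so matches can be reviewed before encryption is enforced.

```powershell
# Added example: mail flow (transport) rule that applies Microsoft Purview
# Message Encryption to outbound mail containing credit card numbers.
# Placeholders (not from the article): $AdminUpn and $RuleName.
$AdminUpn = 'admin@contoso.example'
$RuleName = 'Encrypt outbound card data'

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

try {
    # Message encryption is built on Azure RMS, so licensing must be active
    # in the tenant before an encryption action can take effect.
    $irm = Get-IRMConfiguration
    if (-not $irm.AzureRMSLicensingEnabled) {
        throw 'Azure RMS licensing is not enabled; message encryption cannot be applied.'
    }

    # Do not create a duplicate if the rule already exists.
    $existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Rule '$RuleName' already exists (mode: $($existing.Mode))."
    }
    else {
        # Condition: recipient is outside the organization AND the message
        # matches the built-in "Credit Card Number" sensitive information type.
        # Action: apply the "Encrypt" template (encryption only).
        # Mode Audit logs matches without acting on the message yet.
        New-TransportRule -Name $RuleName `
            -SentToScope NotInOrganization `
            -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; minCount = '1' } `
            -ApplyRightsProtectionTemplate 'Encrypt' `
            -Mode Audit `
            -Comments 'Audit first; switch to Enforce after reviewing matches.' | Out-Null
    }

    # Show the resulting rule state for the change record.
    Get-TransportRule -Identity $RuleName | Format-List Name, State, Mode, Priority

    # After reviewing audited matches in message trace, enforce with:
    #   Set-TransportRule -Identity $RuleName -Mode Enforce
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Because the rule matches on content, it only evaluates messages the service can read; S/MIME-encrypted mail, as noted in the comparison above, cannot be scanned for policies.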
In summary, email encryption is a crucial tool in securing communication and protecting sensitive information. With the various encryption options available