Office 365 Encryption Options

Encryption is the process by which information is encoded so that only an authorized recipient can decode and use it. Microsoft offers multiple Office 365 encryption options to its customers. Office 365 uses encryption in two ways: by implementing it within the service, and by offering it to you as a customer control. In the service, Microsoft uses encryption in the platform, where it works by default and you do not have to configure anything. For example, Office 365 uses Transport Layer Security (TLS) to encrypt the connection (session) between two servers.

Why do we need Office 365 encryption?

At times, organizations need to communicate with external organizations over a secure, encrypted channel to meet their regulatory or compliance requirements. To fulfil these requirements, organizations adopt Office 365 encryption options. These options let customers stay in control and improve the security and reliability of their systems. Encryption options offer the following benefits to customers:

  • To stay in control by automatically protecting sensitive information
  • To meet compliance / regulatory requirements
  • To secure confidential information

We currently have 5 different Office 365 message encryption options that we can configure to secure our messages in Office 365.

  • Office Message Encryption
  • S/MIME
  • Transport Layer Security (TLS)
  • BitLocker
  • Information Rights Management

Office Message Encryption

In November 2013, Microsoft announced Office 365 Message Encryption to send encrypted email messages to people inside or outside of the organization regardless of the destination email service.

Office 365 Message Encryption is designed to help organizations send confidential messages to people outside the company simply and securely, without the administrative overhead required by S/MIME or similar technologies. It is an outside-the-company companion to Information Rights Management, which is why it is also included as part of the Windows Azure Rights Management offering.

There are many scenarios in which you need to encrypt your email, for example:

  • Sending credit card statements to customers over email.
  • Sharing confidential information with someone, such as a Social Security number or credit card number.
  • Sharing financial information for a loan application.
  • An attorney sending confidential information to a client or another attorney.
  • Sending a contract to someone else.
  • Sharing a company policy with someone.

Office 365 Message Encryption is an enhanced version of Exchange Hosted Encryption (EHE) with a new set of added features. To learn more about all security features in Office 365, visit the Office 365 Trust Center.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

The second message encryption option in Office 365 is S/MIME, a widely accepted protocol for sending encrypted and digitally signed messages to a recipient using the Rivest-Shamir-Adleman (RSA) cryptosystem. S/MIME is a client-side encryption technology that requires a certificate management and publishing infrastructure.

S/MIME is as important a standard as SMTP because it brings SMTP to the next level, allowing widespread e-mail connectivity without compromising security.

Before S/MIME, administrators either used SMTP, a widely accepted e-mail protocol that is inherently insecure, or they used more secure but proprietary solutions; they had to choose a solution that emphasized either security or connectivity. S/MIME requires Exchange 2013 SP1 or Exchange Online with Outlook 2010, Outlook 2013, OWA and the EAC to work properly.

Transport Layer Security (TLS)

TLS, or Transport Layer Security, allows two separate Exchange organizations to transfer mail between them over an encrypted connection. TLS works very similarly to the way SSL works in your web browser.

By default, Office 365 uses TLS connections to send and receive email messages. TLS in Exchange Online and Domain Security in Exchange 2010 and 2013 are two different concepts, so let's take a high-level look at both technologies.

Domain Security is a set of functionality in the on-premises version of Exchange, starting with Exchange 2010 and Outlook 2007, that is intended to provide a lower-cost alternative to S/MIME or other message-level security solutions.

Transport Layer Security (TLS) is an encryption protocol designed to create a secure communication tunnel over the public internet. Exchange Online gives you the option to set up send and receive connectors to specific partners that are always encrypted.

TLS encrypts the tunnel between mail servers to help prevent snooping and eavesdropping.
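As an added example (not from the original article), the following Exchange Online PowerShell configures the partner connectors described above so that mail with one partner is always encrypted rather than relying on the default opportunistic TLS; the partner domain and connector names are placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: force TLS for all mail exchanged with a single partner domain.
# 'partner.example.com' and the connector names are placeholders; substitute your own.
Connect-ExchangeOnline

$partnerDomain = 'partner.example.com'

# Outbound: deliver to the partner only over TLS, and only if the partner presents a
# valid certificate issued for the partner domain. DomainValidation is the strictest
# setting; EncryptionOnly would accept any certificate, including self-signed ones.
New-OutboundConnector -Name 'Partner forced TLS out' `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerDomain

# Inbound: reject mail claiming to come from the partner domain unless it arrives over
# TLS with a certificate whose subject matches the partner domain.
New-InboundConnector -Name 'Partner forced TLS in' `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $partnerDomain

# Check: read both connectors back and confirm the TLS requirements took effect.
Get-OutboundConnector 'Partner forced TLS out' |
    Format-List Name, RecipientDomains, TlsSettings, TlsDomain
Get-InboundConnector 'Partner forced TLS in' |
    Format-List Name, SenderDomains, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName
```

With these connectors in place, a message to or from the partner that cannot negotiate TLS with a matching certificate is not delivered in clear text but is deferred or rejected, which is the behaviour "always encrypted" implies.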

BitLocker

BitLocker is a drive encryption technology included in Windows Server 2008 and newer versions. BitLocker provides AES (Advanced Encryption Standard) encryption of your email data at rest. That means that if someone somehow managed to break into an Office 365 data center and steal the hard drive that contains your Exchange Online database, they would not be able to access the data on that drive unless they also had the encryption key.

AES uses the same key to encrypt and decrypt the data. I’m not going to spend much time on the specifics of how this type of encryption works because there is nothing for you to configure in Exchange Online, but you can find more information on BitLocker on TechNet.

BitLocker is a good example of one of the reasons to move to Office 365: Microsoft has already performed much of the configuration work for setting up a secure Exchange for you. BitLocker is already set up on your tenant and all your data is encrypted in Microsoft's data centers, although there is no way for us to verify this directly. Microsoft does comply with a number of third-party auditing procedures to verify things like this. You can find more information on this subject at the Office 365 Trust Center website.

BitLocker encryption has already been applied to all Office 365 tenants and is managed by Microsoft.

Information Rights Management

Information Rights Management (IRM) gives Office 365 far more control over the degree of document access and security allowed. IRM in Office 365 prevents sensitive information from being printed, forwarded, or copied by unauthorized people inside the organization. It enables a content owner or publisher to create rights-protected content such as an email message or document.

IRM helps individuals enforce their personal preferences regarding the transmission of personal or private information. It also helps organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information within the organization and with customers and partners. More information on Information Rights Management can be found on TechNet.

Microsoft has two methods to enable IRM within the Office 365 productivity suite (Word, Excel and PowerPoint). The first is to install the IRM services on a Windows 2003 or 2008 server, which enables integration within a corporate Windows domain. This integration allows a content author to select which users and groups from Active Directory have access to their content. The second method is to use a Windows Live ID. This enables companies without an Active Directory environment to restrict user access based on a user’s email address.