Enabling Microsoft Purview Message Encryption

Microsoft Purview Message Encryption is a powerful tool for business leaders looking for effective ways to improve business security, compliance, and privacy. Even in a world where collaboration platforms like Microsoft Teams, Zoom, and Cisco Webex are taking over, email continues to play an essential role in business communications.

Professionals have used email for decades to exchange information, connect with colleagues, and preserve productivity. Now, in the hybrid and remote work world, emails are still utilized to exchange sensitive information, files, and reports.

Unfortunately, while some email services can offer more security than certain collaboration apps, they still pose a risk to business leaders. When mailboxes become repositories of sensitive data, business leaders need to ensure they’re taking extra steps to defend their employees and their information.

Microsoft Purview message encryption is one of the core tools offered by Microsoft to help businesses mitigate data leakage in the digital world. Here’s everything you need to know about leveraging the service for your team.

What is Microsoft Purview Message Encryption?

Microsoft Purview Message Encryption is an online service built on the Azure Rights Management framework. It enhances the existing encryption capabilities of Microsoft Office solutions, such as the Microsoft Outlook mailbox. While Microsoft does offer encryption for employee messages by default, Purview allows businesses to take their security standards to the next level.

Using the Purview platform, business leaders can configure security policies that allow email users to send and receive encrypted messages. These messages can be delivered securely to people inside and outside an organization.

Microsoft Purview administrators can create mail flow or transport rules that set the specific conditions for each encryption. When a user of the Microsoft client sends a message matching the conditions of these rules, the information is automatically encrypted.

The Purview Message Encryption solution combines identity, authorization, and encryption policies for more secure emails and even provides access to valuable rights templates. For instance, users can implement specific templates for “do not forward” and “encrypt only.”

Who Can Use Message Encryption on Purview?

There are a few prerequisites to using Microsoft Purview Message Encryption. First, you’ll need to ensure you have one of the correct Microsoft plans. Message Encryption is offered as standard as part of Office 365 Enterprise and Microsoft 365 Enterprise E3 and E5 plans. It’s also available on Office 365 A1, A3, and A5, Microsoft 365 Business Premium, Office Government G3, and G5.

Outside these plans, companies can add the Azure Information Protection Plan 1 to any existing Microsoft subscriptions for the Message Encryption service. Every user leveraging the service will need to have the correct license.

You’ll also need the Azure Rights Management service from Azure Information Protection if you’ve previously used Office 365 Message Encryption (OME). Additionally, if you’re using Exchange Online with Active Directory Rights Management Services (AD RMS), you’ll need to migrate from AD RMS to Azure Information Protection.

How is Purview Message Encryption Different from OME?

Microsoft Purview Message Encryption isn’t the first enhanced security service offered to Microsoft mail users. The company previously provided message encryption via Office 365 Message Encryption, which was deprecated on the 1st of July, 2023.

Microsoft says the Purview solution is a much more advanced alternative to the previous OME service. It’s enhanced with new capabilities to deliver a unified and streamlined sender experience for all users. Additionally, recipients who receive protected messages on Outlook won’t need to take further actions to view the message, allowing for better recipient experiences too.

Compared to OME, Purview Message Encryption offers benefits like:

  • An “encrypt-only” option for secure collaboration, custom restrictions, and do-not-forward.
  • Manual encryption from Outlook Desktop, Outlook for Mac, and Outlook for the web.
  • Inline experiences in supported Outlook clients.
  • Federation for accounts outside of Microsoft 365 to improve recipient experiences.
  • Customizable branding and multiple brand templates for emails.
  • The ability to revoke email encryption through admin accounts.
  • Detailed usage reports on the Microsoft Purview compliance portal.

How Does Microsoft Purview Message Encryption Work?

Since Microsoft designed the Purview Message Encryption feature to be as user-friendly as possible, its functionality is relatively straightforward. Administrators establish encryption mail flow rules; when someone sends a message matching those rules, it’s automatically encrypted.

Microsoft notes all users accessing Outlook clients will receive a simple, native reading experience for rights-protected mail, even if they’re not in the same organization as the sender. Recipients of encrypted messages on external accounts receive a “wrapper message.”

This message directs the user to an OME portal, where they can validate their right to access the message using their mail credentials.

The same wrapper mail process occurs when a recipient outside a GCC High client receives a message from a GCC High company.

What is Microsoft Purview Advanced Message Encryption?

Microsoft offers multiple levels of mail protection via Purview’s features. The Advanced option for Microsoft Purview Message Encryption gives admin users more options for creating various branding templates. This allows companies to fine-tune their control of recipient messages.

What’s more, the Advanced service helps companies meet compliance guidelines. It adheres to regulations that require more flexible control over access to messages. Administrators can control which sensitive data is shared outside of an organization. Automation tools allow the system to rapidly detect sensitive information types using keywords.

Admins can also revoke access to email anytime, using the Purview web portal. However, message revocation and “expiration” options only work for messages sent to users outside an organization. Additionally, recipients must receive the message through a web portal. Users can set up custom branding templates that apply the web portal wrapper to ensure this requirement is met.

How to Implement Microsoft Purview Message Encryption

Microsoft offers step-by-step instructions for all users leveraging its Purview ecosystem. If you want to start encrypting your messages, you’ll first need to activate Azure Rights Management. The Message Encryption service relies on the protection features within RMS.

Azure RMS is often activated automatically for most eligible plans. However, if you don’t have the service activated, you can take steps to enable it through PowerShell.

If you’re using Active Directory Rights Management, you must also migrate to the Azure Information Protection service before using message encryption.

Once you’ve activated Azure RMS, you can take an additional, optional step. By default, Microsoft manages the root key for Azure Information Protection for all organizations. However, if you want to change this setting, you can bring your own root key into the system before establishing your message encryption guidelines.

Configuring Purview Messaging Encryption

With your Azure RMS strategy in place, the next step in using Microsoft Purview Message Encryption is configuring your Microsoft 365 tenant. You’ll need to connect to Exchange Online PowerShell using a global administrator account to do this.

Next, run the Get-IRMConfiguration cmdlet. You should see the $true value for the AzureRMSLicensingEnabled parameter. This shows the encryption service is already configured for your tenant. If not, you’ll need to use the Set-IRMConfiguration cmdlet to update this value.

Using PowerShell code, you’ll need to implement security standards using the email address of any user within the Microsoft 365 tenant you’re using. You can then run a test within PowerShell to ensure the encryption option is ready to go. Microsoft offers step-by-step guidance on the PowerShell code you’ll need to use here.
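The configuration steps above as one PowerShell session; this is an added example, not taken from the original article or from Microsoft's guidance. The admin address is a constructed placeholder, and the AIPService and ExchangeOnlineManagement modules are assumed to be installed.

```powershell
# Added example. admin@contoso.example is a constructed placeholder;
# use any licensed mailbox in your own tenant.
$AdminUpn = 'admin@contoso.example'

# Step 1: confirm Azure RMS is activated, and activate it if it is not.
# (The AIPService module runs in Windows PowerShell 5.1.)
Connect-AipService
if ((Get-AipService) -ne 'Enabled') {
    Enable-AipService
}
Disconnect-AipService

# Step 2: connect to Exchange Online PowerShell.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Step 3: check the tenant setting described above and correct it if needed.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
    $irm = Get-IRMConfiguration
}
"AzureRMSLicensingEnabled = $($irm.AzureRMSLicensingEnabled)"

# Step 4: end-to-end test using the address of a user in the tenant.
$test = Test-IRMConfiguration -Sender $AdminUpn -Recipient $AdminUpn
$test.Results

# Fail loudly instead of assuming encryption works.
if (($test.Results | Out-String) -notmatch 'OVERALL RESULT: PASS') {
    throw 'Test-IRMConfiguration did not pass; do not create encryption rules yet.'
}

# Step 5: list the rights templates that mail flow rules can reference
# (the built-in "Encrypt" and "Do Not Forward" should appear).
Get-RMSTemplate | Select-Object Name

Disconnect-ExchangeOnline -Confirm:$false
```

Running the test before any rule exists matters because a mail flow rule that references a template the tenant cannot license will not protect the messages it matches.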

Defining Mail Flow Rules

Once you’re done configuring PowerShell, the next step is to establish mail flow rules for your tenant. If you have previously configured rules for encryption in your organization, you’ll need to update these to leverage the Purview encryption services.

Mail flow rules define the conditions under which email messages should be encrypted. They also outline conditions for removing encryptions. Microsoft’s mail flow rules are flexible. This means users can combine conditions to meet specific security requirements.

For example, users can encrypt all messages containing a keyword or phrase. Plus, they can also ensure these messages are only encrypted for external contacts. To update your encryption rules:

  • Visit the Microsoft 365 admin center, then click on Admin Centers > Exchange.
  • Go to the “Mail Flow” section, and click “Rules.”
  • For each rule, modify the message security, and apply Office 365 Message Encryption and Rights Protection.
  • From the RMS template list, select “Encrypt” followed by “Save” then “Ok.”

You can find a complete guide on how to adjust rules and conditions here.
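The keyword-plus-external-recipient case described above, written as a mail flow rule in Exchange Online PowerShell. This is an added example, not from the original article; the rule name and keyword are hypothetical, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example. Rule name and keyword are hypothetical values.
$RuleName = 'Encrypt external mail containing Confidential'
$Keyword  = 'Confidential'

# Report existing rules that still use the legacy OME action so they can be
# updated to the rights protection template, as the section above describes.
Get-TransportRule |
    Where-Object { $_.ApplyOME } |
    Select-Object Name, State, Priority

# Create the rule only if it does not already exist.
$existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    $ruleParams = @{
        Name                          = $RuleName
        # Condition 1: at least one recipient is outside the organization.
        SentToScope                   = 'NotInOrganization'
        # Condition 2: the subject or body contains the keyword.
        SubjectOrBodyContainsWords    = $Keyword
        # Action: apply the built-in "Encrypt" rights template.
        ApplyRightsProtectionTemplate = 'Encrypt'
        Comments                      = 'Encrypt keyword-matched mail leaving the tenant'
    }
    New-TransportRule @ruleParams
}

# Verify what was actually stored: the rule should be enabled and enforced,
# with both conditions and the template present.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, SentToScope,
        SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate
```

Both conditions must match for the rule to fire, so internal mail containing the keyword is left unencrypted by this rule.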

Applying Advanced Messaging Encryption in Purview

As mentioned above, Microsoft Purview Message Encryption has an “Advanced” option. If you want to leverage the advanced features the service offers, you’ll need a supported subscription. You’ll also need to set up Office 365 Message Encryption capabilities if you haven’t done so already.

With the Advanced Purview options, users aren’t limited to just one branding template. You can create and use multiple different templates. Plus, you’ll be able to enable tracking and revocation of encrypted messages to external parties.

When you use a custom branding template with Microsoft Purview, your external recipients receive a notification. This notification contains a link to the OME portal. Your mail flow rules (see above) will define which template the notification email and portal use.

Using the advanced settings, you can set expiration dates for emails sent to external parties and revoke email access anytime through a secure portal. Plus, Microsoft allows users to monitor encrypted message activity.

Upgrading your Message Encryption with Microsoft

Microsoft Purview Message Encryption gives business users more control over how information is shared inside and outside an organization. If, like many companies, you still rely heavily on email to share sensitive information, this could be a crucial tool for your team.

Although Microsoft does encode and encrypt messages in Outlook by default, it doesn’t provide the high-level security standards some regulated businesses need. To boost your encryption standards and secure your messages on a deeper level, you’ll need the Purview service.



from UC Today https://ift.tt/qO8x5Lw
