How to implement Microsoft Purview Message Encryption and Microsoft Purview Advanced Message Encryption in Exchange Online - aaqibwani/M365 GitHub Wiki
Microsoft Purview Message Encryption is an intuitive service that enables email users to send encrypted messages to people inside and outside their organization. Selected recipients can easily view their encrypted messages and return encrypted replies. This is done regardless of the destination email service, whether it's Microsoft 365, Outlook.com, Yahoo, Gmail, or another service.
Microsoft Purview Advanced Message Encryption provides organizations with greater control. It can be used to create multiple templates for encrypted emails originating from within the organization. These templates can be used to control parts of the end-user experience.
- Check if Azure RMS is enabled using AIP PowerShell:
Install-Module -Name AIPService -Scope CurrentUser
Connect-AipService
Get-AipService
- If Azure RMS is not enabled for your tenant, enable it by running:
Enable-AipService
- Check if Purview Message Encryption is enabled in Exchange Online (the AzureRMSLicensingEnabled value) using EXO PowerShell:
Get-IRMConfiguration
- If it is disabled, enable it by running:
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
- Test IRM configuration by running:
Test-IRMConfiguration [-Sender <email address> -Recipient <email address>]
- If the test FAILS with the error message "Failed to acquire RMS templates", point Exchange at the tenant's RMS licensing endpoint and enable internal licensing:
$RMSConfig = Get-AipServiceConfiguration
$LicenseUri = $RMSConfig.LicensingIntranetDistributionPointUrl
Set-IRMConfiguration -LicensingLocation $LicenseUri
Set-IRMConfiguration -InternalLicensingEnabled $true
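The checks above, as one idempotent script (an added example, not part of the original wiki page). It assumes the AIPService and ExchangeOnlineManagement modules are installed and that the account can change tenant settings; the sender and recipient addresses are placeholders, and the property names OverallResult and Results on the Test-IRMConfiguration output are taken from its documented output format.

```powershell
# Added example (not from the original page): run the Azure RMS / IRM checks
# in order and only change what is not already correct.
param(
    [string]$Sender    = 'sender@contoso.com',    # placeholder: an internal mailbox
    [string]$Recipient = 'recipient@example.com'  # placeholder: any external address
)

Import-Module AIPService
Import-Module ExchangeOnlineManagement
Connect-AipService
Connect-ExchangeOnline

# 1. Azure RMS must be active in the tenant before Exchange can fetch templates.
#    Get-AipService reports the service state as "Enabled" or "Disabled".
$rmsState = Get-AipService
if ("$rmsState" -ne 'Enabled') {
    Write-Warning "Azure RMS is '$rmsState'; enabling it."
    Enable-AipService
}

# 2. Exchange Online must be allowed to use Azure RMS.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

# 3. End-to-end test. OverallResult is PASS or FAIL; Results carries the per-step
#    detail, including the "Failed to acquire RMS templates" text (assumed names).
$test = Test-IRMConfiguration -Sender $Sender -Recipient $Recipient
if ($test.OverallResult -ne 'PASS' -and "$($test.Results)" -match 'Failed to acquire RMS templates') {
    # Point Exchange at the tenant's licensing endpoint and enable internal licensing,
    # then re-run the test so the final state is verified rather than assumed.
    $rmsConfig  = Get-AipServiceConfiguration
    $licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
    Set-IRMConfiguration -LicensingLocation $licenseUri
    Set-IRMConfiguration -InternalLicensingEnabled $true
    $test = Test-IRMConfiguration -Sender $Sender -Recipient $Recipient
}

# Record the resulting configuration as evidence of the change.
Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled, InternalLicensingEnabled, LicensingLocation
"Test-IRMConfiguration overall result: $($test.OverallResult)"
```

Run it from an interactive session, since both Connect- cmdlets prompt for sign-in; re-running it is safe because every change is guarded by a read of the current state.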
One of the key strengths of Purview Message Encryption is that it works across many platforms, including Outlook for desktop, mobile, and web. External recipients using Gmail, Yahoo, or other services can access encrypted messages through a secure web portal. They don't need to install special apps or sign in with a Microsoft 365 account.
The reading experience varies depending on the client. Users in Outlook often see the message natively, while other recipients receive a wrapper message with a link to the secure portal.
You can customize the look and feel of encrypted messages by modifying the branding template used in the encrypted message portal. This helps ensure that external recipients know the message is legitimate and tied to your organization.
If you plan to use Advanced Message Encryption features, such as message expiration or revocation, custom branding is required. This branding is what allows the portal wrapper to be applied consistently and trigger the desired behavior.
- Encrypt-only option. This option enables organizations to encrypt data without other restrictions. The recipients have all usage rights except Save As, Export and Full Control. This combination of usage rights means the recipients have no restrictions except that they can't remove the protection.
- Do Not Forward option. When the system applies this option to an email message, the email is encrypted. This process forces the recipients to authenticate. Recipients can't forward the message, print it, or copy from it.
- In this test, the attached document did not inherit the access rights in either case and could be printed:
You can create mail flow rules to protect email messages you send and receive. For example, you can:
- Set up rules to encrypt outgoing email messages.
- Remove encryption from encrypted messages coming from inside your organization.
- Remove encryption from replies to encrypted messages sent from your organization.
- You can't encrypt inbound mail from senders outside your organization.
- Go to EAC > Mail Flow > Rules > Add a new rule > Create a new rule
- Define the conditions when to apply encryption. Example, I have set the condition to encrypt the emails sent from the members of the 'Finance' group
- Under 'Do the following' select 'Modify the message security' and then select 'Apply Office 365 Message Encryption and rights protection'
- Then select the RMS template you want to apply. In this case, I will be applying the 'Encrypt' template
- Click Next and Create. The rule is disabled by default, so make sure to enable it.
- Sending the email without encryption to Gmail:
- Performing the message trace to verify the rule was applied:
- And as expected, received the email as encrypted in Gmail:
You can apply your company branding to customize the look of your organization's email messages and the encryption portal. To do so, your Microsoft 365 account needs Global Administrator permissions before you can get started. Once you have these permissions, you can customize the following parts of encrypted email messages:
- Introductory text.
- Disclaimer text.
- URL for Your organization's privacy statement.
- Text in the message encryption portal.
- Logo that appears in the email message and encryption portal, or whether to use a logo at all.
- Background color in the email message and encryption portal.
- Let us customize our branding template:
Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is the property of IdiotBox Ltd." -PortalText "IdiotBox Secure Portal" -BackgroundColor "#096B18" -Image ([System.IO.File]::ReadAllBytes('C:\Users\aaqib\OneDrive\Pictures\download.png')) -IntroductionText "sent you a secure message." -ReadButtonText "Click to Read" -EmailText "Encrypted message from IdiotBox secure messaging system" -PrivacyStatementURL "https://idiotbox.in/privacystatement.html"
Microsoft Purview Advanced Message Encryption provides additional protection and control for email messages sent to external recipients. The key features in Microsoft Purview Advanced Message Encryption include:
- Create multiple branding templates.
- Revoke encrypted email.
- Set an expiration date for encrypted email.
- Monitor encrypted message activity.
The following subscriptions include Microsoft Purview Advanced Message Encryption:
- Microsoft 365 Enterprise E5
- Office 365 E5
- Microsoft 365 E5 (Nonprofit Staff Pricing)
- Office 365 Enterprise E5 (Nonprofit Staff Pricing)
- Office 365 Education A5
If your organization has a subscription that doesn't include Microsoft Purview Advanced Message Encryption, you can purchase it with one of the following add-ons:
- Microsoft 365 E5 Compliance SKU add-on for Microsoft 365 E3
- Microsoft 365 E3 (Nonprofit Staff Pricing)
- Office 365 Advanced Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), and Office 365 SKUs
- Microsoft 365 E5/A5 Information Protection and Governance SKU add-on for Microsoft 365 A3/E3
Microsoft Purview Advanced Message Encryption doesn't limit you to a single branding template. Instead, you can create and use multiple branding templates.
Let's create a new OME template that we will use for Finance users, disable the social sign in and set the expiry as 7 days.
New-OMEConfiguration -Identity "Finance Template" -DisclaimerText "This message is the property of IdiotBox Ltd. Finance Department" -PortalText "IdiotBox Finance" -BackgroundColor "#096B18" -Image ([System.IO.File]::ReadAllBytes('C:\Users\aaqib\OneDrive\Pictures\download.png')) -IntroductionText "sent you a secure message." -ReadButtonText "Click to Read" -EmailText "Encrypted message from IdiotBox financing secure messaging system" -PrivacyStatementURL "https://idiotbox.in/privacystatement.html" -SocialIdSignIn $false -ExternalMailExpiryInDays 7
I will modify the rule created in the previous step and add the new custom branding template 'Finance Template':
IMPORTANT: For a custom branding template to be applied, the rule must include the condition "The sender is located inside the organization" in addition to any other conditions you need. The branding action by itself does not encrypt the message, so either keep a separate, higher-priority rule that encrypts it or add the encryption action to the same rule, as below:
The additions I made to the above rule are highlighted:
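The same rule built with the Exchange Online cmdlets instead of the EAC: the Finance encryption rule from the mail flow section above, plus the two additions this section requires (the sender-in-organization condition and the custom branding action). This is an added example, not code from the original page; it assumes an Exchange Online PowerShell session, and the group address, rule name and sender address are placeholders. The template name 'Finance Template' is the one created with New-OMEConfiguration above.

```powershell
# Added example (not from the original page): create or update the Finance
# encryption rule with both the encryption action and the custom branding.
$financeGroup = 'finance@contoso.com'   # placeholder: SMTP address of the 'Finance' group
$brandingName = 'Finance Template'      # OME configuration created with New-OMEConfiguration
$ruleName     = 'Encrypt Finance mail'  # placeholder rule name

# Sanity checks: the RMS template and the OME configuration must exist before the
# rule references them, and the branding should carry the settings we expect.
$rmsTemplate = Get-RMSTemplate | Where-Object { $_.Name -eq 'Encrypt' }
if (-not $rmsTemplate) { throw "RMS template 'Encrypt' not found; run Test-IRMConfiguration first." }
$ome = Get-OMEConfiguration -Identity $brandingName
if ($ome.ExternalMailExpiryInDays -ne 7 -or $ome.SocialIdSignIn) {
    Write-Warning "'$brandingName' does not have the expected 7-day expiry / no social sign-in."
}

# Conditions: sender is a member of Finance AND is inside the organization
# (FromScope InOrganization is the "sender is located inside the organization"
# condition the branding template needs).
# Actions: encrypt with the 'Encrypt' template AND apply the custom branding, so
# one rule both protects the message and brands the portal wrapper.
$ruleParams = @{
    FromMemberOf                               = $financeGroup
    FromScope                                  = 'InOrganization'
    ApplyRightsProtectionTemplate              = 'Encrypt'
    ApplyRightsProtectionCustomizationTemplate = $brandingName
}
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @ruleParams
} else {
    # Unlike the EAC wizard, New-TransportRule creates the rule enabled; -Enabled
    # is stated explicitly anyway, and priority 0 puts it ahead of other rules.
    New-TransportRule -Name $ruleName -Priority 0 -Enabled $true @ruleParams
}

# Verify the rule is enabled and carries both conditions and both actions.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, Priority, FromMemberOf, FromScope,
                  ApplyRightsProtectionTemplate, ApplyRightsProtectionCustomizationTemplate

# After sending a test message, confirm in the message trace that a transport
# rule fired for it (the 'Transport rule' event carries the rule name in Detail).
Get-MessageTrace -SenderAddress 'alice@contoso.com' `
    -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Get-MessageTraceDetail |
    Where-Object { $_.Event -eq 'Transport rule' } |
    Select-Object Date, Event, Detail
```

Keeping encryption and branding in one rule avoids the failure mode where the branding rule matches but the encrypting rule is lower in priority or disabled, leaving the message branded but unprotected.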
Now when I send the email from a user who is part of the Finance group, this is what the recipient will see. Notice the expiry and the changes to the branding:
And since I disabled social sign in on this template, I only get an option to authenticate using an OTP:
You can only revoke messages that users receive through the message encryption portal. In other words, email that has a custom branding template applied.
Let's assume a message was encrypted using Microsoft Purview Advanced Message Encryption. Either a Microsoft 365 administrator or the sender of the message can revoke the message under certain conditions:
- Microsoft 365 administrators can revoke messages using PowerShell.
- The sender can revoke a message if they sent it directly from Outlook on the web.
- Administrators and message senders can revoke encrypted emails if the recipient received a link-based, branded encrypted email. If the recipient received a native inline experience in a supported Outlook client, then they can't revoke the message.
Connect to EXO PowerShell and run:
Get-OMEMessageStatus -MessageId "<message id>" | ft -a Subject, IsRevocable
If the IsRevocable field is True, you can revoke the access to the encrypted email:
Set-OMEMessageRevocation -Revoke $true -MessageId "<messageId>"
Get-OMEMessageStatus -MessageId "<messageId>" | ft -a Subject, Revoked
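The revocation steps above as one script that also finds the message ID for you, since Get-OMEMessageStatus and Set-OMEMessageRevocation need the Internet message ID rather than a subject. This is an added example, not code from the original page; it assumes an Exchange Online PowerShell session, and the sender address and subject are placeholders.

```powershell
# Added example (not from the original page): locate a branded encrypted message
# by sender and subject, check that it is revocable, revoke it, and confirm.
param(
    [string]$SenderAddress = 'alice@contoso.com',  # placeholder
    [string]$Subject       = 'Q3 forecast',         # placeholder
    [int]$LookbackHours    = 24
)

# Message trace supplies the MessageId (with angle brackets) that the OME cmdlets key on.
$trace = Get-MessageTrace -SenderAddress $SenderAddress `
            -StartDate (Get-Date).AddHours(-$LookbackHours) -EndDate (Get-Date) |
         Where-Object { $_.Subject -eq $Subject } |
         Sort-Object Received -Descending |
         Select-Object -First 1
if (-not $trace) {
    throw "No message from $SenderAddress with subject '$Subject' in the last $LookbackHours h."
}
$messageId = $trace.MessageId

# Only link-based (custom-branded) messages are revocable. A message read inline in
# a supported Outlook client reports IsRevocable = False, so stop rather than fail.
$status = Get-OMEMessageStatus -MessageId $messageId
if (-not $status.IsRevocable) {
    Write-Warning "Message $messageId is not revocable (recipient likely got the inline experience)."
    return
}
if ($status.Revoked) {
    Write-Host "Message $messageId was already revoked."
    return
}

Set-OMEMessageRevocation -MessageId $messageId -Revoke $true

# Re-read the status; a recipient who follows the portal link now sees that the
# message was revoked instead of its content.
$after = Get-OMEMessageStatus -MessageId $messageId
[pscustomobject]@{
    MessageId = $messageId
    Subject   = $after.Subject
    Revoked   = $after.Revoked
}
```

Checking IsRevocable before calling Set-OMEMessageRevocation matters because the same mail flow rule produces a link-based message for Gmail recipients and an inline one for Outlook recipients; only the former can be pulled back.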