Message encryption version comparison - Microsoft Purview (compliance) (2022)

Important

On February 28, 2021, Microsoft deprecated support for AD RMS in Exchange Online. If you've deployed a hybrid environment where your Exchange mailboxes are online and you're using IRM with Active Directory RMS on-premises, you'll need to migrate to Azure. Organizations that have deployed into the GCC Moderate environment are also affected. See "Overview of AD RMS deprecation in Exchange Online" in this article for information.

The rest of this article compares legacy Office 365 Message Encryption (OME) to Microsoft Purview Message Encryption and Microsoft Purview Advanced Message Encryption. Microsoft Purview Message Encryption is a merger and newer version of both OME and Information Rights Management (IRM). Unique characteristics of deploying into GCC High are also outlined. The two can coexist in your organization. For information on how the new capabilities work, see Office 365 Message Encryption (OME).

This article is part of a larger series of articles about message encryption. This article is intended for administrators and ITPros. If you're just looking for information on sending or receiving an encrypted message, see the list of articles in Message encryption and locate the article that best fits your needs.

Exchange Online includes Information Rights Management (IRM) functionality that provides online and offline protection of email messages and attachments. By default, Exchange Online uses Azure Information Protection. However, your organization may have configured Exchange Online IRM to use on-premises Active Directory Rights Management Service (AD RMS). AD RMS support in Exchange Online is retiring. Instead, Azure Information Protection will replace AD RMS entirely.

To assess whether this deprecation impacts your organization, see How to migrate AD RMS to Azure RMS in Exchange Online. This article provides recommendations on migration options.

Side-by-side comparison of message encryption features and capabilities

Situation: Sending an encrypted mail
  • Legacy OME: Through Exchange mail flow rules
  • IRM in AD RMS: End-user initiated from Outlook desktop or Outlook on the Web; or through Exchange mail flow rules
  • Microsoft Purview Message Encryption: End-user initiated from Outlook desktop, Outlook for Mac, or Outlook on the Web; through Exchange mail flow rules (also known as transport rules) and data loss prevention (DLP)

Situation: Rights management template
  • Legacy OME: N/A
  • IRM in AD RMS: Do Not Forward option and custom templates
  • Microsoft Purview Message Encryption: Do Not Forward option, encrypt-only option, and custom templates

Situation: Recipient type
  • Legacy OME: Internal and external recipients
  • IRM in AD RMS: Internal recipients only
  • Microsoft Purview Message Encryption: Internal and external recipients

Situation: Experience for internal recipient
  • Legacy OME: Recipients receive an HTML message, which they download and open in a web browser or mobile app
  • IRM in AD RMS: Native inline experience in Outlook clients
  • Microsoft Purview Message Encryption: Native inline experience for recipients in the same organization using Outlook clients. Recipients can read message from OME portal using clients other than Outlook (no download or app required).

Situation: Experience for external recipient
  • Legacy OME: Recipients receive an HTML message, which they download and open in a web browser or mobile app
  • IRM in AD RMS: N/A
  • Microsoft Purview Message Encryption: Native inline experience for Microsoft 365 recipients. All other recipients can read message from OME portal (no download or app required).

Situation: Attachment permissions
  • Legacy OME: No restrictions on attachments
  • IRM in AD RMS: Attachments are protected
  • Microsoft Purview Message Encryption: Attachments are protected for the Do Not Forward option and custom templates. Admins can choose whether attachments for the encrypt-only option are protected or not.

Situation: Bring your own key (BYOK) support
  • Legacy OME: None
  • IRM in AD RMS: None
  • Microsoft Purview Message Encryption: BYOK supported

Advantages of Microsoft Purview Message Encryption over legacy OME

The new capabilities provide the following advantages:

  • Ability to use the encrypt-only option (which enables secure collaboration), Do Not Forward option, and custom restrictions.
  • Senders can send mail encrypted with the new capabilities manually from Outlook Desktop, Outlook for Mac and Outlook on the web clients.
  • Microsoft 365 recipients get to use an inline experience in supported Outlook clients. Alternatively, admins can choose to show Microsoft 365 recipients a branded experience.
  • Accounts outside of Microsoft 365, such as Gmail, Yahoo, and Microsoft accounts, are federated with the OME portal, which provides a better user experience for these recipients. All other identities use a one-time pass code to access encrypted messages.
  • Admins can customize branding, and create multiple branding templates.
  • Admins can revoke emails encrypted with the new capabilities.
  • The new capabilities provide detailed usage reports through the Security & Compliance Center.

Microsoft Purview Advanced Message Encryption capabilities

Microsoft Purview Advanced Message Encryption offers additional capabilities on top of Microsoft Purview Message Encryption. You must have Microsoft Purview Message Encryption set up in your organization in order to use Advanced Message Encryption. Also, in order to use these capabilities, recipients must view and reply to secure mail through the Microsoft Purview Message Encryption Portal. The advanced capabilities include:

  • Message revocation

  • Message expiration

  • Multiple branding templates

Advanced Message Encryption is not supported in GCC High.

For information on using Advanced Message Encryption, see Microsoft Purview Advanced Message Encryption.

Unique characteristics of Microsoft Purview Message Encryption in a GCC High deployment

If you plan to use Microsoft Purview Message Encryption in a GCC High environment, there are some unique characteristics regarding the recipient experience.

Encrypted email between GCC High and GCC High recipients

Senders can manually encrypt emails in Outlook for PC and Mac and Outlook on the web, or organizations can set up a policy to encrypt emails using Exchange mail flow rules.

Recipients inside GCC High receive the same inline reading experience in Outlook for PC and Mac and Outlook on the web as all other users.

Encrypted email between GCC High and Non-GCC High recipients

Senders inside GCC High can send encrypted email outside of the GCC High boundary and vice versa.

All recipients outside GCC High, including commercial Microsoft 365 users, Outlook.com users, and other users of other email providers such as Gmail and Yahoo, receive a wrapper mail. This wrapper mail redirects the recipient to the Microsoft Purview Message Encryption Portal where the recipient can read and reply to the message. This is also true for senders outside GCC High sending OME encrypted mail to GCC High.

Coexistence of legacy OME and Microsoft Purview Message Encryption in the same tenant

You can use both legacy OME and Microsoft Purview Message Encryption in the same tenant. As an administrator, you do this by choosing which version of message encryption you want to use when you create your mail flow rules.

  • To specify the legacy version of OME, use the Exchange mail flow rule action Apply the previous version of OME.

  • To specify Microsoft Purview Message Encryption, use the Exchange mail flow rule action Apply Office 365 Message Encryption and rights protection.

Users can manually send mail that is encrypted with Microsoft Purview Message Encryption from Outlook Desktop, Outlook for Mac, and Outlook on the web.

Migrate from legacy OME to Microsoft Purview Message Encryption

Even though both versions can coexist, we highly recommend that you edit your old mail flow rules that use the rule action Apply the previous version of OME to use Microsoft Purview Message Encryption. Update these rules to use the mail flow rule action Apply Office 365 Message Encryption and rights protection, and select "Encrypt" in the RMS template list. For instructions, see Define mail flow rules to encrypt email messages.
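
The coexistence check and the migration step above, as an added Exchange Online PowerShell example (not part of the original article): it lists which mail flow rules apply which encryption version, then previews converting the legacy ones to the "Encrypt" template. It assumes a session opened with Connect-ExchangeOnline, and that the rule action Apply the previous version of OME corresponds to the -ApplyOME parameter and Apply Office 365 Message Encryption and rights protection to -ApplyRightsProtectionTemplate.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already
# connected (Connect-ExchangeOnline) with rights to manage transport rules.

$rules = Get-TransportRule -ResultSize Unlimited

# Classify each mail flow rule by the encryption action it applies.
# Rules that apply neither action are left out of the inventory.
$inventory = foreach ($rule in $rules) {
    $version = if ($rule.ApplyOME) {
        'Legacy OME'
    } elseif ($rule.ApplyRightsProtectionTemplate) {
        'Microsoft Purview Message Encryption'
    } else {
        $null
    }

    if ($version) {
        [pscustomobject]@{
            Name     = $rule.Name
            State    = $rule.State      # disabled rules still need migrating before re-enabling
            Priority = $rule.Priority
            Version  = $version
            Template = $rule.ApplyRightsProtectionTemplate
        }
    }
}

# Review the split before changing anything.
$inventory | Sort-Object Priority | Format-Table -AutoSize

# Preview the migration: turn off the legacy action and apply the
# "Encrypt" RMS template instead. -WhatIf reports what would change
# without modifying the rule; remove it once the preview looks right.
$inventory |
    Where-Object { $_.Version -eq 'Legacy OME' } |
    ForEach-Object {
        Set-TransportRule -Identity $_.Name `
            -ApplyOME $false `
            -ApplyRightsProtectionTemplate 'Encrypt' `
            -WhatIf
    }
```

Rerun the inventory after the change; no rule should remain in the Legacy OME group.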

Get started with OME

Typically, Microsoft Purview Message Encryption is automatically enabled for your organization. For more information about Microsoft Purview Message Encryption within your organization, see Set up Microsoft Purview Message Encryption.

The legacy version of OME is automatically enabled for your organization if you have enabled Azure Information Protection. In the past, legacy OME worked even if Azure Information Protection wasn't enabled. This is no longer the case.

To start using legacy OME, if you have enabled Azure Information Protection, configure mail flow rules that use the rule action Apply the previous version of OME. For instructions, see Define mail flow rules to encrypt email messages.

FAQs

What is Microsoft Purview Message Encryption?

Microsoft Purview Message Encryption allows organizations to share protected email with anyone on any device. Users can exchange protected messages with other Microsoft 365 organizations, as well as third-parties using Outlook.com, Gmail, and other email services.

What is the difference between AIP and OME?

OME vs AIP

If you want to protect documents attached to an email only on the transport layer, or if you want to use the “Do not forward” feature, OME is the way to do it. If you want to protect the document also after the email is received and the document is downloaded, then you need AIP.

What is E3 encryption?

We're building encryption infrastructure for developers. At the core of this infrastructure is E3, the Evervault Encryption Engine. E3 is a simple encryption service for performing cryptographic operations with low latency, high scalability and extreme reliability.

Does Microsoft 365 Business Standard have encryption?

Microsoft 365 users can use Outlook for PC versions 2019 and Microsoft 365 to create mail protected with the encrypt-only policy.

Which Microsoft 365 compliance feature can you use to encrypt?

Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Microsoft 365 offers an added layer of encryption for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Microsoft Teams.

What is O365 advanced compliance?

O365 Advanced Compliance reduces the volume of data by eliminating duplicate files, reconstructing email threads and identifying key themes and data relationships.

What is AIP encryption?

AIP is a Windows plugin that classifies, protects and encrypts documents before sending them in email or posting them on a website. If you do not have a Windows computer you can still view protected files by installing the AIP Viewer App.

Who can use OME?

The new Office 365 Message Encryption (OME) capabilities allow organizations to share protected email with anyone on any device. Users can exchange protected messages with other Microsoft 365 organizations, as well as non-customers using Outlook.com, Gmail, Yahoo and other email services.

Does Office 365 Business Premium include encryption?

Message Encryption - Microsoft 365 Business Premium's built-in message encryption combines encryption and access rights capabilities to ensure only intended recipients can view the contents of the message. Message encryption is compatible with email services including Outlook.com, Yahoo!, Gmail, and more.

Does Office 365 E1 include email encryption?

Office 365 E1 doesn't support Office 365 message encryption feature. But this feature can be enabled via buying an add-on (Azure Information Protection) under the current Subscription.

Does Office 365 encrypt emails?

Microsoft 365 uses encryption in two ways: in the service, and as a customer control. In the service, encryption is used in Microsoft 365 by default; you don't have to configure anything. For example, Microsoft 365 uses Transport Layer Security (TLS) to encrypt the connection, or session, between two servers.

What is Microsoft IRM?

Information Rights Management (IRM) helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. The permissions are stored in the document, workbook, presentation, or e-mail message, where they are authenticated by an IRM server.

What Office 365 license includes encryption?

Microsoft 365 Message Encryption is offered as part of Office 365 E3 and E5, Microsoft E3 and E5, Office 365 A1, A3, and A5, and Office 365 G3 and G5. Customers do not need additional licenses to receive the new protection capabilities powered by Azure Information Protection.

Is Office 365 encryption HIPAA compliant?

Yes, with a signed BAA and proper usage, Office 365 is HIPAA compliant. It is the responsibility of the covered entity to ensure that a BAA is signed before Office 365 can be used to transmit, store, or maintain PHI.

Does Office 365 E3 include email encryption?

Here's the added good news: Office 365 E3 and E4 users will get Office 365 Message Encryption at no extra cost. We're including it in Windows Azure Rights Management, which is already part of E3 and E4 plans.

Which Microsoft 365 compliance Center feature can you use to identify all the documents on a Microsoft SharePoint online site that contain a specific keyword?

You can use the Content search eDiscovery tool in the Microsoft Purview compliance portal to search for in-place content such as email, documents, and instant messaging conversations in your organization. Use this tool to search for content in these cloud-based Microsoft 365 data sources: Exchange Online mailboxes.

What is AES 256 encryption algorithm?

The AES Encryption algorithm (also known as the Rijndael algorithm) is a symmetric block cipher algorithm with a block/chunk size of 128 bits. It converts these individual blocks using keys of 128, 192, and 256 bits. Once it encrypts these blocks, it joins them together to form the ciphertext.

How strong is Microsoft Word encryption?

How secure is the encryption? The encryption in Microsoft Office 2016 is considered safe (AES with 256-bit key) and takes a very long time to break with today's machine resources if the password is secure enough. See the Username and Password page for more information on how to make secure passwords.

What is o365 security and compliance?

The Microsoft Office 365 Security & Compliance Center is an enterprise email security and data protection solution purpose-built for organizations who use Office 365 business products, Outlook, and Exchange servers alike.

Do all users need E5 license?

E5 licenses are a great choice, however that does not mean every user within your organization needs an Office 365 E5 or Microsoft 365 E5 license. Users who only work with users within your organization probably have no need for PSTN conferencing capabilities and therefore a lower tier license may be appropriate.

Does E3 include DLP?

Office 365 and Microsoft 365 E3 include DLP protection for SharePoint Online, OneDrive, and Exchange Online. This also includes files that are shared through Teams because Teams uses SharePoint Online and OneDrive to share files.

How do I open a Microsoft encrypted message?

Create a Microsoft account for viewing encrypted messages
  1. Open the message in your Inbox. ...
  2. Select SIGN IN AND VIEW YOUR ENCRYPTED MESSAGE.
  3. Select the option to create a Microsoft account.
  4. Fill out the Create an account form. ...
  5. Review the summary page and select Verify your email address.

How does o365 message encryption work?

Office 365 Essentials: Office Message Encryption - YouTube

Does Microsoft Business Premium have email encryption?

Message Encryption - Microsoft 365 Business Premium's built-in message encryption combines encryption and access rights capabilities to ensure only intended recipients can view the contents of the message. Message encryption is compatible with email services including Outlook.com, Yahoo!, Gmail, and more.

What is Barracuda email encryption Service?

The Barracuda Email Security Service secures your mail by encrypting it during transport to the Barracuda Message Center, encrypting it at rest for storage in the cloud, and providing secure retrieval by your recipients through HTTPS Web access.

Article information

Author: Rueben Jacobs

Last Updated: 06/28/2022
