Exploring The New Office 365 Email Protection and Encryption Options

If you saw my previous post on setting up message encryption to allow users to encrypt emails containing sensitive information like me you found it a great feature but now its got even better.

The new system uses Azure Information Protection (AIP) to protect emails from being viewed by external contacts to the company, stops emails from being copied or printed and allows you to send encrypted emails to external contacts simply by setting a protection option when writing an email.

Email just got a whole lot more secure and I’m sure its going to get even better as time goes on.

With the new Protect options you now have three default protection options, each include encryption ensuring that the data is protected and its read by the intended recipient.

Do Not Forward

This option will:

  • Prevents the recipients from forwarding the email to anyone else
  • Prevents printing
  • Protects the contents using encryption.

Confidential \ All Employees

This option will:

  • Prevents external recipients from being able to view the email
  • Prevents the recipients from forwarding the email to anyone else
  • Prevents printing
  • Protects the contents using encryption.

Highly Confidential \ All Employees

This option will:

  • Prevents external recipients from being able to view the email
  • Prevents the recipients from forwarding the email to anyone else
  • Prevents recipients from replying
  • Prevents printing
  • Protects the contents using encryption.

I’m using web mail here but the new Protect option is also available in the Outlook application. Start a new email and click on the Protect button.

Along the top of the email it will set the default permissions of ‘Do Not Forward’. Click change Permissions if you want to set any other from the selection. Here I select ‘Do Not Forward’ to demonstrate how the email will look to an external recipient.

Here I send a test email to a gmail account

The recipient will receive an email from me with the subject line visible but the content is protected. The recipient simply clicks on the read message link to start the authentication process.


Next the recipient is asked to sign in using their google account or by using a One-time passcode. The passcode is an email sent to them containing a pin number which needs to be entered to authenticate the user.

Once authenticated the user will now be able to read the content of the email and notice they cannot forward or print the content directly from the webpage.

Next lets try sending another test email using the Confidential – All employees permissions.

Here I send an email to an external recipient and also someone within the same domain.

The external recipient will still receive the email to their account.

Once authenticated the recipient will be presented with this message stopping them from reading the content. The internal recipient was able to read and view the email with no issues.

And finally our last test, sending an email using the Highly Confidential permission. As before this setting only permits internal contacts from being able to read the message.

Here the internal recipient received the email and they are unable to reply, forward or print the email helping to protect the data. Also notice how internal recipients are not required to authenticate to view the email.



Email has been a security risk for a long time but now with the great work the Office 365 development teams are doing we have more ways of protecting data. The new protection framework is so easy to use it’s silly to not make use of it so give it a try now.

Here is a copy of Microsoft’s PowerShell script which will enable the new protect features in your Office 365 tenant. If you have any issues with it let me know. Also a special thank you to Salah Ahmed at Microsoft for sharing this content with me so I can help spread the word about the new features!

#Step 1: Connect to the Azure Rights Management service.
$cred = Get-Credential
Get-Command -Module aadrm
Connect-AadrmService -Credential $cred
#Step 2: Activate the service.
#Step 3: Get the configuration information needed for message encryption.
$rmsConfig = Get-AadrmConfiguration
$licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
#Step 4: Disconnect from the service.
#Step 5: Create a remote PowerShell session and connect to Exchange Online.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session
#Step 6: Collect IRM configuration for Office 365.
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
if (!$list) { $list = @() }
if (!$list.Contains($licenseUri)) { $list += $licenseUri }
#Step 7: Enable message encryption for Office 365.
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true
#Step 8: Enable the Protect button in Outlook on the web (Optional).
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
#Step 9: Enable server decryption for Outlook on the web, Outlook for iOS, and Outlook for Android.
Set-IRMConfiguration -ClientAccessServerEnabled $true


Author: Ian@SlashAdmin

Share This Post On
468 ad


  1. Hello,

    is it possible to configure:

    Confidential \ Recipients Only
    Highly Confidential \ Recipients Only

    with possibility to disable mail view for external users even in the recipients list

    Post a Reply
    • Hi Giedrius,

      If you select the ‘Do Not Forward’ option it will prevent printing or copying of content so no reason to create a new policy.

      The Confidential and Highly Confidential policies will prevent any recipients from viewing the message if they are external to the tenant.

      So if you want to prevent external users reading the mail just choose one of the Confidential policies.

      If I’ve miss understood the question please clarify for me.

      Thanks for checking out the blog! 🙂

      Post a Reply
  2. Hello, how to protect the attached document in the email with these permission function?


    Post a Reply
  3. Thank you for this helpful information! Do you happen to know if the Do Not Forward (which includes encryption) meets HIPPAA requirements for sharing private health information?

    Post a Reply
  4. Is it possible to automate the process via Powershell to send emails ? We used a template in the past using send-mailmessage but I’m looking into sending “encrypted do not forward” and can’t figure out how to

    Post a Reply

Submit a Comment

Your email address will not be published.