New IRM Option to Control Decryption of Attachments of Encrypted Messages


Encrypt Only

In March 2018, Microsoft introduced the ability for Office 365 users to use the Encrypt Only feature to encrypt email sent from Outlook 2016 and OWA. Part of Office 365 Message Encryption and included in the Office 365 E3 and E5 plans (also available as an add-on), the idea behind the Encrypt Only feature is to avoid the need for people to use S/MIME to protect their outbound email. Messages encrypted by Office 365 can be read by recipients in any email service.

Introducing DecryptAttachmentForEncryptOnly

On August 23, Microsoft updated the Information Rights Management (IRM) configuration for tenants with a new setting called DecryptAttachmentForEncryptOnly. The new setting controls if Exchange Online decrypts attachments of messages protected with Encrypt Only when opened by authenticated users.

The default is False, meaning that attachments remain protected when downloaded (Figure 1). In other words, the sender exerts control over the file.

Encrypted Word Attachment
Figure 1: Attachments remain encrypted

Change the setting to True if you want recipients to be able to do whatever they want after they download attachments. To update, connect to Exchange Online with PowerShell and run the command:

Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $True

Changes made to the IRM configuration are effective tenant-wide immediately.

No Online Edits for OWA

If you opt for unrestricted access, be aware that users cannot perform an online edit of an Office attachment protected by Encrypt Only with OWA. You’d expect that this would be the case, but OWA preserves encryption unless an attachment is downloaded. So if you click Preview for an Office attachment and then click Edit and reply, you’ll see:


The workaround is to download any attachment you want to edit as this forces Exchange Online to decrypt the file.

The DecryptAttachmentFromPortal Setting

The DecryptAttachmentFromPortal setting was introduced some time ago to allow recipients who don’t have an Azure Active Directory account (services such as Gmail, Yahoo!, and Yandex) to access encrypted message attachments. This setting is now deprecated in favor of DecryptAttachmentForEncryptOnly.

No Other IRM Templates Affected

The DecryptAttachmentForEncryptOnly setting only applies to attachments for messages sent using the Encrypt Only feature. They don’t apply to attachments protected with any other rights management template.

One Configuration

The new setting allows tenants to control how recipients interact with attachments protected by the Encrypt Only feature. It’s worth emphasizing that the IRM configuration applies tenant-wide and you cannot change a setting for one message, one sender, or a recipient. Once you change a setting, it applies for all messages.

For more information about protecting email and documents, see Chapter 24 of Office 365 for IT Pros.

3 Replies to “New IRM Option to Control Decryption of Attachments of Encrypted Messages”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.