In March 2018, Microsoft introduced the ability for Office 365 users to use the Encrypt Only feature to encrypt email sent from Outlook 2016 and OWA. Part of Office 365 Message Encryption and included in the Office 365 E3 and E5 plans (also available as an add-on), the idea behind the Encrypt Only feature is to avoid the need for people to use S/MIME to protect their outbound email. Messages encrypted by Office 365 can be read by recipients in any email service.
On August 23, Microsoft updated the Information Rights Management (IRM) configuration for tenants with a new setting called DecryptAttachmentForEncryptOnly. The new setting controls if Exchange Online decrypts attachments of messages protected with Encrypt Only when downloaded by recipients who have an Azure Active Directory account, such as those belonging to an Office 365 tenant or Outlook.com.
The default is False, meaning that attachments remain protected when downloaded (Figure 1). In other words, the sender exerts control over the file.
Change the setting to True if you want recipients to be able to do whatever they want after they download attachments. To update, connect to Exchange Online with PowerShell and run the command:
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $True
Changes made to the IRM configuration are effective tenant-wide immediately.
No Online Edits for OWA
If you opt for unrestricted access, be aware that users cannot perform an online edit of an Office attachment protected by Encrypt Only with OWA. You’d expect that this would be the case, but OWA preserves encryption unless an attachment is downloaded. So if you click Preview for an Office attachment and then click Edit and reply, you’ll see:
The workaround is to download any attachment you want to edit as this forces Exchange Online to decrypt the file.
The DecryptAttachmentFromPortal Setting
The DecryptAttachmentFromPortal setting is also available in the IRM configuration. Microsoft introduced this setting some time ago to allow recipients who don’t have an Azure Active Directory account (services such as Gmail, Yahoo!, and Yandex) to access encrypted message attachments.
The default for DecryptAttachmentFromPortal is False. Recipients can access the text of an encrypted message via the Office 365 Message Encryption (OME) portal, but they can’t decrypt attachments. If you change the setting to True, Exchange Online decrypts attachments on behalf of the recipients when they download encrypted messages from the OME portal. To update the IRM configuration, run this command:
No Other IRM Templates Affected
The DecryptAttachmentFromPortal and DecryptAttachmentForEncryptOnly settings only apply to attachments for messages sent using the Encrypt Only feature. They don’t apply to attachments protected with any other rights management template.
These settings allow tenants to control how recipients interact with attachments protected by the Encrypt Only feature. It’s worth emphasizing that the IRM configuration applies tenant-wide and you cannot change a setting for one message, one sender, or a recipient. Once you change a setting, it applies for all messages.
For more information about protecting email and documents, see Chapter 24 of Office 365 for IT Pros.