Using S/MIME with the Azure Information Protection Client

S/MIME and the Unified Labeling Client

One of the interesting aspects of the latest release of the Azure Information Protection (AIP) client  (version is its ability to use an existing S/MIME deployment instead of cloud-based rights management to sign and encrypt email.  The integration is only supported for the click-to-run version of Outlook 2016 for Windows.

The idea is that you can create a custom configuration for Outlook to call S/MIME instead of the normal rights management templates to encrypt an outbound message (read the online instructions). The custom configuration associates an S/MIME action (sign, encrypt, or both) with an AIP label. When the user applies the label to a message, the AIP client updates the message properties with the label metadata and applies whatever S/MIME action is defined.

The idea is not to replace rights management with S/MIME. Instead, it’s to help a small group of customers who have invested in deploying an S/MIME infrastructure. The custom AIP configuration does nothing to help customers manage S/MIME; it simply applies the S/MIME protection if it is available and functional.

Not for Most Office 365 Tenants

Although this feature proves the flexibility of the AIP client, I don’t think it is of much interest to the majority of Office 365 tenants. Here’s why:

  • The solution only works for Outlook for Windows.
  • Cloud-based rights management is built into and enabled for every Office 365 E3 and E5 tenant. You don’t have to do any work to encrypt messages with Outlook and OWA (or read those messages on any email client).
  • The advent of Office 365 sensitivity labels, which will work for Office applications (Windows, Mac, and Online) in addition to email, makes rights management even more valuable. It’s not hard to see how Microsoft will extend coverage of sensitivity labels to other Office 365 data (like Teams conversations or channels) in the future.
  • Rights management makes it easy to protect messages with transport rules.

So, a nice feature if you use S/MIME and have invested in that technology – but maybe it’s time for you to think about using something more modern and functional to protect more than just email?

To read more about sensitivity labels, rights management, and encryption, go to Chapter 24 of the Office 365 for IT Pros eBook.
