Encrypted or protected email is becoming more common inside Office 365 with the advent of the Encrypt-Only feature available in Outlook 2016 (Click to Run) and OWA.
You can include a mixture of internal and external recipients, including those who do not use Office 365, in the recipient list for a protected message and, subject to scoping defined for the template used to protect the message, will be able to open and access the content. You can also send protected messages to other Office 365 destinations, but as explained below, some restrictions apply.
Office 365 Groups
Protected messages (and attachments) sent to an Office 365 group can be read by any member of the group, including guest users, because they authenticate their access through membership of the group.
Scoped Templates will Stop Access
The exception is when the template used to protect a message is scoped to assign permissions to specific recipients and a member of the Office 365 group is not included. In this case, the group member sees a conversation and who contributed to the conversation, but can’t see the content of the message (see below). if they click the banner telling them that a message can’t be displayed, they see the link to the Office 365 Message Encryption portal. However, this link won’t give them access because their account is not in the permissions list for the message.
Protected messages sent to a shared mailbox can be opened and read by those with access to the shared mailbox if they use OWA. However, the same people can’t read the messages if they use Outlook. The difference in behavior is explained by the way that OWA fetches use licenses. Microsoft has admitted that they need to make both clients work the same way.
Protected messages sent to the email address of a Teams channel (for example, firstname.lastname@example.org) are rejected by Exchange Online because the transport service cannot re-encrypt the message for delivery to the phantom mailbox used to route messages to Teams. As shown below, the sender receives a 5.7.1.Delivery Service Notification (DSN). Exchange Online decrypts protected messages as they pass through the transport service to allow transport rules to process the content.
The same happens if you try to post a protected message to a Yammer group (with an address like office365QAemail@example.com). Again, Exchange Online can’t re-encrypt the message to deliver it to Yammer, so it issues a 5.7.1. DSN.
Learn all about rights management, templates, and email protection in Chapter 24 of the Office 365 for IT Pros eBook.