In this blog post, we'll give you step-by-step instructions for configuring Office Message Encryption. I have to say they aren't for the faint of heart! Enabling OME is considerably more involved than setting up the other Microsoft email security products, such as Office 365 ATP, Exchange Online Protection, or DKIM, DMARC, and SPF.
This blog is the third post of a five-post series titled Your Complete Guide to Microsoft Email Security. The 5 steps to email security are:
Note: This blog was last reviewed 2/2022. We do our best to keep all of our blogs up to date to offer you the best, most accurate guidance possible. If you notice otherwise, please drop a comment so we can update the blog. Thank you!
Short answer: yep.
If you're still not convinced why you need email security, Microsoft breaks it down nicely here:
"People often use email to exchange sensitive information, such as financial data, legal contracts, confidential product information, sales reports and projections, patient health information, or customer and employee information. As a result, mailboxes can become repositories for large amounts of potentially sensitive information and information leakage can become a serious threat to your organization."
Office Message Encryption (OME) allows your organization to send and receive encrypted messages, even to people outside of your organization. Encryption makes it so that only your intended audience can view the sensitive information your messages contain.
Alright, now that we've got the basics under our belts, let's get started!
You will be sent to:
If your organization uses multi-factor authentication (MFA) to connect to Exchange Online PowerShell, follow these instructions: MFA requires you to install the Exchange Online Remote PowerShell Module and use the Connect-EXOPSSession cmdlet to connect.
You will get the following prompt:
Click Install
Once done, a similar screen will open
Once done, you should see the screen below
Connect to Exchange Online PowerShell by using MFA
Once logged in, you will get a screen similar to:
By default, when you set up the new Office 365 Message Encryption capabilities, users in your organization can send messages to recipients that are outside of your Office 365 organization. If the recipient uses a social ID such as a Google account, Yahoo account, or Microsoft account, the recipient can sign in to the OME portal using the social ID.
By default, if the recipient of a message encrypted by OME doesn't use Outlook, regardless of the account used by the recipient, the recipient receives a limited-time web-view link that lets them read the message. This includes a one-time passcode. As an administrator, you can manage whether or not one-time passcodes can be used to sign in to the OME portal.
To manage whether or not one-time passcodes are generated for Office Message Encryption
By default, the Encrypt button in Outlook on the web is not enabled when you set up OME. As an administrator, you can manage whether or not to display this button to end-users. To manage whether or not the Protect button appears in Outlook on the web:
The iOS mail app can't decrypt messages protected with Office 365 Message Encryption. As an Office 365 administrator, you can apply service-side decryption for messages delivered to unenlightened clients like the iOS mail app. When you choose to do this, the service will send a decrypted copy of the message to the iOS device. The message is stored decrypted on the client device. The message also retains information about usage rights even though the iOS mail app doesn't apply client-side usage rights to the user. This means that the user can copy or print the message even if they did not originally have the rights to do so.
However, if the user attempts to complete an action that requires the Office 365 mail server, such as forwarding the message, the server will not permit the action if the user did not originally have the usage right to do so. Still, end users can work around the Do Not Forward usage restriction by forwarding the message from a different account in their iOS mail app.
Regardless of whether you set up service-side decryption of mail, any attachments to encrypted and rights protected mail cannot be viewed in the iOS mail app. If you choose not to allow decrypted messages to be sent to iOS mail app users, users receive a message that states that they don't have the rights to view the message. By default, service-side decryption of email messages is not enabled.
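The portal sign-in controls (social IDs, one-time passcodes, the Encrypt button) and the iOS service-side decryption setting described above can all be reviewed in one pass from Exchange Online PowerShell. The script below is an added example, not part of the original post: it connects using the cmdlet from the MFA steps above, then reports each setting with the risk a reviewer would weigh. The admin UPN is a placeholder; the cmdlet and property names are the standard Exchange Online ones (Get-OMEConfiguration, Get-IRMConfiguration, Get-ActiveSyncOrganizationSettings), and the wording of the notes is this example's own.

```powershell
# Added example: audit the OME settings discussed in this post.
# Assumes the Exchange Online Remote PowerShell Module from the steps above is
# installed. With the newer EXO V2 module, Connect-ExchangeOnline works the same way.
$Upn = 'admin@contoso.example'   # placeholder: replace with your admin UPN
Connect-EXOPSSession -UserPrincipalName $Upn

$ome = Get-OMEConfiguration -Identity 'OME Configuration'
$irm = Get-IRMConfiguration
$eas = Get-ActiveSyncOrganizationSettings

# One row per setting: the current value and why it matters to a reviewer.
$findings = @(
    [pscustomobject]@{
        Setting = 'AzureRMSLicensingEnabled (IRM prerequisite for OME)'
        Value   = $irm.AzureRMSLicensingEnabled
        Note    = $(if ($irm.AzureRMSLicensingEnabled) { 'OK' } else { 'Azure RMS is not activated; OME cannot protect mail' })
    }
    [pscustomobject]@{
        Setting = 'SocialIdSignIn (Google/Yahoo/Microsoft accounts at the OME portal)'
        Value   = $ome.SocialIdSignIn
        Note    = $(if ($ome.SocialIdSignIn) { 'External recipients may read mail with a consumer account; confirm this is acceptable' } else { 'Social ID sign-in disabled' })
    }
    [pscustomobject]@{
        Setting = 'OTPEnabled (one-time passcodes for the OME portal)'
        Value   = $ome.OTPEnabled
        Note    = $(if ($ome.OTPEnabled) { 'Anyone who controls the recipient mailbox can read mail via the emailed passcode' } else { 'Passcodes disabled; recipients must sign in' })
    }
    [pscustomobject]@{
        Setting = 'SimplifiedClientAccessEnabled (Encrypt button in Outlook on the web)'
        Value   = $irm.SimplifiedClientAccessEnabled
        Note    = $(if ($irm.SimplifiedClientAccessEnabled) { 'Users can encrypt from Outlook on the web' } else { 'Button hidden; users have no easy way to encrypt from Outlook on the web' })
    }
    [pscustomobject]@{
        Setting = 'AllowRMSSupportForUnenlightenedApps (service-side decryption for iOS mail)'
        Value   = $eas.AllowRMSSupportForUnenlightenedApps
        Note    = $(if ($eas.AllowRMSSupportForUnenlightenedApps) { 'Decrypted copies are stored on iOS devices; usage rights are not enforced client-side' } else { 'iOS mail app users cannot read protected messages' })
    }
)

$findings | Format-Table -AutoSize -Wrap
```

Run it read-only first; the corresponding Set-OMEConfiguration, Set-IRMConfiguration and Set-ActiveSyncOrganizationSettings cmdlets take the same parameter names when you decide to change a value.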
As you can see, setting up OME is no small undertaking, but hopefully these steps got you through to the other side. If you have any questions or thoughts, please feel free to comment below.
We implement OME with all of our cybersecurity plans. Check them out 👉 here