OME Encryption sending to external email address

Hello,

My agency recently started using Office 365 Mail Encryption to encrypt our emails. It was suggested that we use different levels because some of the people we interact with outside the agency sometimes need more or less restrictions on the email itself. Sometimes we send records to clients who then want to forward the email to their doctor (for example). So I thought I could customize a label in Azure to create a level of security to allow for that. No matter what I do, anything sent to an email address not within our agency is blocked. It asks for you to sign in, or use the one-time passcode. When either option is used it just states that they don't have permission to see the content. If I select Do Not Forward any external address can view the content just fine, however it restricts every option other than view.

If I put the specific address in the permissions of the label it seems to work just fine, but we can't do that for every address (we have thousands of clients and partners in the community that we exchange information with). There are also many different domains so it doesn't seem reasonable to enter each domain under permissions on the label. What am I overlooking?

Thank you,

 

Last updated February 26, 2019

Hi West,

 

According to your description, we know that you want to configure Office 365 Message Encryption to protect your email data.

 

Generally, we can define mail flow rules to encrypt email messages in Office 365. You can refer to the “To create a rule for encrypting email messages with the new OME capabilities by using the EAC” section of this article:

https://support.office.com/en-us/article/define-mail-flow-rules-to-encrypt-email-messages-in-office-365-9b7daf19-d5f2-415b-bc43-a0f5f4a585e8?ui=en-US&rs=en-US&ad=US

 

Meanwhile, we’d like to know the rules you set on your side. Could you give us some screenshots of the rules? We’d like to check if we can help you improve the rules and achieve your requirements.

 

Your cooperation is highly appreciated.

 

Thank you.

Barry


Ok, maybe I wasn't clear and I apologize.

I have the mail flow rule set to encrypt emails going out. They send out and come in encrypted when the rule conditions are met. That part is working fine. The problem is the encryption labels (set through Azure) and the permissions they allow.

So just for an example, we set a label that when a keyword is used in the subject it applies. The permissions set in the label are that of 'Reviewer'. So the person receiving the encrypted email will be able to View, edit, save, reply, reply all and forward. You have to define users, so I can apply it to my domain so the messages get sent. But no matter what email I send it to, permission is denied when I try to access the message from that mail account.

The message I receive in my inbox:

After either signing in with Gmail, or using the one-time passcode, I get this.

Now if I set it to use 'Do Not Forward' I can open it with my external email account. But that's all I'm able to do. The ability to forward is obviously not there, but I also can't print, and the stuff we are sending does need to be printed by the recipient. I know 'Do Not Forward' is what it is. I'm trying to set up another label to do what I'm asking. According to everything I'm reading it should be viewable by my recipients, regardless of whether they are in my agency or not. The question I'm asking is: is there a way to define the encryption for any outgoing mail, or do I have to give permissions to the individual domains we are sending to?

If you still need to see the rules after this reply that's fine, I can get them to you, but I've successfully set those just fine it seems. 


Hi West,

I appreciate your detailed description.

Well, since you said it seems to be working, let's monitor further. We can continue to communicate here if you find any problem in the future. With pleasure, I am always here for you.

Regards,

Alan
