Email encryption in Office 365


OVERVIEW

Target audience: McGill students, faculty and staff

Microsoft Outlook provides the ability to encrypt email content via "Office 365 Message Encryption". This article explains how to use it to protect sensitive information in email messages. For examples of data you may consider encrypting, see McGill's Standard on Enterprise Data Classification.


Which Microsoft apps support email encryption


Levels of encryption

  • Encrypt - Recipients can read or forward this message or print or copy content from this message, but cannot remove protection. The conversation owner has full permission for their message and all replies.

  • Do Not Forward - Recipients can read the message, but cannot forward, print or copy content. The conversation owner has full permission for their message and all replies.

  • McGill University – Confidential - This content is proprietary information intended for internal users only. This content can be modified but cannot be copied and printed. Only for sending messages between McGill accounts.

  • McGill University – Confidential View Only - This content is proprietary information intended for internal users only. This content cannot be modified. Only for sending messages between McGill accounts.


Sending encrypted messages from Outlook desktop application

Steps for Outlook 365 on Windows

Screenshots were taken on Windows, but they are similar on Mac.

  1. Start drafting a new email message and click on the Options tab in the menu; then select one of the following:

    • In Outlook 365 - Click Encrypt and select the permission/encryption level you want for the message.

      Options - Encrypt - Set permission

    • In Outlook 2016 and Outlook 2019 - Click Permission and select the permission/encryption level you want for the message.


    NOTE:

    If you have multiple accounts configured on Outlook, they will all be listed under Set permission on this item; select the account you are sending from before selecting the encryption level.

  2. Once the message is encrypted, you will see an indication, at the top, above the Sender field. The text of the indication varies, depending on the encryption level you specified.

    Encrypted message notification


  3. Proceed to draft your email and send it as usual.

NOTE: About encrypting attachments

Some Microsoft file types (Word, Excel, PowerPoint and others) support encryption and will be restricted with the permissions you have selected for the email message. See the file types that support encryption in the Microsoft article Introduction to Information Rights Management (IRM) for email messages.


Sending encrypted messages on Outlook on the Web (OWA)

  1. Log in to outlook.com/mcgill.ca. Click on New Message, then Encrypt.

    Encrypt message in Outlook on the web

  2. An indication that the message is encrypted is displayed above the To field. The default level of encryption is "Encrypt". 

    Click on the words Change permissions if you want to select a different permission (encryption level).

    Change permissions


How someone at McGill receives your encrypted message

If you send an encrypted message to someone at McGill, they will be able to read it seamlessly in any version of Outlook, including Outlook for Windows, Outlook for Mac, Outlook on the web, Outlook for iOS, and Outlook for Android.

A lock icon next to the message indicates that it is encrypted, and in the Reading pane, there is a text notification above the message.

Outlook for desktop (Windows & Mac):

Encrypted message received from McGill

Outlook on the Web:

Encrypted message received on OWA

NOTE:

The default Mail apps on iOS and Android cannot open the encrypted message.

Mail app cannot open encrypted messages


How someone outside McGill receives your encrypted message

  1. The message will contain a button labelled Read the message. The recipient should be expecting an encrypted message from a sender they know and trust before clicking the button.

    Encrypted message from outside McGill

  2. A web page will open in the default browser. To be sure it is not fraudulent, check that the URL starts with "outlook.office365.com/encryption/authenticationpage.asp".

    Click Sign in with a One-time passcode.

    Web page to access encrypted message

  3. The recipient will receive an email with a one-time passcode that they can enter into the web page.

    Email with one-time passcode

  4. Enter the code in the web page.

    Enter one-time passcode


  5. After entering the code, the encrypted message will be displayed in the browser.
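
The URL check from step 2, written as an added example (not part of the original article and not Microsoft tooling): it compares parsed URL components rather than raw text, because the expected string can also appear in a path or before an "@" on an unrelated host. The host and path prefix come from the article; the HTTPS and default-port requirements, the function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Host and path prefix as given in the article.
EXPECTED_HOST = "outlook.office365.com"
EXPECTED_PATH_PREFIX = "/encryption/authenticationpage.asp"


def naive_check(url: str) -> bool:
    """Substring match: roughly what checking the address bar by eye does."""
    return (EXPECTED_HOST + EXPECTED_PATH_PREFIX) in url.lower()


def check_portal_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) after validating each parsed URL component."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":  # assumption: portal is only served over HTTPS
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present (text before '@' is not the host)"
    if port not in (None, 443):  # assumption: default HTTPS port only
        return False, "unexpected port"
    if parts.hostname != EXPECTED_HOST:
        return False, f"host is {parts.hostname!r}"
    if not parts.path.lower().startswith(EXPECTED_PATH_PREFIX):
        return False, "unexpected path"
    return True, "host and path match"


# Constructed sample URLs (illustrative only; example domains are placeholders).
SAMPLES = [
    "https://outlook.office365.com/Encryption/authenticationpage.aspx?sample=constructed",
    "https://portal.example/outlook.office365.com/encryption/authenticationpage.asp",
    "https://outlook.office365.com@portal.example/encryption/authenticationpage.asp",
    "https://outlook.office365.com.portal.example/encryption/authenticationpage.asp",
    "http://outlook.office365.com/encryption/authenticationpage.asp",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_portal_url(sample)
        print(f"{'OK  ' if ok else 'FAIL'} naive={naive_check(sample)!s:5} {reason}: {sample}")
```

The second and fifth samples pass the substring match but fail the component check, which is the gap between glancing at the address and actually reading the host.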


 
