Microsoft Purview Message Encryption will replace and retire the legacy Office 365 Message Encryption (OME) in the Exchange admin center. If you don’t do anything, Microsoft will process all mail flow rules that currently applies OME protection to Microsoft Purview Message Encryption protection. With this change, recipients will receive a much more customizable notification mail.
Starting April 1, 2023, admins will no longer be able to make configuration changes to apply or remove Office 365 Message Encryption protection in mail flow rules. Deployment will begin to automatically apply Microsoft Purview Message encryption in mail flow rules. The deployment will be completed by July 1, 2023.
How this will affect your organization
Microsoft Purview Message Encryption is a more secure and flexible solution to provide encrypted mail to anyone inside or outside your organization, with an enhanced user experience for recipients. For example, with OME, all recipients receive an HTML attachment to open an encrypted mail. This has been greatly improved with Outlook clients for Microsoft 365 users who can now view the message inline. Non-Microsoft 365 users will instead receive a linked-based experience to open the mail. Additionally, supported attachments are also encrypted on download to protect sensitive data at rest.
Office 365 Message Encryption
Microsoft Purview Message Encryption
The behavioral differences and different types of recipients are described in the following table.
Currently OME mail flows Deprecated OME mail flows Mail body branding “Office 365 Message Encryption” “Microsoft Purview Message Encryption” Internal M365 recipients experience Any client will contain an html attachment, open the attachment to open mail in OME portal. Supported Outlook client with inline experience with a message.rpmsg. Any unsupported client will show notification mail with URL link to open mail in Outlook on the Web. (This is also true for users on Exchange on-premises mailbox.” External M365 recipients experience Any client will contain an html attachment, open the attachment to open mail in OME portal. Any client will show notification mail with URL link to open mail in Microsoft Purview encrypted message portal; there is no attachment in mail. Mail flow rules can be modified to provide same behavior as internal recipients above.** (External) Non-M365 recipients experience
Any client will contain an html attachment, open the attachment to open mail in OME portal.
After mail is opened in the portal, mail and attachment can be viewed. All attachments are downloaded without encryption
Any client will show notification mail with URL link to open mail in Microsoft Purview encrypted message portal; there is no attachment in mail. After mail is opened in the portal, mail and attachment can be viewed. Office documents are downloaded with encryption if no changes are made by admins.*
*The encrypted attachments provide extra security by protecting the stored file at rest. Applications that can open Office documents may not be compatible with RMS protected Office documents. Admins can provide the same behavior as OME by enabling a global configuration to download Encrypt-only attachments without encryption: Set-IrmConfiguration – DecryptAttachmentForEncryptOnly $true
**By modifying existing the mail flow rules to apply Purview Message Encryption protection, external M365 recipients will receive encrypted mail containing a message.rpmsg attachment and supported Outlook clients can provide show the mail content directly in the application.
What you need to do to prepare
If you want to compare the behavior before the deprecation, you can modify and test the changes with your mail flow rules by following the steps outlined in this documentation: Define mail flow rules to use Microsoft Purview Message Encryption
Learn more
Message ID: MC455516
Published: 2022-11-04
Updated: 2022-11-04
Product: Exchange, Microsoft 365 admin center, Microsoft 365 suite, Outlook, Purview Communication Compliance, Purview Information Protection
Platform: Web, World tenant
Change type: User impact, Admin impact, Retirement
