This post has been republished via RSS; it originally appeared at: Security, Privacy and Compliance Blog articles.
EDITOR'S NOTE 1/3/2019
We have updated the blog to reflect that we've expanded the ability to control if Office attachments are protected for recipients inside Office 365 - previously this was only supported for non-Office 365 users. Changes are reflected below in the blog.
Summary
Administrators can now control whether Office attachments are protected for recipients inside and outside of Office 365 when the Encrypt-Only template is used. This was a key ask from Office 365 Message Encryption customers and is now available as a tenant-level setting.
Background
We have now made it possible for administrators to control how Encrypt-Only behaves for attachments. By default, when a user sends an email and attachments using Encrypt-Only, the Office attachments are also protected with Encrypt-Only permissions, and that encryption persists throughout the lifecycle of the content. To provide more flexible controls for recipients, organizations can control whether recipients have unrestricted permissions on the attachment for Encrypt-Only emails. For example, this is valuable when a doctor shares a protected attachment with her patient and the patient wants to share it with his family: the attachment is no longer encrypted, so they can open it without any additional steps.
What is available
Admins can control whether attachments have unrestricted permissions for Encrypt-Only emails. Details on implementing the settings are below.
When the recipient signs in to the Office 365 Message Encryption portal, they can preview attachments as before.
If the control to unrestrict the attachment is enabled, the document will be decrypted and the recipient will be able to view it normally. Additionally, the content will remain decrypted and unrestricted unless additional protections are applied.
Scope
This setting is available for the Encrypt-only template and not for the Do Not Forward or Custom templates.
It’s enforced at the tenant level.
How to control the setting
To manage whether to allow recipients to download Encrypt-only attachments without encryption, follow these steps:
Connect to Exchange Online Using Remote PowerShell (see https://aka.ms/exopowershell)
Run the Set-IRMConfiguration cmdlet with the DecryptAttachmentForEncryptOnly parameter as follows:
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly <$true|$false>
For example, to allow download of attachments without protection for Encrypt-only:
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
If you decide that you want to revert the setting and keep attachments protected even after download:
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $false
Please note, as of 12/13/18, we have deprecated DecryptAttachmentFromPortal. It will continue working for existing customers who have already run the cmdlet with it, but new customers should start using the new parameter (DecryptAttachmentForEncryptOnly) described above.
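Because this setting removes encryption from attachments for the whole tenant, it helps to record the value before and after a change. The following is an added example, not part of the original post: the function name Set-EncryptOnlyAttachmentPolicy is hypothetical, it assumes an Exchange Online PowerShell session is already connected as in the first step, and it assumes Get-IRMConfiguration returns properties named after the two parameters mentioned above.

```powershell
# Added example; Set-EncryptOnlyAttachmentPolicy is a hypothetical helper name.
# Assumes an Exchange Online PowerShell session is already connected.
function Set-EncryptOnlyAttachmentPolicy {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # $true  = attachments are decrypted for recipients of Encrypt-Only mail
        # $false = attachments keep Encrypt-Only protection after download
        [Parameter(Mandatory = $true)]
        [bool]$DecryptAttachments
    )

    # Read the tenant-level values before touching them.
    # Assumption: the output exposes properties named after the parameters.
    $before = Get-IRMConfiguration |
        Select-Object DecryptAttachmentForEncryptOnly, DecryptAttachmentFromPortal

    if ($before.DecryptAttachmentFromPortal) {
        Write-Warning 'Deprecated DecryptAttachmentFromPortal is still enabled on this tenant.'
    }

    if ($before.DecryptAttachmentForEncryptOnly -eq $DecryptAttachments) {
        Write-Verbose 'Tenant already has the requested value; nothing to change.'
    }
    elseif ($PSCmdlet.ShouldProcess('tenant IRM configuration',
            "Set DecryptAttachmentForEncryptOnly to $DecryptAttachments")) {
        Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $DecryptAttachments
    }

    # Re-read so the change record shows what the service actually stored.
    $after = Get-IRMConfiguration | Select-Object DecryptAttachmentForEncryptOnly

    [pscustomobject]@{
        CheckedAtUtc = (Get-Date).ToUniversalTime()
        Requested    = $DecryptAttachments
        Before       = $before.DecryptAttachmentForEncryptOnly
        After        = $after.DecryptAttachmentForEncryptOnly
        InEffect     = ($after.DecryptAttachmentForEncryptOnly -eq $DecryptAttachments)
    }
}

# Keep attachments protected after download, previewing the change first.
Set-EncryptOnlyAttachmentPolicy -DecryptAttachments $false -WhatIf
```

Drop -WhatIf to apply the change; the returned object can be appended to a change log so the before and after values are on record.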
Additional Resources
This was a key ask from organizations with a broad set of scenarios that require email recipients to "own" the attachment by unrestricting permissions on it. We hope this additional control can provide more flexibility in collaborating on protected content for all users. Your feedback matters: leave us a comment below or go to UserVoice and submit your feedback/vote!
Additional resources on Office 365 Message Encryption are listed below:
- Manage Office 365 Message Encryption settings such as branding, decryption on download for Encrypt-only, etc.
- Office 365 Message Encryption FAQ
- Blog: Encrypt only rolling out starting today in Office 365 Message Encryption
- Azure Information Protection - Configure usage rights for encrypt only option for emails