Advanced Message Encryption

Email Encryption Solutions in Microsoft 365 looks at how messages and attachments are protected both within the Microsoft 365 ecosystem and when they are sent to external recipients. This course outlines the various protection mechanisms at play, how they work, and how to use them. In addition to encryption and information rights management, we see how encrypted messages can be customized with an organization’s branding and what additional functionality comes with custom branding.

Learning Objectives

  • Gain an overview of Microsoft 365 email encryption
  • Learn how to implement email encryption
  • Understand advanced message encryption

Intended Audience

This course is intended for students working towards the SC-400: Microsoft Information Protection Administrator exam or those students wanting to learn about Microsoft 365 email message encryption.


There are no mandatory prerequisites required to take this course, but an understanding of how email works and previous experience with PowerShell would be beneficial.


Templates are not just about looks. You can use a template to have messages sent to external recipients expire within a predefined number of days. This applies to messages accessed through the encryption portal. The expiration value can be between 1 and 730 days. Message expiration values can only be set on custom templates, which is why this functionality is only available with advanced message encryption. To create a template that expires external messages, use the New-OMEConfiguration cmdlet. Give the template a name with the -Identity parameter and set the expiry days with the -ExternalMailExpiryInDays parameter.

Under a specific set of conditions, it’s possible to revoke an encrypted message using Microsoft Purview Advanced Message Encryption. This feature is available to Microsoft 365 administrators and the message sender. It applies to messages viewed through the encryption portal when the recipient receives a link-based branded encrypted email, and the message was encrypted in Outlook on the web using the encrypt-only option. Messages sent to an Office or Microsoft 365 account cannot be revoked. To misquote Liam Neeson from the movie Taken, these are indeed a set of very specific circumstances.


If a user needs to revoke an email from Outlook on the web, it’s a simple case of clicking the revoke link on the message from within the Sent Items folder. For an administrator, the process involves getting the message’s ID. This can be done through the message trace facility within the Exchange admin center or using the Get-MessageTrace PowerShell cmdlet. Once you have the message ID, you can check whether the message is, in fact, revocable with Get-OMEMessageStatus. If it is, then execute the Set-OMEMessageRevocation cmdlet.
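The administrator procedure described above, written out as an added example that is not part of the course material. It assumes the ExchangeOnlineManagement module is installed and the signed-in account may run message traces and the OME cmdlets; the addresses, subject and two-day search window are constructed placeholders.

```powershell
# Added example: administrator-side revocation of an encrypted message.
# All addresses, the subject and the time window are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$sender    = 'alice@contoso.example'   # placeholder sender
$recipient = 'bob@external.example'    # placeholder external recipient
$subject   = 'Q3 contract draft'       # placeholder subject line

# Step 1: find the message ID with a message trace.
# Narrow by sender, recipient and time, then pick the newest subject match.
$trace = Get-MessageTrace -SenderAddress $sender -RecipientAddress $recipient `
             -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) |
         Where-Object { $_.Subject -eq $subject } |
         Sort-Object Received -Descending |
         Select-Object -First 1

if (-not $trace) {
    throw 'No matching message found in the trace window.'
}
$messageId = $trace.MessageId

# Step 2: confirm the message meets the revocation conditions before acting.
$status = Get-OMEMessageStatus -MessageId $messageId

if ($status.IsRevocable) {
    # Step 3: revoke, then read the status back to confirm the change took effect.
    Set-OMEMessageRevocation -Revoke $true -MessageId $messageId
    Get-OMEMessageStatus -MessageId $messageId |
        Format-Table -AutoSize Subject, Revoked
}
else {
    # Typical reasons: the recipient has an Office or Microsoft 365 account,
    # or the message was not delivered as a link-based portal message.
    Write-Warning "Message '$($status.Subject)' is not revocable; nothing was changed."
}
```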

About the Author

Hallam is a software architect with over 20 years’ experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good-quality, reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.