Email Encryption Solutions in Microsoft 365 looks at how messages and attachments are protected both within the Microsoft 365 ecosystem and when they are sent to external recipients. This course outlines the various protection mechanisms at play, how they work, and how to use them. In addition to encryption and information rights management, we see how encrypted messages can be customized with an organization’s branding and what additional functionality comes with custom branding.

Learning Objectives

  • Gain an overview of Microsoft 365 email encryption
  • Learn how to implement email encryption
  • Understand advanced message encryption

Intended Audience

This course is intended for students working towards the SC-400: Microsoft Information Protection Administrator exam or those students wanting to learn about Microsoft 365 email message encryption.


Prerequisites

There are no mandatory prerequisites for this course, but an understanding of how email works and previous experience with PowerShell would be beneficial.


Email encryption solutions in Microsoft 365 fall under the umbrella service Microsoft Purview Message Encryption, formerly Office Message Encryption (OME). We’ll see the old acronym crop up when we look at PowerShell commands, and OME is extensively referenced in Microsoft documentation. The Microsoft Purview Message Encryption service is based on the Azure Rights Management Service, which is, in turn, part of Azure Information Protection. The service encrypts message content (it is in the name), provides email sender identity verification, and protects against the unauthorized sending or exfiltration of content that should not be shared. Microsoft Purview Message Encryption has three functions that broadly map to these use cases: message content encryption, Secure/Multipurpose Internet Mail Extensions (S/MIME), and information rights management.


Email encryption involves several stages and components. A message is initially encrypted from plain or HTML text into unintelligible ciphertext. This can happen within the sender’s email client or at the email server. When the message is received, it is decrypted back to plain text either by the email server, which may or may not be the same as the sending server, or by the receiver’s email client using a key. In addition to message content encryption, Microsoft 365 transmits the message over a TLS (Transport Layer Security) connection. TLS connections are the de facto standard for most email services. While TLS is on by default, message content encryption needs to be configured.

About the Author

Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.