Using a Custom Template in a Mail Flow Rule DEMO
Start course

Email Encryption Solutions in Microsoft 365 looks at how messages and attachments are protected both within the Microsoft 365 ecosystem and when they are sent to external recipients. This course outlines the various protection mechanisms at play, how they work, and how to use them. In addition to encryption and information rights management, we see how encrypted messages can be customized with an organization’s branding and what additional functionality comes with custom branding.

Learning Objectives

  • Gain an overview of Microsoft 365 email encryption
  • Learn how to implement email encryption
  • Understand advanced message encryption

Intended Audience

This course is intended for students working towards the SC-400: Microsoft Information Protection Administrator exam or those students wanting to learn about Microsoft 365 email message encryption.


There are no mandatory prerequisites required to take this course, but an understanding of how email works and previous experience with PowerShell would be beneficial.


Let’s create a custom branding template to use with emails sent to external recipients. I’ll use the New-OMEConfiguration cmdlet, giving my template the imaginative name of my branding template. Next, I’ll give it a background color with Set-OMEConfiguration specifying the template name and the color in HEX format. While we’re at it, we might as well give the template a logo. The logo is an image of a cloud uploaded from my computer, so not a hyperlink to an image. When I run the Get-OMEConfiguration cmdlet, we can see the background color but no image URL.

Let’s head over to the exchange admin center and create a mail flow rule to use the custom template. Expand mail flow and select rules. Click the add rule button and select Create a new rule. Give the rule a name and set up its conditions. I want the custom branding to apply to messages sent to recipients within the domain, so the first condition is if the recipient followed by domain is. I’ll enter into the specify domain field and add it. You can add multiple domains here. Once the domain is added, select it and click save. We need to add another rule, which is not intuitive, but kind of makes sense. We need to say the sender is external/internal, which covers everyone. You could be more specific if you need to be, but at the same time, you’d think the default behavior would be anyone from this domain. Anyway, without a sender condition, the rule won’t pass the validation. Inside the organization is the default sender location, which is at least something. Click save. Now the action. We want to modify the message security by applying custom branding to the OME messages. Our new branding template is presented as the default option, although that might be due to the templates being listed in alphabetical order. We could select the default OME configuration if we wanted. Click save. In terms of settings, I’ll activate the rule from now and check stop processing more rules. Click next to review and then finish to save the rule. Once the new rule has been created, click done to return to the rule home page. Rules aren’t automatically enabled, so we need to do that before trying it out. Select the rule and switch it on in the details pane. With the rule enabled, let’s send an encrypted message.

I want to demonstrate revoking a message, so I’ll send an email from the Outlook for the web client. The recipient is in the domain, which will activate our mail flow rule. To be able to revoke a message, the email must be encrypted. We do that from the message’s options by selecting encrypt from the encrypt menu. With our secret message composed and encrypted, let’s send it. If I go to the sent items folder and select the message, we can see the remove external access hyperlink at the top of the message. So very easy for the user to revoke the email. It’s a bit more involved for an administrator.


The first thing an administrator needs to do is get the message’s unique id. This can be found using the message trace facility within the Exchange admin center or using PowerShell commands. Let’s first look at the portal. Under message trace, start a trace specifying as many details as possible to limit the number of messages returned. I’ll enter the sender and recipient and limit the time range to the last 6 hours and begin the search. In the search results, select the message. Under the message details, expand more information to reveal the message id. Alternatively, we can use the PowerShell cmdlet Get-MessageTrace. Specify the recipient’s address and a date range. You must enter an end date when using the date range, and it needs to be in month, day, year format. I’ll get the results outputted in list format with “fl” for format list. The results come out in date descending order, so the first entry is the one we’re interested in. I’ll copy the message id for use with the next commands. We can use the Get-OMEMessageStatus command with the message id to check that the message is revokable. The command’s output is piped into a table format with the FT attribute, where we’ve asked for the Subject and IsRevokable properties to be listed. Finally, we revoke the message with the Set-OMEMessageRevocation cmdlet. It would be helpful to provide the message id. Let’s try that again. With the message successfully revoked, let’s see what that looks like. Looking at the message in Gmail, we can see the customized background and logo we set up in the “My branding template.” When I click on the link to view the message, the Outlook encryption portal tells us the message has been revoked.

About the Author
Learning Paths

Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a  Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.