Let’s create a custom branding template to use with emails sent to external recipients. I’ll use the New-OMEConfiguration cmdlet, giving my template the imaginative name of my branding template. Next, I’ll give it a background color with Set-OMEConfiguration specifying the template name and the color in HEX format. While we’re at it, we might as well give the template a logo. The logo is an image of a cloud uploaded from my computer, so not a hyperlink to an image. When I run the Get-OMEConfiguration cmdlet, we can see the background color but no image URL.

Let’s head over to the exchange admin center and create a mail flow rule to use the custom template. Expand mail flow and select rules. Click the add rule button and select Create a new rule. Give the rule a name and set up its conditions. I want the custom branding to apply to messages sent to recipients within the gmail.com domain, so the first condition is if the recipient followed by domain is. I’ll enter gmail.com into the specify domain field and add it. You can add multiple domains here. Once the domain is added, select it and click save. We need to add another rule, which is not intuitive, but kind of makes sense. We need to say the sender is external/internal, which covers everyone. You could be more specific if you need to be, but at the same time, you’d think the default behavior would be anyone from this domain. Anyway, without a sender condition, the rule won’t pass the validation. Inside the organization is the default sender location, which is at least something. Click save. Now the action. We want to modify the message security by applying custom branding to the OME messages. Our new branding template is presented as the default option, although that might be due to the templates being listed in alphabetical order. We could select the default OME configuration if we wanted. Click save. In terms of settings, I’ll activate the rule from now and check stop processing more rules. Click next to review and then finish to save the rule. Once the new rule has been created, click done to return to the rule home page. Rules aren’t automatically enabled, so we need to do that before trying it out. Select the rule and switch it on in the details pane. With the rule enabled, let’s send an encrypted message.

I want to demonstrate revoking a message, so I’ll send an email from the Outlook for the web client. The recipient is in the Gmail.com domain, which will activate our mail flow rule. To be able to revoke a message, the email must be encrypted. We do that from the message’s options by selecting encrypt from the encrypt menu. With our secret message composed and encrypted, let’s send it. If I go to the sent items folder and select the message, we can see the remove external access hyperlink at the top of the message. So very easy for the user to revoke the email. It’s a bit more involved for an administrator.

The first thing an administrator needs to do is get the message’s unique id. This can be found using the message trace facility within the Exchange admin center or using PowerShell commands. Let’s first look at the portal. Under message trace, start a trace specifying as many details as possible to limit the number of messages returned. I’ll enter the sender and recipient and limit the time range to the last 6 hours and begin the search. In the search results, select the message. Under the message details, expand more information to reveal the message id. Alternatively, we can use the PowerShell cmdlet Get-MessageTrace. Specify the recipient’s address and a date range. You must enter an end date when using the date range, and it needs to be in month, day, year format. I’ll get the results outputted in list format with “fl” for format list. The results come out in date descending order, so the first entry is the one we’re interested in. I’ll copy the message id for use with the next commands. We can use the Get-OMEMessageStatus command with the message id to check that the message is revokable. The command’s output is piped into a table format with the FT attribute, where we’ve asked for the Subject and IsRevokable properties to be listed. Finally, we revoke the message with the Set-OMEMessageRevocation cmdlet. It would be helpful to provide the message id. Let’s try that again. With the message successfully revoked, let’s see what that looks like. Looking at the message in Gmail, we can see the customized background and logo we set up in the “My branding template.” When I click on the link to view the message, the Outlook encryption portal tells us the message has been revoked.