SC-400 Microsoft Information Protection Administrator – Planning and Implementing Encryption for Email Messages

  1. Defining Requirements for Implementing Office 365 Message Encryption

Microsoft 365 offers a powerful feature known as OME, Office 365 Message Encryption. What's really useful about it is that you can send email to people outside your organization who may not be part of any Office 365 subscription at all. They can be on Gmail or something like that, and you can simply flag your email to be encrypted. It gets sent to the person and they can open it in an encrypted HTTPS session, even though they're not part of your organization and may not even be using Office. Best of all, they don't need what's known as an S/MIME certificate. If you know how email encryption has normally worked in the past, it usually relies on S/MIME. S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and it usually requires both parties to have a certificate with a public/private key pair.

So when one person emails another, the sender has to use the recipient's public key to encrypt the email, and the recipient decrypts it with their private key. It's a big ordeal because it involves users having certificates on both ends. But what happens when somebody like a salesperson is working with a customer and needs to send them a form that contains sensitive information, which the customer needs to receive, fill out, and send back, and that customer doesn't have a certificate? This is where OME really shines. It makes it possible to send an encrypted email to somebody who can open it securely, download the form or whatever it is, fill it out, reply, and have the whole exchange stay protected.

It doesn't matter whether the person is part of the organization or not, or whether they're using Outlook with Office 365, Gmail, or any other email service, and it works through web-based email and on mobile platforms as well. Now the first thing we need to do to see how this works is make sure we have the proper license. To check that, look at what licenses you have available: go to Billing, click Licenses, and you can see them. For the basic OME capabilities you need a plan that includes Azure Information Protection Plan 1. It doesn't have to be Office 365 E5; Office 365 E3 includes it as well, as do Microsoft 365 E3/E5 and Microsoft 365 Business Premium. So E3 and E5 both get you OME, but E5 is not required for the basics. (Advanced Message Encryption, covered later, does require an E5-level plan.)

Once you have that license, the next step is to assign it to your users, so make sure the users who need this actually have it. Go to Active users, select the user, and assign whichever license you're using for this; in my case it's Office 365 E5. Once the user has a license, they'll be able to open Outlook. In this case we'll go to portal.office.com and pull up Outlook. All right, so we'll go right here.

We'll go into Outlook and craft an email. I'm going to email JC at examlab, or actually in this case at Examlabpractice, because I'm emailing from my tenant. So I'm going to address it to Examlabpractice, put in a subject of "This is a test to check encryption", and a body of "blah, blah, blah, testing encryption". Notice that if sensitivity labels have been published, there's also a Sensitivity option up here for labeling the message. But what I'm going to do is click the ellipsis (...) and pick the option that says Encrypt.

So I'm going to say Encrypt, and at that point the message is flagged for encryption and I'll send it. Popping over to the Gmail account, there's the email I just received. I'll open it up, and notice first that I've got a button that says "Read the message", plus a small attachment. That attachment is what kicks off the protected-message session. When I click to read the message, it opens in an HTTPS session; if you look at the address bar it's https, and the page says that the sender sent you a protected message. One neat thing here is that if the recipient is on something like Gmail, Microsoft has a federated connection with Google, so the recipient can sign in with their Gmail account. Alternatively you can have it send a one-time passcode, which is another way to verify the recipient.

So I told it to send a one-time passcode. Popping back over to my inbox, here's the email from Microsoft with the code. I'll copy that code, paste it into the box, and click Continue, and I've now verified my identity. At that point I can read the email, "blah, blah, blah, testing encryption", and if I want I can reply. Now, one of the things you can do once you get into the advanced settings is disable certain actions.

For example, I might allow Reply and Reply All but not allow somebody to forward or print this email. Right now those are allowed, but with the advanced OME settings I can prevent them. So I'll reply with "blah, blah, blah, back at you" and hit Send. We've sent our reply, and popping back over to Outlook and into the inbox, there's the email, with a little lock symbol on it. I can click on it and open it up, and it works very smoothly. So using this is pretty straightforward: it's built in with your license, it's easy for users, and there isn't a lot of configuration if you're using the basics, as I am here. There are more advanced settings you can configure, but in this case I'm just showing you the basics.
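As an added example (not part of the original course material), here is how an Exchange admin would confirm from Exchange Online PowerShell that the tenant is actually set up for the walkthrough above: that Azure RMS is the encryption provider, that the Encrypt button is exposed in Outlook on the web, and that a licensed sender can encrypt end to end. The admin and sender addresses are placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example, not from the original lesson. Assumes the ExchangeOnlineManagement
# module and an Exchange admin role; the addresses below are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@examlabpractice.example

# 1. Tenant-wide IRM configuration. For OME you want:
#    AzureRMSLicensingEnabled      = True  (Azure RMS / AIP is the encryption provider)
#    SimplifiedClientAccessEnabled = True  (exposes the Encrypt button in Outlook on the web)
$irm = Get-IRMConfiguration
$irm | Format-List AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled

# 2. Turn either on if it is off. As the lesson notes, propagation is not instant.
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
if (-not $irm.SimplifiedClientAccessEnabled) {
    Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
}

# 3. End-to-end check for one licensed sender: acquires templates and encrypts a test
#    payload against Azure RMS, reporting PASS/FAIL per step. "OVERALL RESULT: PASS"
#    is what you want before handing the Encrypt button to users.
Test-IRMConfiguration -Sender jc@examlabpractice.example

# 4. The templates that the mail flow rules in the later lesson can apply
#    (built-in "Encrypt" and "Do Not Forward" plus any labels configured with encryption).
Get-RMSTemplate | Format-Table Name, Description -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

If Test-IRMConfiguration fails at the template-acquisition step for a user who has just been licensed, wait for the license assignment to propagate before assuming the tenant configuration is wrong.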

  2. Using the classic or new portal for Advanced OME

Real quick, guys: in the next video you're going to see me demonstrate Advanced OME, and to do that I'm going to go to Show all and then into Exchange. I wanted to preface something first. When you get into that video, there are a couple of different ways you can do things in Exchange: the classic portal method and the new portal method.

At some point I know Microsoft is going to start forcing everybody into the new portal, so I want to prepare you for that. This is the classic portal, and in the next video you'll see me simply click Mail flow and create the rules there.

If you're doing this in the new portal, let me jump into it so you can see what it looks like, because your tenant may already be using it. It's really not much different: you expand Mail flow and click Rules, and from there it's basically the same thing. So the next video is still very relevant, because once you get to that point the process is identical. I just wanted to point that out to avoid any confusion.

  3. Implementing Office 365 Advanced Message Encryption

Okay, so OME right out of the gate is very easy to use. If you've got the license and assigned it (Office 365 E3, E5, whatever plan of yours includes it) to your users, it should be active for them within about 30 minutes, and the basics are straightforward with very little complexity. Now, if you want the more advanced capabilities, there's what's known as Advanced Message Encryption (Advanced OME), and the controls for both basic and advanced encryption behavior live largely in Exchange Online mail flow rules. Keep in mind that applying the Encrypt and Do Not Forward templates through mail flow rules works with the basic OME license; what the E5-only Advanced OME adds on top is message expiration, revocation of messages sent to external recipients, and multiple custom branding templates. So let me show you the settings we can configure using mail flow rules. Here we are at portal.microsoft.com.

We'll click the Show all ellipsis, go down and click Exchange, and that opens the Exchange admin center. Once we're in there we go to Mail flow and click Rules, and when you add a new rule you'll see the template "Apply Office 365 Message Encryption and rights protection to messages". Let me warn you: if you just recently created your Microsoft 365 tenant and activated all of this, that template may not show up right away. It can take up to 24 hours to appear, so your tenant needs to have been online for a while before you'll see it. Okay, so here we are; we're just going to go ahead and click it.

At that point we give the rule a name and decide who it applies to. Let's say we apply it when the sender is located inside the organization, so it covers everybody internal. Then, for the action, it asks us to pick an RMS template. Again, this is something that only appears after the tenant has been activated for a while. If you've published sensitivity labels that apply encryption, you'll see those here as templates too, and I can use them alongside the built-in RMS templates. I could force encryption with the Encrypt template, but let's instead choose Do Not Forward. That makes it so that when somebody inside the organization sends an email, the recipient won't be able to forward it. Again, I could force encryption on certain emails if I wanted. I might not want to force encryption on every email in the organization, but I could. In this case the rule says: if the sender is inside the organization, apply Do Not Forward. So we'll go ahead and enforce this.

We also could use policy tips, which show the user a tip as they compose instead of enforcing the rule, but we're going to enforce this policy. Hit Save, and it activates the rule in the Exchange Online environment. Keep in mind this is another thing that can take a little while; I've had it take an hour or so before it actually takes effect. This goes back to the same lesson: be patient when working with Exchange, or really any of the cloud services, because unfortunately things don't happen immediately. But one of the great things about these advanced settings is that you can come in and set specific rules for how you want messages handled, whereas with the basic OME experience there isn't really any configuration; it's just there and ready to go.

So if I wanted to create another rule, I could pull this up again, and this time force encryption. We'd select the Encrypt RMS template and then add a condition such as a specific recipient. In my case I'll say John Christopher, so that if an email is sent to John Christopher it has to be encrypted. You can adjust these settings and combine different conditions: I could require that the subject or body contain certain keywords, or that an attachment's name or file extension include certain words, say "budget". These are all conditions I can set to make the rule more precise, and this is where the mail flow rule controls and the Advanced OME features really come in handy.
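As an added example (not part of the original course), here are the same rules built from Exchange Online PowerShell instead of the portal, followed by the two settings that are specific to Advanced Message Encryption (E5): link expiration and revocation. Rule names, the recipient address, and the message ID are placeholders; the rule conditions on a single New-TransportRule are ANDed, so the "specific recipient" and "budget keyword" cases are separate rules that share the Encrypt action.

```powershell
# Added example, not from the original lesson. Assumes the ExchangeOnlineManagement
# module and an Exchange admin role; names, addresses and IDs are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@examlabpractice.example

# Rule 1 (from the lesson): any internal sender -> Do Not Forward.
# The recipient can read and reply but cannot forward, print or copy.
# -Mode Enforce applies it; "Audit" or "AuditAndNotify" (policy tips) lets you test first.
New-TransportRule -Name "OME - Do Not Forward from internal senders" `
    -FromScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Mode Enforce -Enabled $true

# Rule 2 (from the lesson): mail to one specific recipient must be encrypted.
New-TransportRule -Name "OME - Encrypt mail to John Christopher" `
    -SentTo "john.christopher@examlabpractice.example" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce -Enabled $true

# Rule 3 (from the lesson): "budget" in subject or body, or in an attachment name,
# must be encrypted. Two rules because conditions within one rule are ANDed.
New-TransportRule -Name "OME - Encrypt budget keyword" `
    -SubjectOrBodyContainsWords "budget" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce -Enabled $true
New-TransportRule -Name "OME - Encrypt budget attachments" `
    -AttachmentNameMatchesPatterns "budget" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce -Enabled $true

# Review what was created; State should be Enabled and Mode Enforce.
Get-TransportRule | Where-Object { $_.Name -like "OME - *" } |
    Format-Table Name, State, Mode, ApplyRightsProtectionTemplate -AutoSize

# --- Advanced Message Encryption only (E5 / AIP Plan 2) ---
# Expire the "Read the message" link for external recipients after 7 days.
Set-OMEConfiguration -Identity "OME Configuration" -ExternalMailExpiryInDays 7

# Revoke a message already delivered to an external recipient. The message ID comes
# from Get-OMEMessageStatus (or the sender's Sent Items); revocation only affects mail
# read through the OME portal, not mail decrypted natively in Outlook.
# Get-OMEMessageStatus -SentTo "customer@gmail.example"
# Set-OMEMessageRevocation -MessageId "<placeholder-id@examlabpractice.example>" -Revoke $true

Disconnect-ExchangeOnline -Confirm:$false
```

Rules are evaluated in priority order, so if you later add exceptions (for example, excluding automated notification mailboxes from the Do Not Forward rule), use -ExceptIfFrom or -ExceptIfSentTo on the rule rather than a second rule that would need to win on priority.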
