OME – Office 365 Message Encryption (Safeguarding Email Communication, Next Game Changer by AIP)

OME – Office 365 Message Encryption (Safeguarding Email Communication, Next Game Changer by AIP)

Safeguarding Email Communication – Next Game Changer by AIP (Azure information Protection)

Safeguarding the email in Office 365 – eliminate the secure email!!! This is advanced solution from AIP team. Before we start exploring how security of email is structured, we will try to understand what is AIP?

Microsoft announced Azure Information Protection (AIP) last year, a new service that builds on both Microsoft Azure Rights Management (RMS) and their recent acquisition of Secure Islands.

Now AIP is Generally Available (GA)! and AIP will deliver the following:

– Classify, label, and protect data at the time of creation or modification.

– Persistent protection that travels with your data.

– Enable safe sharing with customers and partners.

– Simple, intuitive controls help users make the right decisions and stay productive.

– Visibility and control over shared data.

– Deployment and management flexibility. Protect data whether it is stored in the cloud or on-premises, and choose how your encryption keys are managed with Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) options.

Many changes have been made since AIP introduced, mainly on labeling and standardizing labels in global organization in data protection using Microsoft Cloud App Security (MCAS) tool and labels!

AIP team has new set of default labels within Azure.

  • Personal
  • Public
  • General
  • Confidential
  • Highly Confidential

You can have SUB labels too within the above listed labels.

Scope policies: This will help people to control specialized access policy which will have the default labels in it. There will be Global policy which is default and will have default labels.

Every policy which will be created, will also have default labels available and they are allowed to create their own labels likewise they create scope policy. These are all done under admin console in Azure.

Right User Behavior: Is large concern to organizations to allow users to manually classify something or automatically classify the data. Hence it is recommended to use R&R type!

  • Automatic: Automatically classified
  • User Set: User manually classified
  • Recommended & Reclassification: these two will use little bit of automation and user will be getting choice to choose the labeling automatically to classify the data properly if it is wrong.

Security of Email:

Be it a webmail, outlook or Gmail, yahoo etc. No need to buy an MS Office to read the secure email and reduce investment on the e-mail gateway!  This new feature is currently included under Azure Information Protection Premium P2 and some office 365 subscription might include this with Azure RMS.

Assume you sent a secure email to Gmail mailbox from your outlook/webmail using the exchange or office365,  the message say that buy/use a office product to decrypt the email, which was not having great customer experience and this had requirement of mail gateways.

All will be gone soon!

Moving forward AIP will give an option to read the encrypted mail by giving choice to prove who you are.


When a person sends a encrypted email to any end-user, who does not have outlook/webmail to decrypt the message, will be sent email with link, which allows user to access email in HTML format.

The link will have message similarly like below:

 ABC ( has sent you a message that was protected with Microsoft Office 365.

——-> Click Here to read your message <——-

  (This link will have 3 months validity)

We will Assume that the user is using google mail for now, when he/she hits the link above, it takes request to another tab of browser hitting source of encrypted message. It will allow user to use google account to view the encrypted message by similar process to SSO.

User will receive the code in email and user has to paste the same code in the link to read email online.

There you go! happy reading your secure emails!