The Situation:
So, you recently purchased Microsoft 365 E3/E5 (or EMS E3/E5) and have started rolling out your pilot of Azure Information Protection. Everything is going great until one of your executives approaches you and wants to know how to protect emails from their phone/tablet while they are relaxing on the beach. You could always just hand them a shiny new Surface Pro with Office 365 ProPlus, but they mentioned that sometimes they send emails while they are in the water (hey, I do that too!) and Surface Pros aren't super tiny and waterproof (yet). So, you need a different solution that will quickly enable said executive to classify and protect their emails right from their portable device.
The Solution:
The solution to this conundrum comes in the form of the new Office 365 Encrypt functionality and Exchange Online Mail Flow Rules (the feature formerly known as Exchange Transport Rules or ETRs). By setting up a label in the Azure Information Protection portal called Encrypt, you can allow your executives (and everyone else) to automatically encrypt emails and supported attachments by simply adding a keyword like #Encrypt to the bottom of their message. I will walk you through this process in the rest of this post.
The Label
The way that I typically recommend that customers set up their label is as a sub-label of a Confidential and/or Highly Confidential top level label. In the portal it would look like the image below.
If you need assistance creating a label, please see my previous post on the subject at http://blogs.technet.microsoft.com/kemckinn/2018/05/17/creating-labels-for-azure-information-protection/. However, as a TL;DR, I will walk you through the simple steps of setting up this sub-label.
- Log into https://portal.azure.com as an O365 Global Admin or Security Admin with rights to the AIP Portal
- In the search bar at the top of the portal, type Inform and click on Azure Information Protection
- In the AIP Portal, you should see the list of labels similar to the image above. If you do not, under Classifications on the left, select Labels
- Assuming you have a top level label similar to Confidential, click the ... on the right and click Add a sub-label
- In the new Sub-label, give it the name Encrypt and the description This message is encrypted. Recipients can't remove encryption. and Save. We are using this specific name and description because it mirrors the native Encrypt protection verbiage. Do not add any protection to this label (we will do that with the mail flow rule).
- You should now have an unprotected sub-label that looks similar to the image at the beginning.
The Mail Flow Rules
Now that you have the label, you can set up your mail flow rules. We will set up 2 separate mail flow rules, one for the label, and one for the keyword. Follow the steps below to set up your mail flow rules.
- In the AIP Portal, click on the Encrypt label and scroll to the bottom where the label ID is shown
- Copy this Label ID into a new notepad document and add the words MSIP_Label_ and _Enabled=True around the Label ID. In my case, I have MSIP_Label_18acc54a-e84e-4add-9fe5-36781d02b550_Enabled=True.
- Next, log into https://outlook.office365.com/ecp/ as either an Office 365 Global Admin or Exchange Admin
- On the left side, click mail flow
- This will default to the rules pane
- In the rules pane, click the + (add) icon and click Create a new rule...
- In the new rule pane, name the rule Encrypt and click the More options... link
- After clicking More options..., select the drop-down under *Apply this rule if... and hover over A message header... and click includes any of these words
- Click on the *Enter text... link and type msip_labels in the specify header name box and click OK
- Next, click on the Enter words... link and copy/paste the label information you have stored in the notepad document and click the + (add) icon, then click OK
- Click the drop-down below the *Do the following... and hover over Modify the message security... and click Apply Office 365 Message Encryption and rights protection
- In the select RMS template dialog, click the drop-down below RMS template: and select Encrypt and click OK
- The completed rule should look like the image below. Click Save to finish creating the first mail flow rule.
- To create the second rule, highlight the Encrypt rule and click the copy button
- This will create a copy of the first rule named Copy of Encrypt and open it for editing
- Rename the rule to #Encrypt then click the drop-down under *Apply this rule if... and hover over The subject or body... and select subject or body includes any of these words
- In the specify words or phrases dialog, add #Encrypt (and optionally #ENC) and press the + (add) icon, then OK once finished
- The completed second rule should look like the image below. Click Save to complete creation of the rule.
- You should now have two rules that can be used to apply the Encrypt protection to messages and supported attachments.
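The same two rules can be created from Exchange Online PowerShell instead of the admin center. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, that you sign in as an Exchange Admin, and that you substitute your own label ID for the one shown in the post.

```powershell
# Added example: scripted equivalent of the two mail flow rules above.
# Assumption: label ID below is the one from the post; replace with yours.
$LabelId     = '18acc54a-e84e-4add-9fe5-36781d02b550'
$Template    = 'Encrypt'   # RMS template selected in the rule dialog
$HeaderValue = "MSIP_Label_${LabelId}_Enabled=True"

Connect-ExchangeOnline

# Stop early if the template the rules depend on is not available,
# otherwise the rules would be created but could not protect anything.
if (-not (Get-RMSTemplate | Where-Object Name -eq $Template)) {
    throw "RMS template '$Template' not found; rules would not encrypt."
}

# One condition set per rule; the action is shared by both.
$rules = @(
    @{ Name                        = 'Encrypt'
       HeaderContainsMessageHeader = 'msip_labels'
       HeaderContainsWords         = $HeaderValue },
    @{ Name                        = '#Encrypt'
       SubjectOrBodyContainsWords  = '#Encrypt', '#ENC' }
)

$existing = Get-TransportRule
foreach ($r in $rules) {
    # Do not create a duplicate if the rule was already built in the portal.
    if ($existing | Where-Object Name -eq $r.Name) {
        Write-Warning "Rule '$($r.Name)' already exists; skipping."
        continue
    }
    New-TransportRule @r -ApplyRightsProtectionTemplate $Template
}

# Review what was created: state, order and the exact match conditions.
Get-TransportRule | Where-Object Name -in 'Encrypt', '#Encrypt' |
    Format-List Name, State, Priority, HeaderContainsMessageHeader,
        HeaderContainsWords, SubjectOrBodyContainsWords,
        ApplyRightsProtectionTemplate
```

After running it, send a labeled message and a message containing #Encrypt to an external test mailbox and confirm both arrive protected before announcing the keyword to users.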
The Added Bonus
Ok, so you may have noticed that you really didn't need the label itself to use the #Encrypt function of the Mail Flow Rule. That is true, but what you have now is a label that gives you the same functionality as the brand new Encrypt feature (that is in Office 365 ProPlus 2016 version 1804+) that you can use with any version of Office that supports the AIP Client (that's all the supported versions of Office). So I might have added more functionality than you necessarily needed, but it was totally worth it.
Another fun bonus is that the #Encrypt tag can be used to encrypt emails from Mac Office clients where there is no AIP Client currently (that is coming later this year), so for all of you out there that use Office for Mac, this gives you that additional functionality too!
Hopefully this is helpful to get you set up to use the new Encrypt functionality. Let me know in the comments if there is anything you didn't understand.