Office 365 Message Encryption allows your users to easily send encrypted messages to recipients without the additional configuration of traditional encryption technologies such as S/MIIME or an encrypted transport connector. This opens secure transport on an ad-hoc basis, without pre-configuration or intervention from IT departments, which has got to be a good thing.

By default, the Office 365 email and portal templates are branded, which could potentially look like a phishing email, especially as Office 365 or Gmail users will be prompted to sign in to view the email. So, many organisations are likely to want to implement a custom branding option for Office 365 message encryption to eliminate the assumption it’s a potential threat or to avoid future confusion. In this article, I will explain the available customisation options and demonstrate how to implement them.  

If you would like to find out more about phishing emails, check out Tony Akers blog below.

https://www.practical365.com/security/how-to-improve-reporting-of-phishing-attacks/

The first thing to note is that Office 365 Message Encryption is included with Office 365 Enterprise E3 and E5, and therefore also as part of Microsoft 365 E3 and E5. Users with Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Office 365 Business Essentials, Office 365 Business Premium, or Office 365 Enterprise E1 subscriptions can also benefit from Office Message Encryption with the addition of an Azure Information Protection P1 subscription.

You can see the default Office 365 branded email and portal in the screenshots below.

Default OME portal branding

Figure 1 Default OME Portal Branding
Office 365 Message Encryption screenshot
Figure 2 Default OME Email Branding

How you can use branding for Office 365 Message Encryption

The branding options can only be set using Exchange Online PowerShell. For more information on connecting to Exchange Online PowerShell see the article below.

https://www.practical365.com/blog/office-365-administration-portals-powershell-connections/

You can see the various elements of both the portal and the email notification that can be customised in the table below.

Office 365 message encryption table

Although you can have several OME Configurations within an Office 365 tenant, you should update the default configuration to affect the branding recipients.

The following command is what I used to configure my custom branding, updating all the customisable attributes within the OME Configuration.

Set-OMEConfiguration -Identity "OME Configuration" -BackgroundColor "#F39C12" -DisclaimerText "This email is only intended for the addressed recipient. Attempting to access the encryped email with an unauthorised account or permission is against the rules, and will not work anyway! For more information see Information Link." -Image (Get-Content "C:\Mike\Logo.jpg" -Encoding byte) -EmailText "You have been sent an email that has been encrypted. You will need to validate your identity in order to access the content of the message." -IntroductionText "has sent you an encrypted email. Please verify your identity at the link below to access the encrypted email." -OTPEnabled:$True -PortalText "MP365LAB Office 365 Message Encryption Portal" -ReadButtonText "View encrypted email" -SocialIDSignIn:$True

The images below shows the result of the custom branding settings on the email and in the portal.

Custom branding through Office 365 Message Encryption on email
Office 365 Message Encryption on portal

You can recreate the default configuration by creating a new OME Configuration using the New-OMEConfiguration command within Exchange Online PowerShell or reverting all settings of the “OME Configuration” to the default values.

As you can see the portal can be completely changed to align with your corporate branding, including the tone or standard disclaimers your users or partners will normally see when accessing the organisation’s other assets. Hopefully this will help you when looking to align your encrypted emails from Office 365 to your own corporate branding.

About the Author

Mike Parker

Mike is a Technical Architect at Content and Code, a multiple award-winning Microsoft Partner. He has spent the last five years working closely with Microsoft 365 technologies. Mike’s primary area of focus is in the delivery of the Microsoft 365 suite, including the Office 365 suite and Enterprise Mobility + Security, for a range of global enterprise clients. Mike blogs at www.mikeparker365.co.uk, speaks at internal and public events when time allows!

Comments

  1. Freddie Mac

    The Real Person!

    Author Freddie Mac acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.

    Hi Mike,

    Great post.

    I would just like to ask a few things things.

    When creating a custom branding template, this new template will be the default template used for all encrypted messages sent out? unless this new branding template is associated to a mail flow rule or a DLP policy using certain conditions? I just want to be clear on that so customers are not shocked when their custom branding template is being used by default unless they configure the use of a mail flow rule or DLP policy to enforce that template, leaving the default template being used for encrypted emails that do not match the conditions.

    A custom branding template is also a prerequisite for users being able to “remove external access” to encrypted email via the sent items in OWA?

    End users can revoke emails themselves that they’ve sent to non Microsoft services such as Gmail, Yahoo etc. Whereas Emails sent to Microsoft service such as Exchange Online and the recipient is using Outlook cannot be revoked by the sender, only the admin can do so via PowerShell (if the email was sent as a link based email enforced by a DLP policy for example).

    Cheers Mike,

    Freddie

  2. kursko

    How to set EmailText to let user click in the text and send to a specific link?
    Like, for example, configure EmailText as : Need help ? Click here. Where “click here” open a specific link?

  3. Traci G.

    Can this only be set for the parent tenant? I would need to create separate ones for the domains under my tenant.

Leave a Reply