Revoke email encrypted by Office 365 Advanced Message Encryption
Email revocation is offered as part of Office 365 Advanced Message Encryption. Office 365 Advanced Message Encryption is available on top of Office 365 Message Encryption in certain subscriptions. Advanced Message Encryption is included in Microsoft 365 Enterprise E5, Office 365 Enterprise E5, and Office 365 Education A5. If your organization has an Office 365 subscription that does not include Office 365 Advanced Message Encryption, you can purchase Advanced Message Encryption as an add-on with E5 Compliance of the Advanced Compliance SKU.
This article is part of a larger series of articles about Office 365 Message Encryption.
You may find it necessary to revoke an email that has already been sent. If the email was encrypted using Office 365 Advanced Message Encryption, and you are an Office 365 admin, you can do this for email under certain conditions. This article describes under what circumstances this is possible and how to do it.
Encrypted emails that you can revoke
You can revoke encrypted emails if the recipient received a link-based, branded encrypted email. If the recipient received a native inline experience in a supported Outlook client, then those emails cannot be revoked.
Whether a recipient receives a link-based experience or an inline experience depends on the recipient identity type: Office 365 and Microsoft Account recipients (for example, outlook.com users) get an inline experience in supported Outlook clients. All other recipient types, such as Gmail recipients, get a link-based experience.
Recipient experience for revoked encrypted emails
Once an email has been revoked, the recipient will get an error when trying to access the encrypted email through the Office 365 Message Encryption portal: “The message has been revoked by the sender”.
How to revoke an encrypted email
Step 1. Obtain the Message ID of the email
Before you can revoke an encrypted mail you need to gather the Message ID of the mail. The MessageId is usually of the format:
There are multiple ways to find the Message ID of the email that you want to revoke. This section describes a couple of options, but you can use any method that provides the ID.
To identify the Message ID of the email you want to revoke by using Message Trace in the Security & Compliance Center
Search for the email by sender or recipient using New Message Trace in Office 365 Security & Compliance Center.
Once you've located the email, select it to bring up the Message trace details pane. Expand More Information to locate the Message ID.
To identify the Message ID of the email you want to revoke by using Office Message Encryption reports in the Security & Compliance Center
In the Security & Compliance Center, navigate to the Message Encryption Report.
Choose the View details table and identify the message that you want to revoke.
Double-click the message to view details that include the Message ID.
Step 2. Verify that the mail is revocable
To verify whether you can revoke a particular email message, check whether the Revocation Status field is visible in the Details table in the Security & Compliance Center.
To verify whether you can revoke a particular email message by using Windows PowerShell, complete these steps.
Using a work or school account that has global administrator permissions in your Office 365 organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see Connect to Exchange Online PowerShell.
Run the Get-OMEMessageStatus cmdlet as follows:
Get-OMEMessageStatus -MessageId "<message id>" | ft -a Subject, IsRevocable
This returns the subject of the message and whether the message is revocable. For example,
Subject        IsRevocable
-------        -----------
“Test message” True
Step 3. Revoke the mail
Once you know the Message ID of the email you want to revoke, and you have verified that the message is revocable, you can revoke the email.
To revoke the email in the Security & Compliance Center, in the Details table, choose Revoke.
You can revoke an email in Windows PowerShell by using the Set-OMEMessageRevocation cmdlet.
Run the Set-OMEMessageRevocation cmdlet as follows:
Set-OMEMessageRevocation -Revoke $true -MessageId "<messageId>"
To check whether the email was revoked, run the Get-OMEMessageStatus cmdlet as follows:
Get-OMEMessageStatus -MessageId "<messageId>" | ft -a Subject, Revoked
If revocation was successful, the cmdlet returns the following result:
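Steps 2 and 3 combined into one PowerShell function, as an added example that is not part of the original article or Microsoft's own code. It assumes an Exchange Online PowerShell session is already connected; the function name Revoke-OmeMessageIfRevocable and the Outcome values are hypothetical.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# Revoke-OmeMessageIfRevocable is a hypothetical helper name, not a Microsoft cmdlet.
function Revoke-OmeMessageIfRevocable {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$MessageId
    )
    process {
        foreach ($id in $MessageId) {
            $subject = $null
            try {
                # Step 2: check whether the message can be revoked.
                $status  = Get-OMEMessageStatus -MessageId $id -ErrorAction Stop
                $subject = $status.Subject
                if (-not $status.IsRevocable) {
                    # For example, mail delivered with the inline Outlook experience.
                    $outcome = 'NotRevocable'
                }
                elseif (-not $PSCmdlet.ShouldProcess($id, 'Revoke encrypted email')) {
                    # -WhatIf was used, or the confirmation prompt was declined.
                    $outcome = 'Skipped'
                }
                else {
                    # Step 3: revoke, then read the status back to confirm.
                    Set-OMEMessageRevocation -Revoke $true -MessageId $id -ErrorAction Stop
                    $after = Get-OMEMessageStatus -MessageId $id -ErrorAction Stop
                    if ($after.Revoked) { $outcome = 'Revoked' }
                    else                { $outcome = 'RevocationNotConfirmed' }
                }
            }
            catch {
                # Lookup or revocation failed (unknown Message ID, missing permissions, ...).
                $outcome = "Error: $($_.Exception.Message)"
            }
            # One result object per Message ID, suitable for export as an audit record.
            [pscustomobject]@{ MessageId = $id; Subject = $subject; Outcome = $outcome }
        }
    }
}

# Dry run first, then the real call (placeholder Message ID):
# '<message id>' | Revoke-OmeMessageIfRevocable -WhatIf
# '<message id>' | Revoke-OmeMessageIfRevocable
```

Because the function emits one object per Message ID, the output can be piped to Export-Csv to keep a record of which messages were revoked and which were not revocable.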
More information about Office 365 Advanced Message Encryption