Advanced Message Encryption
Office 365 Advanced Message Encryption is included in Microsoft 365 Enterprise E5, Office 365 E5, Microsoft 365 E5 (Nonprofit Staff Pricing), Office 365 Enterprise E5 (Nonprofit Staff Pricing), and Office 365 Education A5. If your organization has a subscription that does not include Office 365 Advanced Message Encryption, you can purchase it with the Microsoft 365 E5 Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), or the Office 365 Advanced Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), Office 365 SKUs, or the Microsoft 365 E5/A5 Information Protection and Governance SKU add-on for Microsoft 365 A3/E3.
Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Advanced Message Encryption in Office 365, you can control sensitive emails shared outside the organization with automatic policies. You configure these policies to identify sensitive information types such as PII, Financial, or Health IDs, or you can use keywords to enhance protection. Once you've configured the policies, you pair policies with custom branded email templates and then add an expiration date for extra control of emails that fit the policy. Also, admins can further control encrypted emails accessed externally through a secure web portal by revoking access to the mail at any time.
You can only revoke and set an expiration date for emails sent to external recipients.
Get started with Office 365 Advanced Message Encryption
The following articles describe how you set up and use Advanced Message Encryption.
Your organization must have a subscription that includes Office 365 Advanced Message Encryption. For detailed information about supported subscriptions, see the Message policy and compliance service description.
If you do not have Office 365 Message Encryption set up already, see Set up new Office 365 Message Encryption capabilities.
With Advanced Message Encryption, you're not limited to a single branding template. Instead, you can create and use multiple branding templates. For information, see Add your organization's brand to your encrypted messages. When you use custom branding, external recipients receive a notification email that contains a link to the OME portal. The mail flow rule determines which branding template the notification email and OME Portal use. This way, your secure content isn't sent outside your organization.
You can only revoke messages and apply expiration dates to messages that users receive through the portal. In other words, email that has a custom branding template applied. For more information and an example, see the guidance in Ensure all external recipients use the OME Portal to read encrypted mail.
Set an expiration date for email encrypted by Office 365 Advanced Message Encryption. Control sensitive emails shared outside the organization with automatic policies that enhance protection by expiring access through a secure web portal to encrypted emails.
Revoke email encrypted by Office 365 Advanced Message Encryption. Control sensitive emails shared outside the organization and enhance protection by revoking access through a secure web portal to encrypted emails.