AIP label-based encryption

If you attended my session at Experts Live 2018, you saw that Azure Information Protection (AIP) can be integrated with Office Message Encryption (OME). Basically, this means that you can encrypt e-mails based on a chosen AIP label.

First of all, this is not officially supported, but it works flawlessly, and since you make use of the e-mail header, it will always work.

Let's pick a label in Word, for example “Confidential”. I have configured Outlook to automatically take over the label from the document, as you can see in the screenshots below:



Now we want to make sure that this e-mail is encrypted, without the need for the user to select the “Do Not Forward” button (which is also only available with the AIP client) and without the need for the AIP client to be installed.

Go to “Exchange admin center > mail flow > new rule > select Apply Office 365 Message Encryption and rights protection to messages…”

If you check the e-mail header from an e-mail where you selected “Confidential”, you will see that the sensitivity is set to “Confidential”:

So we have to make sure that OME is applied when an e-mail header matches “Confidential”.

The header name is “msip_labels”.

Configure it like this (make sure you configure multiple if you use multiple languages with AIP):

Now wait a few minutes (it can take up to one hour before your changes are synced through the 220 thousand Exchange servers) and try it out! You should now receive the e-mail as a protected e-mail:

Note that if you encrypt the e-mail, by default it will also encrypt Office documents. And because they are encrypted by OME, you cannot track the document (yet).
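To confirm that a given message would trigger the rule, including one labelled from a client in another AIP language, you can parse its msip_labels header offline. The following is an added example, not part of the original post; the header layout, the GUID and the translated label names are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message. The header layout (MSIP_Label_<GUID>_<field>=value
# pairs followed by Sensitivity=<label>) is an assumption; the GUID is made up.
SAMPLE_EML = """\
From: alice@example.com
To: bob@example.org
Subject: Q3 figures
msip_labels: MSIP_Label_00000000-0000-0000-0000-000000000001_Enabled=True;
 MSIP_Label_00000000-0000-0000-0000-000000000001_Name=Confidential;
 Sensitivity=Confidential
Content-Type: text/plain

See attachment.
"""

# Words the mail flow rule looks for, one per AIP display language in use
# (hypothetical list; the translations are examples only).
RULE_WORDS = ["Confidential", "Vertraulich", "Vertrouwelijk"]


def parse_msip_labels(raw_message: str) -> dict:
    """Return the key/value pairs of the msip_labels header ({} if absent)."""
    msg = message_from_string(raw_message, policy=default)
    value = msg.get("msip_labels")  # header lookup is case-insensitive
    if value is None:
        return {}
    pairs = {}
    # The default policy unfolds the header, so the pairs split cleanly on ";".
    for part in str(value).split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            pairs[key.strip()] = val.strip()
    return pairs


def matched_word(raw_message: str, words=RULE_WORDS):
    """Approximate the rule's header-word condition: return the first
    configured word found in the header values, or None if none match."""
    values = " ".join(parse_msip_labels(raw_message).values())
    for word in words:
        if re.search(rf"\b{re.escape(word)}\b", values, re.IGNORECASE):
            return word
    return None
```

A result of `None` for a labelled message means the rule's word list does not cover that label name, which is the gap the multi-language note above warns about.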