
Enterprise Mobility + Security


We made some exciting announcements at Ignite that help you protect your sensitive information regardless of where it’s stored or shared. For detailed information on new capabilities in Office 365 Message Encryption (OME), please read this Office 365 blog and watch this Ignite session. We’re also hosting an Ask Me Anything (AMA) session on OME on Oct 26 that we encourage you to join.

This post dives deeper into some additional email security and compliance scenarios that are enabled with Azure Information Protection.

Exchange Online and Azure Information Protection BYOK

Though Azure Information Protection generates and manages your tenant key, some organizations have expressed a need to use their own key. This scenario of using a “customer-managed” key is also known as “bring your own key” (BYOK). While Azure Information Protection has offered a BYOK solution (which uses the Azure Key Vault service) for a while, it was incompatible with Exchange Online. Organizations were left with a difficult choice: hold their own tenant key, or use rights management for email in Exchange Online, but not both.

We are glad to share that we’ve filled that gap. You can now use Azure Information Protection BYOK with Exchange Online. The feature is initially available for tenants that have not previously enabled rights management on Exchange Online; we are working hard to make it available to all our customers in the near future.

For more information about BYOK and how to implement it for Azure Information Protection, see Planning and implementing your Azure Information Protection tenant key. For instructions to configure Exchange Online for this scenario, see Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection.
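The setup the linked documents describe, condensed into one PowerShell session as an added example (this is not code from the original post or from the Azure Information Protection documentation). It assumes a Key Vault named contoso-aip-kv holding an HSM-protected key named contoso-tenant-key, a test mailbox securityadmin@contoso.com, and an admin session with the AzureRM, AADRM (Azure Rights Management) and Exchange Online PowerShell modules loaded; every name and URL is a placeholder.

```powershell
# Added example, not part of the original post.
# Assumed placeholders: vault contoso-aip-kv, key contoso-tenant-key,
# mailbox securityadmin@contoso.com; replace with your own values.

# 1. Grant the Azure Rights Management service principal access to the key.
#    00000012-0000-0000-c000-000000000000 is the well-known Azure RMS service principal.
Set-AzureRmKeyVaultAccessPolicy -VaultName "contoso-aip-kv" `
    -ServicePrincipalName 00000012-0000-0000-c000-000000000000 `
    -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign,get

# 2. Point the Azure Information Protection tenant at the customer-managed key.
#    The key URL includes the key version; <key-version> is a placeholder.
Connect-AadrmService
$keyUrl = "https://contoso-aip-kv.vault.azure.net/keys/contoso-tenant-key/<key-version>"
Use-AadrmKeyVaultKey -KeyVaultKeyUrl $keyUrl
Enable-Aadrm

# Confirm the Key Vault key is the active tenant key before touching Exchange Online.
Get-AadrmKeys | Select-Object KeyIdentifier, KeyType, Status

# 3. Enable IRM in Exchange Online against Azure Rights Management, then test it.
#    (Assumes Connect-ExchangeOnline or an equivalent remote session is already open.)
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
Test-IRMConfiguration -Sender "securityadmin@contoso.com"
Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled, InternalLicensingEnabled
```

Two practical notes. Step 3 deliberately uses Set-IRMConfiguration -AzureRMSLicensingEnabled rather than the older Import-RMSTrustedPublishingDomain -RMSOnline route; as the post says, tenants that already enabled rights management on Exchange Online through that older route are not covered by the initial release. And because the key never leaves Azure Key Vault, turn on Key Vault logging for the vault so that the Azure Rights Management service’s use of the key is auditable.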

In a lot of cases, organizations would like emails to be automatically protected based on their sensitivity. Let’s see how Azure Information Protection can help in that case.

Automatic protection of emails based on sensitivity labels

As detailed in our recent blog series, Azure Information Protection enables you to classify, label, and protect your information. When this is combined with Office 365 Message Encryption, you have an intuitive and powerful way to protect any email that flows within your organization, to other organizations, or to any email recipient.

Let’s walk through a couple of examples that highlight the simplicity of the workflow. For this blog, we will assume that the administrator of Contoso.com has already created some labels that are configured to apply protection.

George wants to send a sensitive email to his colleague Allie. George selects the Highly Confidential \ Contoso FTE Only label, which automatically encrypts the email and applies the corresponding usage rights.

The protected message can be easily read by Allie across different platforms (Windows, iOS, Android), devices (desktop, web, mobile), and applications (Outlook, Outlook Web Access, iOS native client).

Custom protection templates for external collaboration

We recently introduced new collaboration features in this blog that enable admins to create custom protection settings for a label. This allows users in one organization to securely collaborate with users or groups in another organization. This is a great addition to the standard Do Not Forward policy.

The screenshot below shows a sample configuration in the Azure Information Protection blade in the Azure portal. The administrator for Contoso.com has created a Highly Confidential \ Fabrikam – Partner label backed by custom protection permissions. This setting allows Contoso.com users to securely collaborate with their counterparts in Fabrikam.com without, for example, granting them the Print permission.

When a user in Contoso needs to send a protected email to a user in Fabrikam.com, they select the appropriate label (Highly Confidential \ Fabrikam – Partner), which automatically applies protection.
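The same Fabrikam – Partner permissions can be created as a custom protection template from PowerShell instead of through the Azure Information Protection blade, which is handy for reviewing exactly which usage rights a partner group gets. The following is an added example, not code from the original post; it uses the AADRM module cmdlets and assumes a partner group partners@fabrikam.com and an internal group fte@contoso.com, both placeholders.

```powershell
# Added example, not part of the original post. Group addresses are placeholders.
Connect-AadrmService

# Fabrikam partners: read, edit and reply, but deliberately no PRINT, EXPORT
# (save as unprotected) or EXTRACT (copy out of the protected message).
$fabrikam = New-AadrmRightsDefinition -EmailAddress "partners@fabrikam.com" `
    -Rights "VIEW","VIEWRIGHTSDATA","EDIT","DOCEDIT","REPLY","REPLYALL","FORWARD","OBJMODEL"

# Contoso employees keep the full set, including PRINT.
$contoso = New-AadrmRightsDefinition -EmailAddress "fte@contoso.com" `
    -Rights "VIEW","VIEWRIGHTSDATA","EDIT","DOCEDIT","PRINT","EXTRACT","REPLY","REPLYALL","FORWARD","OBJMODEL"

# Display names and descriptions are keyed by LCID; 1033 is en-US.
$names = @{}
$names[1033] = "Highly Confidential - Fabrikam Partner"
$descriptions = @{}
$descriptions[1033] = "Contoso staff collaborating with Fabrikam. Partners cannot print or export."

# Publish the template; offline access is allowed for 7 days before a fresh license is needed.
# Assumption: Add-AadrmTemplate returns the created template object with a TemplateId.
$template = Add-AadrmTemplate -Names $names -Descriptions $descriptions `
    -RightsDefinitions $contoso, $fabrikam `
    -LicenseValidityDuration 7 `
    -Status Published

# Check the rights actually granted to the partner group before linking the
# template to the Highly Confidential \ Fabrikam - Partner label in the portal.
(Get-AadrmTemplate -TemplateId $template.TemplateId).RightsDefinitions |
    Where-Object { $_.EmailAddress -eq "partners@fabrikam.com" } |
    Select-Object EmailAddress, Rights
```

Once the template is published it can be selected as the protection setting of the label. Leaving FORWARD in the partner rights is not a leak: a forwarded copy stays encrypted, and only identities listed in the template can obtain a use license for it.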

The recipient (Jenn) can read this email across multiple devices and applications. From a sender’s perspective, the experience of sending an email to an internal user or an external user is the same.

Similarly, senders now have a consistent and easy way to send protected email to a user with a consumer ID, such as a Live or Gmail account. For example, the Contoso.com administrator has created a Confidential \ External recipients label, which automatically protects any content by using the Do Not Forward policy (or any other appropriate policy).

The recipient can easily open the email and attachment.

It really is very easy to get started with Azure Information Protection. We have a lot of information available to help you, from great documentation, to engaging with us via Yammer and email. What are you waiting for? Get to it!