Introducing the OME Test Tool

Saturday, January 12, 2019

TL;DR: Send an email to OMETest@expta.com and the service will respond with an email encrypted by Office 365 Message Encryption. If your test email includes an attachment, that attachment will be included in the OME encrypted response as an encrypted attachment. Use this service to test how encrypted emails are handled by your email clients and mobile devices.

The well-intentioned folks over at Microsoft are doing it again, but you know what they say about the road to hell...

In late December, message ID MC170958, entitled "New Office 365 Message Encryption policy for sensitive information," showed up in the Office 365 Message Center. This feature is intended to keep user emails that contain sensitive information safe by automatically encrypting them. This will be done by creating a new Exchange mail flow rule in your tenant to use Online Message Encryption (OME), which was recently renamed to Office 365 Message Encryption.

Message Center ID MC170958

The Message Center notice included a link to https://docs.microsoft.com/en-us/office365/securitycompliance/new-ome-encryption-policy, but that link no longer works for most users. Perhaps Microsoft is rethinking this, but it still shows in the Message Center for some customers.

While the idea of keeping users from doing something stupid is a noble one, to me this reeks of Skynet. I really don't like the idea of anyone or anything inserting logic and a new business process into my emails and mail flow. What if my emails to customers start being encrypted because my item numbers resemble a bank account number? What if I have a complex transport configuration?

It's easy enough to opt out of this change by running Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false, but shouldn't I really have to opt in instead of opt out?

January 25 UPDATE: Microsoft has indeed rethought this a bit. They will still be creating the OME transport rule, but it will not be enabled by default:

Updated Message Center Notification
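
To see where a tenant stands with respect to the opt-out setting and the automatically created rule, the following added example (not from the original post) reads the IRM configuration and lists every mail flow rule that applies encryption, with its state. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account can read IRM and mail flow rule settings.

```powershell
# Added example, not from the original post.
# Assumption: ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

# 1. Is the tenant still opted in to automatic OME policy updates?
Get-IRMConfiguration |
    Select-Object AutomaticServiceUpdateEnabled, AzureRMSLicensingEnabled |
    Format-List

# 2. Which mail flow rules apply encryption (a rights protection
#    template or legacy OME), and in what state are they?
$omeRules = Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate -or $_.ApplyOME } |
    Sort-Object Priority

$omeRules |
    Select-Object Name, State, Mode, Priority,
                  ApplyRightsProtectionTemplate, ApplyOME |
    Format-Table -AutoSize

# 3. Call out any encryption rule that is enabled, so an unexpected
#    one is noticed before it changes mail flow to external recipients.
foreach ($rule in $omeRules) {
    if ($rule.State -eq 'Enabled') {
        Write-Warning "Encryption rule '$($rule.Name)' is enabled (mode: $($rule.Mode))."
    }
}

# 4. Opt out of automatic updates (the command from the post).
#    Left commented out so the script stays read-only by default.
# Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
```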

I'm sure automation like this might help small customers who don't have the time or skills to properly manage and secure their infrastructure, but for enterprise customers this could be a real disaster. OME encrypted emails require the recipient to authenticate with a Microsoft account to read them. Despite what Microsoft thinks, not everyone has (or wants) an account with them or uses Microsoft Office. This causes a barrier that a lot of email recipients will find difficult. It should be noted that one-time passwords are also supported. Read "Microsoft Plans to Launch Automatic Email Encryption for Office 365 Tenants" for Tony Redmond's take on this.

I created an OME test service in Office 365 that you can use to test the end-user experience of receiving an OME encrypted email. Simply send an email to ometest@expta.com. In a short while the service will automatically respond with an encrypted message. If you include an attachment with your email, that attachment will also be returned in the OME message as an encrypted attachment.

Note: The OME test service will not respond to messages that contain ": " in the subject. This prevents mail loops caused by rules that automatically reply or forward messages.

You should test access to this encrypted email from Outlook or any desktop email app, your mobile device, and your web browser to see how each client handles OME encrypted emails. You may be required to create a free Microsoft ID to view it.

You'll notice that you cannot preview OME encrypted emails in the Outlook preview pane. They must be opened to view them.

OME encrypted emails cannot be viewed in the preview pane

Outlook will attempt to download a rights management service user license to make the reading experience fairly straightforward, assuming you're signed into Office 365. Other email clients will be more cumbersome and recipients without a Microsoft account will need to sign up for one to read the email. Honestly, I can't imagine my parents having to deal with this from their mobile phones.

This is what an OME protected email looks like on an iPhone

I use the native Apple mail client, not the Outlook app. If you're like me, you have more than one email account on your mobile device. When you click "Read the message" you'll need to authenticate with the same email address it was sent to - something that may not be readily apparent from an "All Inboxes" view, like on the iPhone. If you use the wrong account you get an unhelpful "The item was not found" error.

Once you successfully sign in to Office 365 you can view, reply, or forward the email via OWA. If you use the Outlook app for iOS or Android, your experience will be better.

This is the OME encrypted email

I hope you find that the OME tester utility is useful. Please let me know if you have any issues.
