Customer-managed encryption features

For more information about these technologies, see the Microsoft 365 service descriptions.

The Azure Rights Management service

The Azure Rights Management service is the encryption technology used by Microsoft Purview Information Protection. It uses encryption, identity, and authorization policies to help secure your files and email across multiple platforms and devices—phones, tablets, and PCs. Information can be protected both within and outside your organization because protection remains with the data.

For more information about the Azure Rights Management encryption service, including how it works, the cryptographic controls it uses, and the key management options available, see Learn about the Azure Rights Management encryption service.

Secure Multipurpose Internet Mail Extension

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and digital signing of MIME data. S/MIME is defined in RFCs 3369, 3370, 3850, 3851, and others. It lets a user encrypt and digitally sign email. An email that is encrypted using S/MIME can only be decrypted by the recipient of the email using their private key, which is only available to that recipient. As such, the email can't be decrypted by anybody other than its recipient.

Microsoft supports S/MIME. Public certificates are distributed to the customer's on-premises Active Directory and stored in attributes that can be replicated to a Microsoft 365 tenant. The private keys that correspond to the public keys remain on-premises and are never transmitted to Office 365. Users can compose, encrypt, decrypt, read, and digitally sign emails between two users in an organization using Outlook, Outlook on the web, and Exchange ActiveSync clients.

Microsoft Purview Message Encryption

Microsoft Purview Message Encryption, built on top of the Azure Rights Management encryption service, enables you to send encrypted and rights-protected mail to anyone. Message encryption mitigates threats such as wire-tapping and man-in-the-middle attacks, as well as unwarranted access to data by an unauthorized user who doesn't have appropriate permissions. We have made investments that provide you with a simpler, more intuitive, secure email experience built on top of the Azure Rights Management encryption service. You can protect messages sent from Microsoft 365 to anyone inside or outside your organization. These messages can be viewed across a diverse set of mail clients using any identity, including Microsoft Entra ID, Microsoft Account, and Google IDs. For more information on how your organization can use encrypted messages, see [Message encryption](./ome.md).

Transport Layer Security

If you want to ensure secure communication with a partner, you can use inbound and outbound connectors to provide security and message integrity. You can configure forced inbound and outbound TLS on each connector, using a certificate. Using an encrypted SMTP channel can prevent data from being stolen via a man-in-the-middle attack. For more information, see How Exchange Online uses TLS to secure email connections.
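The following Exchange Online PowerShell session is an added example, not taken from this page or from Microsoft's documentation, of what "forced inbound and outbound TLS on each connector, using a certificate" looks like in practice. The partner domain `partner.example`, the connector names, and the certificate subject `*.partner.example` are placeholders; the cmdlets and parameters (`New-InboundConnector`, `New-OutboundConnector`, `-RequireTls`, `-TlsSenderCertificateName`, `-RestrictDomainsToCertificate`, `-TlsSettings`, `-TlsDomain`) are the ExchangeOnlineManagement module's own.

```powershell
# Added example (not from the Microsoft docs page): force TLS in both directions for
# mail exchanged with one partner domain. "partner.example" and the certificate name
# are placeholders. Requires the ExchangeOnlineManagement module and an admin account.
Connect-ExchangeOnline

# Inbound: mail claiming to come from partner.example is accepted only over TLS, and
# only when the sending server presents a certificate whose subject matches the
# expected name. RestrictDomainsToCertificate rejects partner.example mail that
# arrives without that certificate, which is what defeats a man-in-the-middle
# relaying cleartext SMTP.
New-InboundConnector -Name 'Partner inbound (forced TLS)' `
    -ConnectorType Partner `
    -SenderDomains 'partner.example' `
    -RequireTls $true `
    -TlsSenderCertificateName '*.partner.example' `
    -RestrictDomainsToCertificate $true

# Outbound: deliver to the partner's MX hosts only over TLS, and require that the
# server certificate chains to a trusted CA and is issued to the expected domain
# (DomainValidation). EncryptionOnly would accept any certificate, including a
# self-signed one presented by an interposed host, so it is the weaker setting.
New-OutboundConnector -Name 'Partner outbound (forced TLS)' `
    -ConnectorType Partner `
    -RecipientDomains 'partner.example' `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain 'mail.partner.example'

# Review the settings that matter and keep the output for the change record.
Get-InboundConnector  | Format-List Name, SenderDomains, RequireTls, TlsSenderCertificateName, RestrictDomainsToCertificate
Get-OutboundConnector | Format-List Name, RecipientDomains, TlsSettings, TlsDomain
```

The two connectors are independent: the inbound one governs what Exchange Online will accept from the partner, the outbound one what it will send. Leaving either side at opportunistic TLS means that direction can silently fall back to cleartext if the remote server does not offer STARTTLS.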

Domain Keys Identified Mail

Exchange Online supports inbound validation of Domain Keys Identified Mail (DKIM) messages. DKIM is a method for validating that a message was sent from the domain it says it originated from and that it wasn't spoofed by someone else. It ties an email message to the organization responsible for sending it, and is part of a larger paradigm of email encryption. For more information about the three parts of this paradigm, see:
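As an added illustration, not part of this page, of what a DKIM verifier does before it ever checks a signature, the PowerShell below parses a DKIM-Signature header, derives the DNS TXT record name the verifier must fetch (`<selector>._domainkey.<domain>`, per RFC 6376), and checks whether the signing domain in the `d=` tag matches the domain in the From: header. The header and From: address are constructed samples; the `bh=` and `b=` values are placeholders, not real hashes or signatures, and the function names are this example's own.

```powershell
# Added example (not from the Microsoft docs page): inspect a DKIM-Signature header.
# The header below is a constructed sample; bh= and b= are placeholders.

function ConvertFrom-DkimSignature {
    param([Parameter(Mandatory)][string]$HeaderValue)
    # Unfold the header (RFC 5322 folding is CRLF followed by whitespace), then split
    # the tag=value list on ';'. Whitespace inside a tag value is not significant
    # (RFC 6376 section 3.2), so it is stripped.
    $unfolded = $HeaderValue -replace "`r?`n[ \t]+", " "
    $tags = @{}
    foreach ($part in $unfolded -split ';') {
        $kv = $part.Trim()
        if (-not $kv) { continue }
        # Limit the split to 2 so base64 '=' padding in b= and bh= stays in the value
        $name, $value = $kv -split '=', 2
        $tags[$name.Trim()] = ($value -replace '\s', '')
    }
    return $tags
}

function Get-DkimDnsRecordName {
    param([Parameter(Mandatory)][hashtable]$Tags)
    # A verifier fetches the public key from the TXT record at <s>._domainkey.<d>
    return '{0}._domainkey.{1}' -f $Tags['s'], $Tags['d']
}

function Test-DkimFromAlignment {
    param([Parameter(Mandatory)][hashtable]$Tags, [Parameter(Mandatory)][string]$FromHeader)
    # Pull the domain out of the From: address (angle-bracket form or bare address)
    if ($FromHeader -match '@([A-Za-z0-9.-]+)>?\s*$') {
        $fromDomain = $Matches[1].ToLower()
    } else {
        return $false
    }
    $signingDomain = $Tags['d'].ToLower()
    # DMARC-style relaxed alignment: exact match, or From: domain is a subdomain of d=.
    # A valid signature whose d= is unrelated to the From: domain says nothing about
    # whether the visible sender was spoofed.
    return ($fromDomain -eq $signingDomain) -or $fromDomain.EndsWith(".$signingDomain")
}

# Constructed sample headers
$dkimHeader = @"
v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; s=selector1;
 h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=;
 b=PLACEHOLDERSIGNATURE=
"@
$from = 'Alice <alice@mail.contoso.com>'

$tags = ConvertFrom-DkimSignature $dkimHeader
"Signing domain : $($tags['d'])"
"Signed headers : $($tags['h'])"
"DNS record     : $(Get-DkimDnsRecordName $tags)"
"From aligned   : $(Test-DkimFromAlignment $tags $from)"

# On Windows the public key record can then be fetched for inspection with:
#   Resolve-DnsName -Name (Get-DkimDnsRecordName $tags) -Type TXT
```

Exchange Online performs the full check (record lookup, canonicalization, and RSA signature verification over the headers listed in `h=`) on inbound mail and records the outcome in the Authentication-Results header; the alignment test above is the part an analyst most often needs to repeat by hand when deciding whether a "dkim=pass" actually vouches for the visible sender.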