Office 365 Message Encryption (OME) is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail,, etc.). As an admin, you can set up transport rules that define the conditions for encryption. When a user sends a message that matches a rule, encryption is applied automatically.


To view encrypted messages, recipients can either get a one-time passcode, sign in with a Microsoft account, or sign in with a work or school account associated with Office 365. Recipients can also send encrypted replies. They don't need a Microsoft 365 subscription to view encrypted messages or send encrypted replies.

What does it do? 

Encrypts messages sent to internal or external recipients.
Allows users to send encrypted messages to any email address, including, Yahoo! Mail, and Gmail.
Allows you, as an admin, to customize the email viewing portal to reflect your organization's brand.
Microsoft securely manages and stores the keys, so you don't have to.
No special client side software is needed as long as the encrypted message (sent as an HTML attachment) can be opened in a browser.

What does it not do? 

OME doesn't let you apply usage restrictions to messages. For example, you can't use it to stop a recipient from forwarding or printing an encrypted message.


Recommendations and example scenarios

We recommend using OME when you want to send sensitive business information to people outside your organization, whether they're consumers or other businesses. For example:

  • A bank employee sending credit card statements to customers
  • A doctor's office sending medical records to a patient
  • An attorney sending confidential legal information to another attorney