How to encrypt emails with M365 Message Encryption

Microsoft Email Encryption allows users to send encrypted messages and attachments to recipients inside and outside of the University. It is available through desktop and web clients but not on mobile devices.

Prerequisites

A compatible version of Outlook (2016, version 1804 or later)
Access to Microsoft 365 via desktop or web clients

Encryption Options

There are four email message protection options available:

Encrypt: Allows you to send encrypted messages to any recipient, whether inside the organization or not.
- If the recipient uses Microsoft 365 (Outlook, Outlook on the Web, or Outlook for mobile), they can open the encrypted email without extra steps.
- For recipients outside Microsoft 365, they will receive an email with a link to the encrypted message, securely stored on Microsoft 365 servers. Recipients with a Gmail address must sign in with their Google credentials, and those using other email services must use a Microsoft account or a one-time access code.
Do Not Forward: Sends an encrypted message with restricted content, preventing it from being forwarded, printed, or copied. Note that a camera can still capture the message content.
Colorado State University – Confidential: Grants read and modify permissions for the protected content to recipients using CSU M365 only.
Colorado State University – Confidential View Only: Grants read-only permission for the protected content (cannot reply, forward, save, or export) for recipients using CSU M365 only.

Instructions

Note: You can access Microsoft email encryption only through the desktop or web versions of Microsoft 365. Email encryption is not available on mobile devices.

How to Encrypt Email Using Outlook on Windows

Check that you are using Outlook 2016, version 1804 or later by selecting File > Office Account and reviewing the version under "About Outlook." If you have an earlier version, contact your local IT support.
Open an email message in Outlook.
Select Options, then click Encrypt.
Choose the encryption type, such as Encrypt-Only or Do Not Forward.

New message in Outlook, Options tab, Encrypt drop-down menu showing "Encrypt-Only", "Do Not Forward", "Colostate - Confidential", and "Colostate - Confidential View Only"

Note: If you encounter a “Connect to Rights Management Servers and get templates” message, please contact your local IT support.

New message in Outlook, Options tab, Encrypt drop-down menu showing "Connect to Rights Management Servers and get templates" message

How to Send Protected Messages Using the Office 365 Portal

Sign in to the Outlook web portal with your NetID@colostate.edu email address and password.
Click New message to compose a new email.
Select the Options tab, then click the lock icon to open encryption options.
Choose the Encrypt option (recommended in most cases).

New message in Outlook, Options tab, Encrypt drop-down menu highlight the "Encrypt" option

Note: If you are replying to an email, you can also encrypt it by following the same instructions.

How to Send Protected Messages Using Office for Mac

Compose a message in the Outlook client.
Click on the Options tab in the ribbon.
Click the Permissions button to choose the desired encryption setting.

New message in Outlook, Options tab, Permissions/lock icon drop-down menu showing "Encrypt-Only", "Do Not Forward", "Colostate - Confidential", and "Colostate - Confidential View Only"

How to Identify a Protected Message

Protected messages will have a padlock icon and a header indicating the protection policy, depending on the client being used.

Outlook inbox, showing an encrypted email with a lock icon in the preview and a "Do Not Forward - Recipients can't forward, print, or copy content" message in the reading screen Protected Message Example

Email in Outlook showing "Encrypt: This message is encrypted. Recipients can't remove encryption." message at top of email. Protected Message Example

Outlook email showing a "Do Not Forward - Recipients can't forward, print, or copy content" message at the top of the email. The Reply options also show that forwarding and printing is unavailable Protected Message Example

How External Users Can Open a Protected Message

The external user receives a normal-looking message, but all content is removed, leaving only a link.
Authenticate with a Microsoft account or request a one-time access code, which is sent to the original recipient's email.

Note: External recipients may need to follow different steps depending on their email provider. A Microsoft account or one-time access code is required to access the message. Gmail or Yahoo users can use their respective credentials to access the message.

Gmail email encrypted email shows that all content is removed and a "Read the message" button is added. When hovering over the link, it should look something like "outlook.office365.com/Encryption/retrieve..."

Troubleshooting Common Issues

Error After Duo Authentication: If you receive an internal server error after authenticating with Duo, close Outlook and relaunch the service. You may need to authenticate again. If the issue persists, contact your local IT support.
Other Error Messages: If you encounter any other type of error message, follow up with your IT liaison for further assistance.

Outcome

After following these steps, users will be able to send encrypted emails securely, ensuring that only the intended recipients can view or interact with the content.