Revoke access to sensitive emails

Microsoft has started to roll out a lot of new features related to Information Protection. A requested feature that was rolled out last week is the possibility to revoke protected emails that have been sent externally.

As is usual with new functionality, this feature has started to roll out in the cloud service, Outlook online!

Let me show you how this works:

The sender's experience

Suppose I have sent a protected email to external recipients and I realize that this was a mistake, or that for some other reason the email needs to be revoked (that is, prevented from being accessed).

I can go to my Sent folder (in Outlook online). There I will see an option (for protected emails that were sent to external users) to remove external access for that specific email.

When I click on “Remove external access” I get a prompt to confirm this action.

When the email has been revoked, I can see in that specific email that it is no longer accessible to external recipients.

Recipient experience

The external recipient who received the email and tries to read it will have the following experience.

The recipient tries to access the protected email (hosted by the sender's Exchange Online):

After signing in, the recipient gets a message that this email has been revoked by the sender.

Requirements and explanation of how it works

As you may understand from the screenshots above, this works for emails protected by Office 365 Advanced Message Encryption. I have explained this concept earlier in this Swedish article.
But let's do a recap of what happens when you protect an email. In the same way as almost 20 years ago when AD RMS was introduced, the protected email ends up in a protected format: a rights-protected message with the file format .rpmsg. To be able to read (decrypt) this message there are two requirements:

1. The recipient needs an email application that understands the RPMSG format and can render the message

2. The recipient needs to be able to authenticate to Azure Active Directory

If these two requirements are fulfilled, this gives a really nice experience: the protected email is rendered in Outlook among the other emails, and the recipient does not need any additional step to access it. But to create a solution that makes it possible to access a protected email without any requirements on the sender's side, there is a plan B.

The protected email (the specific rpmsg file) is cached (by default for 90 days) in the sender's Exchange Online environment. If either of the two requirements above is not met, the recipient instead receives a customizable message. This email contains a link where the recipient can log on to the sender's Exchange Online to read the email (and any attached document or PDF).

One great benefit of this is that the email remains in the sender's tenant, and the recipient can reply and have a secure email conversation that is only stored in the recipient's environment. And now we also get another great benefit: these kinds of emails can be revoked by the sender and by administrators!

If there is a business need for revocation, this behavior can be enforced for all external emails. As always when it comes to Information Protection, the decisions need to come from the business itself!

When you have gathered all your business needs, you can read more about license agreements and administrative routines for email revocation on Microsoft Docs.
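The administrator side of the revocation described above, as an added example (not code from this post or from Microsoft): it assumes the ExchangeOnlineManagement module is installed, that the account has a role permitted to manage message encryption, and that the addresses and message ID are placeholders you replace with values from your own tenant.

```powershell
# Added example: an admin revokes external access to a misdirected,
# Advanced Message Encryption protected email and verifies the result.
# Addresses, UPN and message ID below are placeholders.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$sender    = 'alice@contoso.example'   # internal sender who reported the mistake
$recipient = 'bob@partner.example'     # external recipient who should lose access

# 1. Find the message. Message trace returns the Internet Message-ID that
#    the OME cmdlets use as their key.
$trace = Get-MessageTrace -SenderAddress $sender -RecipientAddress $recipient `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)

foreach ($m in $trace) {
    '{0}  {1}  {2}' -f $m.Received, $m.MessageId, $m.Subject
}

# 2. Pick the message ID from the trace and check its current OME status
#    (whether it is revocable and whether it has already been revoked).
$messageId = '<placeholder-message-id@contoso.example>'
Get-OMEMessageStatus -MessageId $messageId | Format-List

# 3. Revoke. From now on the link in the recipient's notification email
#    leads to a "revoked by the sender" message instead of the cached .rpmsg.
Set-OMEMessageRevoked -MessageId $messageId -Revoke $true

# 4. Re-check and keep the output for the incident record.
Get-OMEMessageStatus -MessageId $messageId | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Revocation only applies to messages the recipient reads through the sender's portal (the plan B path above); a copy already decrypted in a native RPMSG-capable client is outside what this cmdlet can pull back.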