In many organizations we’ve seen, the greatest barrier to better email security is the fear of reducing ease of use. It was great, therefore, to find one encryption technology, Azure RMS, that is both safe and easy to use. And it fills a need.

It’s amazing how many organizations are still using password-protected spreadsheets to send confidential information. Even if they’ve Googled “decrypt spreadsheet” and seen the dozens of easy ways to break in, they still use the devil they know. Now there’s something to protect email attachments that is much stronger and no more difficult to use.

Using Azure RMS with Office 365

At this point, Azure RMS is only available if you have subscriptions to Office 365 and Azure Rights Management, or if you have Active Directory RMS locally. Here, we’ll just discuss Office 365. For most of our customers, being nonprofits, this isn’t too much of a challenge: Azure Rights Management is included in the E3, E4 and E5 Office 365 bundles, and the main one Microsoft donates to nonprofits is E3. If you have another plan, adding Azure Rights Management costs $2 per user per month.

If you are running an eligible version of Office 365, here’s what you get. Azure Rights Management, also called Azure RMS, will encrypt any file that you attach to an Outlook message and also allow you to specify how the recipient can use it (e.g. can they print it, forward it?). It’s pretty strong encryption, too, either 128- or 256-bit AES, depending on the document. The files can be decrypted on iOS, Android and Windows Phone mobile devices and on Macs, as well as on Windows.

Azure RMS can also be used in other ways in Office 365, such as with SharePoint. If you want a lot more details, check out the section in TechNet: Azure Rights Management.

Users install a little app that puts a button in the ribbon of each Office desktop application, so they can encrypt a document and send it with a few clicks. If they’re using Outlook, the button shows up on the message screen and applies to any document attached to the message.

At this point, recipients are limited to those with organizational domains; you can’t send to Gmail or iCloud, for example. Although I haven’t been able to test it yet, I also suspect the recipient may have to be using an Exchange server.

What the Recipient Sees

Once the message is received, the recipient is notified that “The sender has protected the attachments with Microsoft RMS. You must sign in to open them.” Clicking on “sign in” sends recipients to a Web page where they can sign up for an RMS account. One this has been done, however, the next time the recipients get an RMS-encrypted message, they may be able to ignore the message text and just click on the attachment to open it. At least, it works that way between users within our domain.

Setting up RMS is very simple, if you’re an Office 365 administrator. Microsoft has produced very good instructions for doing this: Quick Start Tutorial for Azure Rights Management. It really does only take 15 minutes. Check it out.

It’s important to mention that this encryption applies only to the email attachment. In other words, since you’re just encrypting the attachment, don’t put anything confidential in the message text. In order to encrypt the message content itself, you have to implement Office 365 Message Encryption, or something like it. This is more complicated to set up and administer and generally requires more strategic thinking about your encryption.

For just allowing users to encrypt attachments whenever they want, however, implementing this part of RMS is really flexible and convenient. It sure beats password-protected spreadsheets.