Office 365 Enterprise Mobility and Security (EMS) suite – it’s more than just email encryption

Many people using Office 365 are unaware of a number of data security features that can be implemented.  Many of these are included in the Enterprise Mobility and Security suite (EMS).  In this article we introduce some useful features for anyone looking to add extra precautions around authorised access to data and systems, including:

  1. Email encryption
  2. Multi-factor authentication (Azure Active Directory Premium)
  3. Data loss protection (Azure Information Protection) - controlling where your data goes
  4. Managing devices (Intune)


Where to find EMS

EMS is available in two plans - E3 and E5.  Both plans include the same basic functionality, with the E5 plan including some enhanced features as described below.

Until September 2018, the EMS E3 plan was available to non-profits at £1.90 ex VAT per email per month (the commercial price is £6.60 per email per month).  But since then, it's fantastic that Microsoft have made a 50 seat donation of the EMS E3 plan available to non-profits - in other words, it is now free to switch on for up to 50 email accounts, even if you are using the fully donated (free) Office 365 E1 plan. The enhanced EMS E5 plan is available to non-profits for £4.50 ex VAT per email per month.

Complicated, isn't it!

The subscription to EMS can be added to your non-profit Office 365 organisational account, but note that it can take a little while for it to become fully activated.  


1. Email encryption

The objective of email encryption is to ensure that the intended recipient of the email is the actual recipient. Watch the following short explainer video to understand better how this works.


In Office 365, this is achieved by requiring the recipient to authenticate themselves by logging in to their email account as proof (which must be either a Microsoft account or a Google account).


Sending an encrypted email

To encrypt an email when using Outlook desktop (Office 2016 & 2019), select the 'Options' tab and then select the 'Permissions' button. The list of options will be the four encryption templates set up by default. The main two that you will use are 'Encrypt', which just encrypts the email and its contents, and 'Do not forward', which encrypts the email and also prevents the recipient from forwarding the email to someone else, or editing or printing the email and its contents.

When using Outlook in the browser - also known as Outlook Web Access (OWA) - you will see the 'Protect' tab (or 'Encrypt' if using the new version of OWA). Click either and the email will be encrypted.

To change to a different encryption label, click on the 'Change Permissions' button and select the required protection level from the dropdown list.  Once this has been selected, complete the email and click 'Send'.

Encrypting your emails is a really useful feature if you need to, for example, include client details when communicating with a professional or send new log in details to a team member.  In the past you might have attached a document with a password or taken out identifiable information - but now the contents of your email will be protected by encryption during transit.


Receiving an encrypted email

What the recipient sees when they receive an encrypted email will depend on where their email account is hosted and what email client they are using.  If the recipient is using an Office 365 email account in Outlook desktop 2016 or OWA, and is logged in, they shouldn't have to do anything special to read the message. 

In all other scenarios, when the recipient receives the email, they will see a message which says that the sender has sent them a protected message. Within the message will be a button to 'Read the Message'.

To read the message, the recipient should click the 'Read the Message' button. This will open another browser window which will ask the user to authenticate themselves, in order to prove that they are the authorised recipient. The options that the recipient will be given depend upon what type of email account they are using - Microsoft (Office 365, Hotmail, Outlook, Live), Gmail, Yahoo or all others.

Sometimes recipients will be offered the option of using a 'One time passcode'.  If this is selected, then a further email will be sent to the recipient with a code that will allow access for 15 minutes.  When the passcode is entered into the original window, the encrypted message contents are displayed.

With either method, the recipient will connect to an Office 365 OWA page, which displays the message and attachments. Any restrictions on the message and attachments will remain in force, e.g. Do not forward or Do not download or print.

Effectively the email is not leaving your organisation's Office 365 environment - rather the recipient is being sent to an online page displaying the message.

Here is a video from Microsoft with an overview of the email encryption in action (they call it Office Message Encryption): 365 Email Encryption Essentials. It’s a bit fast paced and a high-level overview, but it will show you what the recipient would see when receiving an encrypted email.

Do watch out for phishing emails, which may disguise themselves as authentic emails and request that you click on a link.  You will never be asked for your Office 365 log in credentials through an Office 365 form, for example - see more on phishing emails here.


Replying to an encrypted email

The recipient can reply to the message in the same Office 365 browser window. The message will have the same encryption profile and this cannot be changed or removed.



Other features of Enterprise Mobility and Security

2. Azure Active Directory Premium

Azure Active Directory (AAD) Premium not only provides a single sign-on feature for each user in the organisation, it also adds various levels of security that provide conditional access, multi-factor authentication, and reporting facilities on user access.

  • Single sign-on allows you to log on to Windows 10 with an Office 365 email account
  • Multi-Factor Authentication (MFA) - this is a method of authentication that requires the use of more than one verification method and adds a second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
    • A password
    • A randomly generated pass code
    • A phone call
    • A smart card (virtual or physical)
    • A biometric device

For example, for a user to sign in to Office 365 with MFA enabled, they could use their password and a passcode provided by the authenticator app on their smartphone. Codes can be sent by SMS text message or by phone call.  These options, however, are seen as less secure, as the code sent can often be viewed with the smartphone still locked.

Multi-Factor Authentication ensures that, without the second authentication method, access to a user's account with just a password is prevented.

Some additional functionality is available with the EMS E5 subscription (which includes Azure AD Premium P1) through the Security Centre, by running reports manually, for example ‘Users flagged for risk’ and ‘Risky sign-ins’, but the automatic notification of suspicious activity is not available with the Azure AD Premium P1.


3. Data Loss Protection

Azure Rights Management is now incorporated into Azure Information Protection. 

This provides document-level security for an organisation. By creating restriction policies, you can ensure that documents containing sensitive information are for authorised access only. Restrictions can be set on whether a document can be viewed or emailed, or, for example, to restrict it to view only internally or by a specific group of people internally.

Manual classification is available with EMS E3 (Azure AD Premium P1), whereas automatic classification is only available with EMS E5 (Azure AD Premium P2). For example, every document that contains a certain word or phrase, or that is authored by a particular person, then has these settings / restrictions applied.  When you open a document, for example, you may see a strip under the menu bar saying CONFIDENTIAL - ALL EMPLOYEES.

Microsoft Advanced Threat Analytics provides organisations with a simple way to identify suspicious user and device activity.


4. Managing Devices

Microsoft Intune provides Office 365 administrators with complete control over device and application access, while also assessing the risk profile of devices that connect to sensitive information.  So, for example, whether you supply staff with organisational mobile phones or they use their own devices, you can set up options to ensure access is compliant with security policies. If someone loses their mobile phone, for example, you could block access to email from that device (OWA).


For further information visit the Microsoft Enterprise Mobility + Security Documentation webpage


And if you're a small charity that's paying for Office 365 - do you need to be? Read our article on how you can switch to a donated programme and get Office 365 for free.