Encryption in Exchange Online Part 2

In the first article in this series, I gave a very basic explanation of how a couple of different types of encryption work. This explanation will serve as the foundation for us to talk about how the different encryption features of Exchange Online work, and how you can best use them.

Let’s get started.

There are 5 different types of encryption that are or can be used within Exchange Online: BitLocker, TLS, Office 365 Message Encryption, Information Rights Management, and S/MIME. In this series of articles I am going to dive into each one of these encryption technologies and explain what they do for you, and how you can best use them to keep your information private. For each of these five encryption types I will explain what it is, what it does, what problem it solves, and how you can set it up.

Before we get into the specific types of encryption, I want to start off with a bit of a legal disclaimer. It should be noted that while I am a messaging architect with more than twenty years of experience and all kinds of fancy certifications, I am not a lawyer. Some of the topics I am going to get into will touch on areas where legal experience would be of great value. Unfortunately, I am utterly bereft of any such experience, and anything I say that might sound like I know what I am talking about in regards to the law should be considered utter nonsense.

With that preamble out of the way, let’s get into the first type of encryption used in Exchange Online: BitLocker.

BitLocker is a drive encryption technology included in Windows Server 2008 and newer (as well as Windows Vista and newer client operating systems). BitLocker provides AES (Advanced Encryption Standard) encryption of your email data at rest. That means that if, for some crazy reason, someone managed to break into an Office 365 data center and steal the hard drive that contains your Exchange Online database, they would not be able to access the data on that hard drive unless they also had the encryption key.

AES is a symmetric-key encryption algorithm, meaning it uses the same key to encrypt and decrypt the data (see part 1 of this series for more information). I’m not going to spend much time on the specifics of how this type of encryption works because there is nothing for you to configure in Exchange Online, but you can find more information on AES in this Wikipedia article.

BitLocker is a great example of one of the reasons to go to Office 365: a lot of the configuration work of setting up Exchange is done for you. BitLocker is already set up on your tenant, and all your data is encrypted at rest. While there is no way for you to directly verify this, Microsoft does comply with a number of different 3rd party auditing procedures to verify things like this. You can find more information on this subject at the Office 365 Trust Center website.

The next type of encryption I want to talk about is TLS.

TLS, or Transport Layer Security, allows two separate Exchange organizations to transfer mail between them over an encrypted connection. Without getting into the weeds, TLS works very similarly to the way SSL works in your web browser. For you the administrator, this means it’s pretty easy to set up TLS.

Before I get into the process of setting up TLS in Exchange Online, I want to quickly highlight the differences between TLS in Exchange Online and Domain Security in Exchange 2010 and 2013.

Domain Security is a set of functionality in the on-premises version of Exchange that started with Exchange 2010 and Outlook 2007 that is intended to provide a lower cost alternative to S/MIME or other message level security solutions. Domain Security combines the functionality of mutual TLS with client notification to show the user that their message is being sent over a secure connection. The client notification part of Domain Security is not available in Exchange Online.

Transport Layer Security (TLS) is an encryption protocol designed to create a secure communication tunnel over the public internet. Exchange Online gives you the option to set up send and receive connectors to specific partners that are always encrypted. If, for example, your company is working with another company on a big project that includes a number of people, you can configure specific send and receive connectors between your two Exchange organizations to ensure all email traffic going back and forth is always encrypted.

Setting up TLS is a matter of creating a send and receive connector, then scoping them to a specific partner organization.

  1. In the Exchange Admin Console (EAC) portal in Office 365 navigate to mail flow > connectors. Under Inbound Connectors click the + symbol to add a new connector
  2. Give your connector a name and choose “partner” as the type. For Connection Security choose “Force TLS”
  3. Under domain restrictions choose either None, restrict domains by certificate, or restrict domains by IP addresses
  4. Under domains click the + icon to add a domain (email domain such as @contoso.com)
  5. Click save and ensure the connector is enabled.


The process to configure an Outbound connector is very similar.

  1. In the Exchange Admin Console (EAC) portal in Office 365 navigate to mail flow > connectors. Under Outbound Connectors click the + symbol to add a new connector
  2. Give your connector a name and choose “partner” as the type
  3. Under connection security choose “Self-signed certificate” or “Trusted certification authority (CA)” depending on if your partner is using a 3rd party public certificate or a self-signed certificate.


You can specify “Recipient certificate matches domain” for an additional level of security. The domain you list must match the common name (CN) in the certificate subject. Subject Alternate Names (SAN) will not work.

  4. Add a domain with the + icon under domains, then save your new connector.
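The same inbound and outbound partner connectors can be created from Exchange Online PowerShell instead of the EAC. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module and an Exchange admin role, and the connector names, admin account, certificate name and test recipient are hypothetical placeholders (contoso.com is the article's sample partner domain).

```powershell
# Added example: scripted equivalent of the EAC steps above.
# Hypothetical values: admin UPN, connector names, certificate name, test recipient.
Connect-ExchangeOnline -UserPrincipalName 'admin@yourtenant.onmicrosoft.com'

$partnerDomain = 'contoso.com'        # sample partner domain from the article
$partnerCertCN = 'mail.contoso.com'   # assumed CN on the partner's certificate

# Inbound connector: "Force TLS", with domains restricted by certificate.
# Mail from the partner domain is rejected unless it arrives over TLS and
# the sending server presents a certificate with the expected name.
New-InboundConnector -Name 'From Contoso (Force TLS)' `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $partnerCertCN `
    -Enabled $true

# Outbound connector. -TlsSettings maps to the EAC choices:
#   EncryptionOnly        = "Self-signed certificate" (encrypts, no validation)
#   CertificateValidation = "Trusted certification authority (CA)"
#   DomainValidation      = CA validation plus "Recipient certificate matches domain"
# DomainValidation is the strictest of the three and requires -TlsDomain.
New-OutboundConnector -Name 'To Contoso (Force TLS)' `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerCertCN `
    -Enabled $true

# Confirm what was actually stored, rather than trusting the create call.
Get-InboundConnector -Identity 'From Contoso (Force TLS)' |
    Format-List Name, Enabled, RequireTls, RestrictDomainsToCertificate,
                TlsSenderCertificateName, SenderDomains

Get-OutboundConnector -Identity 'To Contoso (Force TLS)' |
    Format-List Name, Enabled, TlsSettings, TlsDomain, RecipientDomains

# Sends a test message through the outbound connector and reports whether
# the TLS requirements were met by the partner's server.
Validate-OutboundConnector -Identity 'To Contoso (Force TLS)' `
    -Recipients 'postmaster@contoso.com'
```

If the partner uses a self-signed certificate, `DomainValidation` and `CertificateValidation` will fail validation and only `EncryptionOnly` will deliver mail, at the cost of not authenticating the receiving server.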

Once your send and receive connectors are set up to your partner organization, you’re done. Again, there is no notification to the end users that their message has or will be sent via a secure connection. As an administrator you will need to provide information for your users about what partner organizations.

TLS encrypts your message traffic from organization to organization over the internet. The messages you send over TLS are not encrypted in your users’ Outlook client, or anywhere inside your Exchange Online tenant (except for the above-mentioned encryption at rest provided by BitLocker). In the circumstance of a rogue administrator who improperly grants himself permissions to someone else’s mailbox, TLS does not provide any protection at all.

So our first two types of encryption for Exchange Online are BitLocker and TLS. In the next article we’ll cover Office 365 Message Encryption, which is really what people think about when they are thinking of encrypted email.
