January 3, 2019


We have updated the blog to reflect that we’ve expanded the ability to control if Office attachments are protected for recipients inside Office 365 – previously this was only supported for non-Office 365 users. Changes are reflected below in the blog. 



Administrators can now control whether Office attachments are protected for recipients inside and outside of Office 365 when the Encrypt-Only template is used.  This was a key ask from Office 365 Message Encryption customers and is now available as a tenant-level setting.




We have now made it possible for administrators to control how Encrypt-Only behaves for attachments. By default, when a user sends an email and attachments using Encrypt-only, the Office attachments are also protected with Encrypt-Only permissions and that encryption persists throughout lifecycle of the content. To provide more flexible controls for recipients, organizations can control if recipients have unrestricted permissions on the attachment or not for Encrypt-Only emails. For example, one scenario this is valued is when a doctor shares a protected attachment to her patient, and the patient wants to share this with his family, the attachment is no longer encrypted so they can open the attachment without any additional steps.


What is available 


Admins can control whether attachments have unrestricted permissions for Encrypt-Only emails. Details on implementing the settings are below.


When the recipient signs-in to the Office 365 Message Encryption portal, they can preview attachments as before. 


Preview attachments _1.png



If the control to unrestrict the attachment is enabled, the document will be decrypted and the recipient will be able to view it normally. Additionally, the content will remain decrypted and unrestricted unless additional protections are applied.


Document is decrypted_2.png




This setting is available for the Encrypt-only template and not for the Do Not Forward or Custom templates.


It’s enforced at the tenant level.


How to control the setting


To manage whether to allow recipients to download Encrypt-only attachments without encryption, follow these steps:


Connect to Exchange Online Using Remote PowerShell (see https://aka.ms/exopowershell)

Run the Set-IRMConfiguration cmdlet with the DecryptAttachmentForEncryptOnly parameter as follows:


Set-IRMConfiguration – DecryptAttachmentForEncryptOnly <$true|$false>


For example, to allow download of attachments without protection for Encrypt-only:

Set-IRMConfiguration – DecryptAttachmentForEncryptOnly $true


If you decide that you want to revert the setting and keep attachments protected even after download:

Set-IRMConfiguration – DecryptAttachmentForEncryptOnly $false


Please note, as of 12/13/18, we have deprecated  DecryptAttachmentFromPortal. It will continue working for existing customers who have run the old cmdlet but new customers should start using the new cmdlet (DecryptAttachmentForEncryptOnly) updated above.


Additional Resources


This was a key ask from organizations that had a broad set of scenarios which requires email recipients to “own” the attachment by unrestricting permissions on the attachment. We hope this additional control can provide more flexibility in collaborating on protected content for all users. Your feedback matters- leave us a comment below or go to uservoice and submit your feedback/vote! 


For additional resources on Office 365 Message Encryption – you can find them below:




You May Also Like…