Recently, we published a blog post that outlines how strongly committed we are to protecting our customers’ information. A key aspect of our strategy is to expand encryption across all our services. Earlier this month, we announced Office 365 Message Encryption, a new service that allows you to send encrypted mail to anyone. As part of our ongoing focus on encryption, we announced yesterday that we’re bringing S/MIME capability to Office 365 and Exchange Server 2013 Service Pack 1. With this release, customers will have S/MIME support across Outlook, Outlook Web App (OWA), and Exchange ActiveSync clients. S/MIME for Outlook and EAS is already available on Exchange Online and S/MIME on OWA is being rolled out and is expected to be completed by early April.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and digital signing of MIME data, and it is defined in a number of Requests for Comments (RFCs): 3369, 3370, 3850, and 3851. S/MIME allows a user to: (1) encrypt an email and (2) digitally sign an email, and thus provides cryptographic security services such as authentication, message integrity, and non-repudiation of origin (using digital signatures). It also helps enhance privacy and data security (using encryption) for electronic messaging. You can learn more about S/MIME in this technet article.
After S/MIME is enabled, customers who have a hybrid setup of Exchange Online and on-premises Exchange Server 2013 can have their online and on-premises users send S/MIME emails to one another. This means that online and on-premises users will be able to:
- Compose, send, receive, encrypt, and decrypt S/MIME-encrypted email via Outlook, OWA, and Exchange Active Sync (EAS) clients that support S/MIME.
- Send and receive digitally signed email via Outlook, OWA, and EAS clients.
Let’s look at how this works in OWA.
Using S/MIME in OWA
In OWA, users can choose different options to encrypt the message and/or digitally sign it using S/MIME.
You can select the S/MIME options to encrypt or digitally sign the message when you send a message in OWA.
When a digitally signed S/MIME mail is sent, the receiver sees the valid digital signature on the received message.
When you receive a digitally signed and encrypted S/MIME email, the digital signature is displayed on the message.
Users are also able to select and make changes to their S/MIME settings in OWA.
In OWA, to change your S/MIME settings, click the down arrow next to your name and select S/MIME settings.
You can choose to encrypt all the messages you send or digitally sign all messages with S/MIME. In addition, the S/MIME settings page provides a link so you can reinstall S/MIME control directly through OWA.
On the S/MIME settings page in OWA, you can change your settings and reinstall S/MIME.
Online scenarios, a new OWA control, and options for administrators
For online scenarios, DirSync is used to synchronize certificates from on-premises to the Exchange Online Active Directory. When DirSync is used, certificates are pushed from the on-premises Active Directory to Azure Active Directory. Microsoft Exchange then syncs the user certificates from Active Azure Directory to Exchange Online Active Directory. Additionally, we’re introducing a new OWA control that helps in creating and consuming S/MIME mails.
We’re also including options for administrators to manage OWA/SMIME behavior by using PowerShell commands for both Exchange Online and Exchange Server 2013 SP1. In the past, these settings were managed by registry keys on individual clients.
Admins can now use PowerShell to manage OWA/SMIME behavior.
We’re excited to bring S/MIME to Office 365 and Exchange Server 2013 for you as we continue to invest heavily in encryption technologies to help secure your data.
Frequently asked questions
Q. What are the technical requirements for using S/MIME?
A: In order to use S/MIME, you must meet following technical requirements:
- Set up a Certificate Authority (CA) to issue certificates for users on-premises for S/MIME purposes.
- Publish the user certificate in an on-premises Active Directory account in the UserSMIMECertificate and/or UserCertificate attributes.
- Use an appropriate version of DirSync to synchronize certificates from on-premises Active Directory to Azure Active Directory. These certificates will then get synchronized from Azure Active Directory to Exchange Online directory and will be used when encrypting a message to a recipient.
- IT administrators need to configure their tenant in Exchange Online with certificate information, including information about about the CA who issues their signed certificates and any intermediate certificates. This information is used by OWA when validating the signature of an email and ensuring that it was signed by a trusted certificate.
Q: How is S/MIME different from Office 365 Message Encryption?
A: S/MIME requires a certificate and publishing infrastructure that is often used in business-to-business (B2B) and business-to-consumer (B2C) scenarios. It is also a requirement for certain government business cases. The user controls the keys in S/MIME. Outlook searches the local client machine (trusted root CA store) to perform digital signing and verification of the signature.
Office 365 Message Encryption is a policy-based encryption service that can be configured and enforced by an administrator to encrypt mail sent to anyone inside or outside of the organization. Office 365 Message Encryption also provides additional capabilities, such as the capability to customize the mail with organization’s brand.
Q. How does S/MIME work across different browsers?
A: S/MIME is supported by Internet Explorer 9 and above. Currently S/MIME is unsupported for Firefox, Opera, or Chrome.