Sign In

Encrypted Email Handling (Microsoft 365)

The way OneDesk handles encrypted emails from MS 365 depend largely on the type of encryption being used. 

About email encryption in Microsoft 365

There are 3 levels/methods of encryption in MS 365:

OME - Allows users to send encrypted emails to non-Microsoft clients and devices. To view the encrypted email, the recipient can receive a one time passcode or sign in with a Microsoft account. 

IRM - Uses Azure Rights Management and requires an MS365 client. IRM might not work on all devices or clients.

S/MIME - Allows for a certificate-based encryption where each recipient receives a key. 

Visit Microsoft’s Email Encryption documentation to learn more. 

How OneDesk handles OME

If you use OME, the 'original' email is encrypted and attached to the email as an HTML document. The expected behavior on OneDesk's side is that we capture this email as a ticket and we create an attachment on it with the HTML document. When someone opens this attachment (either straight from the email or from us) they are prompted for an OTP or to sign-in to MS 365. When they do that, the HTML self-decrypts. 

There is no need for a OneDesk email to be added as a contact in the tenant, because we do not perform such a decryption. It is always the end-user that will perform the decryption.

How OneDesk handles IRM

If you use IRM, we cannot do anything on our end, as we are not an Microsoft 365 client. We cannot decrypt these emails for you and in any case this would break the intended chain of security. 

Other encryption types

Other encryption types largely depend on the and state of the email being sent. If desired, send us an encrypted email (both to support@onedesk.com and to one of our direct emails, such as hello@onedesk.com) and provide us with the OTP code. We will test on our side if we are able to open the attachment from the email (expected to succeed) and from the attachment on the item (expected to succeed again).