0

I want to add the encryption or the "do not forward" option to a mail message like in Outlook to mail messages using the send mail Graph API module. This is for a short term staging migration where we need to distribute sensitive information to particular recipients. I'm essentially looking for a way to implement one of the email encryption methods described here.

I've set up an application registration with application level API permissions to mail.send. I'm working in PowerShell using hashtables for the body/MIME parameters and converting to JSON. I'm also using Invoke-Restmethod to call the API. I've looked over all the supported parameters in the Messages MS Graph module, and they don't provide a solution there for adding this.

Essentially, I'm trying to add the end-to-end encryption solutions that are available in Outlook as parameters to the body (as I don't know that it's possible any other way). I've tried adding extended properties but cannot find the right attributes to key in on. Is there another API module that can add this functionality?

$message = @{
    "message" = @{
        "subject"= "Confidential Information: $($adUser.userprincipalname)"
        "body" = @{
            "contentType"= "html"
            "content"= "
                <p>Listed below is the confidential information.</p>
                <table>
                    <tr>
                        <td>UserPrincipalName: </td>
                        <td>$($adUser.UserPrincipalName)</td>
                    </tr>
                    <tr>
                        <td>Confidential Information</td>
                        <td>$($Confidential)</td>
                    </tr>
                </table>
            "
        }
        "toRecipients"= @(
            $formatRecipients
        )
    }
}
$jsonMessage = $message | ConvertTo-Json -Depth 10

$mailuri = "https://graph.microsoft.com/v1.0/users/automated.mail@company.com/sendMail"

# send mail with MS Graph send.mail permissions
$mailSend = Invoke-RestMethod -Uri $mailuri -Headers $headerParams -Method Post -Body $jsonMessage -ContentType application/json

This example is sending mail to the given recipients that are fed to the script, but it is only using the default mail protocols in Exchange for sending mail messages to users. I would like to set it so the messages cannot be forwarded or read if intercepted.

Thomas Janosek
  • 1
  • 1

1 Answers1

0

As for this ...

'I would like to set it so the messages cannot be forwarded or read if intercepted.'

... it is explicitly why Exchange RMS and O365 encryption rules and policy settings and MIP (aka AIP) exists. You can't enforce such policies at the Outlook client that are not pushed down by the Exchange server/O365 service. It is there where the enforcement happens. This is called DLP of course. So, controlling data at rest, data in use and data in transit. You protect the pipe or the data or both.

Microsoft Information Protection and Unified Labeling

Office 365 compliance controls: Data Loss Prevention

Unifying Data Loss Prevention in Office 365

Nothing in Outlook proper does the encryption of mail flow, based on sender/receiver/content, Exchange/O365 proper settings /rules/flow does. All mail from Outlook and to go through an Exchange Send-Connector and controlled by mail flow/transport rules.

This is not a PowerShell issue or focus. You set encryption settings in Exchange / O365 proper using the Exchange/O365 EMC, admin console or the Exchange cmdlets. It's a transport/mail flow rules/setting, based on mail inspection by Exchange/O365.

This is for O365, but the same items apply to Exchange on-prem deployment or Hybrid O365 deployments.

Define mail flow rules to encrypt email messages in Office 365

You can't encrypt inbound mail from senders outside of your organization.

New-TransportRule -Name "Encrypt rule for Dr Toni Ramos" -SentTo "DrToniRamos@hotmail.com" -SentToScope "NotinOrganization" -ApplyOME $true

Other approaches to mail encryption use cases have been items like this...

How to sign and encrypt a message using S/MIME in PowerShell

postanote
  • 15,138
  • 2
  • 14
  • 25