If you’ve noticed this option in Outlook, you might wonder where it comes from:
On a new/reply email window in Outlook, under the ‘Options’ tab is a button called ‘Permission’ (which in the future based on the time of writing, is changing to be called ‘Security’). This by default has three or four options, which seem to be dependent on the version of Outlook being run (MSI vs CTR). Click To Run has another called ‘Encrypt-Only’ which I haven’t tested yet.
These options are actually using Azure Information Protection (AIP) to encrypt your email. That’s a giant topic in itself, but the one liner is that wherever you send an encrypted email to, needs to sign in to view the message. In some scenarios this works seamlessly, such as sending to an external user also using Exchange Online. In other scenarios they’ll need to click a button to log in and view the email via their browser.
The ‘Tenant name – Confidential’ and ‘Tenant name – Confidential View Only’ are default AIP labels. You can view/edit these by going to your Azure portal and looking under Azure Information Protection > Classifications > Labels.
As you’ll see in the screenshot above, the two labels I mentioned are listed, and you can go into those and disable them if you don’t want them to appear for your users (there’s a toggle for ‘Enabled’ set to ‘On’, set that to ‘Off’). You could also completely disable Azure Information Protection, but that might cause you other problems if you want to use AIP in any way.
You might be wondering why you’d want to turn these off, encryption and security is good right? You might not be ready for users to start using this yet for support reasons, you might have a different method of securing emails, or you might be using a 3rd party backup system. That backup system won’t be able to read encrypted emails by default – so unless you can get that working somehow, you will only have copies of emails that contain a link to the actual content that require the right access to get to the contents – not a true backup.
Getting back to the title of this article – Do No Forward. If you’re at this stage, you may have noticed that it’s not actually a label listed. As covered in this documentation, it’s inbuilt rather than being a customisable policy, template or tag.
You can turn off this single function in the Azure portal under Azure Information Protection > Policies > Policy: Global and toggling the ‘Add the Do Not Forward button to the Outlook ribbon’ to Off:
There is a registry trick to disable this from Outlook too, which was given to me by Microsoft Support:
Open registry key editor:
14.0 = 2010
15.0 = 2013
16.0 = 2016
2.On the Edit menu, point to New, and then click DWORD (32-bit) Value.
Type DisableDNF, and then press ENTER.
In the Detailspane, right-click DisableDNF, and then click Modify.
In the Value databox, type 1, and then click OK.
Exit Registry Editor.
This will at least grey out the option so it can’t be used. The option will still be usable in Outlook via Web, and if I find a solution to that I’ll update this post. As far as I know at this stage, it can’t be hidden or removed.
Update: It’s possible to hide this in OWA also.
The ‘Encrypt’ or ‘Protect’ button (Right now I see different options in different tenants) can be hidden with this PowerShell command:
Set-IRMConfiguration -SimplifiedClientAccessEnabled $false
Although this hides the option, there’s also a ‘Set Permissions’ menu options in the ellipsis that can be hidden with this PowerShell command:
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -IRMEnabled $false
Those two together should stop any user being able to encrypt an email themselves via OWA.
Finally, you could look at completely disabling rights management in all forms on Azure Active directory, which can be done here: