Message revocation for encrypted e-mails


Human error is one of the most common reasons for data loss. Even when using message encryption or information protection, e-mails may be delivered to the wrong recipient. A preview option now allows us to revoke such a message.

Office 365 Message Encryption (OME) allows e-mail messages to be encrypted and protected for any recipient. An encrypted message can be opened even if the recipient is not using Office 365. This holds for the more mainstream e-mail platforms like Microsoft, Google and Yahoo!, but even if these aren’t used, an encrypted e-mail (with its attachments) can be opened.

Sending a link

The reason for this is simple. Instead of sending the e-mail to the recipient, a link to the secure portal is sent. The recipient opens this link (and in some scenarios needs to request a second confirmation code), and the original e-mail (and its attachments) is opened.


This works great (albeit with some delay) – if the right recipients have been selected. But what if you made a typo and the e-mail was sent to the wrong recipient?



Revoke a message

Message revocation (or recalling) is not new. In Exchange this function has been around for some time. You can revoke an e-mail message as long as it has not yet been read by the recipient. This is relatively easy: you select the message and the appropriate options.

This kind of user-friendly option is not yet available for OME. It is only recently that the revocation option became available in preview. So, let’s take a look.

First of all, there’s no “Revoke” option available. The OME revocation (preview) function uses two components: message tracing in Office 365 and the Exchange Online PowerShell environment. Also, please note that this revocation is only available for link-based messages. Any message delivered to a recipient using a supported Outlook client cannot be revoked.

Message trace

In order to revoke a message, we will need the message id. To get this id, we will need the Office 365 message trace option. Starting the trace is straightforward, and in just a couple of seconds the results are displayed.


The trace details give you an overview of status, events and more detailed information. The message id is a part of those details.



Now that we have the message id, we can revoke the message. There are two new Exchange Online PowerShell cmdlets for this.

Get-OMEMessageStatus -MessageID "message id"

This cmdlet displays the current status based on the id.


In order to revoke a message, we will need the second cmdlet.

Set-OMEMessageRevocation -Revoke $true -MessageID "message id"


Once the “Revoked” status has been set to True, the message can no longer be opened, and an error message is displayed.

Message revoked
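The steps above (trace, status check, revoke) can be chained in one Exchange Online PowerShell session. This is an added example, not code from the original post or from Microsoft; the addresses and time window are constructed values, and the `IsRevocable` property on the status output is an assumption, since the post only shows `Revoked`.

```powershell
# Added example: find an OME message by sender/recipient, then revoke it.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
# Addresses and the time window below are constructed sample values.
param(
    [string]   $Sender    = 'alice@contoso.example',
    [string]   $Recipient = 'wrong.person@fabrikam.example',
    [datetime] $Since     = (Get-Date).AddHours(-4)
)

Connect-ExchangeOnline

# Step 1: message trace, to obtain the message id of the mis-sent e-mail.
$hits = @(Get-MessageTrace -SenderAddress $Sender -RecipientAddress $Recipient `
              -StartDate $Since -EndDate (Get-Date))

if ($hits.Count -eq 0) {
    throw "No message from $Sender to $Recipient since $Since."
}
if ($hits.Count -gt 1) {
    # Never guess which message to revoke: show candidates and stop.
    $hits | Format-Table Received, Subject, MessageId -AutoSize
    throw 'More than one message matched; narrow the time window.'
}
$messageId = $hits[0].MessageId   # pass the id exactly as the trace returns it

# Step 2: current OME status for that id.
$status = Get-OMEMessageStatus -MessageId $messageId
$status | Format-List Subject, IsRevocable, Revoked

if ($status.Revoked) {
    Write-Host 'Message is already revoked.'
    return
}
if (-not $status.IsRevocable) {
    # Only link-based messages can be revoked; a message delivered to a
    # supported Outlook client cannot.
    Write-Warning 'Message is not revocable.'
    return
}

# Step 3: revoke, then read the status back to confirm the change.
Set-OMEMessageRevocation -Revoke $true -MessageId $messageId
Get-OMEMessageStatus -MessageId $messageId | Format-List Subject, Revoked
```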


In the Microsoft documentation it is clearly stated that we should “expect updates and changes to the feature and the content as we continue to improve our offering.” So please read this blog as such. I expect that either Exchange or Compliance administrators will be given an easier option to revoke OME protected e-mails. But in the end, I think this function will become available to the end-users as well.


  1. How do you revoke a message for a single recipient? E.g. a message sent to 6 people, but access should only be revoked for one person.
