As an Exchange administrator, you can set up Outlook on the web (OWA) to allow sending and receiving S/MIME-protected messages. Use the Get-SmimeConfig and Set-SmimeConfig cmdlets to view and manage this feature in the Exchange Management Shell. To open the Exchange Management Shell, see Open the Exchange Management Shell.
For detailed syntax and parameter information, see Get-SmimeConfig and Set-SmimeConfig.
Make sure that you have already configured the S/MIME prerequisites outlined in the article S/MIME for message signing and encryption.
Note
A complete list of browsers that support S/MIME is available in the Exchange Server supportability matrix.
Configure policies to install the S/MIME extensions in Web Browsers
S/MIME in Outlook on the web in the Chromium-based Microsoft Edge or in Google Chrome requires specific policy settings that are configured by an admin.
Specifically, you need to set and configure the policy named ExtensionInstallForcelist to install the Microsoft S/MIME extension in the browser.
The policy value for the OWA S/MIME extension is: maafgiompdekodanheihhgilkjchcakm;https://outlook.office.com/owa/SmimeCrxUpdate.ashx.
Applying this policy requires domain-joined computers, so using S/MIME in Chrome effectively requires domain-joined computers.
To ensure that the correct S/MIME extension is fetched for update, it's important to also add the following ExtensionSettings:
Registry path: SOFTWARE\Policies\Microsoft\Edge\ExtensionSettings\maafgiompdekodanheihhgilkjchcakm
Value type: DWORD
Value name: override_update_url
Value data: 1
Here, maafgiompdekodanheihhgilkjchcakm is the extension ID of the managed S/MIME extension.
Install the S/MIME Control in Web Browsers
The policy is a prerequisite for using S/MIME in Outlook on the web. It doesn't replace the S/MIME control that's installed by users. Users are prompted to download and install the S/MIME control in Outlook on the web during their first use of S/MIME. Or, users can proactively go to S/MIME in their Outlook on the web settings to get the download link for the control.
Ensure that your admin hasn't configured the NativeMessagingUserLevelHosts policy as disabled, so that communication can be established with the S/MIME control.
If your organization has configured the browser with a NativeMessagingBlocklist policy, you must make sure that the S/MIME control is allowlisted.
Your admin can use the NativeMessagingAllowlist policy to allow the Microsoft S/MIME Control. The value for the Microsoft S/MIME Control is: com.microsoft.outlook.smime.chromenativeapp.
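The following read-only PowerShell check is an added example, not part of the original article or of Microsoft's tooling. It reports whether the Edge policy values named in the two sections above are present on a machine, assuming they are delivered as machine-level policy under HKLM and that list policies are stored as string values under a subkey named after the policy; the function and variable names are hypothetical.

```powershell
# Added example: read-only audit of the Edge policy values named on this page.
# Assumes machine-level policy under HKLM; list policies are read as the string
# values stored under a subkey named after the policy.
$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ExtId      = 'maafgiompdekodanheihhgilkjchcakm'
$ForceEntry = "$ExtId;https://outlook.office.com/owa/SmimeCrxUpdate.ashx"
$NativeHost = 'com.microsoft.outlook.smime.chromenativeapp'

function Get-PolicyList([string]$Name) {
    # All values under a list-policy subkey; nothing if the policy is not set.
    $key = Get-Item -Path (Join-Path $EdgePolicy $Name) -ErrorAction SilentlyContinue
    if ($key) { $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) } }
}

function Get-PolicyValue([string]$SubKey, [string]$Name) {
    # One registry value; $null when the key or the value does not exist.
    $path = if ($SubKey) { Join-Path $EdgePolicy $SubKey } else { $EdgePolicy }
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

$forceList = @(Get-PolicyList 'ExtensionInstallForcelist')
$allowList = @(Get-PolicyList 'NativeMessagingAllowlist')
$blockList = @(Get-PolicyList 'NativeMessagingBlocklist')
$override  = Get-PolicyValue "ExtensionSettings\$ExtId" 'override_update_url'
$userHosts = Get-PolicyValue '' 'NativeMessagingUserLevelHosts'

# A blocklist entry (the host name or '*') blocks the control unless the
# allowlist names it, because allowlisted hosts are exempt from the blocklist.
$isBlocked = ($blockList -contains $NativeHost) -or ($blockList -contains '*')
$isAllowed = $allowList -contains $NativeHost

$results = @(
    [pscustomobject]@{ Check = 'ExtensionInstallForcelist has the S/MIME entry'
                       Pass  = $forceList -contains $ForceEntry }
    [pscustomobject]@{ Check = 'ExtensionSettings override_update_url = 1'
                       Pass  = $override -eq 1 }
    [pscustomobject]@{ Check = 'NativeMessagingUserLevelHosts not disabled'
                       Pass  = $userHosts -ne 0 }
    [pscustomobject]@{ Check = 'S/MIME control not blocked for native messaging'
                       Pass  = (-not $isBlocked) -or $isAllowed }
)
$results | Format-Table -AutoSize
```

A forced extension entry or native messaging host that appears in these keys but is not one of the two values above is worth reviewing, since both policies grant code outside the browser sandbox a path to the mail session.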
Allow the S/MIME Interaction with your OWA Domain
To allow S/MIME to interact with your OWA domain, users are asked to configure your OWA domain once, after they click an email with S/MIME content. The user sees a yellow MailTip with a link to the S/MIME extension options page, where they can add your OWA domain as allowed.