SMIME in Office 365


I am after some clarification regarding SMIME on Office 365.

We are running O365, currently there is no AD sync or ADFS.

We have customers (only 2) who will require us to communicate with them using SMIME.

Am I right in assuming that in order to do this they would have to send us their cert (assuming they generate their own) and apply that to their external contact in AD (via LDP), and then sync our AD with Azure AD? We would then be able to select that external contact and select their cert to encrypt the message.

I also assume we would need at least dirsync in place between our directories.

Are my assumptions correct or am I making an ass out ......well, myself!

Vasil Michev (MVP) Commented:
If you are cloud only, you don't need dirsync. In any case, dirsync is used to publish certificates for *your* users to EO, not to the other party. The external certs you can upload directly to the contact objects. There's a lot of documentation on the net, for example:

The main question you should be asking is whether they really need SMIME. With IRM and OME, you have way more convenient tools to protect your data. I would strongly suggest to take a look at this session and get yourself familiar with the new methods:
DLeaver (Author) Commented:
Thanks for the quick response

I will definitely consider your second point; we can advise on better ways of doing it, but at the moment the customers' requirements are that we have to communicate with them using SMIME.

Now I know that SMIME is supported in O365, I just wanted to confirm what was needed to get this off the ground. I have searched the web and referenced the article above; I am, however, after the specific detail around my requirements.

Following your first link, I can upload the client's supplied certs in an SST file. Then do I map these to the external contact, or will the cert just be available when I select the contact and enable SMIME?

Vasil Michev (MVP) Commented:
The SST file is not user specific; its purpose is to 'complete the chain' for the certificates that the end users will use. Step 4 is what each user should do in his Outlook to upload his personal certificate with EO.

That's for sending messages, for verifying the validity of received messages, you use the contact objects. If the recipients are not using publicly trusted certs, you need to make sure that their SST (i.e. the full certificate chain) is added to the trusted certs of each PC, so that the verification can succeed.
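The two points above (the SST completes the chain; the recipient's own cert goes on the contact object) can be checked and applied from Exchange Online PowerShell. The script below is an added example, not code from the thread or from Microsoft. It assumes hypothetical file paths under C:\smime\, a mail contact called 'Alice Example' that already exists, and an open Exchange Online session. The X509Chain part uses only .NET and runs locally before anything is uploaded, so a bundle that does not actually contain the customer's full CA chain is caught here rather than discovered as a "signature cannot be verified" error in Outlook later. Set-SmimeConfig is the documented way to upload the SST; the Set-MailContact certificate parameters are assumed from the Exchange Online cmdlet set and should be confirmed with Get-Help in the tenant.

```powershell
# Added example (not from the thread). Hypothetical inputs:
#   C:\smime\customer-chain.sst  - SST the customer supplied (their root + intermediates)
#   C:\smime\alice.cer           - the customer user's public S/MIME certificate (DER or PEM)
#   'Alice Example'              - the existing mail contact for that user in Exchange Online
# Requires an established Exchange Online PowerShell session (Connect-ExchangeOnline).

$sstPath  = 'C:\smime\customer-chain.sst'
$certPath = 'C:\smime\alice.cer'
$contact  = 'Alice Example'

# 1. Load the bundle and show what it contains. An SST is just a bag of CA certs;
#    it is not tied to any one user, which is why it is uploaded once per tenant.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($sstPath)
$bundle | ForEach-Object { '{0}  <- issued by {1}' -f $_.Subject, $_.Issuer }

# 2. Check that the bundle really completes the chain for the user certificate.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.AddRange($bundle)
# The customer's CA is private, so it is not in this machine's Trusted Root store.
# AllowUnknownCertificateAuthority lets Build() succeed when the chain ends in a root
# that exists only in ExtraStore; drop the flag to see what a PC without the SST reports.
$chain.ChainPolicy.VerificationFlags =
    [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ('{0}: {1}' -f $_.Status, $_.StatusInformation.Trim())
    }
    throw 'SST does not complete the chain for this certificate; ask the customer for the missing CA cert(s).'
}
'Chain built with {0} element(s):' -f $chain.ChainElements.Count
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }

# 3. Publish the chain to Exchange Online so it can validate signatures from that CA.
Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes($sstPath))
Get-SmimeConfig   # review the returned S/MIME settings after the upload

# 4. Attach the user's own certificate to the mail contact. RawData is always DER,
#    whatever encoding the .cer file used. Assumption: Set-MailContact exposes
#    -UserCertificate / -UserSMimeCertificate in this tenant (check Get-Help Set-MailContact).
$der = [byte[]]$leaf.RawData
Set-MailContact -Identity $contact -UserCertificate $der -UserSMimeCertificate $der
Get-MailContact -Identity $contact | Format-List Name, ExternalEmailAddress
```

Step 2 is the part worth keeping even if you never script the rest: it reproduces the failure mode described in the answer (a user cert that chains to an intermediate the bundle does not contain) on the admin's own machine, before the SST is pushed to the tenant or to every PC's trusted store.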
