Step 1 – Scenario
Tenant domain = contoso.com
Encryption method = Microsoft Purview Advanced Message Encryption (AME) using branded, link-based emails.
Recipients:
Recipient1 → Contoso internal user (same tenant).
Recipient2 → External Microsoft 365 user (Fabrikam).
Recipient3 → Outlook.com consumer email.
Recipient4 → Gmail.com consumer email.
The question asks: For which recipients can User1 revoke the emails?
Step 2 – Revocation in Advanced Message Encryption
Microsoft Purview AME allows senders to revoke sent encrypted emails.
Revocation applies to all recipients who receive a link-based branded encrypted message.
When revoked, the secure message link no longer works, regardless of whether the recipient is internal, external Microsoft 365, Outlook.com, Gmail, or another email provider.
This differs from traditional RMS-based encryption where revocation is tenant-specific. In AME, the revocation is possible because the recipient must open the message through a secure browser portal (Office 365 Message Encryption portal).
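The revocation described above can be checked per message before it is relied on. The following is an added example, not taken from the question or from Microsoft's documentation: it asks Exchange Online whether each message is revocable, revokes it if so, and reports the outcome. It assumes an Exchange Online PowerShell session is already connected; the function name Revoke-EncryptedMessage and the Message-ID shown are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run by an
# account allowed to use the OME cmdlets. Revoke-EncryptedMessage is a
# hypothetical helper name, not a built-in cmdlet.
function Revoke-EncryptedMessage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Internet Message-ID header value(s) of the sent encrypted mail.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$MessageId
    )
    process {
        foreach ($id in $MessageId) {
            # Ask the service whether this message is eligible for revocation.
            $status = Get-OMEMessageStatus -MessageId $id -ErrorAction Stop
            $action = 'Skipped'

            if (-not $status.IsRevocable) {
                # Nothing to revoke through the portal for this message.
                $action = 'NotRevocable'
            }
            elseif ($PSCmdlet.ShouldProcess($id, 'Revoke encrypted message')) {
                try {
                    Set-OMEMessageRevocation -Revoke $true -MessageId $id -ErrorAction Stop
                    $action = 'Revoked'
                }
                catch {
                    $action = "Failed: $($_.Exception.Message)"
                }
            }

            # One result row per message, suitable for an audit record.
            [pscustomobject]@{
                MessageId   = $id
                Subject     = $status.Subject
                IsRevocable = $status.IsRevocable
                Action      = $action
            }
        }
    }
}

# Constructed placeholder Message-ID; -WhatIf reports eligibility without revoking.
Revoke-EncryptedMessage -MessageId '<placeholder-id@contoso.com>' -WhatIf
```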
Step 3 – Evaluate each recipient
Recipient1 (contoso.com, internal) → Yes, message can be revoked.
Recipient2 (fabrikam.onmicrosoft.com, external Microsoft 365) → Yes, message can be revoked because AME link enforcement works across tenants.
Recipient3 (outlook.com, consumer) → Yes, message can be revoked; they use the secure OME portal.
Recipient4 (gmail.com, consumer) → Yes, message can be revoked; they also use the secure OME portal.
Step 4 – Microsoft Reference
From Microsoft Docs:
“With Advanced Message Encryption, admins can configure branding and revocation for encrypted email messages. Revocation applies to encrypted emails sent to both internal and external recipients, including those using Outlook.com, Gmail.com, and other email services.”