Create a mechanism to wrap an OME Configuration to some/all encrypted emails but not every email.
"Ensure all external recipients use the OME Portal to read encrypted mail" in the article below is misleading. The instructions lead you to encrypt every outbound external message. It would be nice to ensure external recipients OF ENCRYPTED EMAILS use the OME Portal. Even better, ensure some external recipients (based on criteria like recipient domain) OF ENCRYPTED EMAILS use the OME Portal.

The behavior requested is the currently implemented behavior. You can define conditions in the transport rule so it applies to the specified messages only.
See the available conditions here:
https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions
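
One way to scope such a rule by recipient domain, as an added example that is not part of the original thread or of Microsoft's article. It assumes an Exchange Online PowerShell session; the rule names and the domain `partner.example` are placeholders, and `OME Configuration` is assumed to be the branding template in use.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# Rule names and partner.example are placeholders, not values from the thread.

# Broad form, shown for comparison only and never created here:
# with no condition beyond scope, every message leaving the
# organization is encrypted and routed through the OME portal.
$broad = @{
    Name                                       = 'OME-AllExternal'
    FromScope                                  = 'InOrganization'
    SentToScope                                = 'NotInOrganization'
    ApplyRightsProtectionTemplate              = 'Encrypt'
    ApplyRightsProtectionCustomizationTemplate = 'OME Configuration'
}

# Scoped form: same actions, plus a recipient-domain condition so the
# rule only fires for mail addressed to the listed domains.
$scoped = $broad.Clone()
$scoped.Name              = 'OME-PartnerDomains'
$scoped.RecipientDomainIs = @('partner.example')
# Start in audit mode: matches are logged but no action is taken.
$scoped.Mode              = 'Audit'

New-TransportRule @scoped

# Confirm the condition was stored before enforcing the rule.
Get-TransportRule -Identity $scoped.Name |
    Format-List Name, State, Mode, SentToScope, RecipientDomainIs

# After reviewing message trace results for unexpected matches:
# Set-TransportRule -Identity $scoped.Name -Mode Enforce
```

Other conditions from the linked page can be added to the same hashtable to narrow the match further.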