Step-By-Step: Setup and Enablement of Office 365 Message Encryption


Office 365 Message Encryption is an online service which is built on Microsoft Azure Rights Management (Azure RMS) offering. With Azure RMS set up for an organization, administrators can enable message encryption by defining transport rules that determine the conditions for encryption. A rule can require the encryption of all messages addressed to a specific recipient, for example.

When a user sends an email message in Exchange Online that matches an encryption rule, the message is sent out with an HTML attachment. The recipient opens the HTML attachment in the email message, recognizes a familiar brand if that’s present, and follows the embedded instructions to view the encrypted message on the Office 365 Message Encryption portal. The recipient can choose to view the message by signing in with a Microsoft account or a work account associated with Office 365, or by using a one-time passcode. Both options help ensure that only the intended recipient can view the encrypted message.

The following diagram summarizes the passage of an email message through the encryption and decryption process.

Diagram showing the path of an encrypted email

The process to set up and enable Office 365 Message Encryption is straightforward. There are three main steps that need to be followed:

  1. Activate Azure Rights Management
  2. Set up Azure Rights Management for Exchange Online
  3. Set up transport rules to enforce message encryption in Exchange Online

The steps to enable this are as follows: 

Step 1: Activate Azure Rights Management for Office 365 Message Encryption

  1. Log in to the Microsoft Online Portal with a Global Admin account
  2. Open the App Launcher (waffle)
  3. Select Admin
  4. Select SERVICE SETTINGS from the left pane
  5. Click Rights Management
  6. From within RIGHTS MANAGEMENT click Manage
  7. On the management page, click Activate
  8. Click Activate again on the popup asking if you are sure you want to activate Rights Management

Step 2: Set up Azure Rights Management for Office 365 Message Encryption

The next steps are completed by connecting to Exchange Online with PowerShell.

  1. Open PowerShell as Administrator
  2. Enter the following commands to connect and import the session

    Set-ExecutionPolicy RemoteSigned
    $cred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $Session

  3. Verify that IRM isn't already configured

    Get-IRMConfiguration

  4. Configure RMS with the online key-sharing location for Exchange Online. In this example I am using North America; the table below lists all the locations.

    Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
     
    Location                    RMS key sharing location
    North America               https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
    European Union              https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
    Asia                        https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
    South America               https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
    Office 365 for Government   https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

  5. Import the Trusted Publishing Domain (TPD) from RMS Online

    Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

  6. Verify successful setup of IRM in Exchange Online

    Test-IRMConfiguration -Sender admin@domain.com

  7. Disable IRM templates in OWA and Outlook

    Set-IRMConfiguration -ClientAccessServerEnabled $false

  8. Enable IRM for Office 365 Message Encryption

    Set-IRMConfiguration -InternalLicensingEnabled $true

    NOTE: You shouldn't see that warning, but if you do it's safe to ignore. I got it because I ran the command and forgot to grab the screenshot before clearing the screen, so I had to run the command again.

  9. View the IRM configuration

    Get-IRMConfiguration
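The Step 2 procedure as one script, added here as an example rather than code from the original post. It connects with the same remote-session commands the post uses, runs steps 3 through 9 in the post's order, stops if a key-sharing location is already set, and fails loudly if InternalLicensingEnabled is still False at the end (that is the switch the ApplyOME transport-rule action depends on, as the error quoted in the comments shows). The $Region value, the test sender address and the TPD name are placeholders to adjust for your tenant.

```powershell
# Added example (not from the original post): Step 2 end to end with checks.
# Placeholders: $Region, $TestSender, and the TPD name 'RMS Online'.

# Key-sharing locations from the table in Step 2, keyed by region.
$KeySharingLocations = @{
    'NorthAmerica'  = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    'EuropeanUnion' = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    'Asia'          = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
    'SouthAmerica'  = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
    'Government'    = 'https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc'
}

$Region     = 'NorthAmerica'       # placeholder: pick your tenant's region
$TestSender = 'admin@domain.com'   # placeholder: a licensed mailbox in the tenant

# Connect as in Step 2 (Basic auth to the remote PowerShell endpoint).
# Note: Microsoft has since retired Basic authentication for this endpoint;
# current tenants connect with Connect-ExchangeOnline from the
# ExchangeOnlineManagement module instead.
$cred    = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

try {
    # Step 2.3: do not silently overwrite an existing key-sharing location.
    $before = Get-IRMConfiguration
    if ($before.RMSOnlineKeySharingLocation) {
        throw "IRM already points at $($before.RMSOnlineKeySharingLocation); review before changing."
    }

    # Step 2.4: set the key-sharing location for the chosen region.
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocations[$Region]

    # Step 2.5: import the Trusted Publishing Domain from RMS Online.
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

    # Step 2.6: run the built-in end-to-end test for a real mailbox.
    Test-IRMConfiguration -Sender $TestSender

    # Step 2.7 and 2.8: hide IRM templates in OWA/Outlook, enable licensing.
    Set-IRMConfiguration -ClientAccessServerEnabled $false
    Set-IRMConfiguration -InternalLicensingEnabled $true

    # Step 2.9: confirm the final state before anyone builds rules on it.
    $after = Get-IRMConfiguration
    if (-not $after.InternalLicensingEnabled) {
        throw 'InternalLicensingEnabled is still False; ApplyOME rules will be rejected.'
    }
    $after | Format-List RMSOnlineKeySharingLocation, InternalLicensingEnabled, ClientAccessServerEnabled
}
finally {
    # Always tear down the remote session, even if a step failed.
    Remove-PSSession $Session
}
```

The checks before and after are the part worth keeping even if you run the steps by hand: the first prevents a second run from clobbering a location chosen for another region, and the last catches the state that produces the "IRM licensing is disabled" error when a transport rule is saved later.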
     

Step 3: Create Transport Rules to Encrypt Messages

  1. Open the Office 365 Admin Portal (https://portal.microsoftonline.com)
  2. Open the Exchange Admin Center
  3. Click Mail Flow
  4. Click the + and create your transport rule. I have created two simple rules.
  5. The first rule encrypts anything that is sent externally with an attachment larger than 1 MB.

    The second rule encrypts the email if the word 'Encrypt' is in the subject line. This gives users (once trained) the flexibility to encrypt emails they deem sensitive.

  6. Make sure the rules are active and test them
  7. Test that each transport rule applies Office 365 Message Encryption: send one message that matches rule 1 and one that matches rule 2.

    When the user gets the email, it arrives as the HTML attachment described above, with the instructions for viewing the message on the Office 365 Message Encryption portal.
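The two rules from Step 3 created with New-TransportRule instead of the Exchange Admin Center, added here as an example and not part of the original post. It assumes you are still connected to Exchange Online as in Step 2; the rule names are placeholders. Before creating anything it checks the IRM licensing flag, which is the condition behind the "You can't create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled" error reported in the comments.

```powershell
# Added example (not from the original post): Step 3 via PowerShell.
# Assumes an existing Exchange Online session; rule names are placeholders.

# The ApplyOME action is rejected unless InternalLicensingEnabled is True,
# so fail early with a pointer to the fix instead of a cryptic save error.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'IRM licensing is disabled; run Set-IRMConfiguration -InternalLicensingEnabled $true first.'
}

$Rule1 = 'OME - External attachments over 1MB'   # placeholder name
$Rule2 = 'OME - Encrypt keyword in subject'      # placeholder name

# Rule 1: encrypt anything sent outside the organization with an attachment over 1 MB.
# Re-running the script must not create duplicate rules, hence the existence check.
if (-not (Get-TransportRule -Identity $Rule1 -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $Rule1 `
        -SentToScope NotInOrganization `
        -AttachmentSizeOver 1MB `
        -ApplyOME $true `
        -Priority 0
}

# Rule 2: encrypt when the sender puts the word "Encrypt" in the subject line.
if (-not (Get-TransportRule -Identity $Rule2 -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $Rule2 `
        -SubjectContainsWords 'Encrypt' `
        -ApplyOME $true `
        -Priority 1
}

# Step 3.6: confirm both rules exist and are enabled before testing with real mail.
Get-TransportRule | Where-Object { $_.ApplyOME } |
    Format-Table Name, State, Priority, SentToScope, AttachmentSizeOver, SubjectContainsWords
```

Scripting the rules also gives you a reviewable record of exactly which conditions trigger encryption, which matters when the keyword rule is the one users rely on for anything they deem sensitive. As several commenters note, allow a few hours after setup before treating a non-encrypted test message as a rule failure.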
Comments (13)

  1. Thank you!! This is extremely helpful to assist my clients.

  2. Yuri Burkinshaw says:

    You are missing a $ - it should be "$Session" and not "Session" for the third command!

    1. Thank you for the catch Yuri. Much appreciated.

  3. Robin Faulkner says:

    Thanks! You made this a breeze to set up.

  4. Jay Arendt says:

    Very easy to follow. We were up and running in 15 minutes. Thanks!

  5. Tolu says:

    This is brilliant and it works perfectly! Thanks a lot for this, saved me hours

  6. Todd Searls says:

    Thank you so much for this! This is my second organization that I've used your step-by-step guide to enable email encryption on o365. Really appreciate it!

  7. Lawton Lee says:

    Wonderful. Keep up the good work.

    1. Scott D says:

      We have done all this successfully, but still get the error:
      You can't create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled.
      when we try to save the transport rule. Don't know what else to do. Everything shows up exactly like you show in this doc with the Get-IRMConfiguration. Have followed each step piece by piece. Any help would be greatly appreciated!!

  8. John Lane says:

    Thank you very much

  9. Bill Hogan says:

    Thank-you VERY MUCH this has been extremely helpful!

    A quick note to others: it seems to take a few hours to spin up.

    1. Philip @ GN says:

      Agreed, simple and straight forward instructions. But what you don't get is instant gratification. You'll have to wait several hours for all the pieces to settle into place on the backside before it starts 'working'. This guide is definitely being saved/bookmarked.

  10. Richard Pozywak says:

    Excellent instructions!! Took minutes to setup
