Security……Enabling & Using Office Message Encryption in Office 365 Government Community Cloud


If you have a Government Community Cloud (GCC) tenant you have access to a feature called Office Message Encryption (OME). If you need a refresher about OME you can check out this Office Blog post or even the Office Message Encryption TechNet site for a drill down of details. OME allows you to send encrypted emails that are driven by rules in Exchange Online. Those rules can be custom rules that can be started in various ways. For example you can specify that if an email has keyword in the subject or body like #Encrypt#, then it's encrypted. You can also tie encryption into your enforcement of DLP policies. If you have an agency that has HIPAA requirements you could set emails that detect PHI data being sent to external recipients to be automatically encrypted. We will be covering DLP in a series of additional posts, so we won't go into significant detail on this post other than the show the implementation of an OME rule and its results.

Let's get started.

First we need to enable Rights Management through the portal and then to enable OME you will need to use PowerShell. If you need a refresher on using PowerShell with Office 365, I would suggest visiting the Windows PowerShell in Office 365 site.
Also please note that sometimes copying and pasting the PowerShell below may somehow include formatting. I always suggest copying PowerShell code into a text file in an app like notepad and then copying from there to ensure no formatting is preserved.

  1. login to Office 365 admin center via https://portal.microsoftonline.com/
  2. Go to service settings -> rights management -> manage , make sure the Rights management is activated
  3. Connect to your Office 365 Tenant and Exchange Online via PowerShell (my connection script is below)
    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic –AllowRedirection
    set-executionpolicy remotesigned
    Import-PSSession $Session
    Set-RemoteDomain –Identity default –AutoForward $true

  4. Then run the following command:
    Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc"

    Note
    the above is for G3/G4 customers only. If you are an E3/E4 customer then your key sharing location is https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

  5. Then run the following command:
    Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"


  6. Then run and make sure the result is PASS:
    Test-IRMConfiguration –RMSOnline


  7. Then run the following command:
    Set-IRMConfiguration -InternalLicensingEnabled $true


  8. You can test your IRM configuration with the following command (replacing your@tenant.onmicrosoft.com with your own admin account):

    Test-IRMConfiguration -sender your@tenant.onmicrosoft.com

    You should get an "OVERALL RESULT" of "PASS." It may take between 12-24 hours for the licensing to start working in Exchange Admin Center.

Now it's time to add OME Rules in the Exchange Admin Center (EAC)

Let's add a rule that will encrypt any email that is sent to someone outside your organization that includes a Social Security Number. We will do this via the EAC but, it can also be done via PowerShell if you prefer. Again, OME works based on rules that an administrator creates and is able to be triggered by things detected within a message. To see additional instructions on setting up OME rules visit the TechNet Site. For our example we are going to create a rule that uses one of the prebuilt sensitive information types within Exchange (U.S. Social Security Number).

  1. Make sure you are logged into the Office 365 portal (https://portal.microsoftonline.com)
  2. Click the Admin button in the top right next to your name and then select Exchange from the drop-down list.
  3. Once in the EAC, click mail flow on the left-hand menu. You should default to the rules page but if you don't be sure to click the word rules.

Now we need to create our rule to enable OME. For this example we are going to encrypt a rule that is being sent to someone outside the organization if it contains a Social Security Number:

  1. Click the plus ( + )sign.
  2. Select Create new rule and give it a name (e.g. "PII Encryption")


  3. Set the rule to apply if The recipient is located…. And then select: Outside the organization and then click OK,

  4. Next click add condition

  5. Select The Message… Contains Sensitive Information,

  6. The sensitive information type's box should appear. Click the plus ( + )sign

  7. Scroll through the list until you find U.S. Social Security Number (SSN) click add and then OK,

  8. Next under Do the Following… Select Modify the message security… Apply Office 365 Message Encryption

  9. In the section Choose a mode for this rule, choose Enforce and then click save

Are we done yet? Almost……

Let's test this rule out. If everything worked as expected, when a user sends an email to someone outside your organization and it includes a Social Security Number, they should receive that message encrypted by OME.

  1. Open up and Log In to Outlook or Outlook Web Access with an account in your Office 365 GCC tenant.
  2. Craft and send an email that includes sample SSN's and follows the Matching Methods and Techniques for rules packages (email must have SSN number and other text like SSN, Name, or other related keywords).
    Note in my sample below I am using Sample SSN's that are used for testing within applications. To be extra safe I am blurring out the final numbers as a precaution. A quick Bing search helped me find numbers to use for testing purposes.

  3. If everything is configured correctly your recipient will get an encrypted message like the one below and they will need to follow the instructions in the message.

  4. Once they open the attachment they will begin the process to authenticate to access the encrypted message

  5. Users MUST login to view the encrypted message. If they have an existing Office 365 account at the email address they were sent the request they can simply select Organization account above and login with their organization credentials. If they do not they will need to create or associate their Microsoft account with the email address the message was sent to. If your recipient needs help with that last part send them here.
  6. Once they are logged in the message will appear and they will be able to view and even reply to the message

And that's that…..

Well, that was a long journey but if everything worked correctly you can now enable encryption rules that meet you compliance needs. This will likely be a hot topic for most Government customers. The rules capabilities within Exchange Online are extremely powerful and this example just scratched the surface of what is capable. Heck, we didn't even get into customizing the branding for the encryption service. We will be writing a lot more in the future about the rules and DLP capabilities in Exchange Online along with the upcoming DLP capabilities in SharePoint. Until then thanks for reading.

Comments (1)

  1. OgedeiSechen says:

    I have Business Premium and I do not have these options. Is this specific to the G and E versions or is there something else I need to do?

Skip to main content