Exchange Hosted Encryption (EHS) Activation with Office 365

Woody_trapped (2)

Woody Walton

As Exchange Hosted Encryption, or EHE, has evolved as a service parallel to Office 365, we are often asked questions regarding integration of the two services.  The purpose of this post to educate the partner community on how to activate your EHE subscription fro use with Office 365.

The first point to note is that the process is different depending on whether the customer has the newer Wave 15 tenant (2013 versions of Office and Services), or the a Wave 14 (2010 versions) that has yet to be upgraded. The reason for this difference is that wave 14 tenants leverage FOPE (Forefront Online Protection for Exchange), whereas Wave 15 tenants leverage Exchange Online Protection, the successor email security solution.

The second point to note is that it is a manual process to tie the two together at this point. 

Instructions for Wave 15 Office 365 Tenants with Exchange Online Protection (EOP):

1. Purchase the EHE Licenses (open License through distribution for example)

2. Email the following information to :

· Domain:

· O365 Tenant Domain:

· Company Name:

· Agreement Number:   

3.) The Activations Team will facilitate the manual addition of the EHE license to the EOP/O365 portal.

4.) Instructions for log in and set up sent to you (customer) from Activation, upon completion of license being enabled.

5.) Set up Transport Rules, with domain/ domain mailboxes for Encryption. 

Additional Context: for setting up Transport Rules. You will not be able to see the actual EHE license in your O365 Administration Center portal.  

You can see it in the VL site, but in a pre-provisioning status only.  Please note the VLS site will tell you what license have been validated, but this is not where you create your transfer rules. It is a separate portal.

Please proceed to add your policy/ transfer rules to encrypt, within the  w15 Administration Center O365 portal.  

Please follow the following link to configure EHE (Encryption) with Office 365.

There can be a one to two hour replication time, once you set up your encrypt rules.

Instructions for Office 365 wave 14 tenant with FOPE or FOPE SA.  

1. Purchase the EHE Licenses

2. Wait for the email from VLS site Licensing team.- Request for validation of the activation.  This causes your purchased order to flow into the Microsoft Billing Team, to create and order.

3. Ideally, the Activations of EHE licenses are done in the backend and happen quickly, but you can reach out to the email address of to get the licenses activated internally for your domain.  Customers often are stuck at “provide IP address”; adding – may force it through.

4. Once the licenses are activated, you will receive Log in instructions, and set up information.

5. Create Policy rules for your domain.  You can chose to encrypt all for domain(s) or specific email addresses.

6. Test with sample scenarios whether the encryption is working.  Once the tests are successful, go ahead with a full production deployment

You will notice the email address in both processes above.   It stands for the Microsoft Exchange Hosted Services Activations.  This email alias is to be used expressly for EHE Activation processes above.  It is not a support alias for EHE.  

If you need help with set up of policy rules, please contact Support:  

Microsoft Online Support - 800-865-9408  North America

·         Option 1 - Billing / Activation

·         Option 2 - Product Information before you buy

·         Option 3 – Cancellation / Discontinuation of service

·         Option 4 - Technical Support

A special thanks to Sandy on the Activations team for sharing this process with me.



Comments (2)

  1. Chris says:


    We're an MS SPLA partner and would like to use EHE with our on-premise exchange service. How do I go about activating the service under our SPLA?

  2. Chandler Bootchk says:

    Good post, Woody.  Very helpful.  I am told our licensing is a 1:1 named user model.  If so, how is that tracked and monitored?  I mean, if I create a rule that says any mail sent to gets encrypted, how could I possibly track that?

Skip to main content