Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection

With new Office 365 Message Encryption capabilities built on top of Azure Information Protection, your organization can use protected email communication with people inside and outside your organization. The new OME capabilities work with other Office 365 organizations, Outlook.com, Gmail, and other email services.

How the new capabilities for OME work

The new Office 365 Message Encryption capabilities use the Azure Rights Management data protection service from Azure Information Protection. Azure Rights Management uses encryption, identity, and authorization policies to help secure your email. You can encrypt messages by using Rights Management templates or the Do Not Forward option. Users can then encrypt their messages and a variety of Office 365 attachments by using these options. For a full list of supported attachment types, see "File types covered by IRM policies when they are attached to messages" in Introduction to IRM for email messages. As an administrator, you can also define mail flow rules to apply this protection. For example, you can define a rule where all unprotected messages that are addressed to a specific recipient or that contain specific words in the subject line are protected from unauthorized access, and the recipients cannot copy or print the contents of the message.

Unlike Office Message Encryption (OME), these new capabilities provide a unified sender experience whether you're sending mail inside your organization or to recipients outside of Office 365. In addition, recipients who receive a protected email message sent to an Office 365 account in Outlook 2016 or Outlook on the web don't have to take any additional action to view the message. It works seamlessly. Recipients using other email clients and email service providers also have an improved experience. For information, see Learn about protected messages in Office 365 and How do I open a protected message.

Who can use the new capabilities for OME?

You can follow the steps in this topic to set up the new capabilities for OME under the following conditions:

  • If you have never set up OME or IRM for Exchange Online in Office 365.

  • If you have set up OME and IRM, you can use these steps if you are using the Azure Rights Management service from Azure Information Protection.

  • If you are using Exchange Online with Active Directory Rights Management service (AD RMS), you can't enable these new capabilities right away. Instead, you need to migrate AD RMS to Azure Information Protection first. When you've finished the migration, you can successfully complete these steps.

    If you choose to continue to use on-premises AD RMS with Exchange Online instead of migrating to Azure Information Protection, you will not be able to use these new capabilities.

Steps to set up the new capabilities for OME

To set up the new capabilities for OME, you will follow these steps:

  1. Ensure you have the right subscription for your organization. To use this service, you need one of the following combinations:

    • An Office 365 subscription that includes Azure Rights Management as well as Exchange Online or Exchange Online Protection (EOP).

    • An Azure Information Protection subscription and an Office 365 subscription that includes Exchange Online or Exchange Online Protection (EOP).

    If you’re not sure of what your Office 365 subscription includes, see the Exchange Online service descriptions for Message Policy, Recovery, and Compliance.

    For information about purchasing a subscription to Azure Information Protection, see Azure Information Protection.

  2. Decide whether you want Microsoft to manage the root key for Azure Information Protection (the default), or generate and manage this key yourself (known as bring your own key, or BYOK). If you want to generate and manage this key yourself, you need to complete some steps before you set up the new capabilities for OME. For more information, see Planning and implementing your Azure Information Protection tenant key. Microsoft recommends that you complete these steps before you set up OME.

  3. Set up the new capabilities for OME by using Windows PowerShell.

  4. Set up new mail flow rules or update existing mail flow rules that define how and when you want Office 365 to encrypt messages sent from your organization.

Set up the new capabilities for OME by using Windows PowerShell

Follow these steps to set up the new capabilities for OME through Azure PowerShell and then Exchange Online PowerShell.

  1. If you do not already have the Windows module for Azure Rights Management from Azure Information Protection installed, you need to download and install it. For instructions, see Installing Windows PowerShell for Azure Rights Management.

  2. Using a work or school account that has global administrator permissions in your Office 365 organization, start a Windows PowerShell session.

  3. Review the script in "Figure 1: Setup Script for Office 365 Message Encryption for Azure PowerShell and Exchange Online PowerShell" that follows. If you need to, you can copy the script into a text editor and then modify the script based on your organization's requirements before you run it. For example:

    • If your organization uses multi-factor authentication (MFA) to connect to Exchange Online PowerShell, follow the instructions in Connect to Exchange Online PowerShell using multi-factor authentication instead. You will need to delete the following lines and insert the commands you use to connect with MFA:

      #Create a remote PowerShell session and connect to Exchange Online.
      $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
      Import-PSSession $session
    • If you don't want to enable the Protect button in Outlook on the web, delete these two lines:

      #Enable the Protect button in Outlook on the web (Optional).
      Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
  4. Once you're ready to run the script, copy and paste the script into your PowerShell session.

    Figure 1: Setup Script for Office 365 Message Encryption for Azure PowerShell and Exchange Online PowerShell   

    #Connect to the Azure Rights Management service. 
    $cred = Get-Credential
    Get-Command -Module aadrm
    Connect-AadrmService -Credential $cred
    #Activate the service.
    Enable-Aadrm
    #Get the configuration information needed for message encryption.
    $rmsConfig = Get-AadrmConfiguration
    $licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
    #Disconnect from the service.
    Disconnect-AadrmService
    #Create a remote PowerShell session and connect to Exchange Online.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $session
    #Collect IRM configuration for Office 365.
    $irmConfig = Get-IRMConfiguration
    $list = $irmConfig.LicensingLocation
    if (!$list) { $list = @() }
    if (!$list.Contains($licenseUri)) { $list += $licenseUri }
    #Enable message encryption for Office 365.
    Set-IRMConfiguration -LicensingLocation $list
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true
    #Enable the Protect button in Outlook on the web (Optional).
    Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
    #Enable server decryption for Outlook on the web, Outlook for iOS, and Outlook for Android.
    Set-IRMConfiguration -ClientAccessServerEnabled $true
  5. Verify that the new capabilities for OME are configured properly by running the Test-IRMConfiguration cmdlet using the following syntax:

    Test-IRMConfiguration [-Sender <email address>]

    For example:

    Test-IRMConfiguration -Sender securityadmin@contoso.com

    Where <email address> is the email address of a user in your Office 365 organization. While optional, providing a sender email address forces the system to perform additional checks.

    Your results should look like these:

    Results : Acquiring RMS Templates ...
                  - PASS: RMS Templates acquired.  Templates available: Contoso - Confidential View Only, Contoso - Confidential, Do Not Forward.
              Verifying encryption ...
                  - PASS: Encryption verified successfully.
              Verifying decryption ...
                  - PASS: Decryption verified successfully.
              Verifying IRM is enabled ...
                  - PASS: IRM verified successfully.

              OVERALL RESULT: PASS

    Where Contoso is replaced with the name of your Office 365 organization.

    The names of the default Rights Management templates returned in the results may be different from those displayed in the results above for several reasons.

    In this example, the list of available templates also displays the Do Not Forward option for emails. This is a set of rights that is dynamically applied by users to their email recipients and is available to Office 365 organizations by default.

    For an introduction to templates and information about the default templates, see Configuring and managing templates for Azure Information Protection. For information about the Do Not Forward option, how to create additional templates, or find out what rights are included in an existing template, see Configuring usage rights for Azure Rights Management.

    • If you recently obtained a subscription for Azure Information Protection, your default templates are created with the following names:

      • Confidential \ All Employees for read or modify permissions for the protected content. This template applies these permissions only to users in your Office 365 organization. Recipients outside of your Office 365 organization will not be able to open content that is protected by this template.

      • Highly Confidential \ All Employees for read-only permission for the protected content. This template applies these permissions only to users in your Office 365 organization. Recipients outside of your Office 365 organization will not be able to open content that is protected by this template.

    • If you obtained your Azure Information Protection subscription some time ago, or if you don't have an Azure Information Protection subscription but you do have an Office 365 subscription that includes Azure Rights Management, your default templates are created with the following names:

      • <organization name> - Confidential for read or modify permissions for the protected content. This template applies these permissions only to users in your Office 365 organization. Recipients outside of your Office 365 organization will not be able to open content that is protected by this template.

      • <organization name> - Confidential View Only for read-only permission for the protected content. This template applies these permissions only to users in your Office 365 organization. Recipients outside of your Office 365 organization will not be able to open content that is protected by this template.

    • You can modify the names of the templates. If the list of templates returned in the results includes names that are different from the defaults provided above, then someone in your organization has already set up Azure RMS and modified the names of the default templates or perhaps created new ones and deleted the defaults. Microsoft recommends that you confirm the definition of any unfamiliar templates before assigning them to your users. To learn more about customization, see Configuring and managing templates for Azure Information Protection.

  6. Run the Remove-PSSession cmdlet to disconnect from the Rights Management service.

    Remove-PSSession $session
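The Test-IRMConfiguration output above is meant to be read by a person. The following script is an added example, not part of the Microsoft article or the setup script in Figure 1: it runs in the same Exchange Online PowerShell session, before you disconnect in step 6, and turns step 5 into a repeatable check. It confirms that the IRM settings the setup script is supposed to turn on are actually on, fails loudly if Test-IRMConfiguration reports anything other than an overall PASS, and flags any Rights Management template whose name is not in a list you maintain, which is the review the article recommends for unfamiliar templates. The sender address and the expected template names are placeholders taken from the article's examples; replace them with values from your own tenant.

```powershell
# Added example (not from the Microsoft article): post-setup checks for the new OME
# capabilities. Assumes an Exchange Online PowerShell session is already connected
# (Import-PSSession from the setup script) and has not yet been removed.

$Sender = 'securityadmin@contoso.com'   # placeholder address from the article's example

# Template names you expect to see. These are the default names the article lists;
# any template NOT in this list is reported so it can be reviewed before it is
# assigned to users (an unknown template may grant broader rights than intended).
$ExpectedTemplates = @(
    'Confidential \ All Employees',
    'Highly Confidential \ All Employees',
    'Contoso - Confidential',             # placeholder: <organization name> - Confidential
    'Contoso - Confidential View Only'    # placeholder: <organization name> - Confidential View Only
)

# 1. Confirm the IRM settings the setup script is supposed to have enabled.
$irm = Get-IRMConfiguration
$settings = [ordered]@{
    AzureRMSLicensingEnabled      = $irm.AzureRMSLicensingEnabled
    InternalLicensingEnabled      = $irm.InternalLicensingEnabled
    ClientAccessServerEnabled     = $irm.ClientAccessServerEnabled
    SimplifiedClientAccessEnabled = $irm.SimplifiedClientAccessEnabled   # optional Protect button
}
foreach ($name in $settings.Keys) {
    $state = if ($settings[$name]) { 'OK  ' } else { 'WARN' }
    Write-Host ('[{0}] {1} = {2}' -f $state, $name, $settings[$name])
}
# The setup script adds the Azure RMS licensing URL to this list; an empty list
# means the LicensingLocation step did not take effect.
if (-not $irm.LicensingLocation) {
    Write-Warning 'LicensingLocation is empty; the Azure RMS licensing URL was not added.'
}

# 2. Run the built-in end-to-end test and treat anything but PASS as a failure.
$test = Test-IRMConfiguration -Sender $Sender
if ($test.Results -match 'OVERALL RESULT:\s*PASS') {
    Write-Host '[OK  ] Test-IRMConfiguration reported an overall PASS'
} else {
    Write-Warning 'Test-IRMConfiguration did not report an overall PASS:'
    Write-Host $test.Results
}

# 3. List the templates Exchange Online can see and flag unfamiliar names.
foreach ($tpl in Get-RMSTemplate) {
    if ($ExpectedTemplates -contains $tpl.Name) {
        Write-Host ("[OK  ] template '{0}'" -f $tpl.Name)
    } else {
        Write-Warning ("Unfamiliar template '{0}': {1}" -f $tpl.Name, $tpl.Description)
    }
}
```

Run the script after step 5 and keep the output with your change record; rerunning it after any later change to IRM settings or templates gives you a quick way to spot drift from the configuration you originally verified.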

Note:  Outlook on the Web caches its UI, so it's a good idea to wait a day before you try applying the new capabilities for OME to email messages using this client. Before the UI updates to reflect the new configuration, the new capabilities for OME won't be available. After the UI updates, users can protect email messages by using the new capabilities for OME.

Define new mail flow rules that use the new OME capabilities

Note: This step is required for existing OME deployments that already have mail flow rules set up to encrypt outgoing mail. If you want to take advantage of the new Office 365 Message Encryption (OME) capabilities available to you through Azure Information Protection, you must update your existing mail flow rules. Otherwise, your users will continue to receive encrypted mail that uses the previous HTML attachment format instead of the new, seamless OME experience. This step is optional for new OME deployments.

Mail flow rules determine under what conditions email messages should be encrypted, as well as conditions for removing that encryption. When you set an action for a rule, any messages that match the rule conditions are encrypted when they’re sent.
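The following is an added example of mail flow rules for the new capabilities, not part of the Microsoft article; it uses the New-TransportRule and Set-TransportRule cmdlets in an Exchange Online PowerShell session. It shows the scenario described earlier on this page (protecting unprotected messages addressed to a specific recipient or carrying specific words in the subject line) and the update the note above calls for on existing rules, replacing the legacy OME action with a Rights Management template. The rule names, the recipient address, the subject keyword, the existing rule name and the template name are placeholders; use a template name returned by Get-RMSTemplate in your tenant.

```powershell
# Added example (not from the Microsoft article): mail flow rules that apply
# Rights Management protection. Assumes an Exchange Online PowerShell session.

$TemplateName        = 'Contoso - Confidential'   # placeholder; pick a name from Get-RMSTemplate
$RestrictedRecipient = 'legal@contoso.com'        # placeholder recipient

# Rule 1: protect messages addressed to a specific recipient.
# -ApplyRightsProtectionTemplate is the action that uses the new OME capabilities.
New-TransportRule -Name 'OME - protect mail to legal' `
    -SentTo $RestrictedRecipient `
    -ApplyRightsProtectionTemplate $TemplateName `
    -Comments 'Added example rule: RMS-protect messages addressed to legal'

# Rule 2: protect messages with a keyword in the subject, but skip messages that are
# already rights-protected so they are not re-protected with a different template.
New-TransportRule -Name 'OME - protect by subject keyword' `
    -SubjectContainsWords 'Confidential' `
    -ExceptIfMessageTypeMatches PermissionControlled `
    -ApplyRightsProtectionTemplate $TemplateName `
    -Comments 'Added example rule: RMS-protect messages with Confidential in the subject'

# Updating an existing legacy rule: turn off the old HTML-attachment OME action
# (ApplyOME) and apply a template instead, so recipients get the new experience.
# 'Encrypt outbound confidential mail' is a placeholder for your existing rule's name.
Set-TransportRule -Identity 'Encrypt outbound confidential mail' `
    -ApplyOME $false `
    -ApplyRightsProtectionTemplate $TemplateName

# Review: any rule that still has ApplyOME set needs the same update.
Get-TransportRule |
    Where-Object { $_.ApplyOME -or $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, ApplyOME, ApplyRightsProtectionTemplate -AutoSize
```

Create new rules in a disabled state or with a narrow condition first, send a test message that matches, and confirm in the recipient's client that it opens with the expected rights before widening the conditions; the final Get-TransportRule listing is the quickest way to see which rules are still on the legacy action.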

For more information about mail flow rules, see Define mail flow rules to encrypt email messages in Office 365.

Related Topics

Send, view, and reply to encrypted messages in Outlook

Enable-Aadrm

Connect to Exchange Online PowerShell

Define mail flow rules to encrypt email messages in Office 365
