Office 365 Message Encryption (OME)

In this post, I will demonstrate how to configure Office 365 Message Encryption (OME), activating/ setting up Azure RMS and all necessary ExchangeTransport Rules ).

We will create a transport rule that will enable Office 365 Message Encryption on messages with a Sensitivity level set to Confidential.

The process to setup and enable Office 365 Message Encryption is really easy. There are three main steps that need to be followed

  1. Activate Azure Rights Management
  2. Setup Azure Rights Management for Exchange Online
  3. Setup transport rules to enforce message encryption in Exchange Online

The steps to enable this are as follows:

1. Activate Azure Rights Management for Office 365 Message Encryption

Login to Microsoft Online Portal with a Global Admin Account
Open the App Launcher 
Select ADMIN
Select SERVICE SETTINGS from the left pane
From within RIGHTS MANAGEMENT click Manage
On the management page, click ACTIVATE
Click ACTIVATE again on the popup asking if you are sure you want to activate Rights Management

2. Set up Azure Rights Management for Office 365 Message Encryption

If you attempt to use Office 365 Message Encryption before first enabling IRM licensing, the operation will fail and give you this message:

"You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled"

To fix this, we need to enable IRM licensing using the Admin portal and PowerShell.

Here are the steps:

Connect to your Exchange Online account by using Windows PowerShell

Login with this command:

$LiveCred = Get-Credential

Begin configuration of Exchange Online:

( If you have never used remote powershell with Exchange Online run the following command: set-executionpolicy remotesigned )

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic –AllowRedirection

Import-PSSession $Session

Run the following commands to enable Rights management within Exchange Online:

Set-IRMConfiguration –RMSOnlineKeySharingLocation ""

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

Set-IRMConfiguration -InternalLicensingEnabled $true

For regions outside North America, please substitute .NA. with .EU. for the European Union, and .AP. for Asia



Optionally test the configuration by running the following command:

Test-IRMConfiguration -sender

3. Create the OME Transport Rule

We will create a transport rule that enables Office 365 Message Encryption if the message is sent to a recipient outside the organization and the Sensitivity header have been set to Confidential.

Follow these steps:

1. Log in to your Office 365 Admin Portal and navigate to Exchange Control Panel (Admin\Exchange).
2. Navigate to Mail Flow, click the + icon and select Create a new rule…

3. Give the rule a suiting name and click More options…

4. From here you can set your condition as it fits your needs, but for this example we will inspect the Sensitivity header and apply Message Encryption based on that. To do so, select the following conditions:
Apply this rule if… A message header includes any of these words

5. Complete the Apply this rule if-condition by clicking the properties Enter text and Enter word so that the condition makes ‘Sensitivity’ header includes ‘Confidential’

6. Click Add condition and select The recipient… Is external/internal. Click Select one… and select Outside the organization and hit OK

7. Proceed with clicking Do the following… and select Modify the message security… and select Apply Office 365 Message Encryption

8. Hit Save at the bottom of the New rule editor.

Now you can create a message with the sensitivity level set to Confidential and send this to a recipient outside our organization. Our transport rule will apply Office 365 Message Encryption to the message.

To summarize this post,  Office 365 Message Encryption (OME) is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail,, etc.).

Office 365 Message Encryption FAQ

Hope this post was helpful! Thanks!



Comments (15)

  1. Tony Martinac says:

    Thank you!  Very helpful article on how to setup the Rights Management.  I was getting stuck on that piece.

  2. Mike Hapner says:

    Worked great. Thank you!

    Now to create a button on the ribbon in Outlook to set sensitivity more easily.

  3. Mike Rowe says:

    Awesome! I’ve been trying to get this to work all morning and this got it for me. Thank you.

  4. Brad Mic says:

    Awesome and thank you!

  5. Dorego Borrego says:

    Thanks this was very helpful and got it working.

    Not sure why but it took a while for the Powershell commands to propagate through (overnight) before I could create an encryption rule.

  6. Jim Barr says:

    This post is helpful, but glosses over the early stages of ARM.. you must have multiple connectors and modules installed on PC’s in your domain that are already Azure enabled (and they CANNOT be domain controllers). In addition, your licensing of Office 365 is central to understand; if you have E3 or higher, RM is licensed by default, but not activated, so nothing more to buy. Business Premium requires a 2.00/user/month license – along with all the other AD sync that is required.

  7. Thank You ! Its very useful article on how to setup the Rights Management

  8. GRJ says:

    That’s a great article, pal.
    The official articles at Technet and such leave a lot to be desired.

  9. Alex M says:

    I still get the error ““You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled”” when I try to save the rule.
    Do I need to an amount of time before it works/sync?

    1. Alex M says:

      ok it works. you should add in your procedure to wait 8hours+ after step #2. Otherwise, your procedure is perfect! THX!

  10. Joel Holt says:

    I am trying to do this on a Mac using the open source powershell for mac from GitHub. I cannot make the commands work. Has anybody done this on Mac?

  11. Mark says:

    Done all of the above, but still get “You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled.” when trying to create a rule for encryption. Any ideas?

  12. Phill says:

    Worked perfectly… Mac Users – choose a different trigger… “Subject or body” matches work great….

  13. Louise says:

    Any idea if these instructions should work in a Hybrid environment? I’m getting this error:

    [PS] C:\Windows\system32>Set-IRMConfiguration -RMSOnlineKeySharingLocation “
    Cannot process argument transformation on parameter ‘ClientAccessServerEnabled’. Cannot convert value “System.String” t
    o type “System.Boolean”, parameters of this type only accept booleans or numbers, use $true, $false, 1 or 0 instead.
    + CategoryInfo : InvalidData: (:) [Set-IRMConfiguration], ParameterBindin…mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-IRMConfiguration

    Any help is appreciated!

Skip to main content