In this post, I will demonstrate how to configure Office 365 Message Encryption (OME): activating and setting up Azure RMS, and creating the necessary Exchange transport rules.
We will create a transport rule that will enable Office 365 Message Encryption on messages with a Sensitivity level set to Confidential.
The process to set up and enable Office 365 Message Encryption is straightforward. There are three main steps that need to be followed:
- Activate Azure Rights Management
- Setup Azure Rights Management for Exchange Online
- Setup transport rules to enforce message encryption in Exchange Online
The steps to enable this are as follows:
1. Activate Azure Rights Management for Office 365 Message Encryption
Log in to the Microsoft Online Portal with a Global Admin account
Open the App Launcher
Select SERVICE SETTINGS from the left pane
Click RIGHTS MANAGEMENT
From within RIGHTS MANAGEMENT click Manage
On the management page, click ACTIVATE
Click ACTIVATE again on the popup asking if you are sure you want to activate Rights Management
2. Set up Azure Rights Management for Office 365 Message Encryption
If you attempt to use Office 365 Message Encryption before first enabling IRM licensing, the operation will fail and give you this message:
“You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled”
To fix this, we need to enable IRM licensing using the Admin portal and PowerShell.
Here are the steps:
Connect to your Exchange Online account by using Windows PowerShell
Log in with this command:
$LiveCred = Get-Credential
Begin configuration of Exchange Online:
(If you have never used remote PowerShell with Exchange Online, first run the following command: Set-ExecutionPolicy RemoteSigned)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Then import the session so the Exchange Online cmdlets used below are available locally:
Import-PSSession $Session
Run the following commands to enable Rights Management within Exchange Online:
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
Set-IRMConfiguration -InternalLicensingEnabled $true
For regions outside North America, substitute the "na" in the key sharing location URL with "eu" for the European Union, or "ap" for Asia.
Optionally test the configuration by running the following command:
Test-IRMConfiguration -sender email@example.com
3. Create the OME Transport Rule
We will create a transport rule that enables Office 365 Message Encryption if the message is sent to a recipient outside the organization and the Sensitivity header has been set to Confidential.
Follow these steps:
1. Log in to your Office 365 Admin Portal and navigate to Exchange Control Panel (Admin\Exchange).
2. Navigate to Mail Flow, click the + icon and select Create a new rule…
4. From here you can set the condition to fit your needs, but for this example we will inspect the Sensitivity header and apply Message Encryption based on it. To do so, select the following condition:
Apply this rule if… A message header includes any of these words
Now you can create a message with the sensitivity level set to Confidential and send it to a recipient outside your organization. The transport rule will apply Office 365 Message Encryption to the message.
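Steps 2 and 3 above as one PowerShell script, with a check after each stage so a failure is caught before the next step runs. This is an added example, not the post's own code; it assumes the same remote PowerShell endpoint and cmdlets shown above, that Outlook writes the header "Sensitivity: Company-Confidential" for a message marked Confidential, and the rule name, test sender address and region parameter are placeholders you would replace.

```powershell
# Added example (not from the original post): the whole procedure from this
# post as one script, with checks after each stage. Assumes the legacy
# remote-PowerShell endpoint and cmdlets shown above, and that Outlook writes
# "Sensitivity: Company-Confidential" for a Confidential message (assumption).
param(
    [ValidateSet('na','eu','ap')][string]$Region = 'na',    # region from the post's note
    [string]$TestSender = 'email@example.com',              # placeholder mailbox, as in the post
    [string]$RuleName   = 'OME - Confidential to external'  # hypothetical rule name
)

# --- Step 2: connect and enable IRM licensing ---
$LiveCred = Get-Credential
$Session  = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://ps.outlook.com/powershell/' `
    -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking | Out-Null

try {
    $keyLocation = "https://sp-rms.$Region.aadrm.com/TenantManagement/ServicePartner.svc"
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $keyLocation
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
    Set-IRMConfiguration -InternalLicensingEnabled $true

    # Check: IRM licensing must be on, or any rule with ApplyOME is rejected.
    $irm = Get-IRMConfiguration
    if (-not $irm.InternalLicensingEnabled) {
        throw 'InternalLicensingEnabled is still false; ApplyOME rules will be rejected.'
    }
    Test-IRMConfiguration -Sender $TestSender | Format-List

    # --- Step 3: the same transport rule the post builds in the ECP ---
    # Fires only for external recipients AND a Confidential sensitivity header.
    if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name $RuleName `
            -SentToScope NotInOrganization `
            -HeaderContainsMessageHeader 'Sensitivity' `
            -HeaderContainsWords 'Company-Confidential' `
            -ApplyOME $true
    }

    # Check: confirm the rule exists, is enabled and carries the ApplyOME action.
    Get-TransportRule -Identity $RuleName |
        Select-Object Name, State, SentToScope, HeaderContainsWords, ApplyOME
}
finally {
    Remove-PSSession $Session   # always tear down the remote session
}
```

If the final Select-Object shows State as anything other than Enabled, or ApplyOME as False, the rule will not encrypt and should be corrected before sending the test message from the paragraph above.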
To summarize this post, Office 365 Message Encryption (OME) is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail, Outlook.com, etc.).
Hope this post was helpful! Thanks!