5 minute read
Cloud Infrastructure Management

Message encryption policy for Exchange Online (OME)

When you intend to secure your email communication and want to ensure that your messages are only opened, forwarded or acted upon only by the intended recipients, you need to use the AADRMS that comes as a SAAS service of office 365. However the service requires some wizard driven configuration at the tenant level and certain level of administrative task to complete the service configuration.

I am documenting the process on how to configure Office 365 Message Encryption (OME), activating/ setting up Azure RMS and all necessary ExchangeTransport Rules.

We will create a transport rule that will enable Office 365 Message Encryption on messages with a Sensitivity level set to Confidential.

The process to setup and enable Office 365 Message Encryption is really easy. There are three main steps that need to be followed

  1. Activate Azure Rights Management
  2. Setup Azure Rights Management for Exchange Online
  3. Setup transport rules to enforce message encryption in Exchange Online

The steps to enable this are as follows:

1. Activate Azure Rights Management for Office 365 Message Encryption

Login to Microsoft Online Portal with a Global Admin Account

Open the App Launcher

Select ADMIN

Select SERVICE SETTINGS from the left pane


From within RIGHTS MANAGEMENT click Manage

On the management page, click ACTIVATE

Click ACTIVATE again on the popup asking if you are sure you want to activate Rights Management

It was previously activated.

Encryption 1
Encryption 2

2. Set up Azure Rights Management for Office 365 Message Encryption

If you attempt to use Office 365 Message Encryption before first enabling IRM licensing, the operation will fail and give you this message:

“You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled”

Encryption 3

To fix this, we need to enable IRM licensing using the Admin portal and PowerShell

Here are the steps:

Connect to your Exchange Online account by using Windows PowerShell

Begin configuration of Exchange Online:

( If you have never used remote powershell with Exchange Online run the following command: set-executionpolicy remotesigned )

Login with this command:

$UserCredential = Get-Credential

Encryption 4

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUrihttps://ps.outlook.com/powershell/ -Credential $ UserCredential -Authentication Basic –AllowRedirection

Encryption 5

Import-PSSession $Session

Encryption 6

Run the following commands to enable Rights management within Exchange Online:

Set-IRMConfiguration –RMSOnlineKeySharingLocation “https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Encryption 7

Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

Encryption 8

Set-IRMConfiguration -InternalLicensingEnabled $true

Encryption 9

For regions outside North America, please substitute .NA. with .EU. for the European Union, and .AP. for Asia

e.g.: https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

e.g.: https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

Optionally test the configuration by running the following command:

Test-IRMConfiguration -sender tirthag@xxxxxxxxx.onmicrosoft.com

Encryption 10

3. Create the OME Transport Rule

We will create a transport rule that enables Office 365 Message Encryption if the message is sent to a recipient outside the organization and the Sensitivity header have been set to Confidential.

Follow these steps:

  • Log in to your Office 365 Admin Portal and navigate to Exchange Control Panel (Admin\Exchange).
  • Navigate to Mail Flow, click the + icon and select Create a new rule…
Message encryption policy for Exchange Online (OME)
  • Give the rule a suiting name and click More options…
Message encryption policy for Exchange Online (OME)
  • From here you can set your condition as it fits your needs, but for this example we will inspect the Sensitivity header and apply Message Encryption based on that. To do so, select the following conditions: Apply this rule if… A message header includes any of these words
Message encryption policy for Exchange Online (OME)
  • Complete the Apply this rule if-condition by clicking the properties Enter text and Enter word so that the condition makes ‘Sensitivity’ header includes ‘Confidential’
Message encryption policy for Exchange Online (OME)
  • Click Add condition and select The recipient… Is external/internal. Click Select one… and select Outside the organization and hit OK
Message encryption policy for Exchange Online (OME)
Message encryption policy for Exchange Online (OME)
  • Proceed with clicking Do the following… and select Modify the message security… and select Apply Office 365 Message Encryption
Message encryption policy for Exchange Online (OME)

Hit Save at the bottom of the New rule editor.

Now you can create a message with the sensitivity level set to Confidential and send this to a recipient outside our organization. Our transport rule will apply Office 365 Message Encryption to the message.

To summarize this post,  Office 365 Message Encryption (OME) is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail, Outlook.com, etc.).

Office 365 Message Encryption FAQ


Encryption 18

Receiving email

Encryption 19

Leave a Reply

Your email address will not be published. Required fields are marked *

Enter Captcha Here :