
Set up Office 365 message encryption

OME is a handy feature for Office 365 users who want to protect any information they send outside their organizations.

Office 365 message encryption is a service that lets you send encrypted messages to anyone outside your tenant.

Recipients can be anyone with a valid email address, regardless of the backend email system or domain in use. The encrypted message is wrapped in an HTML attachment and sent to the recipient. Recipients can access this message on any device -- as long as a supporting browser can open the HTML attachment. This type of encryption becomes extremely useful for attorneys sending information to clients, doctors sending medical records to patients or banks sending transaction records to customers. But Office Message Encryption (OME) is useful for any Office 365 organization.

Office 365 E3 and E4 subscriptions include OME at no extra cost because Azure Rights Management is included in these plans. If you have another plan, you can buy the standalone Azure Rights Management service to have OME for your subscription. This feature works with Office 365 mailboxes as well as on-premises mailboxes using Exchange Online Protection. Organizations with hybrid deployments can also use OME for on-premises mailboxes as long as they route outbound emails through the cloud (Exchange Online Protection).

OME can encrypt an email message up to 25 MB. This is the maximum message size Office 365 supports for all emails, encrypted or not.

Activate Rights Management

You must activate and configure the Rights Management Services (RMS) in your Office 365 subscription before you can use OME. It's a one-off setup in PowerShell.

To activate RMS for your tenant, log in to your Office 365 portal, navigate to Service Settings > Rights Management and click "Manage." Click Activate on the next page (Figure 1).

Click "Activate" again in the confirmation window that pops up. A message will appear stating that RMS is activated for the tenant (Figure 2).

Open an elevated PowerShell window and connect to Exchange Online. Run $Cred = Get-Credential in the shell, then type in the Office 365 global administrator's username and password when prompted. The credential is saved in the $Cred variable. Next, create the remote session:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Authentication Basic -AllowRedirection -Credential $Cred

Import this session by running Import-PSSession $Session, which should connect you to Exchange Online.

Run the following commands to configure RMS.

  1. Configure the RMS online key sharing location. Run the command based on your region:

Set-IRMConfiguration -RMSOnlineKeySharingLocation "" (for Europe)

Set-IRMConfiguration -RMSOnlineKeySharingLocation "" (for North America)

Set-IRMConfiguration -RMSOnlineKeySharingLocation "" (for South America)

Set-IRMConfiguration -RMSOnlineKeySharingLocation "" (for Asia)

  2. Once the RMS online key sharing location is set, import the trusted publishing domain:

Import-RMSTrustedPublishingDomain -RMSOnline -Name "Azure RMS Online"

  3. Enable internal IRM licensing:

Set-IRMConfiguration -InternalLicensingEnabled $True
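Before removing the session, it is worth confirming that each of the three steps took effect. The following is an added example, not part of the original article; the function name Test-OmePrerequisite and the sender address are assumptions, and it must run in the imported Exchange Online session.

```powershell
# Added example: confirm each RMS configuration step before relying on OME.
function Test-OmePrerequisite {
    [CmdletBinding()]
    param(
        # Assumption: a mailbox in your tenant to use for the end-to-end IRM self-test
        [string] $Sender
    )

    $irm = Get-IRMConfiguration
    $tpd = @(Get-RMSTrustedPublishingDomain)

    # One entry per step of the procedure above
    $checks = [ordered]@{
        'Key sharing location set'           = [bool] $irm.RMSOnlineKeySharingLocation
        'Trusted publishing domain imported' = $tpd.Count -gt 0
        'Internal licensing enabled'         = [bool] $irm.InternalLicensingEnabled
    }

    foreach ($step in $checks.Keys) {
        [pscustomobject]@{ Step = $step; Passed = $checks[$step] }
    }

    # Only run the self-test when the configuration itself looks complete
    if ($Sender -and (@($checks.Values) -notcontains $false)) {
        Test-IRMConfiguration -Sender $Sender
    }
}

Test-OmePrerequisite -Sender 'admin@contoso.example'   # placeholder address
```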

The prerequisites for configuring OME are now complete; you can remove the session by running Remove-PSSession $session.

How transport rules fit in

Setting up OME is simple for anyone familiar with Exchange because transport rules encrypt email as it passes through the transport pipeline. Using transport rules for message encryption provides greater flexibility, and they can be configured using the Office 365 portal Exchange Administration Center or PowerShell.

As an administrator, you can be creative with enforcing OME, depending upon the business requirements. For example, you can enforce it only for a subset of end users or apply it when specific criteria are met.

Configuring the OME transport rule is easy. Log in to the Office 365 portal and navigate to the Exchange Admin Center > Mail flow > Rules (Figure 3).

Create a transport rule by selecting the "+" symbol, set the specific criteria for the rule and select Apply Office 365 Message Encryption. The outbound message is encrypted before being delivered to the recipient's mail server to prevent any type of tampering.

As an example, I created a transport rule to encrypt any outbound message when any staff member has the word "encrypt" in the subject. Any message sent outside my organization will be scanned for this word, and the messages that match the criteria will be encrypted (Figure 4). Pretty simple, huh?

From an admin's perspective, all you need to do is set up the transport rules based on your requirements and educate end users on how to initiate message encryption (such as specifying the word "encrypt" in the subject). You can also choose to encrypt all outbound emails to a specific domain or set of domains, including your partners and government firms; no user training is necessary in this case.
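The PowerShell route mentioned above, as an added example that is not from the original article: it creates the subject-keyword rule and a domain-based rule with New-TransportRule. The function name New-OmeRule, the rule names and the partner.example domain are assumptions; run it in the imported Exchange Online session.

```powershell
# Added example: create the OME transport rules from PowerShell instead of the portal.
function New-OmeRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]    $Name,       # rule name (made up here)
        [Parameter(Mandatory)] [hashtable] $Condition,  # New-TransportRule condition parameters
        # Audit logs matches without applying the action; Enforce encrypts
        [ValidateSet('Audit', 'AuditAndNotify', 'Enforce')] [string] $Mode = 'Enforce'
    )

    # OME relies on the IRM setup from the previous section
    if (-not (Get-IRMConfiguration).InternalLicensingEnabled) {
        throw 'Internal IRM licensing is not enabled; finish the RMS setup first.'
    }

    # Do not create a duplicate if the rule is already there
    if (Get-TransportRule | Where-Object { $_.Name -eq $Name }) {
        Write-Warning "Transport rule '$Name' already exists; leaving it unchanged."
        return
    }

    New-TransportRule -Name $Name -FromScope InOrganization -ApplyOME $true -Mode $Mode @Condition
}

# The rule from the article: "encrypt" in the subject of a message leaving the organization
New-OmeRule -Name 'OME - subject keyword' -Condition @{
    SentToScope          = 'NotInOrganization'
    SubjectContainsWords = 'encrypt'
}

# Domain-based variant that needs no user action (placeholder domain)
New-OmeRule -Name 'OME - partner domains' -Condition @{
    RecipientDomainIs = 'partner.example'
}

# Review every rule that applies OME, with its state and mode
Get-TransportRule | Where-Object { $_.ApplyOME } | Format-Table Name, State, Mode, Priority
```

Passing -Mode Audit when creating a rule lets you see which messages would match before any mail is actually encrypted.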

Customize and brand encrypted messages

When the end user receives the encrypted message, he's asked to save the HTML attachment and open it in a browser (Figure 5). As an administrator, you can customize options in the encrypted message delivered to the end user and the portal that reads the email.

A branded encrypted message gives the recipient more confidence that you're actually the sender and that the message can be safely opened. Header text, a disclaimer, portal text and a company logo can be set to have a branded email, but they must be set in PowerShell.

Connect to Exchange Online using the commands we previously used to make any changes. Get the default configuration by running Get-OMEConfiguration. The values for the editable options are blank, which means that the default Office 365 setting is applied (Figure 6).

Run the following commands in PowerShell to change the settings:

Set-OMEConfiguration -Identity default -EmailText "Encrypted message from TheUCGuy.Net secure system"

Set-OMEConfiguration -Identity default -PortalText "TheUCGuy.Net Email Portal"

Set-OMEConfiguration -Identity default -DisclaimerText "This email message and its attachments are for the sole use of the intended recipient or recipients and may contain confidential information. TheUCGuy.Net is not responsible for any viruses/malware in the email."

Set-OMEConfiguration -Identity default -Image (Get-Content "c:\Company Logo.jpg" -Encoding byte)

Once Office 365 replicates the configuration around its data centers, all encrypted emails will have these new settings (Figure 7). If end users reply to an encrypted message they receive, the reply is also encrypted by default.
