Enabling Encrypted Messaging in Office 365 Exchange

IMPORTANT PREREQUISITES:

  • Client must be an E3 or E5 subscriber OR have an Azure RMS subscription.

This Accomplishes

The process to setup and enable Office 365 Message Encryption is really easy. There are three main steps that need to be followed

  1. Activate Azure Rights Management
  2. Setup Azure Rights Management for Exchange Online
  3. Setup transport rules to enforce message encryption in Exchange Online

Step 1: Activate Azure Rights Management for Office 365 Message Encryption

  • Login to Office 365 with your Kirbside Credentials
  • Go to the partner portal and open the Admin portal for the reference customer
  • Under Service Settings choose Rights Management
  • Click Manage
  • On the management page, click Activate, and Activate again on the popup. The resulting page should display:

Step 2: Set up Azure Rights Management for Office 365 Message Encryption

The next steps are completed via connecting to Exchange Online with PowerShell

  • Open PowerShell with Elevated Privileges (Run as Admin)
  • If you haven’t already, set your Execution Policy as Remote Signed
 Set-ExecutionPolicy RemoteSigned 
  • When you set $cred, use a Global Admin on the customer’s tenant.
  • Finish connecting your PowerShell Session
$cred = Get-Credential 
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic --AllowRedirection 
Import-PSSession $Session 
  • Once you’re connected, verify the setup hasn’t already been completed
Get-IRMConfiguration
  • Configure RMS with the online key-sharing location for Exchange Online with PowerShell. For my example I am using North America, but the table below shows all the locations.
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Location RMS key sharing location:

  •  Import the Trusted Publishing Domain (TPD) from RMS Online
Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
  • Verify successful setup of IRM in Exchange Online (replace admin@domain.com with an active user of O365 for the customer)
Test-IRMConfiguration --sender admin@domain.com
  • Disable IRM templates in OWA and Outlook
Set-IRMConfiguration -ClientAccessServerEnabled $false
  • Enable IRM for Office 365 Message Encryption
Set-IRMConfiguration -InternalLicensingEnabled $true
  • View/verify the IRM Configuration
Get-IRMConfiguration

Step 3: Create Transport Rules to Encrypt Messages

The customer should specify what criteria the would like for encryption. Typically, a keyword in the subject line is used such as “encrypt.”

  • Open the Office 365 Admin Portal (https://portal.microsoftonline.com)
  • Open Exchange Admin Center
  • Click Mail Flow
  • Create a new rule
  • The example rule below will encrypt messages that have the word “Encrypt” in the subject. Other conditions may be needed based on customer specification. Be sure that the action is to encrypt with Office 365 Message Encryption. Unless the customer has specified otherwise, the recipient outside organization filter (highlighted in green) should be applied.
  • If needed, multiple transport rules can be created to satisfy multiple conditions that may have been specified by the customer
  • The transport rule should be tested by a customer contact before the ticket is completed

Attachment: Recipient Instructions Template