Enable Office 365 Message Encryption

EDIT: This content has been depreciated. A post on OMEv2 is coming soon.

In today’s world, the need for secure information is greater than ever before. Email communications are no exception and should definitely be included in your security considerations. Whether this need is because of a corporate policy, or because you feel you should protect the messages that you send, Office 365 gives us a solution for email encryption. The solution that is provided by Microsoft is a customizable solution that removes the dependence on 3rd party tools/services to accomplish this.

Office 365 Message encryption is dependent on Information Rights Management (IRM). In order to utilize the message encryption functionality, you need to be sure that you have a subscription that includes Azure Rights Management. The E3 and E5 licenses have this functionality by default, but you can purchase Azure Rights Management licenses as an addon for your tenant.

In order to begin encrypting messages from Office 365, You must have Azure Active Directory Rights Management (AADRM) activated on your tenant. To activate AADRM open the Office 365 admin center and go to Settings. Select Services & Add-Ins, then Microsoft Azure Information Protection and select Manage Microsoft Azure Information Protection settings. You will then have the option to activate Rights Management or it will already be activated.

Now that we have verified AADRM is enabled for the tenant, we need to enable IRM for EOL. To do this, we need to connect up to the tenant using remote PowerShell and start a session to Exchange Online.

Now we’ll need to configure the service to use the correct online key sharing location. Microsoft has split out the key sharing to several different location. I will be using the North America location.

The command to set the key sharing location is:
[PS] C:\> Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
Now we’ll need to import the Trusted Publishing Domain from RMS Online:
[PS] C:\> Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
We can test the configuration to ensure this worked:
[PS] C:\> Test-IRMConfiguration -RMSOnline
Finally, we need to enable IRM in Exchange Online:
[PS] C:\> Set-IRMConfiguration -InternalLicensingEnabled $true
We can test to ensure IRM has been enabled by running the following command:
[PS] C:\> Test-IRMConfiguration -Sender sender@domain.com

Where the Sender is an account in your tenant. A successful test should looks like the following.

Now that we have IRM configured in our tenant, we can create transport and DLP rules to utilize message encryption.