office 365 message encryption

Office 365 Message Encryption – Email encryption for the masses

With Office 365 Message Encryption Microsoft released a feature that greatly simplifies the exchange of secure emails. Before if you wanted to securely communicate with a business partner he would have to share his public key for you in order to encrypt the message, which was a complicated and often cumbersome process.

Office 365 now allows for sending encrypted emails to business partners without any prior setup or key exchange. This is achieved by a central encryption key within Office 365, which can either be uploaded by your company or simply managed by Office 365. If your recipient uses Office 365 as well the experience is seamless, they'll received the message, see that's encrypted and be able to open and read the message just like a regular email. If they use a third-party email provider they'll receive a limited time web view link that will let them read the message, there is no software to install or additional configuration necessary.

Starting in February 2018, Office 365 automatically enables the new OME capabilities for eligible organisations. Your organisation is eligible if you have an Office 365 Enterprise E3 or Enterprise E5 subscription. You need to have Azure Information Protection enabled, then Microsoft automatically enables Office 365 Message Encryption for you.

If your office 365 tenant has been set up before February 2018 you have to manually enable the new office 365 message encryption capabilities. Unfortunately the only way right now is to use the following power shell commands, as there is no option while web GUI:

#Install the AADRM module from the PowerShell Gallery
Install-Module -Name AADRM

#Connect to the Azure Rights Management service. 
$cred = Get-Credential
Get-Command -Module aadrm
Connect-AadrmService -Credential $cred
#Activate the service.
#Get the configuration information needed for message encryption.
$rmsConfig = Get-AadrmConfiguration
$licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
#Disconnect from the service.
#Create a remote PowerShell session and connect to Exchange Online.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session
#Collect IRM configuration for Office 365.
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
if (!$list) { $list = @() }
if (!$list.Contains($licenseUri)) { $list += $licenseUri }
#Enable message encryption for Office 365.
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true
#Enable the Protect button in Outlook on the web (Optional).
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
#Enable server decryption for Outlook on the web, Outlook for iOS, and Outlook for Android.
Set-IRMConfiguration -ClientAccessServerEnabled $true

To verify that the new capabilities for Outlook message encryption are set up properly please run the following command:

Test-IRMConfiguration -Sender

After successful setup it can take up to one day until the feature becomes fully active and is visible to all users in your organisation, depending if they are using the Outlook desktop client or the online version.

Overall this feature greatly simplifies the encrypted communication with your business partner, as they not only can receive but also respond to your encrypted messages. We would recommend everyone who is currently using an office 365 Enterprise E3 or E5 subscription to activate this feature, and if you frequently exchange sensitive information it's now well worth considering upgrading. We are more than happy to help with any of your questions, simply get in touch with us.

Share this Post


We love to help, get in touch with us