Enabling Encrypted Messaging in Office 365 Exchange

IMPORTANT PREREQUISITES:

• Client must be an E3 or E5 subscriber OR have an Azure RMS subscription.

The process to setup and enable Office 365 Message Encryption is really easy. There are three main steps that need to be followed

1. Activate Azure Rights Management
2. Setup Azure Rights Management for Exchange Online
3. Setup transport rules to enforce message encryption in Exchange Online

• Login to Office 365 with your Partner Credentials
• Go to the partner portal and open the Admin portal for the reference customer
• Under Service Settings choose Rights Management
  • 
• Click Manage
  • 
• On the management page, click Activate, and Activate again on the popup. The resulting page should display:
  • 

The next steps are completed via connecting to Exchange Online with PowerShell

• Open PowerShell with Elevated Privileges (Run as Admin)
• If you haven’t already, set your Execution Policy as Remote Signed

 Set-ExecutionPolicy RemoteSigned 

• When you set $cred, use a Global Admin on the customer’s tenant.
• Finish connecting your PowerShell Session

$cred = Get-Credential 

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic --AllowRedirection 

Import-PSSession $Session 

• Once you’re connected, verify the setup hasn’t already been completed

Get-IRMConfiguration

• 
• Configure RMS with the online key-sharing location for Exchange Online with PowerShell. For my example I am using North America, but the table below shows all the locations.

Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Location RMS key sharing location:

• North America https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
• European Union https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
• Asia https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
• South America https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
• Office 365 for Government (Government Community Cloud) https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc1

•  Import the Trusted Publishing Domain (TPD) from RMS Online

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

• Verify successful setup of IRM in Exchange Online (replace admin@domain.com with an active user of O365 for the customer)

Test-IRMConfiguration -sender admin@domain.com

• Disable IRM templates in OWA and Outlook

Set-IRMConfiguration -ClientAccessServerEnabled $false

• Enable IRM for Office 365 Message Encryption

Set-IRMConfiguration -InternalLicensingEnabled $true

• View/verify the IRM Configuration

Get-IRMConfiguration

The customer should specify what criteria the would like for encryption. Typically, a keyword in the subject line is used such as “encrypt.”

• Open the Office 365 Admin Portal (https://portal.microsoftonline.com)
• Open Exchange Admin Center
• Click Mail Flow
• Create a new rule
• The example rule below will encrypt messages that have the word “Encrypt” in the subject. Other conditions may be needed based on customer specification. Be sure that the action is to encrypt with Office 365 Message Encryption. Unless the customer has specified otherwise, the recipient outside organization filter (highlighted in green) should be applied.
  • 
• If needed, multiple transport rules can be created to satisfy multiple conditions that may have been specified by the customer
• The transport rule should be tested by a customer contact before the ticket is completed

Attachment: Recipient Instructions Template