Apply Office 365 Message Encryption

UPDATED ON 16 AUGUST 2016

One of the newer features available to Office 365 Enterprise subscribers with Exchange Online is message encryption. Message encryption allows administrators to set up the service and lets users send secured messages to anyone. In Office 365, message encryption must be set up and configured, as it is not enabled out of the box. However, the setup is relatively simple.

To use Office 365 Message Encryption (OME), we must take a few prerequisite steps to get it working:

  1. Activate Rights Management
  2. Enable Message Encryption
  3. Create Transport Rule


ACTIVATE RIGHTS MANAGEMENT

First, we must activate rights management for our tenant. To do that, log in to the portal as a global administrator. If you are using the old Office 365 Admin Center, select Service Settings > Rights Management > Manage.

O365 OME 1

If you are using the new Office 365 Admin Center, select Settings > Services & add-ins > Microsoft Azure Rights Management.

O365 ARM 1

Then, click Activate, and click Activate again to confirm the choice.

O365 OME 2

O365 OME 3


The tenant should now show “Rights management is activated”.

O365 OME 4


ENABLE OFFICE 365 MESSAGE ENCRYPTION

Originally, I didn’t follow the step above, so when I attempted to create a transport rule for message encryption, I received the following error…

You can't create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled


In doing some research, I found this excellent post in the O365 forums that perfectly described my scenario and resolved the issue that was preventing me from proceeding.

NOTE: The steps above to Activate Rights Management are what resolved the “IRM licensing is disabled” issue.

Second, we now need to enable message encryption for our tenant. To do that, proceed with the following steps…

We need to connect to Office 365 via the Azure AD PowerShell module in order to complete these steps.

Check the status of your existing Information Rights Management (IRM) configuration by running this command…

Get-IRMConfiguration

O365 OME 5

The following command configures the IRM key sharing location for the tenant…

Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

O365 OME 6

NOTE: The command above is specific to North American subscribers. Use the link from the O365 forum post cited above for other regions, or refer to Step 2 of the TechNet article Configure IRM to use Azure Rights Management, which lists the location URL for each region. For convenience, the location URLs are listed below as well.

LOCATION                                                  RMS KEY SHARING LOCATION
North America                                             https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
European Union                                            https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
Asia                                                      https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
South America                                             https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
Office 365 for Government (Government Community Cloud)    https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

This next command imports the Azure RMS trusted publishing domain, which adds the associated templates and sets the additional region-based location URLs…

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

O365 OME 7


Now, I’ll test the configuration to ensure it passes before proceeding…

Test-IRMConfiguration -RMSOnline

O365 OME 8

Upon a successful test, I need to enable the license that will allow us to encrypt messages for the tenant…

Set-IRMConfiguration -InternalLicensingEnabled $true

O365 OME 9
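The PowerShell steps of this section collected into one script, as an added example that is not part of the original post. It uses an Exchange Online remote PowerShell session (the IRM cmdlets are Exchange Online cmdlets) rather than the Azure AD module, records the configuration before and after, and refuses to enable licensing if Test-IRMConfiguration does not pass; the $Region value and the connection URI are assumptions for a North America tenant.

```powershell
# Added example (not the post's own code). Assumes an Exchange Online remote
# PowerShell session and a North America tenant; set $Region to na, eu, ap,
# sa or govus to match the key sharing location table above.
$Region = 'na'
$KeySharingLocation = "https://sp-rms.$Region.aadrm.com/TenantManagement/ServicePartner.svc"

# Connect to Exchange Online (remote PowerShell, the method in use at the time of the post).
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# 1. Record the current IRM state so the change can be reviewed afterwards.
$before = Get-IRMConfiguration
$before | Format-List InternalLicensingEnabled, RMSOnlineKeySharingLocation

# 2. Point the tenant at the regional RMS key sharing location (only if it differs).
if ([string]$before.RMSOnlineKeySharingLocation -ne $KeySharingLocation) {
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocation
}

# 3. Import the Azure RMS trusted publishing domain (templates and regional URLs).
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

# 4. Test the configuration and stop here unless the overall result is PASS.
$test = Test-IRMConfiguration -RMSOnline
$test
if (($test | Out-String) -notmatch 'OVERALL RESULT: PASS') {
    throw 'IRM configuration test did not pass; fix the reported errors before enabling licensing.'
}

# 5. Enable internal licensing so transport rules may use the ApplyOME action,
#    then show the resulting state for the change record.
Set-IRMConfiguration -InternalLicensingEnabled $true
Get-IRMConfiguration | Format-List InternalLicensingEnabled, RMSOnlineKeySharingLocation

Remove-PSSession $session
```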


CREATE TRANSPORT RULE

Now, I’ll proceed to set up the transport rule. Log on to the portal again as an O365 administrator and access the Exchange Admin Center.

From the menu choices on the left, select Mail Flow.

Under Rules, click the plus sign (+) to add a new rule using the “Apply rights protection to messages…” template.

O365 OME 10

In the rules editor…

  • Name: Give the rule a name
  • Apply this rule if…: Select “The recipient…” from the drop-down, choose “is external/internal”, and finally choose to apply the rule to all messages sent to recipients “Outside the organization”.

O365 OME 11

  • Do the following…: Select “Modify the message security…” > “Apply Office 365 Message Encryption”

O365 OME 12

  • Then, I set the rule mode to Enforce
  • Click Save to save the transport rule

O365 OME 13

NOTE: If you receive an error (“You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled”) while saving the newly created transport rule, please be sure you completed the above tasks to activate and enable message encryption for your tenant.
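The same transport rule created from PowerShell instead of the Exchange Admin Center, as an added example that is not part of the original post. It first checks the IRM licensing state that causes the ApplyOME error above, creates the rule only if it does not already exist, and then reads the rule back so the condition, action and mode can be verified; the rule name is a placeholder and an Exchange Online remote PowerShell session is assumed.

```powershell
# Added example (not the post's own code). Assumes an Exchange Online remote
# PowerShell session; $RuleName is a placeholder.
$RuleName = 'OME - Encrypt mail to external recipients'

$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# Guard: the ApplyOME action fails with "IRM licensing is disabled" unless
# InternalLicensingEnabled is $true (see the Enable Office 365 Message Encryption section).
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is $false; complete the IRM activation steps first.'
}

# Condition "The recipient is external/internal: Outside the organization",
# action "Apply Office 365 Message Encryption", rule mode Enforce.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SentToScope NotInOrganization `
        -ApplyOME $true `
        -Mode Enforce `
        -Comments 'Encrypt all messages sent outside the organization with OME'
}

# Verify: State should be Enabled, Mode Enforce, SentToScope NotInOrganization, ApplyOME True.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, Priority, SentToScope, ApplyOME

Remove-PSSession $session
```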

SENDING AN ENCRYPTED MESSAGE

Sending an encrypted message isn’t any different from sending a normal message. Whether your users use OWA, Outlook, or an EAS client, the experience is the same. NOTE: The experience will vary depending on how the administrator configures the message rule(s) for your organization.

O365 OME 14

NOTE: It is possible that these configuration settings may take hours to be applied. In my scenario, it was only a matter of minutes before I was able to successfully send an encrypted message.


RECEIVING AN ENCRYPTED MESSAGE

Though the sender’s experience may not change for sending an encrypted message, the experience for the recipient is entirely different from what would normally be expected.

The recipient will receive the encrypted message from the sender with instructions and an attachment (message.html) on how to view the message. The body of the message provides instructions, and the attachment provides options to view the encrypted message in a browser or on a smart device.

O365 OME 15

O365 OME 16

O365 OME 17

Originally, there was one BIG caveat for recipients to be able to view an encrypted message from an Office 365 user. The recipient needed an Office 365 or Microsoft LiveID account to log in to the OME service and view the contents of the message. Any email address can be used for a Live account; in other words, you don’t need a Hotmail, Outlook or Live email address.

If you don’t have a Microsoft LiveID account associated with your corporate email address, you can sign up for one here. However, Microsoft understands that you may not want to create a Live account if you don’t have an Office 365 account, and has provided an alternate option that uses a one-time passcode.

ONE-TIME PASSCODES

Starting in October 2014, Microsoft has provided a simpler method of opening encrypted messages: one-time passcodes. Recipients of encrypted messages from Office 365 senders are no longer required to create a Microsoft LiveID account to view secured emails.

To use the one-time passcode option, download and open the attached “message.html” file from the received message. A browser will open to allow access to the message.

Next, click the link “Use one-time passcode” and a one-time passcode will be sent via email. NOTE: The passcode expires after 15 minutes.

O365 OME 18

Check the inbox for a message with the associated reference code. This message contains the passcode to open the encrypted message.

O365 OME 19

Enter the passcode and click Continue; the encrypted message will then open in a browser window.

O365 OME 20


Good luck and have fun.


ARTICLE UPDATES
  • Updated 16 August 2016: Included screenshot to enable ARM in new O365 Admin center
  • Updated 8 April 2016: Added corresponding pictures and updated reference links

2 thoughts on “Apply Office 365 Message Encryption”

  1. Hello… Great article, but the link you referenced for the error:

    You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled

    appears to be dead? I really really need to know what the fix is for that error. Can you possibly refresh the link?

    Thanks!

    • Glad you like it. Thank you.

      I updated by placing a note of clarification that activating rights management resolved the error. The link is dead and not really relevant because it does imply the tasks above resolve it. However, I will try to find a good link and replace it.

      Thank you for letting me know.
