UPDATED ON 16 AUGUST 2016
One of the newest features available to Office 365 Enterprise subscribers with Exchange Online is message encryption. Message encryption allows the administrative staff to set up and allow users to send secured messages to anyone. In Office 365, message encryption is not enabled out of the box and must be set up and configured. However, the setup is relatively simple.
To use Office 365 Message Encryption (OME), a few prerequisite steps are required to get it working.
- Activate Rights Management
- Enable Message Encryption
- Create Transport Rule
ACTIVATE RIGHTS MANAGEMENT
First, we must activate rights management for our tenant. To do that, login to the portal as a global administrator. If you are using the old Office 365 Admin Center, you will select Service Settings > Rights Management > Manage.
If you are using the new O365 Admin Center, you will select Settings > Services & add-ins > Microsoft Azure Rights Management.
Then, click Activate once and click Activate again to confirm the choice.
The tenant should now show “Rights management is activated”.
ENABLE OFFICE 365 MESSAGE ENCRYPTION
Originally, I didn’t follow the step above, so when I attempted to create a transport rule for message encryption, I received the following error…
You can't create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled
In doing some research, I found this excellent post in the O365 forums that perfectly described my scenario and resolved the issue that was preventing me from proceeding.
NOTE: The steps above to Activate Rights Management are what resolved the “IRM licensing is disabled” issue.
Secondly, we now need to enable message encryption for our tenant. To do that, proceed with the following steps…
We need to Connect to Office 365 via the Azure AD PowerShell module in order to complete these steps.
Check the status of your existing information rights management (IRM) features by running this command…
The following command will configure the IRM key sharing location feature for the tenant…
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
NOTE: The command above is specific to North American subscribers. Use the link from the O365 forum post I cited for other regions, or refer to Step 2 noting the location URL in the TechNet article to Configure IRM to use Azure Rights Management. For convenience, the location URLs are below as well.
|LOCATION|RMS KEY SHARING LOCATION|
|---|---|
|Office 365 for Government (Government Community Cloud)|https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc|
This next command adds the associated templates and sets additionally required regional-based location URLs…
Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
Now, I’ll test the configuration to ensure it passes before proceeding…
Upon a successful test, I need to enable the license that will allow us to encrypt messages for the tenant…
Set-IRMConfiguration -InternalLicensingEnabled $true
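The PowerShell steps above, carried out in order with a check after each one. This is an added example, not a script from the original post; it assumes an Exchange Online remote PowerShell session (the 2016-era basic-auth endpoint), a North American tenant, and the placeholder values $adminUpn and $testSender.

```powershell
# Added example (not from the original post): enable OME for a tenant in one pass.
# $adminUpn and $testSender are placeholders to replace with real values.
$adminUpn   = 'admin@contoso.onmicrosoft.com'   # placeholder: global admin account
$testSender = 'user@contoso.com'                 # placeholder: licensed mailbox used by Test-IRMConfiguration

# Key sharing location for North American tenants (the URL from the post).
# Tenants in other regions must substitute their own regional URL here.
$keySharingLocation = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'

# Connect to Exchange Online remote PowerShell, which exposes the *-IRMConfiguration cmdlets.
$cred    = Get-Credential -UserName $adminUpn -Message 'Exchange Online administrator'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

try {
    # Step 1: record the starting state so the change is auditable.
    $before = Get-IRMConfiguration
    Write-Host "InternalLicensingEnabled before: $($before.InternalLicensingEnabled)"

    # Step 2: point the tenant at the regional RMS key sharing location.
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingLocation

    # Step 3: import the Azure RMS trusted publishing domain (templates and regional URLs).
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

    # Step 4: test before turning licensing on; stop if the overall result is not PASS.
    $testOutput = Test-IRMConfiguration -Sender $testSender | Out-String
    if ($testOutput -notmatch 'OVERALL RESULT: PASS') {
        throw "IRM configuration test did not pass:`n$testOutput"
    }

    # Step 5: enable licensing so transport rules may use the ApplyOME action.
    Set-IRMConfiguration -InternalLicensingEnabled $true

    # Show the settings the transport rule will depend on.
    Get-IRMConfiguration | Select-Object InternalLicensingEnabled, RMSOnlineKeySharingLocation
}
finally {
    Remove-PSSession $session
}
```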
CREATE TRANSPORT RULE
Now, I’ll proceed to set up the transport rule. Log on to the portal again as an O365 administrator and access the Exchange Admin Center.
From the menu choices on the left, select Mail Flow.
Under Rules, click the plus sign (+) to add a new policy using the “Apply rights protection to messages…” template.
In the rules editor…
- Name: Give the rule a name
- Apply this rule if…: Select “The recipient…” from the drop down, choose “is external/internal”, and finally choose to apply based on all messages sent to recipients “Outside the organization”.
- Do the following…: Select “Modify the message security…” > “Apply Office 365 Message Encryption” option
- Then, I set the rule mode to Enforce
- Click Save to save the transport rule
NOTE: If you receive an error (“You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled”) while saving the newly created transport rule, please be sure you completed the above tasks to activate and enable message encryption for your tenant.
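The same transport rule created from PowerShell instead of the Exchange Admin Center, with the IRM licensing check the error message above refers to done up front. This is an added example, not from the original post; it assumes an existing Exchange Online remote PowerShell session and uses a placeholder rule name.

```powershell
# Added example (not from the original post): create the OME transport rule from PowerShell.
# Assumes an Exchange Online remote PowerShell session is already imported.
$ruleName = 'Encrypt mail to external recipients'   # placeholder rule name

# Guard: the ApplyOME action is rejected while IRM licensing is disabled,
# which is exactly the error quoted in the post.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'IRM licensing is disabled; complete the Activate/Enable steps first.'
}

# Idempotent: only create the rule if one with this name does not already exist.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    # -SentToScope NotInOrganization  => "The recipient is ... Outside the organization"
    # -ApplyOME $true                 => "Apply Office 365 Message Encryption"
    # -Mode Enforce                   => rule is enforced rather than audited
    New-TransportRule -Name $ruleName `
        -SentToScope NotInOrganization `
        -ApplyOME $true `
        -Mode Enforce
}

# Verify what mail flow will actually do for outbound messages.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, Mode, SentToScope, ApplyOME
```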
SENDING AN ENCRYPTED MESSAGE
Sending an encrypted message isn’t any different from sending a normal message. Whether your users use OWA, Outlook, or an EAS client, the experience is no different. NOTE: The experience will vary depending on how the administrator configures the message rule(s) for your organization.
NOTE: It is possible that these configuration settings may take hours to be applied. In my scenario, it was only a matter of minutes before I was able to successfully send an encrypted message.
RECEIVING AN ENCRYPTED MESSAGE
Though the sender’s experience may not change for sending an encrypted message, the experience for the recipient is entirely different from what would normally be expected.
The recipient will receive the encrypted message from the sender with instructions and an attachment (message.html) on how to view the message. The body of the message provides instructions, and the attachment provides options to view the encrypted message in a browser or on a smart device.
Originally, there was one BIG caveat for recipients to be able to view an encrypted message from an Office 365 user. The recipient needed to have an Office 365 or Microsoft LiveID account to log in to the OME service to view the contents of the message. Any email address can be used for a Live account. In other words, you don’t need a Hotmail, Outlook or Live email address.
If you don’t have a Microsoft LiveID account that is associated with your corporate email address, you can sign up for one here. However, Microsoft understands that you may not want to create a Live account if you don’t have an Office 365 account, and has provided an alternate option that uses a one-time passcode.
Starting in October 2014, Microsoft has provided a simpler method for opening encrypted messages with one-time passcodes. Recipients of encrypted messages from Office 365 senders are no longer required to create a Microsoft LiveID account to view secured emails.
To use the one-time passcode option, download and open the attached “message.html” file from the received message. A browser will open to allow access to the message.
Next, click on the link “Use one-time passcode” and a one-time passcode will be sent via email. NOTE: The passcode expires after 15 minutes.
Check the inbox for a message with the associated reference code. This message will have a passcode to open the encrypted message.
Enter the passcode and click Continue to open the encrypted message that will then display in a browser window.
Good luck and have fun.
REFERENCES
- Cannot enable mail flow rules that apply Office 365 message encryption
- Office 365 Message Encryption (Microsoft)
- Office 365 Message Encryption (Neil Hobson)
- Configure IRM to use Azure Rights Management
- One-Time Passcode for Office 365 Message Encryption
- Use a one-time passcode to view an encrypted message
- Webcast: Office 365 Message Encryption (OME)
- Office 365 Message Encryption Viewer (via iTunes)
- Updated 16 August 2016: Included screenshot to enable ARM in new O365 Admin center
- Updated 8 April 2016: Added corresponding pictures and updated reference links