Microsoft has recently included email encryption in all Enterprise Office 365 tenants. Since then, I have had several customers ask me how to send encrypted email. The process is somewhat less clear than that I would expect, so here is a quick guide on how to setup and configure email encryption in Exchange Online.
The way to setup Office 365 Message Encryption for your users is via a transport rule. A transport rule, as you might expect, is a rule that is applied to a message while that message is in the transport sub-system. Since all email has to go through transport to get anywhere, a transport rule is the best way to ensure that all messages are processed in the same way.
To create a transport rule, go into your Office 365 admin portal and select Admin > Exchange. Once in the EAC, on the left select mail flow then at the top select rules. For a new rule, select the + and then choose Apply rights protection to messages… This will launch the new rule wizard. In the Name: field, give the new rule a name. In the *Apply this rule if… field, select the conditions that will cause this rule to fire. For an encryption rule, I suggest adding the condition The subject includes… and then adding a key word like “Secure”. This will cause this rule to fire for any messages that include the word “Secure” in the subject line, making it easy for your users to encrypt a message.
In the *Do the following… field, choose Modify the message security… and then Apply Office 365 Message Encryption. Ensure you select the check box to enforce the rule, and review the other settings available for this transport rule. Once done, select save and, unless you have previously setup IRM, you will get an error that says “You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled.”
That’s right, before you can use Office 365 Message Encryption you have to setup and configure Information Rights Management for your Office 365 tenant. IRM is also included in all Enterprise tenants, but it does require a bit of configuration.
To configure IRM, go back to Admin > Office 365 on your tenant portal. On the left select service settings then on the top select rights management. In the middle pane select manage, and you will be redirected to a new page with the option to active rights management.
After you have activated rights management in the portal, the rest of the configuration for IRM needs to be done from PowerShell. To do the next series of configurations, you’ll need to install Windows Azure Active Directory Module for Windows PowerShell. Launch WAAD module for PS, and run the following commands to connect to your tenant
$cred = Get-Credential
Connect-MsolService -Credential $cred
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirectionImport-PSSession $Session
Once connected to WAAD, there are a couple of PowerShell commands that need to be entered to finish your IRM configuration. First you need to designate your IRM online key sharing location. To do this, run one of the following commands based on the location of your Office 365 tenant.
North America: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
European Union: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
The Asia-Pacific Area: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
After your key sharing location is set, the next step is to import the Trusted Publishing Domain (TPD). Run the following command
Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”
The final step is to activate the internal IRM licensing. Run the following command
Set-IRMConfiguration -InternalLicensingEnabled $True
At this point, you’re ready to go back and setup you transport rule as I covered above. I know I put together this instructions backwards, but this is the order most people will come into this configuration so I figured I’d go with it.