Skip to content

Encrypting Email Messages in Microsoft Office 365

Microsoft Office 365 Message Encryption


In this post, I will look at configuring message encryption in Office 365. What is message encryption?

Microsoft Office 365 Message Encryption is an extra add-on online service build on Microsoft Azure Right Management (Azure RMS), By enabling Azure RMS administrators can configure message encryption by configuring exchange online transport rules. The Rules can apply to multiple or only a few users i.e. CEO who needs to send encrypted emails across the internet.


The Following diagram showcase the flow of the encrypted email.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/5B7D3020-D5CF-BE46-AD2E-6F63EC26666A.png


To get started with the setup we need to make sure that we have the prerequisites completed. In order for us to make use of the service we need the following.


  • Microsoft Office 365 organization for Exchange Online or Exchange Online Protection subscription this will include Azure RMS subscription.


The next step would be to enable Azure RMS before we can continue, let’s have a look at how to enable Azure RMS.

Azure RMS has some prerequisites that we need to follow as well and they include the following.


  • Supported operating System: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
  • Minimum version of Windows PowerShell: 2.0
  • Microsoft .Net Framework: 4.5


Next, we can download the Azure RMS PowerShell Module Here: .

From the local folder double click the exe file (WindowsAzureADRightsManagementAdministration_x64) to start the Azure AD RMS Setup wizard.

Next open PowerShell and the following cmdlet to import the newly installed modules.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/64A37A70-7F24-7040-A5B5-6680364357FA.png

To see which cmdlet is available for the newly imported module type the following.

To get started we need to connect to Azure RMS, type the following cmdlet and enter the credentials of a Global Administrator.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/FF4929D5-3F1D-5F46-BBE5-74B838D9B334.png

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/E670CBAF-8C8D-3643-B54F-6AA3BABD6804.png

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/63F83044-B45A-1646-A408-0E88BC6BE1B3.png

Now that we have a successful connection establish with Azure RMS, we can go ahead and run the following Cmdlet to Enable Azure RMS.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/E3119D79-1FD6-6849-A842-439659F2AAE6.png /Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/1C0F3BF1-FD53-6E44-9086-DA5A67F67CBA.png

For the purpose of this lab I will not active Azure RMS across all user in my Office 365 organization, instead I will configure Azure RMS to only allow the users to protect content using Azure RMS if they meet the following. Note If you don’t want all users to be able to protect files immediately by using Azure Rights Management, you can configure user onboarding controls by using the Set-AadrmOnboardingControlPolicy PowerShell command. You can run this command before or after you activate the Azure Rights Management service.

  • Is part of an security group?
  • Has an Azure RMS license?

I have created a security group on premise and used Azure ADSync to Synced to my Office 365 tenant, the group is called Azure-RMS-User. To set the Azure RMS On Boarding Control Policy to only apply the above mentioned conditions, type the following cmdlets.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/C156BCA3-F748-7E4B-B2CC-46145818CD05.png /Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/003858B2-0CF1-7A40-AD9F-1BDF8254B8CE.png

PS. To get the Security group Object ID. Launch Azure AD navigate to groups, select the group and in the properties page of the group on top you will see the security Object ID.

Now that we have successfully specified a security group and on-boarding policy for our Azure RMS service, now we need to go ahead and connect to Exchange Online to continue with configuring encrypted email messages for exchange online.

To connect to exchange online you can use a quick connect script I have created available on TechNet.


The next step would be to configure the Rights Management Services (RMS) online key-sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location, as shown in this table:
/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/746B64E9-38D0-0343-86A2-81E1349D4C75.png

For this example, I will use Europe as my RMS Online key sharing location as that is where the 365 tenant is hosted, to configure type the following cmdlet.


/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/BF36992B-E8C9-3F46-9456-E13F28AB515C.png

Next, we need to import the Trusted Publishing Domain (TPD) from RMS Online using the following cmdlet.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/12A2E3DF-E1D3-5D4C-A33B-A5465AA1FAF6.png

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/22394CCD-7ED0-FC4B-8DB8-4A29C0503F19.png

Now lets go ahead and test the configuration if it passes all test by running the following cmdlet. Among other things, the command checks connectivity with the RMS Online service, downloads the TPD, and checks its validity.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/125CC6E4-89A8-5A4D-A36A-4815255D784E.png

If all tests are passed let continue to enable Office 365 email encryption by running the following cmdlet.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/25D800CB-A1E1-C148-8D9F-3AAE021095B0.png

To verify that you successfully imported the TPD and enabled IRM, use the Test-IRMConfiguration cmdlet to test IRM functionality.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/3AA23EA8-66CD-3749-8746-BEB9485BAA8D.png

To disable IRM templates in OWA and Outlook, type the following. However, I will not be disabling for this demonstration.

For the next part of the configuration we need to create a transport rule in exchange online for encrypted email messages. To get started we need to login to Office 365 Portal and navigate the Exchange Online.


In the exchange, online admin console select mail flow and then click on the + to create a new transport rule.

For the purpose of this demonstration I will create a transport rule to encrypt all external emails sent from the users in the security group which we have applied the Azure RMS template.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/5A87EB29-C33A-8D4F-97D1-5980C23CEF79.png

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/8EC17745-DE9E-0A40-BFC4-68E32B8A457D.png


Our final step would be to test if external emails will be encrypted when a mail is being sent from Office 365.

Simple from the user side they don’t have to make any changing or compose an email any differently, so I will just create a simple new email and sent to a Gmail address.


/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/C95B9AB2-DB8E-1140-84C0-9441655196DF.png


Let’s view the encrypted email in Gmail.


/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/23FB323A-AF2A-984B-97DC-D07ACB419899.png

As we can see the email is not in a normal easy readable format, the message in the body of the email also explains on the next steps on how to read the email.

This requires the user to download the email and then login with the email address which they have received the email on.

Once you open the downloaded email file, you will be redirected to an Office 365 encrypted message page to login. Because I have sent an encrypted email to a Gmail address I won’t be able to use the Microsoft sign-in options so I will have to request a One-time passcode.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/3A506C75-CFBE-AC47-93C1-993C90D266B7.png



Once you have selected the one-time passcode and email with a passcode will be sent to the email address on which you have received the encrypted email.

The email with the passcode looks as follows.

/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/3734DE53-1C03-D146-AB1C-BF6C20889571.png




/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/93B869E6-2CF0-F44A-9F4D-E16BB589EB4D.png



Once you have entered the one-time passcode for the encrypted email message, you will then be redirected to an OWA page where you can read the decrypted email message.


/Users/shaunhardneck/Library/Group Containers/UBF8T346G9.Office/msoclip1/01/AD8FA2E7-3073-D948-8331-AA8B6750749F.png


I know that was a mouth full to configure Office 365 Encrypted Email Messages, but once you have configured this for the first time it’s very less administrative efforts to maintain.



Sharing is caring!

Published inAzureExchange OnlineOffice 365PowerShellWindowsWindows Server 2012

One Comment

Leave a Reply

Your email address will not be published.