January 15, 2014

Enabling Office 365 Message Encryption

Back in November 2013, Microsoft announced Office 365 Message Encryption (OME) as a way to protect the contents of outbound messages to people in other organizations. This welcome update brings its predecessor, Exchange Hosted Encryption (EHE), under the Office 365 branding and management. EHE users had to work through more cumbersome configuration steps and had to purchase it through open volume licensing, whereas OME is included with Azure Active Directory Rights Management (AADRM) in the E3 and E4 plans, or can be purchased as an add-on to other enterprise SKUs under normal subscription licensing.


Unfortunately, the scheduled release date is a broad "Q1 2014" and there are still some small missing details, like "How do I friggin' enable this stuff?". Search results for OME are flooded with news articles announcing the service and irrelevant posts about EHE, and the only TechNet articles are for EHE customers who are currently being migrated to OME. However, it is possible to enable the service if you already have access to AADRM and are prepared to do a little PowerShell work.

Enable Rights Management in the Portal

The very first thing we need to do is activate your Azure Rights Management functionality.
  1. Log in to https://portal.microsoftonline.com (you'll need to be a Global Admin, obviously).
  2. Go to service settings on the left-hand menu
  3. Click on rights management on the top menu
  4. Click the manage link (Direct Link)
  5. Click the big activate button (it's hard to miss).
Wait a minute or two and it should show a green check mark reading "Rights management is activated".

Activate Internal Licensing for Information Rights Management (IRM)

If you are like me, you probably thought that previous step would be sufficient. Maybe it will be eventually, but as of January 13th it takes a bit more than that to get going. We need to whip out PowerShell and do a little tinkering with IRM first. If you haven't used PowerShell to manage Office 365 before, you'll first want to download the Sign In Assistant and then head over to get the latest Azure AD Module for PowerShell x64 (the 32-bit version is available here). The AADRM cmdlets ship separately in the Azure Rights Management Administration Tool, so grab that as well. Then fire up PowerShell as an administrator and run the following commands (you'll be prompted for your Global Admin credentials):
Import-Module AADRM
Connect-AadrmService
Next, check that AADRM was enabled properly by running Get-AadrmConfiguration and confirming that FunctionalState shows Enabled. Assuming that looks good, connect to Exchange Online with a remote session (the MSOnline module isn't needed for the session itself, but it doesn't hurt to load it while you're here):
Import-Module MSOnline
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session
Doing great! Now let's enable customization of our org (a one-time operation per tenant), set the RMS key sharing location, import the RMS trusted publishing domain, and turn on internal licensing. We are going to use the North America URL in the next step, but here are the other regions if you need them; pick the one that matches where your tenant lives:

  • North America - https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
  • EMEA - https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
  • Asia Pacific - https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
Enable-OrganizationCustomization  
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc" 
Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online" 
Set-IRMConfiguration -InternalLicensingEnabled $true

Now run Get-IRMConfiguration and check the output. You should see InternalLicensingEnabled set to True and RMSOnlineKeySharingLocation set to the URL you chose above, and Get-RMSTrustedPublishingDomain should list the "RMS Online" domain you just imported.

You can test your IRM configuration with the following command now (replacing test@tenant.onmicrosoft.com with your own admin account):

Test-IRMConfiguration -sender test@tenant.onmicrosoft.com

Assuming you get back an "OVERALL RESULT" of "PASS" from that command, you are good to move on to the next step. Note, however, that it may take 12-24 hours for the licensing to start working in the Exchange admin center.
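To avoid eyeballing four separate outputs, here is a consolidated readiness check that wraps the steps above. This is an added example, not code from the original post; it assumes you are in the same PowerShell session where you ran Connect-AadrmService and Import-PSSession, and that the North America key sharing URL is the one you set (pass -KeySharingUrl to override). The function name Test-OmeReadiness is my own.

```powershell
# Added example: verify every IRM/AADRM prerequisite for OME in one pass.
# Assumes an active AADRM connection and an imported Exchange Online session.
function Test-OmeReadiness {
    param(
        [Parameter(Mandatory = $true)][string]$Sender,
        [string]$KeySharingUrl = "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc",
        [string]$TpdName = "RMS Online"
    )

    $problems = @()

    # 1. Azure RMS must be activated for the tenant (the portal step).
    $rms = Get-AadrmConfiguration
    if ($rms.FunctionalState -ne 'Enabled') {
        $problems += "AADRM FunctionalState is '$($rms.FunctionalState)', expected 'Enabled'"
    }

    # 2. Exchange Online IRM must point at the right region and have internal licensing on.
    $irm = Get-IRMConfiguration
    if (-not $irm.InternalLicensingEnabled) {
        $problems += "InternalLicensingEnabled is False; run Set-IRMConfiguration -InternalLicensingEnabled `$true"
    }
    if ([string]$irm.RMSOnlineKeySharingLocation -ne $KeySharingUrl) {
        $problems += "RMSOnlineKeySharingLocation is '$($irm.RMSOnlineKeySharingLocation)', expected '$KeySharingUrl'"
    }

    # 3. The RMS Online trusted publishing domain must have been imported.
    $tpd = Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq $TpdName }
    if (-not $tpd) {
        $problems += "No trusted publishing domain named '$TpdName'; run Import-RMSTrustedPublishingDomain -RMSOnline -Name '$TpdName'"
    }

    # 4. End-to-end check as a real sender. The Results text ends with
    #    "OVERALL RESULT: PASS" (or FAIL) and lists which sub-step broke.
    $test = Test-IRMConfiguration -Sender $Sender
    if ($test.Results -notmatch 'OVERALL RESULT:\s*PASS') {
        $problems += "Test-IRMConfiguration did not report PASS:`n$($test.Results)"
    }

    if ($problems.Count -eq 0) {
        Write-Host "IRM is ready for OME rules." -ForegroundColor Green
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage (replace with your own admin account):
# Test-OmeReadiness -Sender admin@tenant.onmicrosoft.com
```

The function returns $true only when all four checks pass, so it can gate a larger provisioning script; the warnings tell you which of the commands above to re-run.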

Add OME Rules in the Exchange Admin Center (EAC)

NOW we are ready to create some encryption rules! This can be done in PowerShell, but it is much easier from EAC. OME works based on rulesets that an admin creates and you can specify what criteria you want to use for messages. Or you can simply encrypt everything leaving the organization. Make sure you take a look at Microsoft's TechNet article on the user experience before you do this though - you could very well wind up with users at your door with pitchforks otherwise.

We typically configure the rule to only fire when sending external mail where the word "secure" is in the subject line, so that's how I'll demonstrate this step. You may prefer a different trigger, and there's lots to choose from. 
  1. Log back in to the Office 365 portal (https://portal.microsoftonline.com)
  2. Click the Admin button in the top-right next to your name and select Exchange from the drop-down. If you are accessing a tenant as a delegated admin (e.g. Microsoft Partner), then you'll need to navigate to the EAC by hitting service settings on the left-hand menu and selecting Manage additional settings in the Exchange admin center.
  3. Once in the EAC, click mail flow on the left-hand menu and you'll be taken to the rules page by default.
Now we need to create our OME rules. Our first rule will encrypt outbound messages with the 'secure' keyword in the subject:
  1. Click the 'plus' sign on the rules page.
  2. Select Create new rule and give it a descriptive name (e.g. "Outbound Encryption")
  3. Set the rule to apply if the sender is located inside the organization, the recipient is located outside the organization, and the subject includes 'secure' (or whatever keyword you wish to use)
  4. Set it to perform the Encrypt the message with Office 365 Message Encryption action ("Apply Office 365 Message Encryption" under "Modify the message security")
  5. Enable auditing if desired and save the rule


Encryption should be working now! Pay special attention to the order of your rules (if you have others) and make sure your encryption rule won't be cancelled out by anything else, in particular an earlier rule that uses the "Stop processing more rules" action. I'd also recommend creating a second rule to decrypt inbound messages that are sent as replies. This will keep your users happy since they won't have to leave Outlook to read encrypted replies from external users:
  1. Click the 'plus' sign on the rules page.
  2. Select Create new rule and give it a descriptive name (e.g. "Inbound Decryption")
  3. Set the rule to apply if the sender is located outside the organization and the recipient is located inside the organization. Technically this applies the rule to all inbound mail, but it won't do anything unless that e-mail was encrypted anyway.
  4. Set it to perform the Remove Office 365 Message Encryption from the message action ("Remove Office 365 Message Encryption" under "Modify the message security")
  5. Enable auditing if desired and save the rule
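The same two rules can be created from the Exchange Online session you opened earlier, which is handy when you manage several tenants. This is an added example rather than the post's own steps; the rule names, the 'secure' keyword and the function name New-OmeRuleSet are this post's choices and my own, and the parameters used (-FromScope, -SentToScope, -SubjectContainsWords, -ApplyOME, -RemoveOME) are the New-TransportRule equivalents of the EAC conditions and actions above.

```powershell
# Added example: create the outbound-encrypt and inbound-decrypt rules with
# PowerShell instead of the EAC. Assumes an imported Exchange Online session.
function New-OmeRuleSet {
    param(
        [string]$Keyword = "secure",
        [string]$OutboundRuleName = "Outbound Encryption",
        [string]$InboundRuleName = "Inbound Decryption"
    )

    # Outbound: encrypt mail leaving the org when the subject contains the keyword.
    # Skip creation if a rule with this name already exists (idempotent re-runs).
    if (-not (Get-TransportRule -Identity $OutboundRuleName -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name $OutboundRuleName `
            -FromScope InOrganization `
            -SentToScope NotInOrganization `
            -SubjectContainsWords $Keyword `
            -ApplyOME $true `
            -SetAuditSeverity Low
    }

    # Inbound: strip OME from replies coming back from external recipients so
    # users can read them in Outlook. Harmless on mail that was never encrypted.
    if (-not (Get-TransportRule -Identity $InboundRuleName -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name $InboundRuleName `
            -FromScope NotInOrganization `
            -SentToScope InOrganization `
            -RemoveOME $true `
            -SetAuditSeverity Low
    }

    # Order check: rules run in ascending Priority, and any earlier rule with
    # StopRuleProcessing set will keep these from firing. Show what sits in front.
    Get-TransportRule |
        Sort-Object Priority |
        Format-Table Priority, Name, State, StopRuleProcessing, ApplyOME, RemoveOME -AutoSize
}

# Usage:
# New-OmeRuleSet -Keyword "secure"
#
# If a rule with StopRuleProcessing is listed ahead of the encryption rule,
# move the encryption rule to the front of the queue:
# Set-TransportRule -Identity "Outbound Encryption" -Priority 0
```

Run it once, review the table it prints, and only then hand the rules to users; the priority listing is the quickest way to spot the "cancelled out by another rule" problem mentioned above.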

Enjoy your Office 365 Message Encryption!

That's all folks, you can now send out secure messages with Office 365 just by adding the keyword to your e-mail. It should work with any mail client, including mobile phones and OWA. I'm open to suggestions on better ways to write the rules, and I'll also note here that we did have a few issues where some of our users were getting NDRs specifying they are not licensed (which appears to be untrue). We've opened a Microsoft ticket and I'll update this post with the results of that case. (UPDATE: The 550-5.7.1 error we were receiving indicating encryption was disabled on the transport server has disappeared on its own this week. I'm guessing we jumped the gun on deployment.)

Feedback welcome! Special thanks from across the pond to ahandyblog for the write up on IRM that helped me fill in the gap there.
