Businesses have been using email, a cloud-based service, for decades. The recent push for compliance and security have given rise to various technology and services to provide encryption for sending / receiving messages especially through email. For most users Office 365 Encryption is the easiest and best way of sending encrypted email. This is done by purchasing licenses / configuring Azure Rights Management either through Enterprise Mobility Suite or Microsoft Azure Rights Management Premium in their Office 365 account. Once licensed the following setup procedure is needed to setup basic email encryption for all users:
Basic Office 365 Encryption Setup
- Login to Office 365 portal as Global Administrator and click on the Admin tile.
- In the left hand menu select Service Settings > Rights Management then click on the Manage link to the right.
- On the Rights Management page click on the Activate button.
- Now it is time for the powershell portion, open Windows Azure Active Directory Module for Windows Powershell as Domain Administrator
- Type in the following to connect to Exchange Online via Powershell:
$creds = Get-Credential
(Enter the Office 365 Administrator credentials then click “OK” button.)
Connect-MsolService -Credential $creds
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $creds -Authentication Basic -AllowRedirection
- Now type in the following to configure the Rights Management Services (RMS) online key-sharing location in Exchange Online (This is North American companies only – all others see the following Microsoft KB Article.):
Set-IRMConfiguration -RMSOnlineKeySharingLocation “https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc”
- Run the following command to import the Trusted Publishing Domain (TPD) from RMS Online:
Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”
- To verify that you successfully configured IRM in Exchange Online to use the Azure Rights Management service, run the following:
- Run the following commands to disable IRM templates from being available in OWA and Outlook and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption:
- To disable IRM templates in OWA and Outlook:
Set-IRMConfiguration -ClientAccessServerEnabled $false
- To enable IRM for Office 365 Message Encryption:
Set-IRMConfiguration -InternalLicensingEnabled $true
- This completes the powershell portion. Make sure that all users who will be using Encryption have been given a license for the purchased service in the Office 365 portal.
- In the Office 365 portal in the left hand menu click on Admin > Exchange.
- In the Exchange Admin Center in the right hand side under Mail Flow click on Rules.
- Click on the + symbol and choose “Create a New Rule…” option.
- Give the Rule a name like “Message Encryption” then click on “More Options…”
- Under “Apply this rule if…” select “The subject or body includes…” and add “Encrypt:” as the search term.
- Under “Do the following…” select “Modify the message security…” then select “Apply Office 365 Message Encryption”
- Leave the other options as default unless otherwise needed and click on Save button.
This then allows users of Outlook or OWA to add the work “Encrypt:” to the subject line of an email and have the message sent as encrypted. The recepient will receive and HTML document that details how to access the contents of the email securely via Microsoft login or one time access code sent to their email. If they are accessing email from their phones then there is an App for that too. If your organization needs any help with compliance of email encryption then don’t hesitate to contact us for support.