To start using Office 365 Message Encryption you need to follow three easy steps:

1. Activate Azure Rights Management
2. Setup Azure Rights Management for Exchange online
3. Setup transport rules to enforce message encryption in Exchange online

Step 1. Activate Azure Rights Management

Open the Office 365 admin center and expand the “SERVICE SETTINGS” menu on the left side, then choose “Rights Management”



Now choose Enable to activate Rights Management.

You can also use PowerShell to activate Rights Management.

Download and install the Azure Rights Management Administration Tool

This will install the Windows PowerShell module for Azure Rights Management.

Open a PowerShell session and run:

    Connect-AadrmService

To activate Azure Rights Management service run:

    Enable-Aadrm

Step 2. Setup Azure Rights Management for Exchange online

Connect to Exchange online with PowerShell (open PowerShell as Administrator)

Enter the following commands to Connect and import the session

    Set-ExecutionPolicy RemoteSigned
    $cred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $Session

Verify if your IRM isn’t already configured using:

    Get-IRMConfiguration

1. Configure RMS with the online key-sharing location; choose the location that best suits your environment. In my example I will be using Europe. A table of all locations is listed below.

Location                     RMS key sharing location
North America                https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
European Union               https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
Asia                         https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
South America                https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
Office 365 for Government    https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

To configure the RMS online key sharing location for a customer in Europe you would use this command:

    Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"

2. Run the following command to import the Trusted Publishing Domain (TPD) from RMS online:

    Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

3. Verify that you successfully configured IRM in Exchange Online by running this command:

    Test-IRMConfiguration -Sender admin@domain.com

4. Run the following commands to disable IRM templates from being available in OWA and Outlook and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption:

To disable IRM templates in OWA and Outlook:

    Set-IRMConfiguration -ClientAccessServerEnabled $false

To enable IRM for Office 365 Message Encryption:

    Set-IRMConfiguration -InternalLicensingEnabled $true

View the IRM Configuration

    Get-IRMConfiguration
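As an added example (not part of the original post), the function below compares the output of Get-IRMConfiguration with the three values set in this step and reports any setting that differs. The function name Test-OmeIrmSettings and the sample object are made up for illustration; the sample is constructed so the check can be tried without a tenant.

```powershell
# Added example: Test-OmeIrmSettings is a hypothetical helper, not an Exchange cmdlet.
function Test-OmeIrmSettings {
    param(
        [Parameter(Mandatory)] $Config,                        # output of Get-IRMConfiguration
        [Parameter(Mandatory)] [string] $ExpectedKeySharingLocation
    )

    # The values this step configures with Set-IRMConfiguration.
    $expected = [ordered]@{
        RMSOnlineKeySharingLocation = $ExpectedKeySharingLocation
        ClientAccessServerEnabled   = $false
        InternalLicensingEnabled    = $true
    }

    foreach ($name in $expected.Keys) {
        # Compare as strings so a Uri object and a plain string match;
        # ignore a trailing slash on the URL.
        $actual = ([string]$Config.$name).TrimEnd('/')
        $wanted = ([string]$expected[$name]).TrimEnd('/')

        [pscustomobject]@{
            Setting  = $name
            Expected = $wanted
            Actual   = $actual
            Ok       = ($actual -eq $wanted)
        }
    }
}

$euLocation = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'

# Constructed sample: a tenant where the IRM templates were not yet disabled
# for OWA and Outlook (ClientAccessServerEnabled is still $true).
$sample = [pscustomobject]@{
    RMSOnlineKeySharingLocation = $euLocation
    ClientAccessServerEnabled   = $true
    InternalLicensingEnabled    = $true
}

Test-OmeIrmSettings -Config $sample -ExpectedKeySharingLocation $euLocation |
    Format-Table -AutoSize

# Against the live tenant, with the Exchange Online session imported:
# Test-OmeIrmSettings -Config (Get-IRMConfiguration) -ExpectedKeySharingLocation $euLocation
```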

Step 3. Setup transport rules to enforce message encryption in Exchange online

Open the Office 365 Admin center https://portal.office.com

Open the Exchange Admin Center, and navigate to mail flow – rules

Click on the “+” symbol to create a new rule.

I will show two separate rules to give you an idea how you could use this in your organization.

The first rule will encrypt the message based on a trigger word in the subject or body of the message. In your organization you can agree on one or more specific and unique words that will trigger this rule.

Using this method you could, for example, give the users a secondary email signature with the trigger word at the bottom, and name the signature “Encrypt message”. Then whenever this signature is selected the email message will be encrypted.

In the example below I’ve used the trigger word [secure-email]. Please note that the brackets are part of the trigger word, to reduce the chance that a message is unintentionally encrypted with this rule.

Another example is to have all outbound messages that have an Office document attached automatically encrypted.
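The two rules can also be created from the Exchange Online PowerShell session opened in Step 2. This is an added example, not part of the original post: the rule names are made up, and the list of Office file extensions and the "sent outside the organization" scope are assumptions about how the second rule is defined.

```powershell
# Added example. Assumes the Exchange Online session from Step 2 is imported.
# Rule names and the extension list are illustrative, not from the original post.
$rules = @(
    @{
        # Rule 1: encrypt when the trigger word is in the subject or body.
        Name                       = 'OME - trigger word'
        SubjectOrBodyContainsWords = '[secure-email]'
        ApplyOME                   = $true
    },
    @{
        # Rule 2: encrypt outbound messages with an Office document attached.
        Name                            = 'OME - outbound Office attachments'
        SentToScope                     = 'NotInOrganization'
        AttachmentExtensionMatchesWords = 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx'
        ApplyOME                        = $true
    }
)

$existing = Get-TransportRule | Select-Object -ExpandProperty Name

foreach ($rule in $rules) {
    if ($existing -contains $rule.Name) {
        # Do not create a duplicate when the script is run a second time.
        Write-Host "Rule '$($rule.Name)' already exists, skipping."
        continue
    }
    # Splat the hashtable so each key becomes a New-TransportRule parameter.
    New-TransportRule @rule
}

# Review the result: both rules should be listed as enabled.
Get-TransportRule |
    Where-Object { $_.Name -like 'OME - *' } |
    Format-Table Name, State, Mode, Priority -AutoSize
```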

Test the rules by sending a message making sure the message content will trigger one of the rules.

The recipient will receive a message with instructions on how to open and decrypt the message.

In a next blog I will show you how to customise encrypted messages and the viewing portal.










I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me: