Exchange Online - Message Encryption
Introduction
Activate Azure Rights Management
Activate User Licenses
- Verify Office365 Message Encryption
- Verify OME Default Settings
Add SHIFT Brand
Test
- Sending Email
- Receiving Email
Useful Links

Exchange Online - Message Encryption

Summary: How to setup email message encryption in office 365 exchange online
Date: Around 2018
Refactor: 6 January 2025: Checked links and formatting.

o365

Introduction

There are several ways to encrypt your email using Exchange Online. See here for more information but it comes down to:

E-mail encryption:
- OME: Encrypts messages sent to internal or external recipients.
- S/MIME: User based encryptie; To use S/MIME, you must have public keys on file for each recipient. Recipients have to maintain their own private keys, which must remain secure.
- IRM: Uses encryption and usage restrictions to provide online and offline protection for email messages and attachments. It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people.
Secure connection:
- Office 365 email internal and external: Exchange Online servers always encrypt connections to other Exchange Online servers in our datacenters with TLS 1.2.
- External email: By default, Exchange Online always uses opportunistic TLS. This means Exchange Online always tries to encrypt connections with the most secure version of TLS first, then works its way down the list of TLS ciphers until it finds one on which both parties can agree. No agreement means unencrypted.
- Force TLS; this requires an encrypted connection or the email will not be sent or received.
Data in Rest: Encryption using Bitlocker Drive Encryption

This page describes how to use the OME message encryption capabilities with Exchange Online. Follow these steps to configure the service.

Activate Azure Rights Management

Note that you need a E3 or E5 license to do this, as well as a global administrator account.

* Log in to the Office 365 adminportal: https://portal.office.com/adminportal/home

Navigate: Settings > Services & add-ins > Microsoft Azure Information Protection > Manage Microsoft Azure Information Protection settings
On the rights management page, click activate, and confirm

This automatically enables the OME (Office 365 Message Encryption)

Activate User Licenses

This might not be strictly necessary.

All users need the Azure Rights Management license

Log into the azure portal with proper admin account
Go to Azure Active Directory
Go to Licenses
Go to All Products
Click on your E5 Product. (or e3 as it has the license required as well)
Go to Licensed Groups
Click on Office365_Rings_Production
Click on Office 365 Enterprise E5
Set Azure Rights Management to On
Click Save

It could take a while for the setting to propagate.

Verify Office365 Message Encryption

You can verify the settings using PowerShell:

PS C:\Users\sjoerdadmin> Test-IRMConfiguration -sender sjoerd@shift.com
 
 
Results : Acquiring RMS Templates ...
              - PASS: RMS Templates acquired.  Templates available: Shift - Confidential, Shift - Confidential View Only,
          Encrypt, Do Not Forward.
          Verifying encryption ...
              - PASS: Encryption verified successfully.
          Verifying decryption ...
              - PASS: Decryption verified successfully.
          Verifying IRM is enabled ...
              - PASS: IRM verified successfully.
 
          OVERALL RESULT: PASS

Verify OME Default Settings

You can check the settings using PowerShell using the Get-OMEConfiguration and the Get-IRMConfiguration commandlets:

PS C:\Users\sjoerdadmin> Get-OMEConfiguration
 
 
RunspaceId              : 00dc7da4-e429-4d7f-a8dc-3c0632432691
Image                   :
ImageUrl                :
EmailText               :
PortalText              :
DisclaimerText          :
BackgroundColor         :
IntroductionText        :
ReadButtonText          :
OTPEnabled              : True
SocialIdSignIn          : True
ClientEncryptionEnabled : True
ExpirationOptionEnabled : True
Identity                : OME Configuration
IsValid                 : True
ObjectState             : Unchanged
 
PS C:\Users\sjoerdadmin> Get-IRMConfiguration
 
 
InternalLicensingEnabled        : True
ExternalLicensingEnabled        : True
AzureRMSLicensingEnabled        : True
TransportDecryptionSetting      : Optional
JournalReportDecryptionEnabled  : True
SimplifiedClientAccessEnabled   : True
ClientAccessServerEnabled       : True
SearchEnabled                   : True
EDiscoverySuperUserEnabled      : True
DecryptAttachmentFromPortal     : False
DecryptAttachmentForEncryptOnly : False
AutomaticServiceUpdateEnabled   : True
RMSOnlineKeySharingLocation     :
RMSOnlineVersion                :
ServiceLocation                 :
PublishingLocation              :
LicensingLocation               : {https://1152aa96-bcfb-4cfb-XXXX-fb049201e412.rms.eu.aadrm.com/_wmcs/licensing}

Depending on your needs you might want to change these settings:

SocialIdSignIn : True
- Users that receive encrypted messages can use the their social ID accounts (currently Yahoo/Microsoft/Google) to decrypt messages
OTPEnabled : True
- Users can use a one-time pass code to decrypt messages
SimplifiedClientAccessEnabled : True
- Enabled the protect button in Outlook Web Access

Add SHIFT Brand

We can use powershell to add some branding to the wrapper email and portal:

PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential and only for the intended recipient. "
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Secured Message from SHIFT. You will only receive secure messages if previously agreed on. Please contact SHIFT in case you have questions regarding the source or confidentiality of this message. "
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -PortalText "SHIFT Portal for secure email messages."
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "D:\sjoerdadmin\shift-logo.png" -Encoding byte)

Test

Now considering the many possibilities in sending and receiving email with different clients and recipients I strongly advise you to test at least the following scenarios so you can provide in depth information to your users:

Sending Email

Encryption Policy: Do not forward
- Outlook
- Outlook online
- Outlook mobile
Encrypt
- Outlook (watch out; different behavior between client versions)
- Outlook online
- Outlook mobile
Confidential policies
- Outlook
- Outlook online
- Outlook mobile
Attachments: Office files
Attachments: Pdfs

Receiving Email

All encryption policies as an internal user
- Outlook
- Outlook Online
- Outlook Mobile
All encryption policies as en external user
- Office 365 users
- Microsoft users (hotmail; live; msn; outlook; etc.)
- Google and yahoo users
- Users with independent email accounts
Attachments: Office files
Attachments: Pdfs

Useful Links

https://docs.microsoft.com/en-us/office365/securitycompliance/encryption
https://docs.microsoft.com/en-us/azure/information-protection/activate-office365
https://docs.microsoft.com/en-us/office365/securitycompliance/manage-office-365-message-encryption
https://docs.microsoft.com/en-us/office365/securitycompliance/add-your-organization-brand-to-encrypted-messages
https://docs.microsoft.com/en-us/office365/securitycompliance/exchange-online-uses-tls-to-secure-email-connections
https://docs.microsoft.com/en-us/office365/securitycompliance/email-encryption

Table of Contents