Skip navigation
Encryption in Exchange Online Part 3

Encryption in Exchange Online Part 3

In the first two articles (Part 1, Part 2) in this series, I gave a very basic explanation of how a couple of different types of encryption work and introduced the first two type of encryption in Exchange Online. In part three of this series I am going to talk about Office 365 Message Encryption.

Office 365 Message Encryption (OME) is usually what people think about when they think about sending encrypted email from Office 365. OME allows you to send an encrypted email to anyone external to your organization and the destination user does not need to be on Office 365 or even on Exchange. OME takes messages that are set through its systems and packages them into an encrypted attachment which is then sent on to the original destination. In order to decrypt the message the recipient needs to prove her identity to Microsoft via the use of a known email account. The encrypted message is not stored on any Microsoft OME server, but is temperately posted to OME servers for recipient viewing.

OME does allow an organization to customize the appearance of the encrypted attachments via text at the top of the encrypted message, disclaimer text, and a company logo can be attached to messages encrypted via OME as well.

OME is licensed as part of Azure Rights Management (which we will cover in the next article of this series). The recipients of encrypted messages do not require any licensing to open the encrypted messages they receive, and when they reply to encrypted messages their replies will also be encrypted.

The process for setting up OME on an Office 365 tenant is fairly straight forward, if you know what you’re doing. Before you can use Office 365 Message Encryption you have to setup and configure Information Rights Management for your Office 365 tenant. IRM is also included in all Enterprise tenants, but it does require a bit of configuration.

To configure IRM, go to the Office 365 Admin Center on your tenant portal. On the left expand service settings then select rights management. In the middle pane select manage, and you will be redirected to a new page with the option to active rights management.

In the right management portal, choose “activate” to turn on Rights Management. We’ll talk about the “advanced features” when we cover RMS in a later article in this series.

After you have activated rights management in the portal, the rest of the configuration for IRM needs to be done from PowerShell. To do the next series of configurations, you’ll need to install Windows Azure Active Directory Module for Windows PowerShell. Launch WAAD module for PS, and run the following commands to connect to your tenant


You will be prompted to enter Office 365 Global Admin credentials.

Once connected to WAAD, there are a couple of PowerShell commands that need to be entered to finish your IRM configuration. First you will need to designate your IRM online key sharing location. To do this, run one of the following commands based on the location of your Office 365 tenant.

North America: Set-IRMConfiguration -RMSOnlineKeySharingLocation

European Union: Set-IRMConfiguration -RMSOnlineKeySharingLocation

Asia-Pacific: Set-IRMConfiguration -RMSOnlineKeySharingLocation

After your key sharing location is set, the next step is to import the Trusted Publishing Domain (TPD). Run the following command

Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

The final step is to activate the internal IRM licensing. Run the following command

Set-IRMConfiguration -InternalLicensingEnabled $True

Now that IRM is configured for your tenant, the way to setup Office 365 Message Encryption for your users is via a transport rule. A transport rule, as you might expect, is a rule that is applied to a message while that message is in the transport sub-system. Since all email has to go through transport to get anywhere (even an email you send to your own mailbox), a transport rule is the best way to ensure that all messages are processed in the same way.

To create a transport rule, go into your Office 365 admin portal and select Admin > Exchange. Once in the EAC, on the left select mail flow then at the top select rules. For a new rule, select the + and then choose Apply rights protection to messages… This will launch the new rule wizard. In the Name: field, give the new rule a name. In the *Apply this rule if… field, select the conditions that will cause this rule to fire. For an encryption rule, I suggest adding the condition The subject includes… and then adding a key word like “Secure”. This will cause this rule to fire for any messages that include the word “Secure” in the subject line, making it easy for your users to encrypt a message.

In the *Do the following… field, choose Modify the message security… and then Apply Office 365 Message Encryption. Ensure you select the check box to enforce the rule, and review the other settings available for this transport rule. Once done, select save. You’re new transport rule should look something like this

Now that you have OME all configured and working, let’s take a look at OME in action. The first step is to write an email that you want to encrypt. I am going to send this email to my Gmail account to demonstrate that OME works with foreign mail services.


When I receive this message in Gmail, it looks like this


To read this message, you need to open the attachment. Doing so will give you the below screen is your browser.

Select “Sign in and view your encrypted message”. Once you get logged in, you’ll be able to read your message in a web interface that looks like OWA.

If you can’t or don’t want to sign into your Microsoft account to read the message, there is an option to sing in with a one-time passcode as well.

Selecting this option will send you a one-time passcode you can use to access this message without having to login with a Microsoft account.

Once you are signed in you can read, reply, and even forward the message. All replies and forwards will be encrypted without the need for anyone on the message chain to have an Office 365 license beside the original sender.

It should be noted that these messages are not stored in Office 365 separately from the mailboxes of those sending and/or receiving the messages.

In conclusion, OME is a very easy to setup and use feature available within Office 365 that allows users access to sending and receiving encrypted email.

In the next article in this series, we’ll take a look at Rights Management Service and its messaging encryption features.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.