Skip navigation
Encryption in Exchange Online Part 5

Encryption in Exchange Online Part 5

In the first four parts of this series (Part 1, Part 2, Part 3, Part 4) I’ve covered the basics of encryption, BitLocker, TLS, Office 365 Message Encryption, and Information Rights Management. In this article I’m going to continue the previous discussion of Information Rights Management.

Now that we have the basic three templates working, let’s circle back and talk about that “advanced features” button we saw earlier. In your Office 365 portal go into Admin > Service Settings > Rights Management and select Manage in the center dashboard. You will be redirected to an Azure website (no need to log in again) where you will see a dashboard that looks like this

Until a fairly recent change, the only IRM templates available in Office 365/Exchange Online were those three default templates unless you did the necessary work to connect your Office 365 tenant to AD RMS running in your on-premises Active Directory. Once that work was done, you could create IRM templates on-premises and import them into your Office 365 tenant for use with Exchange Online. With the addition of the advanced features button in the Rights Management screen you can now add some custom templates to your Office 365 tenant.

As with most new features added to Office 365 [this is an Azure AD feature, not Office 365], this feature will undoubtedly improve over time. Right now the configuration is a little rough, and the options for creating your own templates are limited. I expect improvement in both categories over time, but for now let’s take a look at how to create a custom template.

There are several reasons you might want to create your own templates.

  • To define a template with user rights not present in the default templates, such as View and Edit but not Copy and Print
  • To configure additional rights within a template such as setting an expiration date for protected items or whether or not a message can be accessed when working offline
  • To restrict a template to a specific subset of your users rather than all users in your organization via template scoping (this feature is in public preview as of this publication)

Because you are unable to edit the default templates, all these modifications require you to create a new custom template. Let’s go through that process.

When you are redirected to the portal. In the center pane, you’ll see the Azure AD instance associated with your Office 365 tenant.

Selecting the Rights Management option will take you into the Rights Management quick start wizard.

You can step through the wizard to create a new policy template, but here I am going to start with copying on of the existing templates and adding the option to have the messages expire after 2 days.

Select the CompanyName – Confidential View Only template and select Copy at the bottom of the screen. This will bring up the “Copy and existing template” wizard

I modified the name to show that this template includes the setting for messages to expire after two days, and I modified the description to include this information.

After saving this, your template list will be updated to show the new template.

The new template is in “Archived” status. This means that content that has been created with this template will still work, but you cannot protect new contact with this template.

Now select this new template, and select the arrow in the name field to edit the template.

Go to the “configure” tab. At the top of this sheet change the status from archive to publish. Scroll down to the bottom. Modify the template by selecting content will expire after two day and content is only available with an internet connection.

Select save at the bottom of the page.

You can also create a new template from scratch. The process is pretty much the same as copying a template, and there is a wizard to walk you through the necessary settings.

Now we have a new template available in Azure, but we cannot access this template from our Exchange Online mailbox yet. We’re going to need to import the new template into Exchange Online, and then download the new template into Outlook. Outlook 2013 will eventually download new templates automatically, but I don’t want to wait so we’re going to do it manually.

Connect to remote PowerShell for your Exchange Online tenant. First we’re going to need to get your TPD (Trusted Publishing Domain) name. Run the command

Get-RMSTrustedPublishingDomain | FL Name

For most tenants this is going to be “RMS Online – 1”. Once you know your TPD name, run the command

Import-RMSTrustedPublishingDomain -Name "RMS Online - 1" -RefreshTemplates -RMSOnline

After the command completes, wait a few minutes then run the following command to verify that the new template(s) have been successfully imported.


Once your new template(s) are reported by Get-RMSTemplate the final step is to set the template(s) to distributed.

Set-RMSTemplate -Identity "" -Type Distributed

At this point, your new template(s) should be available in OWA (because it refreshes the available templates when it connects to Exchange Online). Office applications (including Outlook) will download new templates every 7 days by default. To modify that interval, you need to change the following registry key.

It may also be necessary to delete the templates you have already downloaded. To do so, delete the following folder.


As I said above, this ability to add new templates is a new feature to Azure AD and I think it’s safe to say Microsoft has not completely worked out all the bugs. It took me several attempts to get a new template working. Additionally there is no way to create templates that can be sent to users outside of your own Office 365 tenant beyond the default “Do Not Forward” template.

IRM templates can be manually applied via Outlook or OWA, but they can also be applied automatically via Transport Rule and Outlook Protection Rules. I’ll address the different ways the various types of encryption can be applied and the circumstances when each is best used in the last article in this series.

Currently Azure supports BYOK (Bring Your Own Key), or the ability to import your own key into Azure RMS. A recent update to the Azure BYOK process means you no longer have to complete that process by bringing your key to load it into a Microsoft datacenter in Redmond. However, those keys cannot be used for Exchange Online IRM at this time, but that is a feature I am sure Microsoft will add at some point in the future.

In the next article we’ll explore S/MIME for Exchange Online.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.