Set up Azure Rights Management for Office 365 Message Encryption

This topic describes the steps you need to follow in order to activate and then set up Azure Rights Management (RMS), part of Azure Information Protection, for use with Office 365 Message Encryption (OME).

Prerequisites for using Office 365 Message Encryption

Office 365 Message Encryption (OME), including IRM, depends on Azure Rights Management (Azure RMS). Azure RMS is the protection technology used by Azure Information Protection. To use OME, your Office 365 organization must include an Exchange Online or Exchange Online Protection subscription that, in turn, includes an Azure Rights Management subscription.

  • If you're not sure of what your subscription includes, see the Exchange Online service descriptions for Message Policy, Recovery, and Compliance.

  • If you don't have an Azure RMS subscription for Exchange Online or Exchange Online Protection, you must purchase a subscription and activate it first.

    For information about purchasing a subscription to Azure Rights Management, see Azure Rights Management. The next section gives you information about activating Azure Rights Management.

  • If you have Azure Rights Management but it's not set up for Exchange Online or Exchange Online Protection, this article explains how to activate Azure Rights Management and then describes the best way to set up OME to work with Azure Rights Management.

  • If you've already set up OME to work with Azure Rights Management for Exchange Online or Exchange Online Protection, depending on how you set it up, you may be ready to start using OME and its new capabilities right away. This article explains how to determine if you've set OME up correctly, what to do if you need to change your setup, and what happens if you choose not to change your setup. For example, in order to use the new capabilities, you must use Azure RMS with OME. You can't use the new capabilities with an on-premises Active Directory RMS.

Activate Azure Rights Management for OME in Office 365

You need to activate Azure Rights Management so that the users in your organization can apply information protection to messages that they send, and open messages and files that have been protected by the Azure Rights Management service. For instructions, see Activating Azure Rights Management. Once you've completed the activation, return here and continue with the tasks in this article.

Set up OME to use Azure RMS by importing trusted publishing domains (TPDs)

A TPD is an XML file that contains information about your organization's rights management settings. For example, the TPD contains information about the server licensor certificate (SLC) used for signing and encrypting certificates and licenses, the URLs used for licensing and publishing, and so on. You import the TPD into your Office 365 organization by using Windows PowerShell.

Important

Previously, you could choose to import TPDs from the Active Directory Rights Management service (AD RMS) into your Office 365 organization. However, doing so will prevent you from using the new OME capabilities and is not recommended. If your Office 365 organization is currently configured this way, Microsoft recommends that you create a plan to migrate from your on-premises Active Directory RMS to cloud-based Azure Information Protection. For more information, see Migrating from AD RMS to Azure Information Protection. You will not be able to use the new OME capabilities until you have completed the migration to Azure Information Protection.

To import TPDs from Azure RMS

  1. Connect to Exchange Online Using Remote PowerShell.

  2. Choose the key-sharing URL that corresponds to your Office 365 organization's geographic location:

     Location: Key sharing location URL

     • North America: https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
     • European Union: https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
     • Asia: https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
     • South America: https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
     • Office 365 for Government (Government Community Cloud): https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc (this RMS key-sharing location is reserved for customers who have purchased Office 365 for Government SKUs)

  3. Configure the key-sharing location by running the Set-IRMConfiguration cmdlet as follows:

     Set-IRMConfiguration -RMSOnlineKeySharingLocation "<RMSKeySharingURL>"

     For example, to configure the key sharing location if your organization is located in North America:

     Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

  4. Run the Import-RMSTrustedPublishingDomain cmdlet with the -RMSOnline switch to import the TPD from Azure Rights Management:

     Import-RMSTrustedPublishingDomain -RMSOnline -Name "<TPDName>"

     Where TPDName is the name you want to use for the TPD. For example, "Contoso North American TPD".

  5. To verify that you successfully configured your Office 365 organization to use the Azure Rights Management service, run the Test-IRMConfiguration cmdlet with the -RMSOnline switch as follows:

     Test-IRMConfiguration -RMSOnline

     Among other things, this cmdlet checks connectivity with the Azure Rights Management service, downloads the TPD, and checks its validity.

  6. Run the Set-IRMConfiguration cmdlet as follows to disable Azure Rights Management templates from being available in Outlook on the web and Outlook:

     Set-IRMConfiguration -ClientAccessServerEnabled $false

  7. Run the Set-IRMConfiguration cmdlet as follows to enable Azure Rights Management for your cloud-based email organization and configure it to use Azure Rights Management for Office 365 Message Encryption:

     Set-IRMConfiguration -InternalLicensingEnabled $true

  8. To verify that you have successfully imported the TPD and enabled Azure Rights Management, use the Test-IRMConfiguration cmdlet to test Azure Rights Management functionality. For details, see "Example 1" in Test-IRMConfiguration.
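The whole procedure above, collected into one script as an added example (not part of the Microsoft article): it selects the key-sharing URL for a region, imports the TPD only if it is not already present, stops if the online connectivity test fails, and finally reads the configuration back with Get-IRMConfiguration to confirm every setting took effect. It assumes the Exchange Online PowerShell module (Connect-ExchangeOnline) is installed, that the caller holds an Exchange administrator role, that the Results property of the Test-IRMConfiguration output is the text summary of the checks, and that the region names, TPD name and sender address are constructed sample values.

```powershell
# Added example, not from the article. Region names, $TpdName and $SenderAddress are constructed.
param(
    [ValidateSet('NorthAmerica', 'EuropeanUnion', 'Asia', 'SouthAmerica', 'GovUS')]
    [string]$Region = 'NorthAmerica',
    [string]$TpdName = 'Contoso North American TPD',
    [string]$SenderAddress = 'admin@contoso.com'
)

# Key-sharing URLs from the article's table, keyed by the region names used in this script.
$KeySharingUrls = @{
    NorthAmerica  = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    EuropeanUnion = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    Asia          = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
    SouthAmerica  = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
    GovUS         = 'https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc'
}

Connect-ExchangeOnline -ShowBanner:$false   # assumes the Exchange Online PowerShell module

# Point the tenant at the regional key-sharing location.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingUrls[$Region]

# Import the TPD from Azure RMS; skip the import if a TPD with this name already exists.
if (-not (Get-RMSTrustedPublishingDomain -Identity $TpdName -ErrorAction SilentlyContinue)) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name $TpdName
}

# Connectivity and TPD validity check. Results is assumed to hold the PASS/FAIL text summary.
$onlineTest = Test-IRMConfiguration -RMSOnline
if ("$($onlineTest.Results)" -match 'FAIL') {
    throw "Test-IRMConfiguration -RMSOnline reported a failure:`n$($onlineTest.Results)"
}

# Hide Azure RMS templates from Outlook / Outlook on the web, then enable licensing for the cloud org.
Set-IRMConfiguration -ClientAccessServerEnabled $false
Set-IRMConfiguration -InternalLicensingEnabled $true

# Read the effective configuration back and confirm each setting matches what was requested.
$cfg = Get-IRMConfiguration
$expected = @{
    RMSOnlineKeySharingLocation = $KeySharingUrls[$Region]
    ClientAccessServerEnabled   = $false
    InternalLicensingEnabled    = $true
}
$mismatches = $expected.Keys | Where-Object { "$($cfg.$_)" -ne "$($expected[$_])" }
if ($mismatches) { throw "IRM settings not applied: $($mismatches -join ', ')" }

# End-to-end functional test, as in "Example 1" of the Test-IRMConfiguration reference.
Test-IRMConfiguration -Sender $SenderAddress
```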

I have OME set up with Active Directory Rights Management not Azure Information Protection, what do I do?

You can continue to use your existing Office 365 Message Encryption mail flow rules with Active Directory Rights Management, but you can't configure or use the new OME capabilities. Instead, you need to migrate to Azure Information Protection. For information about migration and what this means for your organization, see Migrating from AD RMS to Azure Information Protection.

Next steps

Once you've completed Azure Rights Management setup, if you want to enable the new OME capabilities, see Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection.

After you've set up your organization to use the new OME capabilities, you're ready to Define mail flow rules to protect email messages with new OME capabilities.

Encryption in Office 365

Technical reference details about encryption in Office 365

What is Azure Rights Management?