Set up new Office 365 Message Encryption capabilities

The new Office 365 Message Encryption (OME) capabilities allow organizations to share protected email with anyone on any device. Users can exchange protected messages with other Office 365 organizations, as well as non-Office 365 customers using Outlook.com, Gmail, and other email services.

This article is part of a larger series of articles about Office 365 Message Encryption. This article is intended for administrators and IT Pros. If you're just looking for information on sending or receiving an encrypted message, see the list of articles in Office 365 Message Encryption (OME) and locate the article that best fits your needs.

Follow the steps below to ensure that the New OME capabilities are available in your Office 365 organization.

Verify that Azure Rights Management is active

The new OME capabilities leverage the protection features in Azure Rights Management Services (Azure RMS), the technology used by Azure Information Protection to protect emails and documents via encryption and access controls.

The only prerequisite for using the new OME capabilities is that Azure Rights Management must be activated in your organization's tenant. If it is, Office 365 activates the new OME capabilities automatically and you don't need to do anything.

Azure RMS is also activated automatically for most eligible plans, so you probably don't have to do anything in this regard either. See Activating Azure Rights Management for more information.

Important

If you use Active Directory Rights Management service (AD RMS) with Exchange Online, you need to migrate to Azure Information Protection before you can use the new OME capabilities. OME is not compatible with AD RMS.

For more information, see:

Manually activating Azure Rights Management

If you disabled Azure RMS, or if it was not automatically activated for any reason, you can activate it manually in the:

Configure management of your Azure Information Protection tenant key

This is an optional step. Allowing Microsoft to manage the root key for Azure Information Protection is the default setting and recommended best practice for most Office 365 tenants. If this is the case, you don't need to do anything.

There are many reasons, for example compliance requirements, that may necessitate you generating and managing your own root key (also known as bring your own key (BYOK)). If this is the case, we recommend that you complete the required steps before setting up the new OME capabilities. See Planning and implementing your Azure Information Protection tenant key for more.

Verify new OME configuration in Exchange Online PowerShell

You can verify that your Office 365 tenant is properly configured to use the new OME capabilities in Exchange Online PowerShell.

  1. Connect to Exchange Online PowerShell using an account with global administrator permissions in your Office 365 tenant.

  2. Run the Get-IRMConfiguration cmdlet.

    You should see a value of $True for the AzureRMSLicensingEnabled parameter, which indicates that OME is configured in your tenant. If it is not, use Set-IRMConfiguration to set the value of AzureRMSLicensingEnabled to $True to enable OME.

  3. Run the Test-IRMConfiguration cmdlet using the following syntax:

    Test-IRMConfiguration [-Sender <email address >]
    

    Example:

    Test-IRMConfiguration -Sender securityadmin@contoso.com
    
    • Providing a sender email is optional, but forces the system to perform additional checks. Use the email address of any user in your Office 365 tenant.

    Your results should be similar to:

    Results : Acquiring RMS Templates ...
               - PASS: RMS Templates acquired.  Templates available: Contoso  - Confidential View Only, Contoso  - Confidential, Do Not
           Forward.
           Verifying encryption ...
               - PASS: Encryption verified successfully.
           Verifying decryption ...
               - PASS: Decryption verified successfully.
           Verifying IRM is enabled ...
               - PASS: IRM verified successfully.
    
           OVERALL RESULT: PASS
    
  4. Run the Remove-PSSession cmdlet to disconnect from the Rights Management service.

    Remove-PSSession $session
    

Next steps: Define mail flow rules to use new OME capabilities

If there are previously configured mail flow rules to encrypt email in your Office 365 organization, you need to update the existing rules to use the new OME capabilities. For new deployments, you need to create new mail flow rules.

Important

If you do not update existing mail flow rules, your users will continue to receive encrypted mail that uses the previous HTML attachment format, instead of the new seamless OME experience.

Mail flow rules determine under what conditions email messages should be encrypted, as well as conditions for removing that encryption. When you set an action for a rule, any messages that match the rule conditions are encrypted when they're sent.

For steps on creating mail flow rules for OME, see Define mail flow rules to encrypt email messages in Office 365.

To update existing rules to use the new OME capabilities:

  1. In the Office 365 admin center, go to Admin centers > Exchange.
  2. In the Exchange admin center, go to Mail flow > Rules.
  3. For each rule, in Do the following:
    • Select Modify the message security.
    • Select Apply Office 365 Message Encryption and rights protection.
    • Select an RMS template from the list.
    • Select Save.
    • Select OK.