Set up new Office 365 Message Encryption capabilities
With the new Office 365 Message Encryption (OME) capabilities, which leverage the protection features in Azure Information Protection, your organization can easily share protected email with anyone on any device. Users can send and receive protected messages with other Office 365 organizations as well as non-Office 365 customers using Outlook.com, Gmail, and other email services.
Get started with OME by activating Azure Rights Management, part of Azure Information Protection
It's now easy to get started with the new OME capabilities. As of February 2018, Office 365 automatically enables the new OME capabilities for eligible organizations within our datacenters. Your organization is eligible if it is a new Office 365 tenant and your organization has the appropriate subscriptions. If you have enabled Azure Rights Management (Azure RMS), part of Azure Information Protection, then we automatically enable Office 365 Message Encryption for you. You don't have to do anything else to enable OME. To activate Azure Rights Management, see Activating Azure Rights Management. For information on subscriptions, see "What subscriptions do I need to use the new OME capabilities?" in the Office 365 Message Encryption FAQ. For information about purchasing a subscription to Azure Information Protection, see Azure Information Protection.
If you are using Exchange Online with Active Directory Rights Management service (AD RMS), you can't enable these new capabilities right away. Instead, you need to migrate from AD RMS to Azure Information Protection first. When you've finished the migration, you can successfully complete these steps.
If you choose to continue to use on-premises AD RMS with Exchange Online instead of migrating to Azure Information Protection, you will not be able to use these new capabilities.
How the new capabilities for OME work
The new Office 365 Message Encryption capabilities use the protection capabilities, also called Azure Rights Management (Azure RMS), from Azure Information Protection. This includes encryption, identity, and authorization policies to help secure your email. You can encrypt messages by using rights management templates, the Do Not Forward option, and the encrypt-only option. Users can then encrypt email messages and a variety of Office 365 attachments by using these options. For a full list of supported attachment types, see "File types covered by IRM policies when they are attached to messages" in Introduction to IRM for email messages. As an administrator, you can also define mail flow rules to apply this protection. For example, you can define a rule where all unprotected messages that are addressed to a specific recipient or that contain specific words in the subject line are protected from unauthorized access, and the recipients can't copy or print the contents of the message.
Unlike the previous version of OME, these new capabilities provide a unified sender experience whether you're sending mail inside your organization or to recipients outside of Office 365. In addition, recipients who receive a protected email message sent to an Office 365 account in Outlook 2016 or Outlook on the web, don't have to take any additional action to view the message. It works seamlessly. Recipients using other email clients and email service providers also have an improved experience. For information, see Learn about protected messages in Office 365 and How do I open a protected message.
Steps to manually set up the new capabilities for OME
If your organization does not automatically have OME enabled, or if you turned OME off, follow these steps to manually set up the new capabilities for OME.
To manually set up the new capabilities for OME
Ensure you have the right subscription for your organization. For information on subscriptions, see "What subscriptions do I need to use the new OME capabilities?" in the Office 365 Message Encryption FAQ. For information about purchasing a subscription to Azure Information Protection, see Azure Information Protection.
Decide whether you want Microsoft to manage the root key for Azure Information Protection (the default), or generate and manage this key yourself (known as bring your own key, or BYOK). If you want to generate and manage this key yourself, you need to complete some steps before you set up the new capabilities for OME. For more information, see Planning and implementing your Azure Information Protection tenant key. Microsoft recommends that you complete these steps before you set up OME.
Enable the new capabilities for OME by activating Azure Rights Management. For instructions, see Activating Azure Rights Management. When you do this, Office 365 automatically enables the new OME capabilities for you.
Outlook on the Web caches its UI, so it's a good idea to wait a day before you try applying the new capabilities for OME to email messages using this client. Before the UI updates to reflect the new configuration, the new capabilities for OME won't be available. After the UI updates, users can protect email messages by using the new capabilities for OME.
(Optional) Set up new mail flow rules or update existing mail flow rules that define how and when you want Office 365 to encrypt messages sent from your organization.
Verify that the new capabilities for OME are configured properly by using Windows PowerShell
Follow these steps to verify that your tenant is properly configured to use the new capabilities for OME through Exchange Online PowerShell.
Using a work or school account that has global administrator permissions in your Office 365 organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see Connect to Exchange Online PowerShell.
Run the Test-IRMConfiguration cmdlet using the following syntax:
Test-IRMConfiguration [-Sender <email address >]
Test-IRMConfiguration -Sender email@example.com
Where email address is the email address of a user in your Office 365 organization. While optional, providing a sender email address forces the system to perform additional checks.
Your results should look like these:
Results : Acquiring RMS Templates ... - PASS: RMS Templates acquired. Templates available: Contoso - Confidential View Only, Contoso - Confidential, Do Not Forward. Verifying encryption ... - PASS: Encryption verified successfully. Verifying decryption ... - PASS: Decryption verified successfully. Verifying IRM is enabled ... - PASS: IRM verified successfully. OVERALL RESULT: PASS
Where Contoso is replaced with the name of your Office 365 organization.
The names of the default templates returned in the results may be different from those displayed in the results above.
For an introduction to templates and information about the default templates, see Configuring and managing templates for Azure Information Protection. For information about the Do Not Forward option, encrypt-only option, and how to create additional templates, or find out what rights are included in an existing template, see Configuring usage rights for Azure Rights Management.
Run the Remove-PSSession cmdlet to disconnect from the Rights Management service.
Next steps: Define new mail flow rules that use the new OME capabilities
This step is optional for new OME deployments, however, this step is required for existing OME deployments that already have mail flow rules set up to encrypt outgoing mail. If you want to take advantage of the new OME capabilities, you must update your existing mail flow rules. Otherwise, your users will continue to receive encrypted mail that uses the previous HTML attachment format instead of the new, seamless OME experience.
Mail flow rules determine under what conditions email messages should be encrypted, as well as conditions for removing that encryption. When you set an action for a rule, any messages that match the rule conditions are encrypted when they're sent.
For more information about mail flow rules, see Define mail flow rules to encrypt email messages in Office 365.