How to Enable Office 365 Email Encryption in PowerShell | Step by Step Guide
If you are not encrypting your email, it is vulnerable to hackers, identity thieves, and snooping government agencies. This tutorial walks you through encrypting your email step by step.
The new Office 365 Message Encryption (OME) capabilities allow organizations to share protected email with anyone on any device. Users can exchange protected messages with other Office 365 organizations, as well as non-Office 365 customers using Outlook.com, Gmail, and other email services.
Why Email Encryption
Office 365 Message Encryption is an online service that is built on Microsoft Azure Rights Management (Azure RMS). With Azure RMS set up for an organization, administrators can enable message encryption by defining transport rules that determine the conditions for encryption. A rule can, for example, require the encryption of all messages addressed to a specific recipient. When a user sends an email message in Exchange Online that matches an encryption rule, the message is sent out with an HTML attachment. The recipient opens the HTML attachment in the email, recognizes a familiar brand if one is present, and follows the embedded instructions to view the encrypted message on the Office 365 Message Encryption portal. The recipient can choose to view the message by signing in with a Microsoft account, Google, Yahoo, etc., or by using a one-time passcode. Both options help ensure that only the intended recipient can view the encrypted message.
Protection capabilities are included in the following Office 365 subscription plans (also known as “Azure Information Protection for Office 365”):
- Office 365 Education A1
- Office 365 Enterprise E3
- Office 365 Education A3
- Office 365 Government G3
- Office 365 Enterprise E4
- Office 365 Education A4
- Office 365 Government G4
- Office 365 Enterprise E5
- Office 365 Education A5
Configure Email Encryption in Office 365
There are three main steps to follow:
- Activate Azure Rights Management.
- Create a template in Azure Information Protection or use the default templates.
- Set up transport rules to enforce message encryption in Exchange Online.
Verify that Azure Rights Management is active
- If your subscription that includes Azure Rights Management or Azure Information Protection was obtained towards the end of February 2018 or later: The service is automatically activated for you. You do not have to activate the service unless you or another global administrator for your organization deactivated Azure Rights Management.
- If your subscription that includes Azure Rights Management or Azure Information Protection was obtained before or during February 2018: Microsoft is starting to activate the Azure Rights Management service for these subscriptions if your tenant is using Exchange Online. For these subscriptions, automatic activation is starting to roll out August 1, 2018, when the service will be activated.
How to activate Rights Management protection from the Microsoft 365 admin center – requires Global Administrator account
- Go to Office 365 Admin Portal
- Settings > Services & add-ins > Microsoft Azure Information Protection > Manage Microsoft Azure Information Protection settings.
- On the rights management page, click Activate.
How to activate the Rights Management protection service from the Azure portal – does not require Global Administrator account
Use these instructions if you want to activate the Rights Management protection service (Azure RMS) from Azure Information Protection, by using the Azure portal.
- If you haven’t already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection blade.
- Click All services and start typing Information in the Filter box. Select Azure Information Protection.
- If you haven’t accessed the Azure Information Protection blade before, see the one-time additional steps to add this blade to the portal.
- Locate the Manage menu options, and select Protection activation.
- Click Activate, and then confirm your action.
- When activation is complete, the information bar displays Activation finished successfully.
Create Template in Azure Information Protection – Skip this if you want to use the default template
Default Templates:
- Encrypt-Only
- Do Not Forward
- Confidential
- High Confidential
- Sign in to the Azure portal. Then navigate to the Azure Information Protection blade.
- Click All services and start typing Information in the Filter box. Select Azure Information Protection.
- Add a new label
Enable Office 365 Email Encryption in PowerShell
Open PowerShell ISE as Administrator and run the following commands:
#Connect to the Azure Rights Management service.
$cred = Get-Credential
Get-Command -Module aadrm
Connect-AadrmService -Credential $cred
#Activate the service.
Enable-Aadrm
#Get the configuration information needed for message encryption.
$rmsConfig = Get-AadrmConfiguration
$licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
#Disconnect from the service.
Disconnect-AadrmService
#Create a remote PowerShell session and connect to Exchange Online.
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session
#Collect IRM configuration for Office 365.
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
if (!$list) { $list = @() }
if (!$list.Contains($licenseUri)) { $list += $licenseUri }
#Enable message encryption for Office 365.
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true
#Enable the Protect button in Outlook on the web (Optional).
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
#Enable server decryption for Outlook on the web, Outlook for iOS, and Outlook for Android.
Set-IRMConfiguration -ClientAccessServerEnabled $true
#Checks IRM Configuration
Get-IRMConfiguration
#Test the IRM configuration (replace the placeholder with a sender mailbox in your tenant).
Test-IRMConfiguration -Sender admin@yourdomain.com
#Exit from session
Remove-PSSession $session
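The script above enables message encryption but does not cover step 3 of the procedure, setting up a transport rule. The following is an added example, not part of the original page, that creates a rule encrypting all mail addressed to a specific recipient. It must run while the Exchange Online session is still imported (before Remove-PSSession), and the function name, rule name, recipient address and template name are assumptions.

```powershell
# Added example; function name, rule name and recipient are hypothetical.
function New-OmeRecipientRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $RuleName,
        # Full address (or address fragment) of the recipient to protect.
        [Parameter(Mandatory)] [string[]] $RecipientAddress,
        # Template name exactly as Get-RMSTemplate reports it in your tenant.
        [Parameter(Mandatory)] [string]   $TemplateName,
        # Audit records matches without enforcing; move to Enforce after review.
        [ValidateSet('Audit', 'AuditAndNotify', 'Enforce')]
        [string] $Mode = 'Audit'
    )

    # Stop if Azure RMS licensing is off: the rule could not apply protection.
    if (-not (Get-IRMConfiguration).AzureRMSLicensingEnabled) {
        throw 'AzureRMSLicensingEnabled is False; enable IRM first.'
    }

    # Make sure the rule references a template that actually exists.
    $names = @(Get-RMSTemplate | Select-Object -ExpandProperty Name)
    if ($names -notcontains $TemplateName) {
        throw "Template '$TemplateName' not found. Available: $($names -join ', ')"
    }

    # Do not create a second rule under the same name.
    if (Get-TransportRule | Where-Object { $_.Name -eq $RuleName }) {
        throw "Transport rule '$RuleName' already exists."
    }

    if ($PSCmdlet.ShouldProcess($RuleName, "Create encryption rule in $Mode mode")) {
        New-TransportRule -Name $RuleName `
            -RecipientAddressContainsWords $RecipientAddress `
            -ApplyRightsProtectionTemplate $TemplateName `
            -Mode $Mode
    }
}

# Constructed usage: protect all mail addressed to one external recipient.
# 'Encrypt' is an assumed template name; confirm it with Get-RMSTemplate.
New-OmeRecipientRule -RuleName 'Encrypt mail to partner' `
    -RecipientAddress 'partner@example.com' -TemplateName 'Encrypt'
```

The rule is created in Audit mode by default, so matches can be reviewed in message tracking before the rule is switched to Enforce.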
How to Send Encrypted Email Messages in Outlook 2013, 2016, 2019 and Outlook for Office 365