How to configure Email encryption for Office 365

Back to Blog

How to configure Email encryption for Office 365

This is a four-part post on Azure Information Protection (formerly Rights Management) for Office 365. The Azure RMS service is a powerful tool that we can use to prevent data leakage and share information securely with users inside & outside of the organization.

Follow along as we explore how to:

  1. Activate Azure Information Protection for Office 365 
  2. Configure Email encryption for Office 365 (this post)
  3. Compare Email encryption & Rights Management templates
  4. Enable Rights Management for SharePoint Online & OneDrive for Business

Email encryption is a fantastic security feature included with certain Office 365 subscriptions. The encryption feature relies on Azure Information Protection / Rights Management, and we will need to activate this service to get started. With the service enabled, users will be given a variety of options to help protect their data.

Before you proceed to enabling the Email encryption and defining your transport rules (below), you will want to be sure and Activate Azure Information Protection: Settings > Services & add-ins > Microsoft Azure Information Protection. Later, we will compare encryption to information rights management rules in a follow-up post.


How-to Enable Email Encryption in Exchange Online

In order to enable Email encryption for Exchange Online, we will need to connect to your Exchange Online tenancy using PowerShell following these instructions, which are also summarized here:

Open PowerShell as administrator. Run the following commands:

Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential


The Get-Credential command will bring up a dialogue box for you to enter your Office 365 administrator credentials, which are then stored in the variable $UserCredential.  That variable is called in the following PS line.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

Finally, you can activate the session.

Import-PSSession $Session

You can verify successful connection to your Exchange server by running the command “Get-Mailbox” and pressing Enter.


Now, the first command you need to run to configure RMS will change slightly depending on your geography. There is a different “RMS key sharing location” depending on which region of the world you are based in. See this link for more details.

For North America, where I live, I must set the URL to the following:

Set-IRMConfiguration -RMSOnlineKeySharingLocation “”

Next, we have to “import the Trusted Publishing Domain (TPD)” from the online RMS service. What does this do? It connects Exchange Online to your Azure tenancy and imports the Rights Management templates that are associated with your domain (remember: you should only have two by default). If you have created additional templates in the Azure Management portal, it would import those also.

Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

Pause. If you want to see where we are at so far, run Get-IRMConfiguration:


You will notice that we have the value False for InternaLicensingEnabled, but True for ExternalLicensingEnabled.  You will want to enable it for Internal as well as External, so run this command:

Set-IRMConfiguration -InternalLicensingEnabled $true

To test the configuration, run the following:

Test-IRMConfiguration -Sender [email protected]

Replace [email protected] with a sender in your own organization. You should get an overall result of PASS.


Microsoft’s instructions suggest that you could also disable IRM templates from being visible to users in OWA and Outlook, which is optional. I do not typically do this. But this is the command, if you need it:

Set-IRMConfiguration – ClientAccessServerEnabled $false

How-to Define Email Encryption & IRM Rules

Now you can define rules that automatically encrypt messages when they meet certain criteria. Alternatively, we can make up a rule that allows users to decide when they want to encrypt messages, for example, by adding a keyword to the subject line such as “encrypt.”

From the Office 365 Admin portal, switch over to the Exchange Admin Center by going to Admin Centers > Exchange.


Now navigate to mail flow > rules > new (+). Choose Apply rights protection to messages.


In the dialogue that comes up, give the rule a name. I named mine: “Allow users to encrypt email with subject line keyword.” In the drop-down for Apply this rule if… find the selection for The subject or body… > subject includes any of these words.


I usually include “encrypt” and/or “encrypted” in the words list. But you may have some others you’d like to include.

Before proceeding, notice the link that says Select one… next to Apply rights protection to the message with… If you click on that, you will see a list of your default Azure RMS templates.


Marking something “Confidential” or “Confidential & View Only” is not exactly the same as Email encryption. We will see how templates behave later on. For now, exit out of the template menu, and flip the drop down selection for Do the following… to Modify the Message Security > Apply Office 365 Message Encryption.


Once you’re done, press Save.

For comparison, let’s also add a Rights Management rule to mark a message as Confidential View Only. For this rule, we will ask that the keyword “Confidential” be added to the subject line.

In the next post, we will compare the results for both of these rules, and see the behavior of each from the perspective of end-users.


Comments (2)

  • Bob Smith Reply

    What is the procedure to allow a group to decrypt messages and where are permissions set. TY.

    April 16, 2019 at 1:44 pm
    • Alex Reply

      The permissions are automatically applied to the recipients, who access the encrypted message by signing into OWA and viewing the message there. What this means is that the message never really left the Office 365 Exchange Online system. It is simply sending the recipient a link to come in and view the message. They have to identify themselves to Exchange online successfully in order to sign in and see the contents of the “encrypted” email. Magic revealed! As for attachments, it is possible to enable globally the ability to decrypt attachments as they are downloaded by the recipients (otherwise AIP is applied to the documents that are attached, and the user must sign into the Office apps also to view the content).

      April 17, 2019 at 12:55 pm

Leave a Reply

Back to Blog

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.