Configuring Office 365 Message Encryption

Configuring Office 365 Message Encryption in Exchange Online helps organizations secure their sensitive information based on transport rules in Exchange Online. Before we start configuring Office 365 Message Encryption, I hope you have a good understanding of what message encryption is, what it can do for you, and why we need it. If not, then please read my blog post on Office 365 Encryption Option.

Office 365 Message Encryption is a policy-based control for the sensitive information in your emails, and it is a replacement for Exchange Hosted Encryption Service.

Before we start configuring Office 365 Message Encryption, please make sure you understand the requirements for message encryption as described below.

  • We have an Office 365 tenant set up.
  • We have the required license. Office 365 Message Encryption requires the purchase of Microsoft Azure Rights Management, which is available for $2.00 per user per month.

The Microsoft Azure Rights Management service is already included in E3, E4, A3 and A4 licenses. We’re using an E3 license in our lab, which qualifies us to set up message encryption in Office 365.

  • We have a supported client device. Office 365 encrypted messages can be viewed on any client device that can open HTML attachments in a browser that supports Form Post.
  • We can encrypt a message of up to 150 megabytes in size. For more details about message size limits, see Exchange Online Limits.

To start configuring Office 365 Message Encryption, the first step is to activate Azure Rights Management. To do so, navigate to Service Settings -> Rights Management and click on Manage.

Ensure that Rights Management is activated. If not, click on Activate. Once Rights Management is activated, we’re left with only two more steps to configure message encryption. To configure encryption, the administrator must have the required permissions: Compliance Management, Records Management and Organization Management rights in Exchange Online. Alternatively, you can download the Azure AD Rights Management Tool from TechNet.

After installing the Azure AD management tool, run the following cmdlet to set the execution policy to RemoteSigned. The default value is Restricted.

  • After setting the execution policy to RemoteSigned, connect to Exchange Online PowerShell.
  • Configure the RMS key sharing location in Exchange Online. Use the key sharing URL corresponding to your location.
  • Run the following cmdlet to configure the key sharing location. My location is North America and I’ve selected the key for NA.


  • Import the Trusted Publishing Domain from RMS Online. To do so, run the cmdlet Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online".
  • Run the "Test-IRMConfiguration -RMSOnline" cmdlet to verify the IRM configuration.
  • Enable IRM for Office 365 Message Encryption using Set-IRMConfiguration -InternalLicensingEnabled $true.
  • Once IRM is configured, the next step is to configure transport rules in Exchange Online.
  • Navigate to Exchange Online -> Mail Flow -> Rules. Click on the + icon to create a new rule.

Name your rule and define the encryption parameters as shown below. We’ve configured a rule to encrypt messages if the sender is within the organization.


Once you define the rule, click on Save and you’re done configuring Office 365 Message Encryption. You can configure a rule based on keywords, recipient, sender and a lot of other options. An encrypted email is sent to the recipient as an attachment, and the recipient needs to log in with his credentials to read the information within the email. The recipient can log in using his Microsoft account or organizational account. I highly recommend using this cool feature in Office 365 to secure your mail flow. For more information on Office 365 Message Encryption, please have a look at the Office 365 Message Encryption FAQs at TechNet.
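
The PowerShell steps above, collected into one script with a check after each configuration change. This is an added example, not the original post's own commands, and it also creates the transport rule from the shell instead of the admin center. Assumptions: the key sharing URL is the North America value from Microsoft's documentation, the rule name is hypothetical, and the session uses the Exchange Online remote PowerShell endpoint of the time.

```powershell
# Added example. Run as an administrator holding the Exchange Online roles listed above.
$ErrorActionPreference = 'Stop'   # abort on any cmdlet error

# Assumption: North America key sharing URL per Microsoft's documentation.
# Replace it with the URL for your own region.
$KeySharingUrl = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
$RuleName      = 'Encrypt mail from internal senders'   # hypothetical rule name

Set-ExecutionPolicy RemoteSigned   # default is Restricted

# Connect to Exchange Online (assumed remote PowerShell endpoint and auth method)
$cred    = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://ps.outlook.com/powershell/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session | Out-Null

try {
    # Point Exchange Online at the RMS key sharing location, then import the TPD
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingUrl
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

    # Show the IRM test results and let the operator decide whether to continue;
    # a failed check here does not raise an error on its own.
    Test-IRMConfiguration -RMSOnline | Format-List
    if ((Read-Host 'Did every check pass? (y/n)') -ne 'y') { return }

    # Enable IRM and confirm the settings that were just written
    Set-IRMConfiguration -InternalLicensingEnabled $true
    Get-IRMConfiguration |
        Format-List InternalLicensingEnabled, RMSOnlineKeySharingLocation

    # Create the rule only if it does not exist yet, so the script can be re-run
    if (-not (Get-TransportRule | Where-Object { $_.Name -eq $RuleName })) {
        New-TransportRule -Name $RuleName -FromScope InOrganization -ApplyOME $true
    }
    Get-TransportRule -Identity $RuleName |
        Format-List Name, State, FromScope, ApplyOME
}
finally {
    Remove-PSSession $session   # always close the remote session
}
```

After it runs, send a test message from an internal mailbox to an external address and confirm it arrives as an encrypted HTML attachment.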