View RSS Feed


Office 365 E-mail Encryption

Rate this Entry
by , 17th July 2014 at 12:09 AM (3093 Views)
With the recent blog from the ICO about the thing to consider when sending E-mails parents i thought this would be an opportune time to post a quick HOW-TO-GUIDE on setting up E-mail encryption in Office 365.

I don't want to get into the specifics of why or why not to encrypt here but i'll show you what you need and how to achieve it.

First thing to consider is licensing. As far as education is concerned the only way to license a user for E-mail encryption is by purchasing an A3 license. I see this as a bit of an oversight on Microsoft's part as Enterprise users can purchase the specific part of this license (Azure Rights Management) separately. This license will cost you £3.40 per User per Month.
This does seem expensive, but it comes with a host of other benefits like mobile Apps for android and IOS, unlimited storage in exchange, being able to install Office on 5 PCs/MACs/etc per user and some other features you can see here.

The next thing to bare in mind is that the recipient will need a Microsoft account. Now this doesn't have to be a Microsoft E-mail account, you can attach a gmail, yahoo or any other type of address to a Microsoft account, but the recipient will need a way of signing in to Microsoft with their E-mail address. The sign up process is pretty quick and can be completed in under 5 minutes.

Now we've got past the money bit we can get to the set up.

The first thing you'll need to do is activate Azure Rights Management on Office 365.

In the Office 365 Admin Center, go to 'Service Settings'.


In 'Service Settings', click on the 'Rights Management' tab. When clicked-on for the first time, the portal might take a few moments to set up rights management, before displaying any content.

When it does, click on 'Manage'.


Click to 'activate' rights management.




Rights management is activated.


Next we need to set up Azure Rights Management. This bit, as with so much in Office 365, requires some PowerShell commands.
I'm going to assume you already know how to connect to Office 365 & Exchange Online already. If not there are some good guides already on here.

Before we can run the PowerShell commands we need to make sure we have the correct permissions.

You can do this by adding your administrator to be a part of the following role groups under Office 365 portal \ Exchange admin center \ permissions \ admin roles

Compliance Management
Organization Management
Records Management

Then we need to download the Azure Rights Management administration module.

Go to the Microsoft Download Centre and download the Azure Rights Management Administration Tool which contains the Azure Rights Management administration module for Windows PowerShell.

We now need to connection to Exchange Online,

Once you have done that we need to set the RMS key sharing location. I'll post the commands for the EU location but the other locations are as follow:
North America:

European Union:


South America:
So the code you will need to execute in PowerShell if you are connection to the EU RMS key is:
Set-IRMConfiguration -RMSOnlineKeySharingLocation ""
Run the following command to import the Trusted Publishing Domain (TPD) from RMS Online:
Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
To keep things simple you can remove the IRM templates for users from Outlook and OWA and just leave them for admins to set up.

To disable IRM templates in OWA and Outlook:
Set-IRMConfiguration - ClientAccessServerEnabled $false
To enable IRM for Office 365 Message Encryption:
Set-IRMConfiguration -InternalLicensingEnabled $true
Now Office 365 is all set up to use E-mail encryption you just need to assign the A3 licenses to your users.

Next is to set up some policies to encrypt the E-mails.

The first thing i did was to give users an option to encrypt any E-mail they want to by prefixing their E-mail subject with "Encrypt:"

To set this up we need to go into the Exchange Admin Centre, then Mail Flow and then Rules.

We create a new rule


Then click more options near the bottom to allow us to see the extra features.


Then we set the following options

*Apply this rule if...
The subject or body... > subject includes any of these words

Then type in "Encrypt:" without the quotes.

*Do the following...
Modify the message security... > Apply Office 365 Message Encryption


This will now encrypt any e-mail the contains the text 'Encrypt:'

Next we get to a slightly more complex rule. To automatically detect any E-mail that contains a UPN number and encrypt it.

The same method as above but a slightly different setting for detecting the text, we'll use a regex statement that @Arthur helped me out by providing.

We go through the same process as before but now we want the following:

* Apply this rule if...
The Recipient is located... Outside the Organisation.


The subject or Body... The subject or body matches these text patterns

the bit of regex code we enter is
*Do the following...
Modify the message security... > Apply Office 365 Message Encryption


Lastly if we also want to detect the UPN in attachments we need another policy for that.

* Apply this rule if...
The Recipient is located... Outside the Organisation.


Any attachment... content matches these text patterns

add this code again
*Do the following...
Modify the message security... > Apply Office 365 Message Encryption


Lastly there are some built in Data Loss Prevention policies but i have found these to be not very applicable to education.
However i will show you one quickly.

Go to Exchange Admin Centre \ Compliance Management \ data loss prevention

click the + and select 'new DLP policy from template'

You can select from pre-built templates and there are a few specific to the U.K. and lots of other related to other countries too.
Some of these will encrypt your E-mails or give the user a warning that they are about the send confidential data with the option to override.

U.K. Access to Medical Reports Act
U.K. Data Protection Act
U.K. Financial Data
U.K. Personal Information Online Code of Practice ‎(PIOCP)‎
U.K. Personally Identifiable Information ‎(PII)‎ Data
U.K. Privacy and Electronic Communications Regulations

We are not fully set up to send encrypted E-mails, but what does it look like to receive an encrypted email?

The recipient will receive an email with a 'message.html' attachment. This email will have the same subject line as the originally sent email.


Double click or open the 'message.html' attachment in a browser – preferably Internet Explorer.


Click on 'View your encrypted message'.


Use one of the sign in options.

If the recipient has never received an email from Office 365 Message Encryption service, then an initial sign up process is required to verify the account. Once signed up, the recipient can use the created credentials for any future messages encrypted by Office 365 Message Encryption Service.
If the recipient's email address belongs to one of Microsoft's services like Office 365, then the same can be used directly to sign in and view the encrypted message.
If however, the recipient address belongs to a third-party or unsupported service, an associated Microsoft account is created for the recipient as part of the sign up process.
Note that the recipient does not need an Office 365 Message Encryption license to view or reply to the encrypted message. And all subsequent replies to an encrypted message, including attachments, are also encrypted.

The message opens in a captive portal.

The recipient will be able to 'reply', 'reply all' or 'forward' the email.


The recipient can insert an attachment to the reply and it goes out as part of the encrypted message.

Also, the recipient automatically receives a copy of the reply, as an encrypted email, for reference.


When the reply is sent, it is delivered as an encrypted message to the first sender.

This is because there is no decryption rule in place.

All subsequent communications are thus encrypted.

We can now make or staff's lives that little bit easier and create a rule to decrypt all incoming E-mails.

We go back to Exchange Admin Centre \ mail flow \ rules

Create new Rule and add the following options

* Apply this rule if...
The Recipient is located... Inside the Organisation.

*Do the following...
Modify the message security... > Remove Office 365 Message Encryption


We are not finished!

This is my first post like this so i welcome any criticisms (please don't be too harsh!)
If you have any other questions please feel free to ask.
I'd like to discuss any ideas for other data types that would be worth detecting and encrypting.


Source Materials:
technet blog
technet IRM

Updated 17th July 2014 at 12:19 AM by Marshall_IT



  1. FN-GM's Avatar

    Do you use the Encrypt message option in Outlook or OWA? Or do you find your users forget to use this?

  2. Marshall_IT's Avatar
    Hi FN-GM,

    my users do sometimes use the encrypt feature in outlook out OWA but that is mainly myself or the data Manager. Most users find it easier if they can just prefix the subject with encrypt.

    Thanks for reading.
  3. FN-GM's Avatar
    Thanks for posting

    Looking at something like this for some of the admin staff, it looks something fairly simple for the end users


Total Trackbacks 0
Trackback URL: