--- Sjoerd Hooft's InFormation Technology ---

Exchange Online - Message Encryption

There are several ways to encrypt your email using Exchange Online. See here for more information but it comes down to:

  • E-mail encryption:
    • OME: Encrypts messages sent to internal or external recipients.
    • S/MIME: User-based encryption; to use S/MIME, you must have public keys on file for each recipient. Recipients have to maintain their own private keys, which must remain secure.
    • IRM: Uses encryption and usage restrictions to provide online and offline protection for email messages and attachments. It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people.
  • Secure connection:
    • Office 365 email internal and external: Exchange Online servers always encrypt connections to other Exchange Online servers in our datacenters with TLS 1.2.
    • External email: By default, Exchange Online always uses opportunistic TLS. This means Exchange Online always tries to encrypt connections with the most secure version of TLS first, then works its way down the list of TLS ciphers until it finds one on which both parties can agree. If no agreement is reached, the connection is unencrypted.
    • Forced TLS: this requires an encrypted connection, otherwise the email will not be sent or received.
  • Data at rest: Encryption using BitLocker Drive Encryption

This page describes how to use the OME message encryption capabilities with Exchange Online. Follow these steps to configure the service.

Activate Azure Rights Management

Note that you need an E3 or E5 license to do this, as well as a global administrator account.

  • Log in to the Office 365 admin portal
  • Navigate: Settings > Services & add-ins > Microsoft Azure Information Protection > Manage Microsoft Azure Information Protection settings
  • On the rights management page, click Activate, and confirm

This automatically enables OME (Office 365 Message Encryption).

Activate User Licenses

This might not be strictly necessary. I need to test this next time I do this.

All users need the Azure Rights Management license.

  • Log into the azure portal with proper admin account
  • Go to Azure Active Directory
  • Go to Licenses
  • Go to All Products
  • Click on your E5 product (or E3, which also includes the required license)
  • Go to Licensed Groups
  • Click on Office365_Rings_Production
  • Click on Office 365 Enterprise E5
  • Set Azure Rights Management to On
  • Click Save

It could take a while for the setting to propagate.

Verify Office365 Message Encryption

You can verify the settings using PowerShell:

PS C:\Users\sjoerdadmin> Test-IRMConfiguration -sender
Results : Acquiring RMS Templates ...
              - PASS: RMS Templates acquired.  Templates available: Shift - Confidential, Shift - Confidential View Only,
          Encrypt, Do Not Forward.
          Verifying encryption ...
              - PASS: Encryption verified successfully.
          Verifying decryption ...
              - PASS: Decryption verified successfully.
          Verifying IRM is enabled ...
              - PASS: IRM verified successfully.

Verify OME Default Settings

You can check the settings using PowerShell with the Get-OMEConfiguration and Get-IRMConfiguration cmdlets:

PS C:\Users\sjoerdadmin> Get-OMEConfiguration
RunspaceId              : 00dc7da4-e429-4d7f-a8dc-3c0632432691
Image                   :
ImageUrl                :
EmailText               :
PortalText              :
DisclaimerText          :
BackgroundColor         :
IntroductionText        :
ReadButtonText          :
OTPEnabled              : True
SocialIdSignIn          : True
ClientEncryptionEnabled : True
ExpirationOptionEnabled : True
Identity                : OME Configuration
IsValid                 : True
ObjectState             : Unchanged
PS C:\Users\sjoerdadmin> Get-IRMConfiguration
InternalLicensingEnabled        : True
ExternalLicensingEnabled        : True
AzureRMSLicensingEnabled        : True
TransportDecryptionSetting      : Optional
JournalReportDecryptionEnabled  : True
SimplifiedClientAccessEnabled   : True
ClientAccessServerEnabled       : True
SearchEnabled                   : True
EDiscoverySuperUserEnabled      : True
DecryptAttachmentFromPortal     : False
DecryptAttachmentForEncryptOnly : False
AutomaticServiceUpdateEnabled   : True
RMSOnlineKeySharingLocation     :
RMSOnlineVersion                :
ServiceLocation                 :
PublishingLocation              :
LicensingLocation               : {}

Depending on your needs you might want to change these settings:

  • SocialIdSignIn : True
    • Users that receive encrypted messages can use their social ID accounts (currently Yahoo/Microsoft/Google) to decrypt messages
  • OTPEnabled : True
    • Users can use a one-time passcode to decrypt messages
  • SimplifiedClientAccessEnabled : True
    • Enables the Protect button in Outlook Web Access
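The following script is an added example, not part of the original page: it compares the OME and IRM settings listed above against a baseline you choose and, with -Apply, corrects any drift using the same cmdlets. It assumes the ExchangeOnlineManagement module is installed; the admin UPN is a placeholder.

```powershell
# Added example: audit OME/IRM settings against a baseline, optionally fix drift.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
param(
    [string]$AdminUpn = "admin@contoso.example",   # placeholder, replace with yours
    [switch]$Apply                                 # without -Apply, report only
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Baseline: the page keeps OTP and social sign-in enabled. Set these to $false
# if your policy only allows recipients to authenticate with a work account.
$expectedOme = @{
    OTPEnabled     = $true
    SocialIdSignIn = $true
}
$expectedIrm = @{
    AzureRMSLicensingEnabled      = $true   # OME does not work without this
    SimplifiedClientAccessEnabled = $true   # Protect button in Outlook on the web
}

$ome   = Get-OMEConfiguration -Identity "OME Configuration"
$irm   = Get-IRMConfiguration
$drift = @()

# Compare each expected property with the live value; record mismatches.
foreach ($name in $expectedOme.Keys) {
    if ($ome.$name -ne $expectedOme[$name]) {
        $drift += [pscustomobject]@{ Scope = 'OME'; Setting = $name; Actual = $ome.$name; Expected = $expectedOme[$name] }
    }
}
foreach ($name in $expectedIrm.Keys) {
    if ($irm.$name -ne $expectedIrm[$name]) {
        $drift += [pscustomobject]@{ Scope = 'IRM'; Setting = $name; Actual = $irm.$name; Expected = $expectedIrm[$name] }
    }
}

if ($drift.Count -eq 0) { Write-Host "OME/IRM settings match the baseline." }
else { $drift | Format-Table -AutoSize }

# Parameter names of Set-OMEConfiguration / Set-IRMConfiguration match the
# property names, so a one-entry hashtable can be splatted directly.
if ($Apply) {
    foreach ($d in $drift) {
        $params = @{ $d.Setting = $d.Expected }
        if ($d.Scope -eq 'OME') { Set-OMEConfiguration -Identity "OME Configuration" @params }
        else                    { Set-IRMConfiguration @params }
    }
}

# End-to-end check, as on this page: templates, encryption and decryption.
Test-IRMConfiguration -Sender $AdminUpn
```

Run it without -Apply first so the drift table can be reviewed before any setting is changed.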

Add SHIFT Brand

We can use PowerShell to add some branding to the wrapper email and portal:

PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential and only for the intended recipient. "
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Secured Message from SHIFT. You will only receive secure messages if previously agreed on. Please contact SHIFT in case you have questions regarding the source or confidentiality of this message. "
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME Configuration" -PortalText "SHIFT Portal for secure email messages."
PS C:\Users\sjoerdadmin> Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "D:\sjoerdadmin\shift-logo.png" -Encoding byte)


Given the many combinations of clients and recipients involved in sending and receiving encrypted email, I strongly advise testing at least the following scenarios so you can give your users detailed guidance:

Sending Email

  • Encryption Policy: Do not forward
    • Outlook
    • Outlook online
    • Outlook mobile
  • Encrypt
    • Outlook (watch out; different behavior between client versions)
    • Outlook online
    • Outlook mobile
  • Confidential policies
    • Outlook
    • Outlook online
    • Outlook mobile
  • Attachments: Office files
  • Attachments: Pdfs

Receiving Email

  • All encryption policies as an internal user
    • Outlook
    • Outlook Online
    • Outlook Mobile
  • All encryption policies as an external user
    • Office 365 users
    • Microsoft users (hotmail; live; msn; outlook; etc.)
    • Google and yahoo users
    • Users with independent email accounts
  • Attachments: Office files
  • Attachments: Pdfs


o365me.txt · Last modified: 2021/09/24 00:25 (external edit)