Office 365 Message Encryption – configuration

Office 365 Message Encryption – configuration

This article explains how to configure Exchange Online for Office 365 Message Encryption. Office 365 Message Encryption is an encryption system delivered via Microsoft’s Information Rights Management (IRM) framework using “transport rules”. When emails meeting criteria, for instance subject headers, are met, the encryption service is run on outgoing email. This means users do not have to deploy services on individual hosts to use encryption services. As long as one or more metrics meet established criteria, email sent from any device will be encrypted when it is processed by the server.

Please read the whole article before beginning work. Configured hosts can be used to manage customers’ servers provided the network administrator has a customer’s global administrator rights.

Powershell users may like to approach this manually, however using the automated approach set out here, users avoid the problem of having to configure a “Trusted Publishing Domain“. Without a Trusted Publishing Domain, IRM services cannot be enabled manually.

Office 365 Message Encryption relies on IRM services which in turn depend on Azure Directory Services (ADS) which is available with E* subscriptions, and possibly with Business Premium. ADS must still be manually activated by going to: Admin – Office 365 – Service Settings – Rights Management.

Once Azure Directory Services are active, IRM can be enabled on Exchange Online Server in a one-off modification, and then users can establish “rules” for Microsoft Office 365 Message Encryption in Admin – Exchange – Mail Flow – Rules.

Workstation Prerequisites:

Office 365 Message Encryption requires IRM services to be enabled on Exchange Online. Although ADS is enabled using the portal, IRM is enabledd via a Powershell remote session to invoke a script provided by Microsoft called EnableIRMforEXO. The remote session requires the four applications to be installed on the local host:

Install the applications in the order listed. Note also that Powershell (PS) mus run in Administrator mode.

PS runs in a restricted mode by default that prohibits the execution of unsigned scripts. If PS has not been modified, users will typically get a PS error message like:

File C:\Common\Scripts\hello.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see “get-help about_signing” for more details.
At line:1 char:13
+ .\hello.ps1 <<<<
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException

To enable scripting, open PS and run the following command. This is a one time command, and can be disabled.

set-executionpolicy remotesigned

Enabling IRM on Exchange Online

Using the unzipped script – EnableIRMforEXO – Powershell establishes a remote session with Exchange Online Server, and on confirmation of location and user credentials, executes the necessary server modifications. The command can be fully executed with strings for “location” and “get-credentials”, however the cmdlet works more reliably if it is left to call for location and credentials itself. These instructions assume the script is installed in c:\scripts\

  • open Powershell
  • enter c:\scripts\EnableIRMforEXO
  • when prompted for location, input European Union
  • complete when prompted for user name etc.

The process will execute and return results. This should be adequate for enabling Office 365 Message Encryption.