Office 365 Message Encryption – configuration

This article explains how to configure Exchange Online for Office 365 Message Encryption. Office 365 Message Encryption is an encryption system delivered through Microsoft’s Information Rights Management (IRM) framework using “transport rules”. When an outgoing email meets the rule criteria, for instance a keyword in the subject header, the encryption service is applied to it. This means users do not have to deploy services on individual hosts to use encryption. As long as one or more criteria are met, email sent from any device is encrypted when it is processed by the server.

Please read the whole article before beginning work. Configured hosts can be used to manage customers’ servers provided the network administrator has a customer’s global administrator rights.

Powershell users may prefer to approach this manually; however, the automated approach set out here avoids the problem of having to configure a “Trusted Publishing Domain”. Without a Trusted Publishing Domain, IRM services cannot be enabled manually.

Office 365 Message Encryption relies on IRM services which in turn depend on Azure Directory Services (ADS) which is available with E* subscriptions, and possibly with Business Premium. ADS must still be manually activated by going to: Admin – Office 365 – Service Settings – Rights Management.

Once Azure Directory Services are active, IRM can be enabled on Exchange Online Server in a one-off modification, and then users can establish “rules” for Microsoft Office 365 Message Encryption in Admin – Exchange – Mail Flow – Rules.

Workstation Prerequisites:

Office 365 Message Encryption requires IRM services to be enabled on Exchange Online. Although ADS is enabled using the portal, IRM is enabled via a Powershell remote session that invokes a script provided by Microsoft called EnableIRMforEXO. The remote session requires the four applications to be installed on the local host:

Install the applications in the order listed. Note also that Powershell (PS) must run in Administrator mode.

PS runs in a restricted mode by default that prohibits the execution of unsigned scripts. If PS has not been modified, users will typically get a PS error message like:

File C:\Common\Scripts\hello.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see “get-help about_signing” for more details.
At line:1 char:13
+ .\hello.ps1 <<<<
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException

To enable scripting, open PS and run the following command. This is a one-time command, and the setting can be reverted later.

Set-ExecutionPolicy RemoteSigned

Enabling IRM on Exchange Online

Using the unzipped script – EnableIRMforEXO – Powershell establishes a remote session with Exchange Online Server and, on confirmation of location and user credentials, executes the necessary server modifications. The command accepts strings for “location” and “get-credentials” as arguments; however, the cmdlet works more reliably if it is left to prompt for location and credentials itself. These instructions assume the script is installed in c:\scripts\.

  • open Powershell
  • enter c:\scripts\EnableIRMforEXO
  • when prompted for location, input European Union
  • complete when prompted for user name etc.

The process will execute and return results. This should be adequate for enabling Office 365 Message Encryption.
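As an added example, not part of the original article, the following PowerShell session checks the downloaded script’s signature before running it (the point of the RemoteSigned policy above), confirms IRM is actually enabled, and then creates the subject-triggered mail flow rule the article describes. It assumes the ExchangeOnlineManagement module is installed, that the script carries a .ps1 extension, and uses placeholder admin and user addresses.

```powershell
# Added example (not the article's or Microsoft's code). Assumptions: the
# ExchangeOnlineManagement module is installed, the account holds global
# administrator rights, the script lives at the article's path with a .ps1
# extension, and the addresses below are placeholders.

# 1. Inspect the Authenticode signature on the Microsoft-provided script.
#    RemoteSigned only enforces signing for files flagged as downloaded, so an
#    explicit check makes the decision visible: NotSigned or HashMismatch stops here.
$script = 'C:\scripts\EnableIRMforEXO.ps1'
$sig = Get-AuthenticodeSignature -FilePath $script
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $script : signature status is $($sig.Status)"
}
"Signer: $($sig.SignerCertificate.Subject)"

# 2. Connect with modern authentication (the article's era used New-PSSession).
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

# 3. Confirm IRM is switched on before building rules on top of it.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'IRM licensing is not enabled in Exchange Online; run EnableIRMforEXO first.'
}
# Test-IRMConfiguration exercises the RMS templates end to end for a real sender.
Test-IRMConfiguration -Sender 'user@contoso.example' | Format-List Results, OverallResult

# 4. Create the transport rule: outbound messages whose subject carries the
#    trigger word get Office 365 Message Encryption applied as they leave.
$ruleName = 'OME - encrypt on subject keyword'
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -SubjectContainsWords 'Encrypt' `
        -SentToScope NotInOrganization `
        -ApplyOME $true `
        -Comments 'Constructed example rule for the OME configuration article'
}

# 5. Rules are evaluated in Priority order, so review where this one landed
#    relative to any rule that could short-circuit it.
Get-TransportRule | Sort-Object Priority |
    Select-Object Priority, Name, State, SubjectContainsWords, ApplyOME |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```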

EOP/TLS Encryption

Office 365 Message Encryption is an easy-to-use service that lets email users send encrypted messages to people inside or outside their organization. Designated recipients can easily view their encrypted messages and return encrypted replies. Regardless of the destination email service (Yahoo, Gmail, or any other), email users can send confidential business communications with an added level of protection against unauthorized access.

There are many scenarios in which email message encryption might be required, including:

  • A bank employee sending credit card statements to customers
  • An insurance company representative providing policy details to customers
  • A mortgage broker requesting financial information from a customer for a loan application
  • A health care provider sending health care information to patients
  • An attorney sending confidential information to a customer or another attorney
  • A consultant sending a contract to a customer

Exchange Online and Exchange Online Protection (EOP) administrators set up Office 365 Message Encryption by defining encryption rules. ComStat engineers can help customers with subscribed support service customize encrypted messages with organizational text and logo, presenting a company brand that’s familiar to message recipients.

Additionally, Exchange provides advanced services for higher-level encryption, such as certificate-based TLS. The diagram below shows the workflow through which Office 365 Message Encryption protects encrypted emails from being read by unauthorized users, while allowing straightforward access by authorized recipients.

[Diagram: encryption workflow]

‘Appy Days for Office 365

Office 365 users can tap into the Office Store’s app inventory to customise Office 365.

The facility enables authorised users to install apps from the Office 365 store.

Popular apps include Microsoft’s “Bing Maps”, which detects addresses in email content and gives users options to open maps within Outlook Web Access (OWA). Another app which admins love is a tool for rendering email headers, which for some reason Microsoft have made so difficult for engineers to access in later versions of Outlook.

The real value comes for organisations whose admins can install apps within their Office 365 environment, and either make apps optionally available to end users, or push apps directly to end user accounts. This “server room” capability hints at Office 365’s more extensive features available to administrators, who have access to Exchange 2013’s full suite of management tools, which range from user account management to archiving policies and even options for managing, restricting, or wiping data on users’ connected mobile phones and tablets following loss or theft.

For a thirty-day trial of Office 365, or for a demonstration of services, please contact Steve Galloway on 07834 461 266.

Message Header Screen shots

The Message Header Analyzer runs as a drop-down window in OWA’s email reading pane. Users click open the tool for a fully featured report on transport, anti-spam data, and other headers which help engineers isolate delivery issues. This screen shot shows summary header information; click on the images to see full-resolution detail:

The Message Header Analyzer for OWA is a fully specified tool for examining various header types not normally available. This image shows the summary header.

Message Header Analyzer also reports on header information not usually available in mainstream services like GMail, Windows Live, and Yahoo. Data is broken down into categories to help engineers understand present or potentially developing spam problems and transit information. In this screen shot, we have opened the “Original Headers” tab to capture the raw data that engineers rely on when troubleshooting. Click on the images to see full-resolution detail: