Setup and Enable Office 365 Message Encryption

The process to set up and enable Office 365 Message Encryption is really easy. There are three main steps that need to be followed:

  1. Activate Azure Rights Management
  2. Set up Azure Rights Management for Exchange Online
  3. Set up transport rules to enforce message encryption in Exchange Online


The following Microsoft TechNet article details the process; I have a step-by-step below.


Office 365 Message Encryption Mail Flow



Activate Azure Rights Management for Office 365 Message Encryption


Log in to the Microsoft Online Portal with a Global Admin account

Open the App Launcher (waffle)

Select Admin


Select SERVICE SETTINGS from the left pane

Click Rights Management


From within RIGHTS MANAGEMENT click Manage



You’ll be redirected to the management page

Click Activate

Click Activate again on the popup asking if you are sure you want to activate Rights Management



Set up Azure Rights Management for Office 365 Message Encryption


Connect to Exchange Online with PowerShell

Open PowerShell as Administrator

Enter the following commands to connect and import the session

  • Set-ExecutionPolicy RemoteSigned


  • $cred = Get-Credential


  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic -AllowRedirection


  • Import-PSSession $Session



Verify your IRM isn’t configured already

  • Get-IRMConfiguration


Configure RMS with the online key-sharing location for Exchange Online with PowerShell (locations below). For my example I am using North America, but the table below shows all the locations.



RMS key sharing location

North America
European Union
South America
Office 365 for Government


Import the Trusted Publishing Domain (TPD) from RMS Online

  • Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"


Verify successful setup of IRM in Exchange Online

  • Test-IRMConfiguration -sender


Disable IRM templates in OWA and Outlook

  • Set-IRMConfiguration -ClientAccessServerEnabled $false


Enable IRM for Office 365 Message Encryption

  • Set-IRMConfiguration -InternalLicensingEnabled $true

*Note – You shouldn’t see that warning, but if you do it’s safe to ignore. I got it because I ran the command and forgot to grab the screen shot before clearing the screen, thus I had to run the command again.


View the IRM Configuration

  • Get-IRMConfiguration


Create Transport Rules to Encrypt Messages

Open the Office 365 Admin Portal (

Open Exchange Admin Center


Click Mail Flow



Click the + and create your transport rule. I have created two simple rules.

This rule will encrypt anything that is sent external with an attachment larger than 1MB

This rule will encrypt the email if the word ‘Encrypt’ is in the subject line of the email. This will give the users (once trained) the flexibility to encrypt emails they deem sensitive.


Make sure the rules are active and test
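
The two rules above can also be created and checked from the same Exchange Online PowerShell session. This is an added example, not part of the original post: the rule names are hypothetical, and it assumes the "Apply Office 365 Message Encryption" action in the rule editor corresponds to the -ApplyOME parameter of New-TransportRule.

```powershell
# Added example (not from the original post). Assumes the Exchange Online
# session imported earlier is still open. Rule names are hypothetical.

# 1. Stop if IRM licensing has not been enabled yet; the encrypt action
#    depends on the Set-IRMConfiguration steps earlier in this post.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is False; complete the IRM setup first.'
}

# 2. The two rules from the post, expressed as New-TransportRule parameters.
$rules = @(
    @{
        # External recipients + any attachment over 1MB
        Name               = 'OME - external mail with attachment over 1MB'
        SentToScope        = 'NotInOrganization'
        AttachmentSizeOver = 1MB
        ApplyOME           = $true
    },
    @{
        # User-triggered: the word 'Encrypt' in the subject line
        Name                 = 'OME - Encrypt in subject'
        SubjectContainsWords = 'Encrypt'
        ApplyOME             = $true
    }
)

# 3. Create each rule only if a rule with that name does not already exist,
#    so the script can be re-run safely.
foreach ($r in $rules) {
    if (Get-TransportRule -Identity $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Exists, skipping: $($r.Name)"
    } else {
        New-TransportRule @r | Out-Null
        Write-Host "Created: $($r.Name)"
    }
}

# 4. Audit: list every rule that applies OME with its state, so a disabled
#    or audit-only encryption rule is visible before you start testing.
Get-TransportRule | Where-Object { $_.ApplyOME } |
    Select-Object Name, State, Mode, Priority |
    Format-Table -AutoSize
```

Any rule listed with a State other than Enabled, or a Mode other than Enforce, will not encrypt mail during the tests below.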



Testing that the transport rules apply Office 365 Message Encryption

Testing Transport Rule 1


Testing Transport Rule 2



When the user gets the email, this is how it’s presented to them

One thing to note is that after you go through the setup process, it may take some time to replicate across the Microsoft back end servers. So if you test and it doesn’t work, give it some more time. I have seen this process take up to 2 hours to replicate.


Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP


11 thoughts on “Setup and Enable Office 365 Message Encryption”

  1. Jon Taylor

    Can you use any mail client and as long as your message meets the criteria, the message will be encrypted? I saw you were using webmail and wasn’t sure if this would still work with say, Mac Mail, Outlook 2016, etc.

  2. Jon Taylor

    Perfect, thank you for your response! One other quick question though: While I can use any client to send the initial message, any replies back and forth seem to go through the web based encryption portal. Do you know if it has to be that way or is it possible to have the recipient’s response to my encrypted message come in to my inbox like any other email?

  3. Andrew Bradburn

    Do you happen to know if the Azure component and Encrypted Email is included in the Office 365 subscription or is there an additional charge for this service? I will find out, but figured I’d ask as well before searching around. Great how to, I can’t wait to try it out on my personal Office 365.

    1. Kelsey Epps (Post author)

      If you get an encrypted email, you can use the service to decrypt without charge. If you want to encrypt email using the service you need to have the proper Exchange Online License. Currently that is Exchange Online Plan 2.

