Quick Steps to Enable Office 365 Message Encryption

These instructions will step you through enabling Microsoft Office 365 Message Encryption in your tenant account.

• Background Info
• Prerequisites
• Instructions
• Activate Azure Rights Management
• Configure O365 Account
• Next Steps

Background Info

These instructions are focused on the steps necessary to enable Office 365 Message Encryption. If you're looking for background information or more deetails, try some of these links:

• Encryption in Office 365
• Set up Microsoft Azure Rights Management for Office 365 Message Encryption
• Activating Azure Rights Management
• Azure Rights Management Documentation

Prerequisites

Office 365 Message Encryption requires Azure Rights Management. This service is available free for certain O365 and Exchange Online account types (E3 or higher, Plan 2 or higher). If you do not already have one of these account levels, you can either upgrade or purchase the service as an add-on to your existing O365 account.

Instructions

At a high level, setup is a 2 step process:

1. Enable Azure Rights Management
2. Configure your O365 account settings

1. Activate Azure Rights Management

Azure Right Management is activated via the O365 Admin Center. There's currently 2 flavors of this as Microsoft is working on a new UI.
Select the type of Admin UI that matches your setup from the list below for instructions:

• Former/Current O365 Admin Center UI
• New/Next O365 Admin Center UI

2. Configure O365 Account

Connect to your O365 account with a remote powershell console and follow these steps:
(NOTE: you may need to wait up to 24 hours for Azure Rights Management to go into effect.)

1. Set the IRM configuration for your geographic area:
   • North America:
     

     Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

   • European Union:
     

     Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"

   • Asia:
     

     Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc"

   • South America:
     

     Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc"

2. Setup RMS Online:

   Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

3. Test the IRM configuration:

   Test-IRMConfiguration -RMSOnline

   Verify the command completes with OVERALL RESULT: PASS

4. Enable IRM licensing:

   Set-IRMConfiguration -InternalLicensingEnabled $true

5. Wait ~12 hours for changes to take effect.

The following is a screenshot of these commandlets after being executed:

Next Steps

At this point Office 365 Message Encryption should be enabled and ready for use.
You can now install Nucleuz DLP Policies which utilize encryption.
You can also configure Exchange Transport Rules or DLP Rules to apply Office 365 Message Encryption. Here's an example: