So this is really going to be easy. You will enjoy paying just $2 a month for your entire company to have hosted email encryption.
Here is a summary of what we are going to do (assuming you already use Office 365):
- Purchase Azure Information Protection and assign the license to any user.
- Connect to Exchange Online via PowerShell.
- Run a few commands in PowerShell.
- Create a Rule inside of Office 365 to encrypt messages.
Step 1 | Purchase Azure Information Protection
To purchase a new subscription in Office 365, login to https://portal.office.com, go to the App Chooser in the top left hand corner and select Admin.
Next, go to the Billing section and select Purchase services. There you can find and subscribe to the Azure Information Protection Plan 1 for $2.00 per user per month. NOTE: You only need 1 subscription for message encryption.
Step 2 | Connect to Exchange Online via PowerShell
If you have Windows 10, then you already have the necessary software. Simply go to your Start menu > Type PowerShell > Right click on it and Run As Administrator.
In PowerShell run the following commands:
- Set-ExecutionPolicy RemoteSigned
  (Respond with "A" for all or "Y" for yes.)
- $UserCredential = Get-Credential
  (Log in with your Office 365 admin credentials.)
- $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
- Import-PSSession $Session
Now we are connected to Exchange Online. Don’t close PowerShell just yet.
Step 3 | Run Some PowerShell Commands
Now that we are connected to Exchange Online with a PowerShell session, let's enable the Azure Rights Management service so that we can send encrypted emails.
In PowerShell run the following commands:
- Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
  (Please note this key sharing location is for US tenants only.)
- Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
  (This imports the Trusted Publishing Domain from RMS Online.)
- Test-IRMConfiguration -RMSOnline
  (This tests that you have successfully configured IRM in Exchange Online to use the Azure Rights Management service.)
- Set-IRMConfiguration -ClientAccessServerEnabled $false
  (This disables IRM templates in OWA and Outlook.)
- Set-IRMConfiguration -InternalLicensingEnabled $true
  (This enables IRM for Office 365 Message Encryption.)
- Test-IRMConfiguration -Sender firstname.lastname@example.org
  (This verifies that you successfully imported the TPD and enabled IRM. Use one of your own mailboxes as the sender.)
We have successfully enabled Information Rights Management in your Office 365 tenant. Now all that is left to do is create a Transport Rule that tells the server to encrypt the message.
Step 4 | Create a Rule to Encrypt Email
Now that we are done with PowerShell, run Remove-PSSession $Session and close the window. All that is left is to create a Transport Rule in Exchange Online that tells the server: when a message meets a set of criteria, encrypt it before sending.
Now technically, encrypted emails never leave the mail server. They simply send a message to the recipient saying, “You’ve received an encrypted message from…” So, the recipient can either use a Microsoft Account or a one-time passcode to view the message. See image below for an example of what the recipient sees.
So to setup this rule, go back to https://portal.office.com and login and go to the Admin Center. Down in the bottom left you will see Admin Centers > Exchange.
Then in the Exchange Admin Center, select Mail Flow > Rules. Here you will create a new Rule and Apply this rule if…
- The subject or body includes…
  (I would use a word in brackets like [ENCRYPT].)
- and… The recipient is located…
  Outside the Organization (within the org the messages are already encrypted)
- Then, do the following…
  Modify the message security and Encrypt the message with Office 365 Message Encryption.
Make sure to enable Enforce this rule. Lastly, test it out, but wait a few hours first: these changes take an hour or two to apply.
So that's it! Whenever someone within your organization sends an email to someone outside the organization with a subject that includes [ENCRYPT], the message will be encrypted. Take it for a spin and let me know what you think.
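If you would rather not click through the Exchange Admin Center, the same rule can be created from the PowerShell session opened in Step 2. This is an added example, not part of the original post: it first checks the IRM settings from Step 3, then creates the rule (or updates it if it already exists) with the same conditions and action as above. The rule name and the [ENCRYPT] keyword are assumptions you can change.

```powershell
# Added example (not from the original post). Assumes the Exchange Online
# session from Step 2 is still imported and Step 3 has been completed.
$RuleName = 'Encrypt outbound mail tagged [ENCRYPT]'   # assumed name
$Keyword  = '[ENCRYPT]'                                # keyword from Step 4

# 1. Confirm the tenant is actually ready to apply Office 365 Message
#    Encryption; a rule created before this is true silently does nothing.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is $false; re-run Step 3 before creating the rule.'
}
if (-not $irm.RMSOnlineKeySharingLocation) {
    throw 'RMSOnlineKeySharingLocation is not set; re-run Step 3 first.'
}
# Test-IRMConfiguration returns its report in the Results property and ends
# it with "OVERALL RESULT: PASS" when everything checks out.
$test = Test-IRMConfiguration -RMSOnline
if ($test.Results -notmatch 'OVERALL RESULT: PASS') {
    throw "IRM test failed:`n$($test.Results)"
}

# 2. Conditions and action, matching the Exchange Admin Center rule above:
#    subject or body contains the keyword, recipient is outside the
#    organization, encrypt with Office 365 Message Encryption, rule enforced.
$params = @{
    SubjectOrBodyContainsWords = $Keyword
    SentToScope                = 'NotInOrganization'
    ApplyOME                   = $true
    Mode                       = 'Enforce'   # the "Enforce this rule" option
}

# Re-running the script should update the rule, not create a duplicate.
$existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-TransportRule -Identity $RuleName @params
} else {
    New-TransportRule -Name $RuleName @params
}

# 3. Show the stored rule so the settings can be verified before the hour
#    or two it takes for the change to take effect.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, SubjectOrBodyContainsWords, SentToScope, ApplyOME
```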