Over the past year, I have witnessed a significant effort from Microsoft to unify the protection capabilities across all of their Office 365 services. To demonstrate this, a new configuration option was recently released, currently in preview mode, for associating an Azure Information Protection (AIP) label to a document based on a metadata value in […]
Encryption improvements are generally a good thing…
“This means it’s protected from everyone, unless they have the customer’s authorization, which presumably won’t be granted particularly easily unless it’s vital. Customers can create their own secret ‘enclave’ using Microsoft’s server software or using Intel chips with Microsoft’s security software built in.”
Credit to Arvind Iyer on this post.
If you have run the IdFix tool, verified that your sync profiles have the msExchHideFromAddressLists attribute selected, and the check box in the Exchange Admin Center is still not checked, pull your hair out, then follow these steps.
- Open the Synchronization Rules Editor on the Azure AD Sync server.
- Filter by direction or go to Inbound Rules, find the "In from AD - User Common" rule and click Edit.
- Make sure it is not the "In from AD - User Common Microsoft Exchange" rule (the Exchange one has a similar name).
- Select Transformations from the left navigation.
- Click Add Transformation and create one with a flow type of Direct, a Target Attribute of msExchHideFromAddressLists, and a Source of msExchHideFromAddressLists.
- Then click Save and make sure to run a new sync to your 365 tenant.
Once the sync has completed, you should see the Hide from address lists box checked in the Exchange Admin Center.
Have you ever encountered this? If so, let me know if this solution worked or if you found another method.
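Before editing sync rules it helps to know how many users are actually affected. The script below is an added example, not part of the original post: it lists users whose on-premises msExchHideFromAddressLists value has not reached Exchange Online. It assumes the ActiveDirectory module is available and that an Exchange Online remoting session is already imported (so Get-Mailbox resolves); the optional $SearchBase parameter is a hypothetical convenience, not something the post mentions.

```powershell
# Added example (not from the original post): report on-prem users marked hidden
# whose Exchange Online mailbox is still visible in the GAL, i.e. the attribute
# is not flowing through Azure AD Connect.
# Assumptions: ActiveDirectory module present; Exchange Online session already imported.
function Get-HiddenAttributeMismatch {
    param(
        [string]$SearchBase   # optional OU to limit the on-prem query; omit for the whole domain
    )
    $adParams = @{
        Filter     = 'msExchHideFromAddressLists -eq $true'
        Properties = 'msExchHideFromAddressLists', 'mail'
    }
    if ($SearchBase) { $adParams.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @adParams) {
        if (-not $user.mail) { continue }   # no mail attribute, nothing to compare against
        $mbx = Get-Mailbox -Identity $user.mail -ErrorAction SilentlyContinue
        if ($null -eq $mbx) { continue }    # not a cloud mailbox (or not synced yet)
        if (-not $mbx.HiddenFromAddressListsEnabled) {
            # On-prem says hidden, the cloud still shows the user: the sync rule is not flowing it.
            [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                OnPremHidden      = $true
                CloudHidden       = $mbx.HiddenFromAddressListsEnabled
            }
        }
    }
}

# Empty output means every user hidden on-prem is also hidden in the cloud address lists.
Get-HiddenAttributeMismatch | Format-Table -AutoSize
```

Run it again after the new transformation and a sync cycle; the list should be empty.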
So this is really going to be easy. You will enjoy paying just $2 a month for your entire company to have hosted email encryption. NOTE: Commands are italicized.
Here is a summary of what we are going to do. (assuming you use Office 365 already)
- Purchase Azure Information Protection and assign the license to any user.
- Connect to Exchange Online via PowerShell.
- Run a few commands in PowerShell.
- Create a Rule inside of Office 365 to encrypt messages.
Step 1 | Purchase Azure Information Protection
To purchase a new subscription in Office 365, login to https://portal.office.com, go to the App Chooser in the top left hand corner and select Admin.
Next, go to the Billing section and select Purchase services. There you can find and subscribe to the Azure Information Protection Plan 1 for $2.00 per user per month. NOTE: You only need 1 subscription for message encryption.
Step 2 | Connect to Exchange Online via PowerShell
If you have Windows 10, then you already have the necessary software. Simply go to your Start menu > Type PowerShell > Right click on it and Run As Administrator.
In PowerShell run the following commands:
- Set-ExecutionPolicy RemoteSigned
- Respond with “A” for all or “Y” for yes.
- $UserCredential = Get-Credential
- Login with your Office 365 admin credentials.
- $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
- Import-PSSession $Session
Now we are connected to Exchange Online. Don’t close PowerShell just yet.
Step 3 | Run Some PowerShell Commands
Now that we are connected to Exchange Online with a PowerShell session, let's enable the Azure Rights Management service so that we can send encrypted emails.
In PowerShell run the following commands:
- Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
- Please note this command is for US only.
- Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
- This imports the Trusted Publishing Domain from RMS Online.
- Test-IRMConfiguration -RMSOnline
- This just tests that you have successfully configured IRM in Exchange Online to use the Azure Rights Management service.
- Set-IRMConfiguration -ClientAccessServerEnabled $false
- This disables IRM templates in OWA and Outlook.
- Set-IRMConfiguration -InternalLicensingEnabled $true
- This enables IRM for Office 365 Message Encryption.
- Test-IRMConfiguration -Sender email@example.com
- This verifies that you successfully imported the TPD and enabled IRM.
We have successfully enabled Information Rights Management in your Office 365 tenant. Now all that is left to do is create a Transport Rule that tells the server to encrypt the message.
Step 4 | Create a Rule to Encrypt Email
Now that we are done with PowerShell, run Remove-PSSession $Session and then close it. Next we need to create a Transport Rule in Exchange Online that tells the server to encrypt a message before sending it whenever the message meets a set of criteria.
Now technically, encrypted emails never leave the mail server. They simply send a message to the recipient saying, “You’ve received an encrypted message from…” So, the recipient can either use a Microsoft Account or a one-time passcode to view the message. See image below for an example of what the recipient sees.
So to setup this rule, go back to https://portal.office.com and login and go to the Admin Center. Down in the bottom left you will see Admin Centers > Exchange.
Then in the Exchange Admin Center, select Mail Flow > Rules. Here you will create a new Rule and Apply this rule if…
- The subject or body includes…
- I would use a word in brackets like [ENCRYPT].
- and… The recipient is located…
- Outside the Organization (within the org the messages are encrypted)
- Then, do the following…
- Modify the message security and Encrypt the message with Office 365 Message Encryption.
Make sure Enforce this rule is selected. Lastly, test it out, but wait a few hours first: these changes take an hour or two to apply.
So that's it! Whenever someone within your organization sends an email to someone outside the organization with a subject that includes [ENCRYPT], the message will be encrypted. Take it for a spin and let me know what you think.
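Steps 2 through 4 above can be done in one script, which is handy if you manage several tenants or want the result checked before the rule goes live. The script below is an added example, not code from the original post: it connects the same way the post does, applies the IRM settings, refuses to create the rule if Test-IRMConfiguration reports a failure, and then creates the transport rule with New-TransportRule instead of the Exchange Admin Center. Assumptions: the US key-sharing URL from the post (other regions use a different host), the placeholder sender email@example.com from the post, and the rule name and keyword parameters, which are mine.

```powershell
# Added example (not from the original post): Steps 2-4 as one script.
# Assumes a tenant admin account, the post's Basic-auth remoting method, the US
# key-sharing URL, and placeholder values for the sender, keyword and rule name.
param(
    [string]$SenderToTest = 'email@example.com',                 # placeholder from the post
    [string]$Keyword      = '[ENCRYPT]',
    [string]$RuleName     = 'Encrypt external mail tagged [ENCRYPT]',
    [string]$KeySharingLocation = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
)

# Step 2: connect to Exchange Online exactly as the post does.
$cred = Get-Credential -Message 'Office 365 admin credentials'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

try {
    # Step 3: point IRM at Azure RMS and import the Trusted Publishing Domain.
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocation
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
    Set-IRMConfiguration -ClientAccessServerEnabled $false   # no IRM templates in OWA/Outlook
    Set-IRMConfiguration -InternalLicensingEnabled $true     # required for message encryption

    # Verify before creating the rule: if IRM is broken, a rule would match but not encrypt.
    $results = @(Test-IRMConfiguration -RMSOnline) + @(Test-IRMConfiguration -Sender $SenderToTest)
    $failed  = $results | Where-Object { $_.Results -match 'FAIL' }
    if ($failed) {
        $failed | Format-List | Out-String | Write-Warning
        throw 'IRM configuration test failed; not creating the transport rule.'
    }

    # Step 4: the same rule the post builds in the EAC.
    # -ApplyOME is the "Encrypt the message with Office 365 Message Encryption" action.
    if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name $RuleName `
            -SubjectOrBodyContainsWords $Keyword `
            -SentToScope NotInOrganization `
            -ApplyOME $true `
            -Mode Enforce | Out-Null
    }
    Get-TransportRule -Identity $RuleName |
        Format-List Name, State, Mode, SubjectOrBodyContainsWords, SentToScope, ApplyOME
}
finally {
    Remove-PSSession $session   # never leave the authenticated admin session open
}
```

The final Format-List output lets you confirm State is Enabled and Mode is Enforce before you wait out the propagation delay.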