The new Microsoft Office Message Encryption for Office 365 and Exchange Online is a fantastic upgrade that allows external recipients to open encrypted messages using their Microsoft, Yahoo or Google accounts. You can still use a one-time code as well, which is very convenient.
However, those of you who have enabled (via PowerShell) the new Office Message Encryption may have encountered an issue where recipients are getting a ‘You don’t have rights to view this message’ error. This is simply because the old Transport Rule you were using still uses the old message encryption method and now needs to use the Rights Management Service.
To fix this, simply do the following to update an existing mail flow rule to use the new OME capabilities from the Exchange Admin Center:
In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.
Choose the Admin tile.
In the Office 365 admin center, choose Admin centers > Exchange.
In the EAC, go to mail flow > rules.
In the list of mail flow rules, select the rule you want to modify to use the new OME capabilities and then choose (Edit).
To enable encryption using the new OME capabilities, from Do the following, choose Modify the message security and then choose Apply rights protection. Select an RMS template (YOU MUST CHOOSE DO NOT FORWARD) from the list, choose Save and then choose OK.
So this is really going to be easy. You will enjoy paying just $2 a month for your entire company to have hosted email encryption. NOTE: Commands are italicized.
Here is a summary of what we are going to do (assuming you already use Office 365):
Purchase Azure Information Protection and assign the license to any user.
Connect to Exchange Online via PowerShell.
Run a few commands in PowerShell.
Create a Rule inside of Office 365 to encrypt messages.
Step 1 | Purchase Azure Information Protection
To purchase a new subscription in Office 365, log in to https://portal.office.com, go to the App Chooser in the top-left corner and select Admin.
Next, go to the Billing section and select Purchase services. There you can find and subscribe to the Azure Information Protection Plan 1 for $2.00 per user per month. NOTE: You only need 1 subscription for message encryption.
Step 2 | Connect to Exchange Online via PowerShell
If you have Windows 10, then you already have the necessary software. Simply go to your Start menu, type PowerShell, right-click it and choose Run as administrator.
This enables IRM for Office 365 Message Encryption.
Test-IRMConfiguration -Sender email@example.com
This verifies that you successfully imported the TPD and enabled IRM.
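The connection and IRM-enablement commands this section refers to can be run as one reviewable script. The block below is an added example, not the post's own commands: it assumes the ExchangeOnlineManagement module is installed and uses its Connect-ExchangeOnline cmdlet rather than the older New-PSSession/Import-PSSession flow, enables Azure Rights Management licensing for IRM (the new OME path; the legacy trusted publishing domain import is not reproduced here), and verifies the result with Test-IRMConfiguration. The admin UPN and the sender address are placeholders.

```powershell
# Added example (not the original post's commands): enable IRM for Office 365
# Message Encryption and verify it before any transport rule depends on it.
# Assumptions: ExchangeOnlineManagement module installed
# (Install-Module ExchangeOnlineManagement) and an account holding the
# Exchange administrator or global administrator role.

# Modern-auth connection (placeholder UPN).
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Capture the current state so the change can be reviewed, and reverted, later.
$before = Get-IRMConfiguration
Write-Host "AzureRMSLicensingEnabled before: $($before.AzureRMSLicensingEnabled)"

# Back IRM with Azure Rights Management (what the new OME capabilities need).
Set-IRMConfiguration -AzureRMSLicensingEnabled $true

# End-to-end check against a real mailbox in the tenant (placeholder sender).
# Assumption: the cmdlet's Results text ends with an "OVERALL RESULT: PASS/FAIL" line.
$result = Test-IRMConfiguration -Sender email@example.com
$result | Format-List

# Do not treat the tenant as ready until the test passes.
if ("$($result.Results)" -notmatch 'OVERALL RESULT: PASS') {
    throw "IRM test did not pass; review the results above before creating transport rules."
}

# Tear the session down when finished (the post's legacy session used Remove-PSSession).
Disconnect-ExchangeOnline -Confirm:$false
```

Keeping the Get-IRMConfiguration output from before the change gives you a record of the previous tenant setting, and aborting on anything other than an overall pass stops you from building a rule on top of an IRM configuration that cannot actually protect mail.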
We have successfully enabled Information Rights Management in your Office 365 tenant. Now all that is left to do is create a Transport Rule that tells the server to encrypt the message.
Step 4 | Create a Rule to Encrypt Email
Now that we are done with PowerShell, you can close it (or run Remove-PSSession $Session first and then close it). All that remains is to create a Transport Rule in Exchange Online that tells the server to encrypt a message before sending it whenever it meets a set of criteria.
Now technically, encrypted emails never leave the mail server. They simply send a message to the recipient saying, “You’ve received an encrypted message from…” So, the recipient can either use a Microsoft Account or a one-time passcode to view the message. See image below for an example of what the recipient sees.
To set up this rule, go back to https://portal.office.com, log in and go to the Admin Center. In the bottom left you will see Admin Centers > Exchange.
Then in the Exchange Admin Center, select Mail Flow > Rules. Here you will create a new Rule and Apply this rule if…
The subject or body includes…
I would use a word in brackets like [ENCRYPT].
and… The recipient is located…
Outside the organization (within the organization, messages are already encrypted)
Then, do the following…
Modify the message security and Encrypt the message with Office 365 Message Encryption.
Make sure to enable Enforce this rule. Lastly, test it out, but wait a few hours first: all of these changes take an hour or two to apply.
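The same rule can be created, or an existing one updated, from PowerShell, which is easier to review and repeat than clicking through the Exchange Admin Center. The block below is an added example and not part of the original post: it builds the [ENCRYPT] rule described in this section with the rights-protection action that the update at the top of the page says current tenants must use (the Do Not Forward template), and if the rule already exists it switches it from the legacy "Encrypt the message with Office 365 Message Encryption" action to that template. It assumes an open Connect-ExchangeOnline session, that IRM is already enabled, and a rule name of your choosing.

```powershell
# Added example (not the original post's steps): create or update the [ENCRYPT]
# transport rule with the new OME rights-protection action.
# Assumptions: an existing Connect-ExchangeOnline session, IRM already enabled,
# and the rule name below chosen by you.

$ruleName = "Encrypt external mail tagged [ENCRYPT]"

# List the templates the tenant exposes; the post says to pick "Do Not Forward".
Get-RMSTemplate | Select-Object Name, Description

$existing = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue

if (-not $existing) {
    # Same conditions as the EAC rule in the post:
    # subject or body contains [ENCRYPT] AND the recipient is outside the organization.
    New-TransportRule -Name $ruleName `
        -SubjectOrBodyContainsWords "[ENCRYPT]" `
        -SentToScope NotInOrganization `
        -ApplyRightsProtectionTemplate "Do Not Forward" `
        -Mode Enforce `
        -Comments "Protects outbound mail tagged [ENCRYPT] with OME rights protection"
}
else {
    # Rule left over from the original setup: replace the legacy OME action
    # with the rights-protection template so recipients stop getting the
    # 'You don't have rights to view this message' error.
    Set-TransportRule -Identity $ruleName `
        -ApplyOME $false `
        -ApplyRightsProtectionTemplate "Do Not Forward"
}

# Confirm the conditions, action and mode before sending a test message.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SubjectOrBodyContainsWords, SentToScope, ApplyRightsProtectionTemplate
```

The final Get-TransportRule makes the check the post asks for explicit: you can see that the rule is enabled, in Enforce mode, scoped to recipients outside the organization, and carrying the rights-protection template rather than the old encryption action before you wait out the propagation delay and send a test message.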
So that’s it! Whenever someone within your organization sends an email to someone outside the organization with a subject that includes [ENCRYPT], the message will be encrypted. Take it for a spin and let me know what you think.