New Office 365 OME not working?

The new Microsoft Office Message Encryption for Office 365 and Exchange Online is a fantastic upgrade that allows external recipients to open encrypted messages using either their Microsoft, Yahoo or Google accounts. You can still use a one time code as well which is very convenient.

However, those of you who have enabled the new Office Message Encryption (via PowerShell) may have run into recipients getting a 'You don't have rights to view this message' error. The cause is simple: the old transport rule still uses the legacy "Apply Office 365 Message Encryption" action, while the new OME protects messages through the Azure Rights Management Service, so the rule has to be changed to apply an RMS template instead.

To fix this, update the existing mail flow rule to use the new OME capabilities from the Exchange Admin Center:

  1. In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.
  2. Choose the Admin tile.
  3. In the Office 365 admin center, choose Admin centers > Exchange.
  4. In the EAC, go to mail flow > rules.
  5. In the list of mail flow rules, select the rule you want to modify to use the new OME capabilities and then choose Edit icon (Edit).
  6. To enable encryption using the new OME capabilities, from Do the following, choose Modify the message security and then choose Apply rights protection. Select the Do Not Forward template from the list (it MUST be Do Not Forward; see the note below), choose Save and then choose OK.

    The list of templates includes all default templates and options as well as any custom templates you’ve created for use by Office 365. If the list is empty, ensure that you have set up Office 365 Message Encryption with the new capabilities as described in Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection. For information about the default templates, see Configuring and managing templates for Azure Information Protection. For information about the Do Not Forward option, see Do Not Forward option for emails.

    You can choose add action if you want to specify another action.

  7. From the Do the following list, remove any actions that are assigned to Modify the message security > Apply Office 365 Message Encryption.
  8. Choose Save.

It is CRITICAL that you select the Do Not Forward template and not one of the other default templates. The Confidential / Highly Confidential templates grant rights only to users in your own organization, so an external recipient who receives a message protected with one of them gets exactly the 'You don't have rights to view this message' error you are trying to fix. Do Not Forward grants the named recipient the right to read, whoever they are.
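The same fix can be applied from PowerShell, which is handy when more than one rule was created with the legacy action. The script below is an added example and is not part of the original post; it assumes an Exchange Online PowerShell session is already open and that the template carries the display name 'Do Not Forward' in your tenant. It first checks that the new OME is actually switched on and that the template exists, then flips every rule that still uses the legacy action.

```powershell
# Added example (not from the original post): migrate mail flow rules that still
# use the legacy "Apply Office 365 Message Encryption" action to the new OME
# "Do Not Forward" rights-protection template.
# Assumes: an open Exchange Online PowerShell session, and a template whose
# display name is exactly 'Do Not Forward'.

# 1. New OME must be enabled at tenant level, or no RMS template will work
#    from a transport rule.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw "New OME is not enabled. Run: Set-IRMConfiguration -AzureRMSLicensingEnabled `$true"
}

# 2. Confirm the template is present before touching any rule. An empty list
#    here means the Azure RMS / TPD setup has not been completed.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq 'Do Not Forward' }
if (-not $template) {
    throw "No 'Do Not Forward' template found; finish the Azure RMS setup first."
}

# 3. Rules using the legacy action expose it as the boolean ApplyOME property.
$legacyRules = Get-TransportRule | Where-Object { $_.ApplyOME -eq $true }
if (-not $legacyRules) {
    Write-Host "No rules still use legacy OME; nothing to migrate."
    return
}

foreach ($rule in $legacyRules) {
    Write-Host "Migrating '$($rule.Name)' from legacy OME to Do Not Forward"
    # Remove the legacy action and add the RMS template in one call, so the
    # rule never sits in a state with neither action applied.
    Set-TransportRule -Identity $rule.Identity `
        -ApplyOME $false `
        -ApplyRightsProtectionTemplate $template.Name
}

# 4. Verify: ApplyOME should now be False and the template name should show.
Get-TransportRule |
    Where-Object { $legacyRules.Name -contains $_.Name } |
    Format-Table Name, State, ApplyOME, ApplyRightsProtectionTemplate -AutoSize
```

Run it once, then send a test message to an external address; the recipient should be prompted to sign in or request a one-time passcode rather than seeing the rights error.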

More information can be found at the links below:

Please comment below if you are using the new OME in your environment.

Setup Email Encryption in Office 365

This is really going to be easy, and it is cheap: the Azure Information Protection subscription that turns on hosted email encryption costs $2 per user per month, and you only need to buy one to activate the service.

Here is a summary of what we are going to do. (assuming you use Office 365 already)

  1. Purchase Azure Information Protection and assign the license to any user.
  2. Connect to Exchange Online via PowerShell.
  3. Run a few commands in PowerShell.
  4. Create a Rule inside of Office 365 to encrypt messages.

Step 1 | Purchase Azure Information Protection

To purchase a new subscription in Office 365, login to https://portal.office.com, go to the App Chooser in the top left hand corner and select Admin.


Next, go to the Billing section and select Purchase services. There you can find and subscribe to Azure Information Protection Plan 1 for $2.00 per user per month. NOTE: a single subscription is enough to activate message encryption for the tenant; check Microsoft's licensing terms for how many users you are expected to license for sending protected mail.

Step 2 | Connect to Exchange Online via PowerShell

If you have Windows 10, then you already have the necessary software. Simply go to your Start menu > Type PowerShell > Right click on it and Run As Administrator.

In PowerShell run the following commands:

  • Set-ExecutionPolicy RemoteSigned
    • Respond with “A” for all or “Y” for yes.
  • $UserCredential = Get-Credential
    • Login with your Office 365 admin credentials.
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
  • Import-PSSession $Session

Now we are connected to Exchange Online. Don't close PowerShell just yet. (Note for anyone following this on a current tenant: the Basic-authentication remote PowerShell endpoint used above has since been retired by Microsoft. Install the ExchangeOnlineManagement module and run Connect-ExchangeOnline instead; the cmdlets in the following steps work unchanged.)

Step 3 | Run Some PowerShell Commands

Now that we are connected to Exchange Online with a PowerShell session, let's enable the Azure Rights Management service so that we can send encrypted emails.

In PowerShell run the following commands:

  • Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
    • Please note this URL is for North American tenants only. Tenants in other regions use the same path under the sp-rms.eu.aadrm.com, sp-rms.ap.aadrm.com or sp-rms.sa.aadrm.com host.
  • Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”
    • This imports the Trusted Publishing Domain from RMS Online.
  • Test-IRMConfiguration -RMSOnline
    • This just tests that you have successfully configured IRM in Exchange Online to use the Azure Rights Management service.
  • Set-IRMConfiguration -ClientAccessServerEnabled $false
    • This disables IRM templates in OWA and Outlook.
  • Set-IRMConfiguration -InternalLicensingEnabled $true
    • This enables IRM for Office 365 Message Encryption.
  • Test-IRMConfiguration -Sender user@yourdomain.com
    • This verifies that you successfully imported the TPD and enabled IRM.

We have successfully enabled Information Rights Management in your Office 365 tenant. Now all that is left to do is create a Transport Rule that tells the server to encrypt the message.

Step 4 | Create a Rule to Encrypt Email

Now that we are done with PowerShell, run Remove-PSSession $Session and close the window. Next we need to create a Transport Rule in Exchange Online that tells the server to encrypt a message before sending whenever it meets a set of criteria.

Note that the protected content itself is not handed to the recipient's mail system in the clear. The external recipient receives a notification saying "You've received an encrypted message from…" and reads the message through the Office 365 Message Encryption portal after signing in with a Microsoft account or entering a one-time passcode. See the image below for an example of what the recipient sees.


So to setup this rule, go back to https://portal.office.com and login and go to the Admin Center. Down in the bottom left you will see Admin Centers > Exchange.


Then in the Exchange Admin Center, select Mail Flow > Rules. Here you will create a new Rule and Apply this rule if…

  • The subject or body includes…
    • I would use a word in brackets like [ENCRYPT].
  • and… The recipient is located…
    • Outside the organization (mail that stays inside the tenant never leaves Exchange Online, so the rule only needs to fire for external recipients).
  • Then, do the following…
    • Modify the message security and Encrypt the message with Office 365 Message Encryption. If your tenant has the new OME enabled, choose Apply rights protection with the Do Not Forward template here instead, as described in the first post above; the legacy action produces a 'You don't have rights to view this message' error for external recipients once the new OME is on.


Make sure to enable Enforce this rule. Lastly, test it, but give it a few hours first: these changes typically take an hour or two to propagate.

So that's it! Whenever someone within your organization sends an email to someone outside the organization with a subject that includes [ENCRYPT], the message will be encrypted. Take it for a spin and let me know what you think.
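For anyone who would rather script Steps 3 and 4 than click through them (or repeat them on a second tenant), here is the whole thing as one PowerShell script. This is an added example and is not code from the original post. It assumes an Exchange Online session is already open (Step 2), and it creates the rule with the Do Not Forward template (the new OME action from the first post above) rather than the legacy "Encrypt the message with Office 365 Message Encryption" action. The $Region, $TriggerWord, $TestSender values and the rule name are placeholders, and the text of the summary line checked in the Test-IRMConfiguration output is assumed from typical output.

```powershell
# Added example (not from the original post): Steps 3 and 4 as one script.
# Assumes an open Exchange Online PowerShell session. Save as Setup-OME.ps1
# and run, e.g.:  .\Setup-OME.ps1 -Region eu -TestSender someone@contoso.com
param(
    [ValidateSet('na', 'eu', 'ap', 'sa')]
    [string]$Region = 'na',                       # Azure RMS region of the tenant (placeholder)
    [string]$TriggerWord = '[ENCRYPT]',           # keyword that fires the rule (placeholder)
    [string]$TestSender = 'user@yourdomain.com'   # licensed mailbox to test with (placeholder)
)

# --- Step 3: point Exchange Online at the regional Azure RMS endpoint and
#     import the trusted publishing domain (TPD) from RMS Online.
$keyShare = "https://sp-rms.$Region.aadrm.com/TenantManagement/ServicePartner.svc"
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keyShare

# Skip the import if a TPD was already imported on an earlier run.
if (-not (Get-RMSTrustedPublishingDomain -ErrorAction SilentlyContinue)) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
}

Set-IRMConfiguration -ClientAccessServerEnabled $false   # no manual IRM templates in OWA/Outlook
Set-IRMConfiguration -InternalLicensingEnabled $true     # IRM for transport-applied protection

# Fail loudly if the end-to-end check does not pass for a real sender.
$check   = Test-IRMConfiguration -Sender $TestSender
$summary = ($check.Results -join "`n")
if ($summary -notmatch 'OVERALL RESULT:\s*PASS') {       # summary wording assumed
    throw "IRM test failed for ${TestSender}:`n$summary"
}

# --- Step 4: the transport rule. Fires only for recipients outside the
#     organization and only when the keyword is in the subject or body.
$ruleName = 'Encrypt external mail tagged with keyword'   # placeholder name
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -SubjectOrBodyContainsWords $TriggerWord `
        -SentToScope NotInOrganization `
        -ApplyRightsProtectionTemplate 'Do Not Forward' `
        -Mode Enforce `
        -Enabled $true
}

# Show the resulting rule so the settings can be eyeballed against the EAC.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SubjectOrBodyContainsWords, SentToScope, ApplyRightsProtectionTemplate
```

The script is safe to re-run: the TPD import and the rule creation are skipped when they already exist, and the Set-IRMConfiguration calls simply re-apply the same values. If Test-IRMConfiguration reports a failure, fix that before creating the rule; a rule that applies a template the tenant cannot license just produces undeliverable or unreadable mail.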
