At Ignite 2017 Microsoft presented a number of new features that are coming in 2018. One of them is message encryption in Office 365.

In this article I want to tell you more about it:


Until recently, or let's say until roughly 2016, most of us had this kind of infrastructure within the company.

Picture taken from the presentation of Praveen Vijayaraghavan.


Everything was located on-premise, from the identities up to the data.

The security perimeter was defined by company policies.

From approximately 2015/2016 the infrastructure requirements started to change. For example, you no longer buy software on its own; you start using SaaS, online storage, OpenID, etc.

So the big picture of your infrastructure could look something like this today or in the future:

Picture taken from the presentation of Praveen Vijayaraghavan.


Users and devices will be managed from the cloud and/or your users will access data and/or services in the cloud.

The challenge for the company is now to protect all of this content!

One example of this is the mail flow. One user works for Contoso and sends a mail to another user who works at Fabrikam.

This mail content is confidential for the sender and recipient. Let's say it contains information about a contract between these two companies.
The user from Fabrikam has access to his mailbox from a mobile device. The mobile device itself has weak password protection.

In our example the phone of the Fabrikam user is stolen. Because the phone is only weakly protected, it is easy for the third party who has stolen it to access the data on it, including the confidential mail received from the Contoso user.

So how do we prevent the information from being stolen by third parties?

This is the challenge we have to face!


Here you can see an existing solution:

Picture taken from the presentation of Praveen Vijayaraghavan.



Email encryption has been known for some time now. One of the most popular methods is S/MIME.

(If you want to know more about S/MIME, you can simply follow the LINK here.)


As good as S/MIME is, managing it is just as painful. You have to deploy certificates, including for the senders. Every time a new employee starts in your company or an employee gets a new device, you have to deploy certificates again.

This can become such a huge load that your company may need to hire new employees to handle the work.

Alternatively, you can fall back on third-party tools. But then you need additional service agreements, contracts and a stack of licenses for them.

Many of these third-party tools can handle the encryption of the message itself, but what about after it is delivered? What if I don't want the recipient to be able to forward, print or copy the mail content?

Microsoft started a new platform called Information Protection Technologies.


Its main focus is on "Detect", "Monitor", "Classify" and "Protect". Here you can see a simple graphic about it:

Picture taken from the presentation of Praveen Vijayaraghavan.



Data can be created everywhere. On your computer, on your mobile device, or it can be created in the cloud.

What you need is a service which is capable of detecting the data as it is being created. Once content is detected, the next step is to classify it. Your organization owns the classification labels:
you define the business logic for what needs to be classified and how.

Once the content is classified and labeled, the next step is to protect it. This does not mean that all of your content needs to be protected. I think it makes sense to see encryption as an additional attribute you can apply.

Here are some features which belong to Microsoft’s Information Protection Technologies:

  • Microsoft Cloud App security
  • O365 advanced security management
  • Windows information protection
  • Message encryption
  • Conditional access
  • Azure information protection
  • Office 365 DLP
  • 3rd Party Applications
  • Office Apps
  • Office 365 advanced Data governance
  • SharePoint & Groups

Our focus now is on message encryption, because we are still looking for the answer to the example shown earlier in this article!

Let’s talk about Office 365 message encryption:

With Office 365, senders have a consistent workflow to encrypt and protect mails to every recipient!

Picture taken from the presentation of Praveen Vijayaraghavan.



So how does that work?

Here is the final answer:

First the setup:

#Connect to the Azure Rights Management service (requires the AADRM PowerShell module).
$cred = Get-Credential
Get-Command -Module aadrm
Connect-AadrmService -Credential $cred

#Activate the service.
Enable-Aadrm

#Get the configuration information needed for message protection.
$rmsConfig = Get-AadrmConfiguration
$licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl

#Disconnect from the service.
Disconnect-AadrmService

#Create a remote PowerShell session and connect to Exchange Online (reusing the same credentials).
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

#Collect the IRM configuration for Office 365 and add the licensing URI if it is not already present.
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
if (!$list) { $list = @() }
if (!$list.Contains($licenseUri)) { $list += $licenseUri }

#Enable message protection for Office 365.
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true

#Enable the new Protect button in Outlook on the Web.
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

#Set the RMS Online key sharing location. The URL depends on the region of your tenant (placeholder below).
Set-IRMConfiguration -RMSOnlineKeySharingLocation "<RMS Online key sharing URL for your region>"

Depending on the region where your tenant is located, you have to use a different URL for the key sharing location. The regions are:

  • North America
  • European Union
  • Asia
  • South America
  • Office 365 for Government (Government Community Cloud)


Start by importing the RMS Online trusted publishing domain:

Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

If you want to disable IRM templates in OWA and Outlook (not recommended):

Set-IRMConfiguration -ClientAccessServerEnabled $false

To enable IRM for Office 365 Message Encryption (recommended):

Set-IRMConfiguration -InternalLicensingEnabled $true


More information about IRMConfiguration can be found here.

Now we have activated the ability to encrypt/decrypt mails and files.



The next steps are to define rules to encrypt or decrypt email messages…

Here we go…

First of all we need to create a new transport rule in Exchange Online. For example, to require that all email messages addressed to [email protected] are encrypted, type:

New-TransportRule -Name "Encrypt rule for Desmond" -SentTo "[email protected]" -SentToScope "NotinOrganization" -ApplyOME $true

In this example: The name of the new rule is “Encrypt rule for Desmond”.


The -SentTo parameter specifies a condition that looks for recipients in email messages. You can use any value that uniquely identifies the recipient, such as an email address, name, distinguished name (DN), etc. In this example, the recipient is identified by the email address "[email protected]".

The -SentToScope parameter specifies a condition based on the location of the recipients. In this example, the recipient's mailbox is at Hotmail and is not part of the Office 365 organization, so the "NotInOrganization" value is used.

It really is a lot of work to create all of these rules and it is very important that you have a concept for how you want to manage your rules.

Once this is done, users can apply them easily through a drop-down menu. Here is an example of how this could look:

Picture taken from the presentation of Praveen Vijayaraghavan.



To create a rule that removes encryption from encrypted email replies using Windows PowerShell for Exchange Online, simply use this cmdlet:

New-TransportRule -Name "Remove encryption from incoming mail" -SentToScope "InOrganization" -RemoveOME $true

In this example:

The name of the new rule is “Remove encryption from incoming mail”.

The -SentToScope parameter specifies a condition that looks at the location of the recipients. In this example, the "InOrganization" value is used, which indicates that:

The recipient is a mailbox, mail user, group, or mail-enabled public folder in your organization, or

The recipient’s email address is in an accepted domain which is configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection.
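As an added example (not code from the original post), the two rules above combined into one idempotent script that also verifies the IRM configuration afterwards. It assumes an already imported Exchange Online remote session and uses placeholder addresses; replace them with your own values.

```powershell
# Added example, not part of the original post. Assumes Import-PSSession against
# Exchange Online has already been done (see the setup script above).
$encryptRuleName   = "Encrypt rule for Desmond"
$removeRuleName    = "Remove encryption from incoming mail"
$externalRecipient = "desmond@example.com"   # placeholder for the external recipient
$internalSender    = "alice@contoso.com"     # placeholder for an internal test sender

# Encrypt mails that leave the organization for this recipient (only create once).
if (-not (Get-TransportRule -Identity $encryptRuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $encryptRuleName -SentTo $externalRecipient `
        -SentToScope NotInOrganization -ApplyOME $true
}

# Remove OME again from replies that arrive at internal mailboxes (only create once).
if (-not (Get-TransportRule -Identity $removeRuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $removeRuleName -SentToScope InOrganization -RemoveOME $true
}

# Check 1: both rules exist, are enabled, and have the expected priority order.
Get-TransportRule | Where-Object { $_.ApplyOME -or $_.RemoveOME } |
    Format-Table Name, State, Priority, SentTo, SentToScope, ApplyOME, RemoveOME -AutoSize

# Check 2: the IRM settings the setup script should have produced.
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled, `
    SimplifiedClientAccessEnabled, LicensingLocation

# Check 3: Exchange Online can reach Azure RMS and fetch templates for a real sender.
Test-IRMConfiguration -Sender $internalSender
```

If Test-IRMConfiguration reports a failure, the transport rules will be created but mails matching them cannot be protected, so run it before relying on the rules.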


More information about New-TransportRule can be found here.



I hope I was able to bring Office 365 Message Encryption a little closer to you.

If you are interested in learning more, you can watch the following video from Ignite 2017; I highly recommend it.