Steps to Configure Email Encryption using Office 365


Here is a step-by-step guide to configuring email encryption using O365. The steps in this article were performed in a test environment and verified to work as expected.

Why Email Encryption?

In the digital era, email has become the most sophisticated means of communication. With current technology, the traditional email system is less secure: most email communication happens as clear text, so it is easy for others to access and read what is being sent. For better and safer email communication, email encryption is the only recommended solution.

That said, Office 365 Message Encryption is the most reliable and efficient method of email encryption available today. With O365, one’s information remains secure, and users can send and receive encrypted emails. The recipients can be internal or external to one’s organization and can be on any messaging platform.


  • The recipient only needs a valid email address, regardless of the backend email system or domain.
  • Recipients can access the message on any device (browser compatibility).


  • Setting up Office 365 Message Encryption
  • Set up Azure Rights Management for Office 365 Message Encryption
  • Disable IRM templates in OWA and Outlook
  • Create Transport Rules to Encrypt Messages

Setting up Office 365 Message Encryption

  1. The RBAC version must be up to date (contact support to verify the current version).
  2. An encryption rule (transport rule) must be created in the EMC.

Steps to configure:

  1. Check the current RBAC version using the following PowerShell command.
          Get-OrganizationConfig | fl *rb*
  2. As called out earlier, reach out to Microsoft Support to get the RBAC version updated (if required).

(Microsoft Support usually takes 2-3 business days to update the RBAC version.)


  1. Log in to the O365 admin portal.
  2. Select SERVICE SETTINGS on the left pane.
  3. Go to Rights Management.
  4. Under RIGHTS MANAGEMENT, click Manage on the right.
  5. In the Rights Management page, click Activate.
  6. A warning window pops up. To confirm activation, click Activate.
  7. Once activated, a confirmation screen shows that Rights Management is activated.

Set up Azure Rights Management for Office 365 Message Encryption

Now that Rights Management is activated, it’s time to set up Azure.

  1. Log in to Azure Active Directory (run as administrator).

  2. To connect and import the session, run the following command and choose Y.

          Set-ExecutionPolicy RemoteSigned

  3. After keying in the credentials, use the following commands to import the session.

          # Prompt for the Office 365 administrator credentials
          $cred = Get-Credential
          # Replace <connection URI> with the Exchange Online remote PowerShell endpoint
          $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <connection URI> -Credential $cred -Authentication Basic -AllowRedirection
          # Load the Exchange Online cmdlets into the local session
          Import-PSSession $Session

  4. After importing the session, use the Exchange Management Shell to configure the RMS Online key sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location.

     RMS Key Sharing Location

       • North America
       • European Union
       • South America
       • Office 365 for Government (Government Community Cloud) 1

  5. The example below uses the ASIA location. Before setting it, check the IRM configuration using the command below.

          PS C:\Windows\system32> Get-IRMConfiguration

  6. Set up the key location using the cmdlet below.

          PS C:\Windows\system32> Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-

  7. Import the Trusted Publishing Domain (TPD) from RMS Online.

          Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

  8. Verify successful setup of IRM in Exchange Online.

          PS C:\Windows\system32> Test-IRMConfiguration -Sender <sender email address>


Disable IRM templates in OWA and Outlook

Now, it’s time to disable IRM templates in the clients as part of the setup. Run the following commands to disable client access and enable internal licensing.

  1. Disable IRM templates in OWA and Outlook.

          Set-IRMConfiguration -ClientAccessServerEnabled $false

  2. Enable IRM for Office 365 Message Encryption.

          Set-IRMConfiguration -InternalLicensingEnabled $true

  3. Confirm the IRM configuration.

          Get-IRMConfiguration

Create Transport Rules to Encrypt Messages

The following settings are to be performed in the Office 365 admin portal to enable encryption.

  1. Open the Office 365 Admin Portal.
  2. Open the Exchange Admin Center.
  3. Under Mail Flow, click the + and create your transport rule. I have created two simple rules for reference.
  4. This sample rule encrypts anything that is sent externally with an attachment larger than 1MB.
  5. Save the rule before exiting the window.
  6. Now, users can start sending encrypted email. The samples below show how an encrypted email is sent.
  7. When a user wants to send an encrypted email, the sender is expected to type “Encrypt” in the subject line.
  8. At the recipient’s end, the user receives the email.
  9. To view the message content, the recipient is expected to open the attachment in the email.
  10. The steps below describe how the email is decrypted at the recipient’s end.
  11. The recipient receives the one-time passcode in a separate email.
  12. Continue after entering the one-time passcode. The encrypted email is decrypted and the recipient can see its content.
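
The two transport rules from this section can also be created from the Exchange Online PowerShell session imported earlier, after checking that IRM is in the state the previous sections set up. This is an added example, not part of the original article: the rule names are hypothetical, and the subject-keyword condition of the first rule is assumed from the instruction to type “Encrypt” in the subject line.

```powershell
# Added example (not from the original article). Assumes the Exchange Online
# session imported earlier is still loaded. Rule names are hypothetical.
$ErrorActionPreference = 'Stop'

# 1. Only create rules when IRM is in the state this guide configures.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is False: run Set-IRMConfiguration -InternalLicensingEnabled $true first.'
}
if ($irm.ClientAccessServerEnabled) {
    Write-Warning 'ClientAccessServerEnabled is still True (IRM templates not disabled in the clients).'
}

# 2. The two rules described in the article, as New-TransportRule parameter sets.
$rules = @(
    @{
        Name                 = 'OME - subject keyword'            # hypothetical name
        SubjectContainsWords = 'Encrypt'                          # assumed condition
        ApplyOME             = $true
    },
    @{
        Name               = 'OME - external large attachment'   # hypothetical name
        SentToScope        = 'NotInOrganization'
        AttachmentSizeOver = '1MB'
        ApplyOME           = $true
    }
)

# 3. Create each rule only if no rule with that name exists yet.
$existingNames = @(Get-TransportRule | Select-Object -ExpandProperty Name)
foreach ($rule in $rules) {
    if ($existingNames -contains $rule.Name) {
        Write-Host "Rule '$($rule.Name)' already exists; skipping."
    } else {
        New-TransportRule @rule | Out-Null
        Write-Host "Created rule '$($rule.Name)'."
    }
}

# 4. List every rule that applies Office 365 Message Encryption for review.
Get-TransportRule | Where-Object { $_.ApplyOME } |
    Format-Table Name, State, Priority, SubjectContainsWords, SentToScope, AttachmentSizeOver -AutoSize
```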

With this, the O365 email encryption setup is complete. It’s a one-time activity. Users are expected to type “encrypt” in the subject line for any email to be encrypted. Encryption as a standard practice helps protect your information and prevent unauthorized access. Get in touch with us to know more.


Written by Lakshmanan


Lakshmanan is a Technology Specialist at Kryptos. He is a tech-savvy person with deep knowledge of Exchange and Windows, and handles Office 365 migration at Kryptos tech. He is an MCITP certificate holder who keeps expanding his knowledge by reading and learning a lot. He spends his free time with his family and loves playing cricket.