Here is the step by step guide on how to configure Email Encryption using O365. The content of this article was performed in a test environment and tested to be working as expected.

Why Email Encryption?
In the Digital era, Emails have become most sophisticated means of communication. Given the current technology, the traditional email system is less secure and it becomes easy to access/read what is being sent by others since most of the email communication happens as clear text. For a better and safer email communication, Email encryption is the only recommended solution.
Having said that, Office 365 message encryption is the most reliable and efficient method of email encryption that is available today. With O365, one’s information remains secure and allows users to send and receive encrypted emails. The recipients can be internal or external to one’s organization and can be on any messaging platform.
 The Recipients is ‘only’ expected to have a valid email address, regardless of the backend email system or domain.
 Recipients can access this message on any device (Browser compatibility).

• Setting up Office 365 Message Encryption?
• Set up Azure Rights Management for Office 365 Message Encryption
• Disable IRM templates in OWA and Outlook
• Create Transport Rules to Encrypt Messages

Setting up Office 365 Message Encryption

1. RBAC version should be updated (contact support to verify the current version).
2. Encryption rule (Transport Rule) to be created in the EMC.

Steps to configure:
1. Check the current RBAC version using the following PowerShell command.

Get-OrganizationConfig | fl *rb*

2. As called out earlier, please reach out to Microsoft Support to get the RBAC version updated (if required).
(Microsoft Support usually takes 2-3 business days to get the RBAC version updated)

Pre Update:

 Post Update:

3. Login into O365 admin portal (
4. SelectSERVICE SETTINGS on the left pane
5. Go to Rights Management

6. Under RIGHTS MANAGEMENT, click Manageon the right as shown.

7. In the Rights Management page, click Activate

8. A warning window would popup. To confirm activation, click Activate

9. Once activated, we would get a confirmation screen which would show the right management to be activated.

Set up Azure Rights Management for Office 365 Message Encryption
Now that we have the rights management activated, it’s time to setup Azure

1 Login to azure active directory (runas administrator)

2 To connect and import the session, run the following command and Choose Y.
Set-ExecutionPolicy RemoteSigned(Help topic:

3 Post keying in the credentials, use the following command to Import the session.

$cred = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic –AllowRedirection
Import-PSSession $Session
4 After importing the session, use the Exchange Management Shell to configure the RMS Online key sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location.


RMS key sharing location

North America
European Union
South America
Office 365 for Government
(Government Community Cloud) 1

5 In the example below, we have used ASIA location. Before we set, check IRM configuration using the below command.
PS C:\Windows\system32> Get-IRMConfiguration

10. Set up Key location using the below command let.
PS C:\Windows\system32> Set-IRMConfiguration -RMSOnlineKeySharingLocation

11 Import the Trusted Publishing Domain (TPD) from RMS OnlineImport-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

12 Verify successful setup of IRM in Exchange Online
Test-IRMConfiguration –sender

Test results
PS C:\Windows\system32> Test-IRMConfiguration -sender

Disable IRM templates in OWA and Outlook

Now, it’s time to disable IRM templates in the clients as part of the set-up. Run the following commands to disable the client access and enable internal licensing.

1 Set-IRMConfiguration -ClientAccessServerEnabled $false

2 Enable IRM for Office 365 Message Encryption
Set-IRMConfiguration -InternalLicensingEnabled $true

3 Confirm the IRM ConfigurationGet-IRMConfiguration

Create Transport Rules to Encrypt Messages

The following settings are to be performed in the Office 365 admin portal to enable encryption.
1 Open the Office 365 Admin Portal (
2 Open Exchange Admin Center

3 Under Mail Flow, click the + and create your transport rule. I have created two simple rules for reference.



4 This sample rule would encrypt anything that is sent external with an attachment larger than 1MB.


5 Save the rule before exiting the window.

6 Now, user can start sending encrypted email. The below samples would show how an encrypted email is being sent.

7 When a user wants to send an encrypted email, the sender is expected to type “Encrypt” in the subject line.

8 At the Recipient’s end, the user would receive the email as below.

9 To view the message content, the recipient is expected to open the attachment in the email.

10 To view the message content, the recipient is expected to open the attachment in the email.

11 The recipient would receive the one-time passcode on a separate email.

12 Continue, once after entering the one-time password. The encrypted email would decrypt and the recipient will be able to see the content of the email.

With this O365 email encryption is complete. It’s a one-time activity. The users are expected to type “encrypt” in the subject line of any email to be encrypted. Encryption as a standard practice will help to protect your information and prevent the unauthorized access. Get in touch with us to know more.

Written by Lakshmanan

Lakshmanan is a Technology Specialist in Kryptos. He is a tech savvy person with deep knowledge in Exchange, Windows & handles office 365 migration at Kryptos. He is a MCITP certificate holder who keeps expanding his knowledge by reading and learning a lot. He spends his free time with his family and loves playing cricket.