I was recently trying to set up email encryption for an Office 365 Client with a new O365 tenancy. They wanted email encryption so along with buying Business Premium licenses for their Users, they also bought Azure Information Protection Plan 1 licenses.

I was expecting it to be as easy to set up email encryption for them as it was when I configured it on my own tenancy, which has been operational for several years and in which the Users all have E3 licenses. All I had to do for my own tenancy was to activate Microsoft Azure Information Protection via Settings -> Services & Add-Ins, then create a mail flow rule in the Exchange Admin Centre. Email encryption then worked without having to do anything else.

This was not the case when trying to set it up for my new Client. So, it seems to me that for new tenancies with Business Premium and AIP Plan 1 licenses, more hoops have to be jumped through to get it working.

Here is the process I had to go through to get email encryption working for my new Client. If you are hitting problems, follow this process and you should be ok:

  1. Log into Office 365 with a Global Admin account.
  2. Open up O365 Admin Centre.
  3. Open up Settings.
  4. Select Services and Add-Ins.
  5. Scroll down to Microsoft Azure Information Protection and select it. (this will only appear as an option if the correct licenses are activated, in the case of my Client, Azure Information Protection Plan 1).
  6. Activate Rights Management.
  7. Open Windows Powershell in elevated mode (Run as administrator).
  8. Enter the following commands to open up a session:
  • Set-ExecutionPolicy RemoteSigned
  • $cred = Get-Credential (login with O365 admin account details)
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
  • Import-PSSession $Session

9. Now, to verify whether IRM is already configured, enter this command: Get-IRMConfiguration

10. For email encryption to work, the settings that are returned should look like this:

If the settings returned for you look the same as in the screenshot then great! Go to item 12 to see how to set up the mail flow rule in Exchange.

However, if any of the values that are set to “True” in the screenshot are set to “False”, then you need to apply the relevant Set-IRMConfiguration command. For example, if SimplifiedClientAccessEnabled is set to “false”, apply this command:

Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

Here is a link to all of the Set-IRMConfiguration parameters, for you to choose from to get all of the settings correct as in the screenshot above:

https://docs.microsoft.com/en-us/powershell/module/exchange/encryption-and-certificates/set-irmconfiguration?view=exchange-ps

Also, please note: the LicensingLocation must be set properly as well. I'm in Europe, which is why, in the screenshot above, it reads ……rms.eu.aadrm.com. If you are in North America, for example, then you need to issue this command:

Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

For Asia: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

For South America: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc

For Office 365 for Government:

Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

11. Now re-run the command Get-IRMConfiguration and check that the returned table of values looks like those in the screenshot above. If so, you're good to set up the mail flow rule in the Exchange Admin Centre to enable email encryption. Don't forget to issue this final command to close down the PowerShell session: Remove-PSSession $Session
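The PowerShell part of this process (steps 8 to 11) as one script, added here as an example and not part of the original post: it reads Get-IRMConfiguration, reports or applies only the values that differ, sets the key-sharing location for the chosen region, and re-checks as in step 11. It assumes the ExchangeOnlineManagement module is installed and uses Connect-ExchangeOnline in place of the Basic-auth New-PSSession shown above (Microsoft has since retired Basic auth for remote PowerShell), and it assumes the four named settings are the ones the screenshot expects to read True.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed; Connect-ExchangeOnline replaces the Basic-auth New-PSSession
# in the post, which Microsoft has since retired. The four settings below are my
# assumption of what the post's screenshot expects to read True.
param(
    [ValidateSet('eu', 'na', 'ap', 'sa', 'govus')]
    [string]$Region = 'eu',
    [switch]$Apply          # without -Apply, only report what would change
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$requiredTrue = @(
    'InternalLicensingEnabled',
    'ExternalLicensingEnabled',
    'AzureRMSLicensingEnabled',
    'SimplifiedClientAccessEnabled'
)
# Key-sharing endpoint per region; the post lists na, ap, sa and govus, and eu is
# the full form of the value truncated in its screenshot.
$keySharing = "https://sp-rms.$Region.aadrm.com/TenantManagement/ServicePartner.svc"

$before  = Get-IRMConfiguration
$changes = [ordered]@{}
if ("$($before.RMSOnlineKeySharingLocation)" -ne $keySharing) {
    $changes['RMSOnlineKeySharingLocation'] = $keySharing
}
foreach ($name in $requiredTrue) {
    if (-not $before.$name) { $changes[$name] = $true }
}

if ($changes.Count -eq 0) {
    Write-Host 'IRM configuration already matches; nothing to change.'
} elseif (-not $Apply) {
    Write-Host 'Would run Set-IRMConfiguration with (re-run with -Apply):'
    $changes.GetEnumerator() | ForEach-Object { "  -$($_.Key) $($_.Value)" }
} else {
    # One call carrying only the parameters that actually need changing
    Set-IRMConfiguration @changes
    # Step 11 of the post: re-read and confirm every required value is now True
    $after = Get-IRMConfiguration
    $stillFalse = $requiredTrue | Where-Object { -not $after.$_ }
    if ($stillFalse) { Write-Warning "Still False: $($stillFalse -join ', ')" }
    else { Write-Host 'All required IRM settings are now True.' }
    $after | Format-List -Property ($requiredTrue + @('RMSOnlineKeySharingLocation', 'LicensingLocation'))
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it first without -Apply to see what would change, then with -Apply -Region na (or your region) to make the changes; the final Format-List is the table you compare against the screenshot in step 11.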

12. To set the mail flow rule, go to the Exchange Admin Centre, select Mail Flow and set the rule as outlined in this screenshot:

13. You should now be good to go. Open up OWA or Outlook for any of the mailboxes of O365 users that have the appropriate licensing and create an email with the word “Encrypt” specified in the Subject box. Send the email. If it sends OK without bouncing back, the world is looking good. The recipient should receive the encrypted email with instructions on how to decrypt it.

Sean Warde
Pennine IT Services

www.pennineitservices.com