Setup and enable Office 365 Message Encryption (OME)

To start using Office 365 Message Encryption you need to follow three easy steps:

  1. Activate Azure Rights Management
  2. Setup Azure Rights Management for Exchange online
  3. Setup transport rules to enforce message encryption in Exchange online


Step 1. Activate Azure Rights Management

Open the Office 365 admin center and expand the “SERVICE SETTINGS” menu on the left side, then choose “Rights Management”

Now choose Enable to activate Rights Management.

You can also use PowerShell to activate Rights Management

Download and install the Azure Rights Management Administration Tool
This will install the Windows PowerShell module for Azure Rights Management.

Open a PowerShell session and run:

To activate Azure Rights Management service run:

Step 2. Setup Azure Rights Management for Exchange online

Connect to Exchange online with PowerShell (open PowerShell as Administrator)

Enter the following commands to connect and import the session

Check whether IRM is already configured using:

1. Configure RMS with the online key-sharing location; choose the location that best suits your environment. In my example I will be using Europe. A table of all locations is listed below.

Location RMS key sharing location
North America
European Union
South America
Office 365 for Government

To configure the RMS online key sharing location for a customer in Europe you would use this command:

2. Run the following command to import the Trusted Publishing Domain (TPD) from RMS online:

3. Verify that you successfully configured IRM in Exchange Online by running this command:

4. Run the following commands to disable IRM templates from being available in OWA and Outlook and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption:

To disable IRM templates in OWA and Outlook:

To enable IRM for Office 365 Message Encryption:

View the IRM Configuration
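Steps 1 to 4 above as a single script. This is an added example, not the commands from the original post. It assumes the Exchange Online session from the start of Step 2 is already imported into the same PowerShell window, and it uses the European Union key sharing endpoint as an assumed value that you replace with the one for your region.

```powershell
# Added example: Step 2 (items 1-4) in one run, with a state check before each change.
# Assumes an Exchange Online session is already connected and imported in this window.
$ErrorActionPreference = 'Stop'

# Assumption: European Union endpoint; replace with the key sharing location for your region.
$KeySharingLocation = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'

# Look at the current state first so an existing configuration is not overwritten blindly.
$irm = Get-IRMConfiguration
if ($irm.RMSOnlineKeySharingLocation) {
    Write-Host "Key sharing location already set: $($irm.RMSOnlineKeySharingLocation)"
} else {
    # 1. Point Exchange Online at the RMS online key sharing location.
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocation
}

# 2. Import the Trusted Publishing Domain (TPD) from RMS online, unless one is already present.
if (-not (Get-RMSTrustedPublishingDomain)) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
}

# 3. Verify the IRM configuration; read the output and confirm every check passed
#    before enabling anything.
Test-IRMConfiguration -RMSOnline | Format-List

# 4a. Keep the IRM templates out of OWA and Outlook.
Set-IRMConfiguration -ClientAccessServerEnabled $false

# 4b. Enable IRM so transport rules can apply Office 365 Message Encryption.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Final state, limited to the settings this script touched.
Get-IRMConfiguration |
    Format-List InternalLicensingEnabled, ClientAccessServerEnabled, RMSOnlineKeySharingLocation
```

Because `$ErrorActionPreference` is set to `Stop`, a failed import or a rejected setting halts the script before IRM is enabled on a half-configured tenant.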

Step 3. Setup transport rules to enforce message encryption in Exchange online

Open the Office 365 Admin center

Open the Exchange Admin Center, and navigate to mail flow – rules

Click on the “+” symbol to create a new rule.

I will show two separate rules to give you an idea how you could use this in your organization.

The first rule will encrypt the message based on a trigger word in the subject or body of the message. In your organization you can agree on one or more specific and unique words that will trigger this rule. Using this method you could, for example, give the users a secondary email signature with the trigger word at the bottom and name the signature “Encrypt message”. Then whenever this signature is selected the email message will be encrypted. In the example below I’ve used the trigger word [secure-email]. Please note that the brackets are part of the trigger word, to reduce the chance that a message is unintentionally encrypted with this rule.

Another example is to have all outbound messages that have an Office document attached automatically encrypted.
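The same two rules can be created from the connected Exchange Online PowerShell session instead of the Exchange Admin Center. This is an added example, not from the original post; the rule names and the list of Office file extensions are assumptions chosen for illustration.

```powershell
# Added example: the two rules described above, created with New-TransportRule.
# Assumes the Exchange Online session from Step 2 is still connected in this window.
$ErrorActionPreference = 'Stop'

# Rule 1: encrypt when the agreed trigger word appears in the subject or body.
# A "ContainsWords" condition matches the text literally. A "MatchesPatterns"
# condition would read [secure-email] as a regular-expression character class
# and match far more than intended.
New-TransportRule -Name 'OME - trigger word' `
    -SubjectOrBodyContainsWords '[secure-email]' `
    -ApplyOME $true

# Rule 2: encrypt outbound messages that carry an Office document.
# Constructed extension list; adjust it to the document types your organization uses.
$officeExtensions = 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx'
New-TransportRule -Name 'OME - Office attachments outbound' `
    -SentToScope NotInOrganization `
    -AttachmentExtensionMatchesWords $officeExtensions `
    -ApplyOME $true

# Confirm both rules exist, are enabled, and sit at the expected priority
# relative to any other mail flow rules.
Get-TransportRule |
    Where-Object { $_.Name -like 'OME - *' } |
    Format-Table Name, State, Mode, Priority
```

Rule 1 has no recipient scope, so it also encrypts internal mail that contains the trigger word; add `-SentToScope NotInOrganization` if only external recipients should receive encrypted messages.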

Test the rules by sending a message making sure the message content will trigger one of the rules.

The recipient will receive a message with instructions on how to open and decrypt the message.

In a next blog I will show you how to customise encrypted messages and the viewing portal.

I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me:

4 thoughts on “Setup and enable Office 365 Message Encryption (OME)”

  1. I am sorry to be commenting several months after the post, but I am trying to set this up today. Why am I using powershell to configure OME? Is it so that the process or encryption key is somehow tied to my computer or my enterprise domain? Why can it not be configured completely from within the O365 admin portal?

    Also, when you are describing the powershell commands, there did not seem to be any reference to account or password? How do your actions get associated to the proper O365 account?

    I apologize for being a total beginner when it comes to powershell. I have a good amount of experience with CMD, but that does not seem to help me here.


    1. Hi Jones, the reason you need to use powershell to configure this is simply because Microsoft has chosen to not put everything in the admin console; for the more advanced features you need to use powershell.

      In Step 2. Setup Azure Rights Management for Exchange online I have described how you connect to your O365 tenant using powershell. When you run $cred = Get-Credential you should be prompted for credentials, and please make sure you use the credentials of a global administrator in your Office 365 tenant. If you are using multifactor authentication in your environment please follow these instructions to connect with your tenant:
      Once your powershell session is connected all cmdlets you run will run against your O365 tenant.

      So please make sure you run all commands from the same powershell window/session.

      Because you are running the commands against your O365 tenant, the encryption key is associated with your Office 365 tenant, not a computer or user account.

      Hopefully this helps a little. If not, please feel free to send me any screenshots or errors you might get and I can have a look at what's going on.
