Email encryption is an added layer of security to protect being read by non-intended recipients. Even though office 365 is doing secured transmission using TLS (Transport Layer Security) OME is to build more secured mail transactions. Earlier office 365 version which is FOPE/Wave14 encryption needed  separate Microsoft hosted Encryption license and tokens were issued by reputed service provider called “Voltage” but with multiple enhancement current version has got in built encryption technology in Office 365.


To enable encryption in Office365 all we need is the active Azure Rights Management License, Bu default it is available in E3 & E4 Subscriptions, for all other subscription you can purchase as an add on for just 2$/user/month.

How to?

Enabling Encryption is not that difficult: We just have to,

  • Activate Azure Rights Management License. (If already activated, proceed to next step)
  • Configure Azure Rights Management
  • Configure Transport Rule based on requirement

Activate Azure Rights Management License

  1. Login to Office365 Portal
  2. Service Settings on Left Pane- > Rights Management-> Manage
  3. Click on “Activate”

Below is the screen, You will see post activation.



Configure Azure Rights Management:

  1. First Connect to Exchange Online Powershell
  2. Run : Get-IRMConfiguration & make sure IRM is not enabled (If already enabled, You saved lot of time, Just transport rule is pending)

Refer table & choose URL of your region.

Location RMS key sharing location
North America
European Union
South America
Office 365 for Government (Government Community Cloud)


Example : For asia below is IRM configuration

  • Set-IRMConfiguration -RMSOnlineKeySharingLocation “”
  • Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”
  • Run the following commands to disable IRM templates from being available in OWA and Outlook and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption:

To disable IRM templates in OWA and Outlook:

Set-IRMConfiguration – ClientAccessServerEnabled $false

To enable IRM for Office 365 Message Encryption:

Set-IRMConfiguration -InternalLicensingEnabled $true

Post configuration you will see it as below:


To make sure all configured properly, You can run test by running “Test-IRMConfiguration -Sender [email protected]



Configure Transport Rule

Microsoft Technet has the detailed information on how to create transport rules with screenshot to apply encryption on messages. Based on your requirement you can customize the conditions to get the message encrypted.

Example, for me the encryption process should be simple so I need all my “High Importance” email should be encrypted, In this case I can simply click on “High Importance” button in Outlook/OWA and mails will be encrypted.

Below is the simple rule to achieve this requirement


After doing this all, I need to do is to simply click on “High Importance” and send the mail.




You can simply sign in using you Microsoft account, or use one time passcode to view the mail.


We can also create rule for confidential mails, By mentioning the condition for header Sensitivity: company-confidential.

Doing this we can change the sensitivity in outlook and send mails.


There are lot more you can do with transport rules to make it more effective way of processing mails.




Feel free to comment below for any suggestions or questions 🙂

5 thoughts on “Office365 Message Encryption – Explained”
  1. content material governance is exceptionally beneficial, thanks for the articles that your self include furnished:)

  2. I have been browsing online more than three hours today, yet I never found any interesting article like yours. It pretty worth enough for me. In my view, if all site owners and bloggers made good content as you did, the web will be much more useful than ever before.

Comments are closed.