Once you’ve enabled Azure Rights Management in the Office 365 portal and configured your tenant, your next step is to create transport rules that will encrypt (and optionally decrypt) email messages based on the settings you choose.
Start by going to the Exchange Admin Center, and click on Mail Flow, then Rules. Click the + icon to start creating a new rule, and select Apply rights protection to messages…
Provide a name for the rule, and the initial criteria that will trigger the policy:
Next, you can select the type of RMS policy that will be assigned:
Clicking this *Select one… option allows you to choose one of the RMS templates that you’ve defined.
Or you can choose to use the built-in OME option:
The difference between the two is that Office 365 Message Encryption is the basic policy, while choosing an RMS template lets you specify advanced options.
The decryption option is the reverse of our first policy:
Note that the decryption option ONLY decrypts replies to emails sent out from this organization. If another organization has its own encryption policies in place to encrypt email sent to your organization, this rule will not decrypt those messages automatically. The purpose of setting up this decryption is to make the process more user-friendly and seamless for users in your environment.
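The same two rules can also be created from Exchange Online PowerShell. The script below is an added example, not part of the original walkthrough; the rule names, the trigger keyword and the sender/recipient scopes are assumptions, since the criteria are yours to choose.

```powershell
# Added example. Rule names, keyword and scopes are assumptions, not values from the article.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$encryptRule  = 'Encrypt outbound mail (example)'     # hypothetical rule name
$decryptRule  = 'Decrypt inbound replies (example)'   # hypothetical rule name
$keyword      = 'encrypt'                             # hypothetical trigger word
$templateName = ''   # leave empty for OME, or set to the name of one of your RMS templates

function Set-ExampleRule {
    param([string]$Name, [hashtable]$Settings)
    # Update the rule if it already exists, otherwise create it, so reruns are safe.
    $existing = Get-TransportRule | Where-Object { $_.Name -eq $Name }
    if ($existing) {
        Set-TransportRule -Identity $Name @Settings
    } else {
        New-TransportRule -Name $Name @Settings
    }
}

# Rule 1: protect mail leaving the organization when the keyword appears.
$encrypt = @{
    FromScope                  = 'InOrganization'
    SentToScope                = 'NotInOrganization'
    SubjectOrBodyContainsWords = $keyword
    Mode                       = 'Enforce'
}
if ($templateName) {
    # Fail early if the template name does not match one defined in the tenant.
    if (-not (Get-RMSTemplate | Where-Object { $_.Name -eq $templateName })) {
        throw "RMS template '$templateName' was not found in this tenant."
    }
    $encrypt.ApplyRightsProtectionTemplate = $templateName
} else {
    $encrypt.ApplyOME = $true   # the basic Office 365 Message Encryption option
}
Set-ExampleRule -Name $encryptRule -Settings $encrypt

# Rule 2: the reverse rule, removing OME from replies delivered to internal users.
Set-ExampleRule -Name $decryptRule -Settings @{
    SentToScope = 'InOrganization'
    RemoveOME   = $true
    Mode        = 'Enforce'
}

# Review what was created before relying on it.
Get-TransportRule | Where-Object { $_.Name -in $encryptRule, $decryptRule } |
    Format-List Name, State, Mode, ApplyOME, RemoveOME, ApplyRightsProtectionTemplate
```

Setting Mode to 'Audit' on the first run lets you confirm in message trace which messages match before the rule starts changing mail.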