Tenant changes required for Office Message Encryption
Setting up Office 365 Message Encryption (OME) requires some changes to your tenant’s IRM (Information Rights Management) configuration, which are made by connecting to Exchange Online through PowerShell.
Once connected to Exchange Online, start by checking your existing IRM Configuration by running the following command:
Note that there is no RMS Online Key Sharing Location defined, so you’ll need to perform that step next:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
Next, import the RMS Online Trusted Publishing Domain:
Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
This configures the settings required to enable IRM in your environment and adds two default IRM templates: Credential - Confidential and Credential - Confidential View Only.
If you check your IRM configuration again after performing these steps, you’ll see the configuration changes that were made:
The final configuration step in this phase is to enable Internal Licensing by running the following command:
Set-IRMConfiguration -InternalLicensingEnabled $true
You can then test your IRM configuration against a user in your environment to confirm that everything is set up properly. Note that no rules for encrypting email have been defined at this point, but they can now be created.
Test-IRMConfiguration -Sender firstname.lastname@example.org
Once you’ve completed these steps, you’re ready to define encryption rules in Exchange Online.
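The steps above can also be run as one repeatable script that checks the current state before each change, so re-running it does not overwrite an existing key sharing location or re-import the publishing domain. This is an added example, not part of the original walkthrough; it assumes an Exchange Online PowerShell session is already connected, and the $TestSender parameter is a placeholder for a mailbox in your tenant.

```powershell
# Added example: idempotent version of the IRM steps described on this page.
# Assumes an existing Exchange Online PowerShell session.
param(
    # North America endpoint as shown on this page; other regions differ.
    [string]$KeySharingUrl = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc',
    # Placeholder: a mailbox in your tenant to validate against.
    [Parameter(Mandatory)][string]$TestSender
)

$ErrorActionPreference = 'Stop'

# 1. Record the starting state so the changes can be reviewed afterwards.
$before = Get-IRMConfiguration
$before | Format-List RMSOnlineKeySharingLocation, InternalLicensingEnabled

# 2. Set the key sharing location only when none is defined.
if (-not $before.RMSOnlineKeySharingLocation) {
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingUrl
} else {
    Write-Host "Key sharing location already set: $($before.RMSOnlineKeySharingLocation)"
}

# 3. Import the trusted publishing domain only if it is not already present.
$tpd = Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq 'RMS Online' }
if (-not $tpd) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
}

# 4. Enable internal licensing if it is still off.
if (-not (Get-IRMConfiguration).InternalLicensingEnabled) {
    Set-IRMConfiguration -InternalLicensingEnabled $true
}

# 5. Show the resulting configuration and validate it against a real sender.
Get-IRMConfiguration |
    Format-List RMSOnlineKeySharingLocation, InternalLicensingEnabled
$result = Test-IRMConfiguration -Sender $TestSender
$result | Format-List

# OverallResult is the summary field of the Test-IRMConfiguration output.
if ($result.OverallResult -ne 'Pass') {
    Write-Warning 'IRM test did not pass; review the Results output before defining encryption rules.'
}
```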