Tenant changes required for Office Message Encryption

Setting up Office 365 Message Encryption (OME) requires some changes to your tenant's IRM (Information Rights Management) configuration, which are made by connecting to Exchange Online through PowerShell.

Once connected to Exchange Online, start by checking your existing IRM Configuration by running the following command:

Get-IRMConfiguration


Note that there is no RMS Online Key Sharing Location defined, so you’ll need to perform that step next:

Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Next, import the RMS Online Trusted Publishing Domain:

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

This will configure the required settings to enable IRM in your environment, and add two default IRM templates: Credential - Confidential and Credential - Confidential View Only.

If you check your IRM configuration again after performing these steps, you'll see the configuration changes that were made.


The final configuration step in this phase is to enable Internal Licensing by running the following command:

Set-IRMConfiguration -InternalLicensingEnabled $true

You can then test your IRM configuration against a user in your environment to confirm that everything is set up properly. Note that at this point no rules have been defined for encrypting email, but they can now be defined.

Test-IRMConfiguration -Sender jdahl@masterandcmdr.com
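
The steps above combined into one re-runnable function, as an added example that is not part of the original post. It only changes settings that are not already in place and returns a before/after record for your change log. Assumptions: the function name is hypothetical, Get-RMSTrustedPublishingDomain is used to detect an earlier import, and the test output is assumed to contain the text "OVERALL RESULT: PASS" on success.

```powershell
# Added example (not from the original post). Run inside an already connected
# Exchange Online PowerShell session. The function name is hypothetical.
function Enable-OmeIrmPrerequisite {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Sender,
        # Key sharing URL exactly as used in the post.
        [string] $KeySharingLocation = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    )
    $before = Get-IRMConfiguration

    # Step 1: set the key sharing location only when it differs from the target.
    if ("$($before.RMSOnlineKeySharingLocation)" -ne $KeySharingLocation -and
        $PSCmdlet.ShouldProcess('IRM configuration', 'Set RMSOnlineKeySharingLocation')) {
        Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocation
    }

    # Step 2: import the trusted publishing domain only if it is not there yet.
    $tpd = Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq 'RMS Online' }
    if (-not $tpd -and $PSCmdlet.ShouldProcess('RMS Online', 'Import trusted publishing domain')) {
        Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
    }

    # Step 3: enable internal licensing only if it is currently off.
    if (-not $before.InternalLicensingEnabled -and
        $PSCmdlet.ShouldProcess('IRM configuration', 'Enable internal licensing')) {
        Set-IRMConfiguration -InternalLicensingEnabled $true
    }

    # Step 4: re-read the configuration and run the built-in test for one sender.
    $after    = Get-IRMConfiguration
    $testText = Test-IRMConfiguration -Sender $Sender | Out-String -Width 4096
    $tpdNow   = Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq 'RMS Online' }

    # Before/after record suitable for a change ticket.
    [pscustomobject]@{
        KeySharingBefore        = "$($before.RMSOnlineKeySharingLocation)"
        KeySharingAfter         = "$($after.RMSOnlineKeySharingLocation)"
        InternalLicensingBefore = [bool]$before.InternalLicensingEnabled
        InternalLicensingAfter  = [bool]$after.InternalLicensingEnabled
        TrustedDomainPresent    = [bool]$tpdNow
        # Assumption: a successful test prints "OVERALL RESULT: PASS".
        TestPassed              = $testText -match 'OVERALL RESULT:\s*PASS'
    }
}

# Dry run first: -WhatIf lists the changes that would be made without applying them.
Enable-OmeIrmPrerequisite -Sender 'jdahl@masterandcmdr.com' -WhatIf
```

Run it again without -WhatIf to apply the changes; a second run afterwards should report identical before and after values.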


Once you’ve completed these steps, you’re ready to define encryption rules in Exchange Online.
