Tuesday, November 4, 2014

Office 365 Message encryption

If you weren’t aware, Office 365 supports sending encrypted messages to anyone. Basically, they get an email telling them to log in to a web portal to view the message. Here’s how to make all that work.

First, you’ll need to enable Rights Management for your tenant. To do that, log in to the Office 365 portal as an administrator.

On the left hand side select Service Settings.

This will expand a menu as shown above. From this menu select Rights Management.

On the right now select the Manage hyperlink.

Select the Activate button to enable Rights Management.

Confirm that you wish to enable by selecting the Activate button.

After a few moments the screen should update.

You are now going to need to run some PowerShell commands. If you haven’t done this before, check out this previous blog post to get your environment set up:

Configuring PowerShell Access in Office 365

Once you have connected using PowerShell you’ll need to run the following commands depending on your location:

USA:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Europe:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

Asia-Pacific:
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

In my case I used the Asia Pacific URL as shown above.

You then need to run the command:

Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

which produces the above result.

Then this command:

Set-IRMConfiguration -InternalLicensingEnabled $True

Finally run the command:

Test-IRMConfiguration -RMSOnline

and ensure the result comes back as OVERALL RESULT: PASS

With that done you can now return to the Office 365 management portal as an administrator to set up a message encryption transport rule.

In the top right of the Office 365 portal select Admin and then Exchange from the menu that appears.

From the menu on the left select mail flow.

Select the Plus icon on the right and the option Create a new rule from the menu that appears.

Now there are lots of different options when creating an Office 365 Transport Rule but I am not going to cover these. This post is aimed at showing you the basics of enabling Exchange Online Message Encryption. If you want more information about Office 365 Transport Rules in general see:

http://technet.microsoft.com/en-us/library/jj919238(v=exchg.150).aspx

In this case I am going to set a rule to encrypt messages sent to one person in the organisation (Anne Wallace).

To see the encryption options ensure you select the More options hyperlink at the bottom of this window as shown above.

For the Do the following condition select Modify the message security and then Apply Office 365 Message Encryption as shown above.

Once saved the new rule should appear in the list as shown above.

Now if Anne Wallace is sent an email by another Office 365 user she will see:

Indicating that this is an encrypted message.

To view the message Anne must save the attached HTML file to her local machine and open it.

When she does so and opens it she will see the above message.

If she then selects the Sign in and view encrypted message hyperlink she will see the encrypted message.

Exchange Online Encrypted messages work with people inside and outside Office 365. If you want more information check out the following:

http://technet.microsoft.com/en-us/library/dn569286.aspx

Once you have done the initial Rights Management setup you then have a lot of flexibility using Exchange Online Transport Rules to determine how messages are handled. You could set up a rule so that any message with the word ENCRYPT in its subject is always encrypted.
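
The ENCRYPT subject rule described above can also be created from the same PowerShell session instead of the portal. This is an added example, not part of the original post; the rule name is a hypothetical value, and it assumes you are already connected to Exchange Online and have completed the Rights Management steps.

```powershell
# Added example (not from the original post).
# Assumes an existing Exchange Online remote PowerShell session.

$ruleName = 'Encrypt when subject contains ENCRYPT'   # hypothetical rule name

# Stop early if IRM licensing was never switched on: an encryption rule
# is of no use until Set-IRMConfiguration -InternalLicensingEnabled $True
# has been run for the tenant.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is False. Complete the Rights Management setup first.'
}

# Create the rule only if one with this name does not already exist,
# so the script can be re-run safely.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-TransportRule -Name $ruleName `
        -SubjectContainsWords 'ENCRYPT' `
        -ApplyOME $true
}

# Review what is actually in place: the rule should be enabled and
# should list Office 365 Message Encryption as its action.
Get-TransportRule |
    Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, SubjectContainsWords, ApplyOME
```

After creating the rule, send a test message with ENCRYPT in the subject and confirm the recipient receives the encrypted HTML attachment rather than the plain message.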

Very flexible and, most importantly, very secure.