Office 365 email encryption

Office 365 email encryption

It still surprises me how few know that Office 365 includes a full-fledged email encryption solution, Office Message Encryption (OME). A “new OME”, built on top of Azure Information Protection, has been available for some time now. In this blog, I’ll tell you how to setup and customise the new OME.


First, you need to install the Azure AD Rights Management (AADRM) PowerShell Module.

Module installation requires PowerShell 5 or later which is included in Windows 10 & Server 2016. If you have previous version of Windows, you need to install Windows Management Framework 5.1 here.

Install-Module AADRM

Next, save your admin credentials to a variable for later use.

$cred = Get-Credential

Now you’re ready to start the configuration. First, we connect to AADRM to fetch the licensing url needed for OME.

# Connect to the AADRM 
Connect-AadrmService -Credential $cred

# Activate AADRM

# Get the licensing url from AADRM configuration
$LicensingLocation = (Get-AadrmConfiguration).LicensingIntranetDistributionPointUrl

# Disconnect AADRM

The second step is to configure your Exchange Online to use Azure Information Protection.

# Connect to Exchange Online
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

# Add the licensing location
Set-IRMConfiguration -LicensingLocation @{add=$LicensingLocation}

# Enable OME for both external and internal recipients
Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true

# Enable a Protect button in OWA
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

# Enable OME for OWA and ActiveSync clients
Set-IRMConfiguration -ClientAccessServerEnabled $true

Now the OME is ready to use! You can either use the Protect -button to encrypt individual messages or transport rules.

The following PowerShell command creates a transport rule to apply OME to messages sent to outside your organisation with high priority and enables it.

# Create and enable transport rule
New-TransportRule -Name "Apply OME for external recipients" -ApplyRightsProtectionTemplate "Encrypt" -WithImportance High -SentToScope NotInOrganization -Mode Enforce -Enabled $true


Disable one-time-password

By default, OME allows recipients to decrypt messages using Microsoft and Google identities. This means that the recipient must use login using the same identity (i.e. email address) the message was sent to.

There is also an option to use a one-time-password (OTP), which sents an OTP in a separate email to the same address than the original email. Some people, including me, think that the OTP actually breaks the whole idea of the message encryption. Luckily, this can be easily disabled!

# Disable OTP
Set-OMEConfiguration -Identity "OME Configuration" -OTPEnabled $false


By default, the encrypted email looks like seen at the top of the page.

This can be easily changed to match your organization branding.

First, lets change the logo. Supported file formats are .png, .jpg, .bmp, and .tiff. The optimal size of the file is less than 40kb and size of image 170x70.

# Change OME logo
Set-OMEConfiguration -Identity "OME Configuration" -Image (Get-Content "mylogo.png" Encoding byte)

Now, set the background colour. The following sets the background to orange used in this blog site.

# Set the background to orange
Set-OMEConfiguration -Identity "OME Configuration" -BackgroundColor "#e64946"

You can also change the default texts used in encrypted emails.

# Set message text
Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Encrypted message from Office 365 blog."

After these modifications, our OME messages looks like this: alt text

Should you like to remove the modifications, just set the text and background to empty string “” and $null for the logo.


Now that you have setup and configured your OME remember to disconnect from Exchange Online.

# Disconnect Exchange Online
Remove-PSSession $session

Dr Nestori Syynimaa (@DrAzureAD) avatar
About Dr Nestori Syynimaa (@DrAzureAD)
Dr Syynimaa works as Principal Identity Security Researcher at Microsoft Security Research.
Before his security researcher career, Dr Syynimaa worked as a CIO, consultant, trainer, and university lecturer for over 20 years. He is a regular speaker in scientific and professional conferences related to Microsoft 365 and Entra ID (Azure AD) security.

Before joining Microsoft, Dr Syynimaa was Microsoft MVP in security category and Microsoft Most Valuable Security Researcher (MVR).