Skip Navigation LinksHow-to-configure-Office-365-message-Encryption-(OME)

How to configure Office 365 Message Encryption (OME)



New capabilities are available in Office 365 for sending encrypted e-mails to external recipients. Microsoft announced this late 2013 as an upcoming feature in this blog post: Azure AD Rights Management is not available with Office 365 Government G3 or Office 365 Government G4).

In this post, I will demonstrate the user experience of Office 365 Message Encryption, both for the end user and the administrator.


We will create a transport rule that will enable Office 365 Message Encryption on messages with a Sensitivity level set to Confidential.


If you attempt to use Office 365 Message Encryption before first enabling IRM licensing, the operation will fail and give you this message:

You can't create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled.

To remediate this, we need to enable IRM licensing using the Admin portal and PowerShell. Follow these steps:

1.       First, enable RMS in your tenant by logging on to your Office 365 Admin Portal, navigate to Service settings (left pane). select "Rights management" (top bar), click "Manage" and finally hit the button "Activate". A message should appear stating that RMS is activated for the tenant.

2.       The remaining steps will be done in PowerShell. Open Windows Azure Active Directory Module for Windows PowerShell, found here:

3.       Connect your PowerShell session to your Office 365 tenant and Exchange Online by entering the following:

$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri  -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

4.       When connected to Exchange Online, you can enable IRM licensing with just a few steps. The first step is to set the RMS Online key sharing location. You will use different configurations depending on where your tenant is located (North AmericaEuropean Union or the Asia Pacific area).Enter the command that matches your tenant location (choose one):

5.      North America:

Set-IRMConfiguration -RMSOnlineKeySharingLocation

6.      European Union:

Set-IRMConfiguration -RMSOnlineKeySharingLocation

7.      The Asia Pacific Area:

Set-IRMConfiguration -RMSOnlineKeySharingLocation

LocationRMS key sharing location
North America
European Union
South America
Office 365 for Government (Government Community Cloud) 1>


8.       After setting the key sharing location, the next step is to import the Trusted Publishing Domain (TPD). Do so by entering the following:

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

9.       The final step is to activate the internal IRM licensing. Do so by entering the following:

Set-IRMConfiguration -InternalLicensingEnabled $True

10.   After enabling IRM licensing, verify the functionality by entering:

Test-IRMConfiguration -RMSOnline

The test should pass with the result OVERALL RESULT: "PASS".

NOTE: Enabling IRM licensing might need several hours for the change to take effect. If possible, allow 8 hours to pass before proceeding with STEP 2.





We will create a transport rule that enables Office 365 Message Encryption if the message is sent to a recipient outside the organization and the Sensitivity header have been set to Confidential.

Follow these steps:

1.       Log in to your Office 365 Admin Portal and navigate to Exchange Control Panel (Admin\Exchange).
2.       Navigate to "Mail Flow", click the + icon and select Create a new rule…


3.       Give the rule a suiting name and click More options…

Message Encryption Rule


 1.       From here you can set your condition as it fits your needs, but for this example will inspect the Sensitivity header and apply Message Encryption based on that. To do so, select the following conditions:
Apply this rule if… "A message header includes any of these words"


 2.       Complete the Apply this rule if-condition by clicking the properties Enter text and Enter word so that the condition makes 'Sensitivity' header includes 'Confidential'


 3.       Click Add condition and select The recipient… Is external/internal. Click Select one… and select Outside the organization and hit OK



 1.       Proceed with clicking Do the following… and select Modify the message security… and select Apply Office 365 Message Encryption


 The rule will be created:



2.       Hit Save at the bottom of the New rule editor. (If you get the message that IRM licensing is not enabled and have completed STEP 1 – please allow more time for the change to take effect, as stated in the Note after STEP 1).


We will create a message with the sensitivity level set to Confidential and send this to a recipient outside our organization. Our transport rule will apply Office 365 Message Encryption to the message.

Follow these steps:

3.       Open Outlook or Outlook Web App. Both clients have the native functionality to set the sensitivity header. In the example, use OWA, but the procedure is the same in Outlook.
4.       Compose a new message. Enter an external recipients, give the message a subject and some content, then click … and Show message options…

Subject and Body as a test in a message:

Test OME (Office 365 Message Encryption)

Testing the Test OME (Office 365 Message Encryption) to verify how it works with external organization using attachments, picture, JPG, PDF, TXT,RDP, MSI, XLSX  and .EXE compressed.



5.       Set the message Sensitivity level to Confidential and hit OK


NOTE: In the rich Outlook client, Sensitivity options are found under Message Options\More options\Sensitivity.
6.       Send the message.


7.       Open the inbox of the external mailbox and find the encrypted message

Received from External (


 *How do you know this step worked?

To verify that you have successfully configured IRM in Exchange Online to use Azure Rights Management service, run the Test-IRMConfiguration cmdlet. Among other things, the command checks connectivity with the RMS Online service, downloads the TPD, and checks its validity.

Test-IRMConfiguration -RMSOnline

* Step 4: Use the Exchange Management Shell to enable IRM in Exchange Online

After you configure the RMS Online key sharing location in Exchange Online and import the RMS Online TPD, run the following command to enable IRM for your cloud-based email organization.

Set-IRMConfiguration -InternalLicensingEnabled $true

For detailed syntax and parameter information, see Set-IRMConfiguration.

How do you know this task worked?

To verify that you have successfully imported the TPD and enabled IRM, do the following:

•Use the Test-IRMConfiguration cmdlet to test IRM functionality. For details, see "Example 1" in Test-IRMConfiguration.
•Compose a new message in Outlook Web App and IRM-protect it by selecting Set permissions from the extended menu (More Options Icon).

Additional information