Office 365 Encryption Setup For Email – 2 Easy Options
Sending encrypted email—when you’re dealing with sensitive information, “I don’t know how to secure my email!” is not an acceptable response.
Office 365 encryption setup is the solution, but it can be tricky to set up if you don’t have a background in IT. You want to send compliant email without reading hours of technical tutorials.
This post will demonstrate practical Office 365 setup options for users to implement email encryption with Office 365 Message Encryption (OME) and Cirius. The OME method has no extra cost for many Office 365 subscriptions, but requires some technical knowledge and administrative access. The Cirius method has an additional cost, but is easy to implement, easy to use, and includes other security and convenience features. Either way, you’ll only need about 30 minutes to set it up.
But first, let’s clear up a few things.
Do I Have To Use Encrypted Email?
You tell us.
If your business involves personal health information, social security numbers, financial info, etc., the answer is most likely yes.
Compliancy issues involving electronic communication trickle down into dozens of industries and professions, not just health data.
Here are a few examples:
- Lawyers emailing confidential information to clients or legal professionals
- Therapists sending a patient’s diagnosis to insurance providers
- Mortgage brokers seeking financial info from loan applicants
- Business consultants transmitting contracts to their clients
- Insurance companies providing policy info to clients
- Banks sending financial statements via email
We are making the assumption that you’re aware of your own needs for encrypted email, hence why you’re reading this post, so we’ll jump right into step-by-step instructions for implementing encryption with OME and Cirius.
Sending Encrypted Email With Office 365 Message Encryption (OME)
OME is possibly the simplest way to send encrypted email over the Internet. The Exchange Admin can use transport rules to secure messages that meet certain conditions, and end users can easily be trained how to meet those conditions. Additionally, recipients of OME messages can use any email platform—they do not need to have Office 365. More on this FAQ page.
Instead of sending plain text over the Internet the way ordinary email does, OME sends an HTML attachment that the recipient opens. This leads to a web portal where the recipient logs on (with an Organizational Account, a Microsoft Account, or a One Time Passcode) and reads the secure message there. If the recipient chooses to reply, the reply is also encrypted.
Microsoft made a huge improvement to OME in 2014 with One Time Passcodes (OTP). Before OTP, if you wanted to read an encrypted email, you had to log in with your Organizational Account (Azure AD) or a Microsoft Account (formerly LiveID). If you didn’t have one of those, it could cause confusion or extra work.
OTP is just like what it sounds—the encrypted email comes with the option to use a one-time passcode (usually sent via separate email) for the recipient to access the encrypted message. This is especially useful for sending encrypted mail to people outside your organization.
The good thing about OME is its flexibility—by configuring it properly to the users’ needs, you can save them a ton of time and headache, thus reducing the friction for using email encryption and increasing adoption.
How To Configure OME
In this example, we’ll show how to configure OME and allow end users to send encrypted mail by using the keyword “secure” in the subject line.
How To Activate Azure Rights Management
After you have signed up for an Office 365 plan that includes Rights Management, sign in to Office 365 https://portal.office.com with your work or school account that is a global administrator for your Office 365 deployment.
1. If the Office 365 admin center does not automatically display, select the app launcher icon in the upper-left and choose Admin. The Admin tile appears only to Office 365 administrators.
2. From the left pane: Settings > Services & add-ins
3. Click Microsoft Azure Rights Management.
4. On the Microsoft Azure Rights Management page, click Manage Microsoft Azure Rights Management settings.
5. On the rights management page, click activate.
6. When prompted Do you want to activate Rights Management?, click activate.
7. You should now see Rights management is activated and the option to deactivate.
Set up Azure Rights Management for Office 365 Message Encryption:
1. Use Exchange Online Remote PowerShell to perform the steps in this procedure. For information about connecting to Remote PowerShell, see Connect to Exchange Online Using Remote PowerShell.
2. Configure the Rights Management Services (RMS) online key-sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location, as shown in this table:
| Location | RMS key sharing URL |
| --- | --- |
| North America | https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc |
| European Union | https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc |
| Asia | https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc |
| South America | https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc |
| Office 365 for Government (Government Community Cloud) | https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc (see note) |
Note: Only customers who have purchased Office 365 for Government SKUs (Government Community Cloud) should use this RMS key sharing location.
For example, to configure the RMS Online key sharing location for a customer in North America, you would use this URL:
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
For detailed syntax and parameter information, see Set-IRMConfiguration.
3. Run the following command to import the Trusted Publishing Domain (TPD) from RMS Online:
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
For detailed syntax and parameter information, see Import-RMSTrustedPublishingDomain.
4. To verify that you successfully configured IRM in Exchange Online to use the Azure Rights Management service, run the Test-IRMConfiguration -RMSOnline cmdlet. Among other things, the command checks connectivity with the RMS Online service, downloads the TPD, and checks its validity.
5. Run the following commands to disable IRM templates from being available in OWA and Outlook and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption:
- To disable IRM templates in OWA and Outlook:
Set-IRMConfiguration -ClientAccessServerEnabled $false
- To enable IRM for Office 365 Message Encryption:
Set-IRMConfiguration -InternalLicensingEnabled $true
6. To verify that you successfully imported the TPD and enabled IRM, use the Test-IRMConfiguration cmdlet to test IRM functionality. For details, see “Example 1” in Test-IRMConfiguration.
OME is now available for your Office 365 tenant. For more information on PowerShell commands, please see the Microsoft documentation.
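The steps above as one PowerShell script, added here as an example (it is not from the original post or from Microsoft). It assumes an Exchange Online Remote PowerShell session is already open, and that the Results text returned by Test-IRMConfiguration contains "OVERALL RESULT: PASS" on success; the $region variable and the region table keys are ours.

```powershell
# Added example: run the Azure RMS / IRM setup steps in order and stop early
# if the connectivity test fails. Assumes an open Exchange Online Remote
# PowerShell session.
$keySharingUrls = @{
    'NA'    = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    'EU'    = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    'AP'    = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
    'SA'    = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
    # Government Community Cloud SKUs only:
    'GOVUS' = 'https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc'
}
$region = 'NA'   # our assumption: change to the region where your tenant is hosted

# Step 2: point Exchange Online at the RMS Online key-sharing location.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingUrls[$region]

# Step 3: import the Trusted Publishing Domain from RMS Online.
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

# Step 4: check connectivity, TPD download and validity before enabling anything.
# Assumption: the Results text ends with "OVERALL RESULT: PASS" when all checks pass.
$test = Test-IRMConfiguration -RMSOnline
if ($test.Results -notmatch 'OVERALL RESULT: PASS') {
    Write-Error "IRM test failed, not enabling IRM:`n$($test.Results)"
    return
}

# Step 5: hide IRM templates from OWA/Outlook users, then enable internal
# licensing so transport rules can apply Office 365 Message Encryption.
Set-IRMConfiguration -ClientAccessServerEnabled $false
Set-IRMConfiguration -InternalLicensingEnabled $true

# Step 6: confirm the settings took effect and re-run the functional test.
Get-IRMConfiguration |
    Format-List RMSOnlineKeySharingLocation, ClientAccessServerEnabled, InternalLicensingEnabled
Test-IRMConfiguration -RMSOnline | Format-List
```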
Now it’s time to set up a transport rule. This means that when certain conditions are met, your message will go through OME.
To set up the transport rule, navigate to Exchange Admin Center, then to Mail Flow.
Define rules to encrypt or decrypt email messages
- From the EAC, go to mail flow > rules. If you need help to become familiar with the EAC, see Exchange Admin Center in Exchange Online.
- Select + > Create a new rule.
- In Name, type a name for the rule, such as Encrypt mail for DrToniRamos@hotmail.com.
- In Apply this rule if, select a condition, and enter a value if necessary. For example, to encrypt messages going to DrToniRamos@hotmail.com:
  - In Apply this rule if, select The recipient is.
  - To select an existing name, select it from the contact list and then click OK.
  - To enter a new name, type an email address in the check names box and then select check names > add > OK.
- To add more conditions, select add condition and select from the list. For example, to specify that the previous rule applies only if the recipient is outside your organization:
  - Select add condition and then select The recipient is located > Outside the organization.
  - Select OK.
- To enable encryption, in Do the following, select Modify the message security > Apply Office 365 Message Encryption, as shown below, and then select Save. You can select add action if you want to specify another action.
At this point it’s a good idea to test your rule by sending an email to a personal account and making sure everything works properly.
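The same rules created with New-TransportRule instead of the EAC, as an added example (not the original post's code or Microsoft's). It covers the keyword case from the start of this section (the word "secure" in the subject, external recipients only) and the single-recipient case from the EAC steps; the rule names are ours, and an Exchange Online Remote PowerShell session is assumed.

```powershell
# Added example: create the OME transport rules from PowerShell and read them
# back. Assumes an open Exchange Online Remote PowerShell session.
$keywordRule   = 'Encrypt mail with secure keyword'          # our name
$recipientRule = 'Encrypt mail for DrToniRamos@hotmail.com'  # name used in the EAC steps

# Rule 1: users trigger encryption by putting "secure" in the subject line;
# -SentToScope NotInOrganization limits it to recipients outside the tenant.
if (-not (Get-TransportRule -Identity $keywordRule -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $keywordRule `
        -SubjectContainsWords 'secure' `
        -SentToScope NotInOrganization `
        -ApplyOME $true `
        -Comments 'Users add "secure" to the subject to send through OME'
}

# Rule 2: always encrypt mail to one specific external address.
if (-not (Get-TransportRule -Identity $recipientRule -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $recipientRule `
        -SentTo 'DrToniRamos@hotmail.com' `
        -ApplyOME $true
}

# Verify: list every rule that applies OME, with its state and conditions,
# then send a test message to a personal account as the text suggests.
Get-TransportRule | Where-Object { $_.ApplyOME } |
    Format-List Name, State, Priority, SubjectContainsWords, SentTo, SentToScope, ApplyOME
```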
Additionally, you can customize the branding, disclaimers and other features of your encrypted email by running the following commands in PowerShell.
| Feature | Command |
| --- | --- |
| Default text | Set-OMEConfiguration -Identity "OME Configuration" -EmailText "up to 1024 characters" |
| Disclaimer statement | Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "up to 1024 characters" |
| Text in the encrypted mail web portal | Set-OMEConfiguration -Identity "OME Configuration" -PortalText "up to 128 characters" |
| Logo | Set-OMEConfiguration -Identity "OME Configuration" -Image <Byte[]> |
Here’s an example of what our OME emails look like at Big Green IT.
[picture of branded, disclaimed, encrypted email]
And that’s how to conduct an Office 365 encryption setup with OME.
Sending Encrypted Email With Cirius
If the OME configuration instructions were too complex, there is another way to send encrypted email with Office 365 that is a breeze to set up. There is an added cost to this method, but the ease of use and extra benefits like message tracking, large file transfer, and mobile capabilities make it an attractive option for some.
Cirius is third party software that allows you to securely share messages, files and workflows. Their solution for encrypting email is especially nifty, and that’s what we’re going to demonstrate.
How To Configure Email Encryption With Cirius
First, navigate to the Office Store and locate the Cirius add-in.
Click the green Add button and follow the prompts to install the mini application into Outlook. You will need to set up an account, which only takes a few minutes. That’s it.
Once installed, there are a ton of options for setting rules for email encryption, but they are all so intuitive it’s not necessary to list them here. Simply follow the prompts from Cirius and tailor the mini app to your workflows.
BONUS: Neat Workflows Using Cirius
Send email attachments up to 5GB
Sending large files via email is a common complaint to IT departments:
“I can’t send this file! I don’t have time to mess around with FTP I just need to send it!”
Besides being slightly more complex than sending an email, FTP is also potentially less secure. Cirius makes this easy by allowing you to send files up to 5GB directly from your email client—no other software or workflows required.
Files sent with Cirius Secure Messaging are actually sent outside your company’s email pipeline, therefore bypassing the file size limits most organizations use. Cirius breaks large files into 4 MB chunks while in transit and stores them (encrypted) in the cloud.
Another neat aspect of this feature is the ability to receive a Delivery Slip when the person you sent the email to receives it—just like certified mail with USPS.
Send E-Signatures Over Email
E-signatures are a faster, more convenient, and environmentally responsible method for getting documented approval. We like Cirius for e-signatures because it’s not only fast and simple—it’s also secure.
Security – Cirius does not send a plain text link that could be intercepted when sending e-signatures—everything goes through their Secure Messaging Suite that we discussed earlier. These e-signature features require the user to be authenticated in order to e-sign the document.
Simplicity – In addition to security, sending e-signature requests with Cirius is really easy.
- Open a new secure message.
- Add required parties who need to sign to the “To” box.
- From the E-Signature Documents section of the Delivery Slip, click Select documents for e-signature
- Choose the files you need e-signed.
- Send.
A couple other features worth mentioning are custom branding and the fact that this integrates directly into Office 365—there’s no need to open up a new piece of software.
For even more tricks integrating Cirius with Office 365, check out this handy guide.
There you have it—Office 365 encryption setup. And a few bonuses from our friends at Cirius. If you have questions about encryption, or Office 365 in general, that aren’t answered in this post, feel free to contact us or take a look at our Office 365 Webinars.
Big Green IT is a Microsoft Cloud Champion Partner. Our experience spans small-scale to large-scale Office 365 migrations for both the private and public sector. We specialize in migrations and deployments from 100 to 10,000 seats.