
Set up Microsoft Azure Rights Management for Office 365 Message Encryption

 

Topic Last Modified: 2014-06-13

Office 365 Message Encryption depends on Microsoft Azure Rights Management (previously known as Windows Azure Active Directory Rights Management). To use this encryption service, you must have an Office 365 organization that includes an Exchange Online or Exchange Online Protection subscription that, in turn, includes an Azure Rights Management subscription.

  • If Azure Rights Management is already set up for Exchange Online or Exchange Online Protection, you’re ready to define transport rules and start using the Office 365 Message Encryption service, as described in Define rules to encrypt or decrypt email messages.

  • If you have Azure Rights Management but it’s not set up for Exchange Online or Exchange Online Protection, activate it following the steps described in this topic under Activate Azure Rights Management for Office 365 Message Encryption.

  • If you don’t have an Azure Rights Management subscription for Exchange Online or Exchange Online Protection, you must purchase a subscription and set up Azure Rights Management in order to use Office 365 Message Encryption. For information about purchasing a subscription to Azure Rights Management, see Azure Rights Management. The next section gives you information about activating Azure Rights Management.

  • If you’re not sure of what your subscription includes, see the Exchange Online service descriptions for Message Policy, Recovery, and Compliance.

Important:
Following the procedures in this topic will enable Office 365 Message Encryption for your organization and prevent IRM templates from being available to users by disabling them in Microsoft Outlook Web App and Microsoft Outlook. If you want to enable IRM for Office 365 Message Encryption and make IRM templates available in OWA and Outlook, follow the steps described in Configure IRM to use Microsoft Azure Rights Management.

Office 365 Message Encryption requires the Azure Rights Management service. Once you have a subscription to this service, you can activate it as described in the following procedure. For more information about this requirement, see Prerequisites for using Office 365 Message Encryption.

To set up Azure Rights Management for Office 365 Message Encryption, do the following:
  1. Use Exchange Online Remote PowerShell to perform the steps in this procedure. For information about connecting to Remote PowerShell, see Connect to Exchange Online Using Remote PowerShell.

  2. Configure the Rights Management Services (RMS) online key-sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location, as shown in this table:

     

    Location                                                  RMS key sharing location
    --------                                                  ------------------------
    North America                                             https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
    European Union                                            https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
    Asia                                                      https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
    South America                                             https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
    Office 365 for Government (Government Community Cloud)    https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc (1)

    Note:
    (1) Only customers who have purchased Office 365 for Government SKUs (Government Community Cloud) should use this RMS key sharing location.

     

    For example, to configure the RMS Online key sharing location for a customer in North America, you would run this command:

    Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

    For detailed syntax and parameter information, see Set-IRMConfiguration.

  3. Run the following command to import the Trusted Publishing Domain (TPD) from RMS Online:

    Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

    For detailed syntax and parameter information, see Import-RMSTrustedPublishingDomain.

  4. To verify that you successfully configured IRM in Exchange Online to use the Azure Rights Management service, run the Test-IRMConfiguration cmdlet. Among other things, the command checks connectivity with the RMS Online service, downloads the TPD, and checks its validity.

  5. Run the following commands to prevent IRM templates from being available in OWA and Outlook, and then enable IRM for your cloud-based email organization so that it can be used for Office 365 Message Encryption:

    • To disable IRM templates in OWA and Outlook:

      Set-IRMConfiguration -ClientAccessServerEnabled $false

    • To enable IRM for Office 365 Message Encryption:

      Set-IRMConfiguration -InternalLicensingEnabled $true

      For detailed syntax and parameter information, see Set-IRMConfiguration.

  6. To verify that you successfully imported the TPD and enabled IRM, use the Test-IRMConfiguration cmdlet to test IRM functionality. For details, see "Example 1" in Test-IRMConfiguration.
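The procedure above as a single script, with a read-back of the resulting IRM settings before the final test. This is an added example, not part of the original topic or Microsoft's own code. It assumes an Exchange Online Remote PowerShell session is already connected (step 1); the function name Set-OmeRightsManagement, the region keys and the optional -Sender mailbox are hypothetical.

```powershell
# Added example. Set-OmeRightsManagement and the region keys are hypothetical names.
function Set-OmeRightsManagement {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('NorthAmerica', 'EuropeanUnion', 'Asia', 'SouthAmerica', 'GovernmentCommunityCloud')]
        [string]$Region,
        [string]$Sender   # optional mailbox in your tenant to pass to Test-IRMConfiguration
    )
    $ErrorActionPreference = 'Stop'   # stop at the first failed step

    # Key sharing locations copied from the table in step 2.
    $locations = @{
        NorthAmerica             = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
        EuropeanUnion            = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
        Asia                     = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
        SouthAmerica             = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
        GovernmentCommunityCloud = 'https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc'
    }
    $url = $locations[$Region]
    $testArgs = @{}
    if ($Sender) { $testArgs.Sender = $Sender }

    # Steps 2 and 3: point Exchange Online at RMS Online and import the TPD.
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $url
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

    # Step 4: connectivity and TPD validity check.
    Test-IRMConfiguration @testArgs

    # Step 5: hide IRM templates in OWA and Outlook, then enable IRM for message encryption.
    Set-IRMConfiguration -ClientAccessServerEnabled $false
    Set-IRMConfiguration -InternalLicensingEnabled $true

    # Read the settings back and fail loudly if any of them did not take effect.
    $cfg = Get-IRMConfiguration
    $problems = @()
    if ("$($cfg.RMSOnlineKeySharingLocation)".TrimEnd('/') -ne $url) { $problems += 'key sharing location does not match the selected region' }
    if ($cfg.ClientAccessServerEnabled)    { $problems += 'ClientAccessServerEnabled is still true' }
    if (-not $cfg.InternalLicensingEnabled) { $problems += 'InternalLicensingEnabled is still false' }
    if (-not (Get-RMSTrustedPublishingDomain)) { $problems += 'no trusted publishing domain was imported' }
    if ($problems) { throw ('IRM configuration check failed: ' + ($problems -join '; ')) }

    # Step 6: final functional test.
    Test-IRMConfiguration @testArgs
}
```

Call it with the region that matches your tenant, for example `Set-OmeRightsManagement -Region NorthAmerica`, and review the output of both Test-IRMConfiguration runs.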

 