ARTICLE UPDATED OCTOBER 2014 AFTER LAUNCH OF OTP CAPABILITIES IN OME.
At the beginning of 2014, Microsoft released new capabilities for email encryption called Office 365 Message Encryption (OME). The functionality was first announced in November 2013 in this article. In October 2014, OME was improved considerably: the receiver of an encrypted email can now use a One Time Passcode (OTP) to access the encrypted message (documented here). At the launch of OME, all receivers had to authenticate with either an Organizational Account (Azure AD) or a Microsoft Account (formerly LiveID) to access the email, which often led to confusion for external receivers. Now the receiver can instead request a One Time Passcode, delivered to the same email address the encrypted message was sent to, and use it (within 15 minutes) to access the encrypted email. This post was updated in October 2014 to include the new OTP functionality.
In this post, I will demonstrate the user experience of Office 365 Message Encryption, both for the end-user (using OTP) and the administrator (setting up IRM Licensing and all necessary Transport Rules etc).
We will create a transport rule that will enable Office 365 Message Encryption on messages with a Sensitivity level set to Confidential.
STEP 1 – ENABLE IRM LICENSING
If you attempt to use Office 365 Message Encryption before first enabling IRM licensing, the operation will fail and give you this message:
You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled.
To remediate this, we need to enable IRM licensing using the Admin portal and PowerShell. Follow these steps:
- First, enable RMS in your tenant by logging on to your Office 365 Admin Portal, navigate to Service settings (left pane), select Rights management (top bar), click Manage and finally hit the Activate button. A message should appear stating that RMS is activated for the tenant.
- The remaining steps will be done in PowerShell. Open Windows Azure Active Directory Module for Windows PowerShell, found here:
- Connect your PowerShell session to your Office 365 tenant and Exchange Online by entering the following:
$msolcred = Get-Credential   # answer the credential prompt with your Office 365 tenant administrator credentials
Connect-MsolService -Credential $msolcred
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $msolcred -Authentication Basic -AllowRedirection
Import-PSSession $Session   # imports the Exchange Online cmdlets (Set-IRMConfiguration etc.) into this session
- When connected to Exchange Online, you can enable IRM licensing in just a few steps. The first step is to set the RMS Online key sharing location. The URL differs depending on where your tenant is located (North America, European Union or the Asia-Pacific area). Enter the command that matches your tenant location (choose one):
North America: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
European Union: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
The Asia-Pacific Area: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
- After setting the key sharing location, the next step is to import the Trusted Publishing Domain (TPD). Do so by entering the following:
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
- The final step is to activate the internal IRM licensing. Do so by entering the following:
Set-IRMConfiguration -InternalLicensingEnabled $True
- After enabling IRM licensing, verify the functionality by entering:
The test should pass with the result OVERALL RESULT: PASS.
NOTE: Enabling IRM licensing might need several hours for the change to take effect. If possible, allow 8 hours to pass before proceeding with STEP 2.
STEP 2 – CREATE THE OME TRANSPORT RULE
We will create a transport rule that enables Office 365 Message Encryption if the message is sent to a recipient outside the organization and the Sensitivity header has been set to Confidential.
Follow these steps:
- Log in to your Office 365 Admin Portal and navigate to Exchange Control Panel (Admin\Exchange).
- Navigate to Mail Flow, click the + icon and select Create a new rule…
- Give the rule a suiting name and click More options…
- From here you can set your condition as it fits your needs, but for this example we will inspect the Sensitivity header and apply Message Encryption based on that. To do so, select the following conditions:
Apply this rule if… A message header includes any of these words
- Complete the Apply this rule if… condition by clicking the Enter text and Enter word properties, so that the condition reads ‘Sensitivity’ header includes ‘Confidential’.
- Click Add condition and select The recipient… Is external/internal. Click Select one… and select Outside the organization and hit OK
- Proceed with clicking Do the following… and select Modify the message security… and select Apply Office 365 Message Encryption
- Hit Save at the bottom of the New rule editor. (If you get the message that IRM licensing is not enabled and have completed STEP 1 – please allow more time for the change to take effect, as stated in the Note after STEP 1).
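The same rule can be created from the Exchange Online PowerShell session opened in STEP 1, which also lets you script the check the GUI does not show you: the ApplyOME action is rejected while IRM licensing is off, so the script below runs Test-IRMConfiguration (the verification cmdlet for STEP 1) before touching mail flow, and then reads the rule back to confirm the condition and action were stored. This is an added example, not code from the original post; the sender address and the rule name are assumptions to replace with your own.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# session has been imported as in STEP 1.
param(
    # Assumption: a licensed mailbox in your tenant used as the test sender
    [string]$TestSender = "admin@contoso.onmicrosoft.com",
    # Assumption: any rule name you like
    [string]$RuleName   = "OME - Confidential to external recipients"
)

# 1. Pre-check: Test-IRMConfiguration ends its output with
#    "OVERALL RESULT: PASS" once the tenant is ready for OME.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw "InternalLicensingEnabled is False - complete STEP 1 and allow time for the change to propagate."
}
$testOutput = Test-IRMConfiguration -Sender $TestSender | Out-String
if ($testOutput -notmatch 'OVERALL RESULT:\s*PASS') {
    Write-Warning $testOutput
    throw "Test-IRMConfiguration did not report PASS; do not create the rule yet."
}

# 2. Create the rule. Outlook and OWA write the MIME header
#    "Sensitivity: Company-Confidential" when the sensitivity is set to
#    Confidential; the post's condition 'includes Confidential' matches that.
if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
    Write-Host "Rule '$RuleName' already exists - skipping creation."
} else {
    New-TransportRule -Name $RuleName `
        -HeaderContainsMessageHeader 'Sensitivity' `
        -HeaderContainsWords 'Confidential' `
        -SentToScope NotInOrganization `
        -ApplyOME $true `
        -Mode Enforce `
        -Comments 'Applies Office 365 Message Encryption to Confidential mail leaving the organization' | Out-Null
}

# 3. Read the rule back and verify condition and action before trusting it.
$rule = Get-TransportRule -Identity $RuleName
$rule | Format-List Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords, SentToScope, ApplyOME

$ok = (
    $rule.State -eq 'Enabled' -and
    $rule.Mode -eq 'Enforce' -and
    $rule.ApplyOME -eq $true -and
    $rule.SentToScope -eq 'NotInOrganization' -and
    $rule.HeaderContainsMessageHeader -eq 'Sensitivity'
)
if (-not $ok) { throw "Rule '$RuleName' does not look as intended; review the output above." }
Write-Host "Rule '$RuleName' is in place."
```

Running the pre-check first turns the vague "allow more time" advice into a concrete signal: if Test-IRMConfiguration does not report PASS, the rule creation will fail with the IRM licensing error shown in STEP 1, so there is no point in continuing.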
STEP 3 – SEND A CONFIDENTIAL MESSAGE WITH OME
We will create a message with the sensitivity level set to Confidential and send this to a recipient outside our organization. Our transport rule will apply Office 365 Message Encryption to the message.
Follow these steps:
- Open Outlook or Outlook Web App. Both clients have the native functionality to set the sensitivity header. In the example, I will use OWA, but the procedure is the same in Outlook.
- Compose a new message. Enter an external recipient, give the message a subject and some content, then click … and Show message options…
- Set the message Sensitivity level to Confidential and hit OK
NOTE: In the rich Outlook client, Sensitivity options are found under Message Options\More options\Sensitivity.
- Send the message.
STEP 4 – RECEIVE AND OPEN THE ENCRYPTED MESSAGE
- Open the inbox of the external mailbox and find the encrypted message
- As you can see, the message arrives with an HTML document attached. Open the attachment.
- To be able to read the encrypted message, you can either sign in with a Microsoft Account or with corporate credentials (an Azure AD/Office 365 account) whose username matches the e-mail address the encrypted message was sent to, or (new in October 2014) open the message with a One Time Passcode that is sent to the same e-mail address that received the encrypted message (the HTML file). I recommend Organizational Accounts when sending to other Office 365 users, as they can then open the message with their corporate credentials or even an existing session cookie (a single sign-on experience). For external users, which is what we are demonstrating here, the One Time Passcode is preferable. Keep in mind what the OTP proves: the passcode is delivered to the recipient's mailbox, so the protection rests on control of that mailbox, and anyone who can read that inbox (the HTML attachment and the passcode mail both land there) can open the message. I select the OTP option by following the link at the bottom (“Don’t want to sign in? Get a one-time passcode…”).
- Now go back to the recipient's inbox to find the One Time Passcode together with a reference code (handy when you have received several encrypted messages at once, to tell the OTPs for the different messages apart). Make a note of the OTP and go back to the browser.
- Enter the Passcode from the email in the Passcode field, then click Continue.
- The message will now load and be displayed in the browser.
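If the recipient receives the message in plain text instead of the HTML attachment, the quickest way to tell whether the rule fired at all is a message trace from the Exchange Online session. The script below, an added example that is not part of the original post, looks up the most recent message from the STEP 3 sender to the external recipient and lists the transport events recorded for it, including the rule action. The two addresses and the 24-hour window are assumptions.

```powershell
# Added example (not from the original post). Assumes an imported Exchange
# Online session. Replace the addresses (assumptions) with the sender used
# in STEP 3 and the external recipient from STEP 4.
$sender    = "user@contoso.com"
$recipient = "external.user@example.com"

# Message trace data can lag delivery by several minutes; search the last day.
$traces = Get-MessageTrace -SenderAddress $sender -RecipientAddress $recipient `
            -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
          Sort-Object Received -Descending

if (-not $traces) { throw "No trace found yet; message trace can lag the actual delivery." }

$latest = $traces | Select-Object -First 1
$latest | Format-List Received, SenderAddress, RecipientAddress, Subject, Status

# The per-message detail lists every transport event for that recipient,
# including the transport rule(s) that matched and the action taken.
$events = Get-MessageTraceDetail -MessageTraceId $latest.MessageTraceId -RecipientAddress $recipient
$ruleEvents = $events | Where-Object { $_.Event -like '*rule*' }
$ruleEvents | Format-Table Date, Event, Action, Detail -AutoSize -Wrap

if (-not $ruleEvents) {
    # Typical causes: the Sensitivity header was never set on the sent message,
    # the recipient was treated as internal, or the rule is disabled/in test mode.
    Write-Warning "No transport rule event recorded for this message; check the Sensitivity header and the rule conditions."
}
```

The exact wording in the Detail column varies, so the filter only looks for rule events; what you want to see is an entry naming the OME rule created in STEP 2.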
Office 365 Message Encryption is a very good feature that allows Office 365/Exchange Online customers to send encrypted messages both inside and outside their organization, and the new OTP functionality makes it even better and more complete. This post demonstrated the basic capabilities of OME; you can build more advanced transport rules, such as applying an RMS template to the message when it is sent to an internal recipient and using Office 365 Message Encryption only for external recipients. Just configure the rule to fit your needs.
You can also customize/brand the message that carries the HTML file by using the Set-OMEConfiguration cmdlet. It lets you set custom e-mail text, a disclaimer, the portal text and even include your company logo for branding.
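A branding change is also the easiest thing to get wrong silently (a logo that never loads, a truncated text), so it pays to read the configuration back. The script below is an added example, not code from the original post: the logo path, the wording and the OTPEnabled property (assumed to be present once the OTP feature is available in the tenant) are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes an imported Exchange
# Online session. Path and texts are assumptions.
$logoPath = "C:\OME\logo.png"   # assumption: a small PNG/GIF shown at the top of the notification mail

# Inspect the current branding before changing anything
Get-OMEConfiguration | Format-List Identity, EmailText, PortalText, DisclaimerText, OTPEnabled

$params = @{
    Identity       = "OME Configuration"   # the tenant's single default OME configuration
    EmailText      = "Contoso has sent you a protected message. Open the attachment to read it."
    PortalText     = "Contoso Secure Message Portal"
    DisclaimerText = "This message and its contents are confidential to the intended recipient."
}
if (Test-Path $logoPath) {
    # The Image parameter takes the raw bytes of the image file
    $params.Image = [System.IO.File]::ReadAllBytes($logoPath)
} else {
    Write-Warning "Logo '$logoPath' not found; branding will be applied without an image."
}
Set-OMEConfiguration @params

# Verify that the change actually landed
$cfg = Get-OMEConfiguration
$cfg | Format-List Identity, EmailText, PortalText, DisclaimerText, OTPEnabled
if ($cfg.PortalText -ne $params.PortalText) { throw "PortalText did not update as expected." }
if ($cfg.EmailText  -ne $params.EmailText)  { throw "EmailText did not update as expected." }
```

Send yourself a test message after the change rather than trusting the cmdlet output alone: the notification mail and the portal page are what the external recipient actually judges the message by, and a convincing brand is also what a phishing mail imitating OME would copy, so recipients should be told what your branded notification looks like.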