As part of my work this week with Exchange transport rules, I needed to recreate another facility that my customer has grown used to in Office 365 – the ability to selectively encrypt emails using keywords.
This one turned out to be relatively straightforward – Office 365 Message Encryption has been around for a while now (it replaced Exchange Hosted Encryption) and I was able to use a transport rule to detect a phrase in the subject or body (“encrypt me please”) and apply Office 365 Message Encryption accordingly. I could equally have done this based on other criteria (for example, I suggest that any message marked as confidential and sent externally would be a good candidate).
So, the rule is fairly simple:
New-TransportRule -Name 'Encrypt email on request' -Comments ' ' -Mode Enforce -SubjectOrBodyContainsWords 'encrypt me please' -ApplyOME $true
Office 365 Message Encryption needs Azure RMS
The challenge for me was that I wasn’t creating it in PowerShell – I was using the Exchange Admin Center and the appropriate options weren’t visible. That’s because Office 365 Message Encryption needs Azure Rights Management Services (RMS) to be enabled, and it’s necessary to use the More Options link to expose the option to Modify the Message Security… from which it’s possible to Apply Office 365 Message Encryption.
Unfortunately that still didn’t work and the resulting error message was:
You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled.
It seems it’s not just a case of enabling RMS in the service settings. I also needed to run the following commands in PowerShell:
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"
(that’s the European command – there are alternative locations for other regions listed in the post I used to help me)
Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
Test-IRMConfiguration -RMSOnline
(check everything passes)
Set-IRMConfiguration -InternalLicensingEnabled $true
With RMS/Information Rights Management (IRM) properly enabled I could create the rule as intended.
Customising the experience
Testing my rule was easy enough, but it’s also possible to customise the portal that recipients go to in order to read the encrypted message.
This is all done in PowerShell, with some simple commands:
Get-OMEConfiguration
provides the current Office 365 Message Encryption configuration and to set the configuration to meet my requirements, I used:
Set-OMEConfiguration -Identity "OME Configuration" -Image (Get-Content "markwilsonitlogo.png" -Encoding byte) -PortalText "markwilson.it Secure Email Portal" -EmailText "Encrypted message from markwilson.it"
The tricky bit was working out how to provide the logo file, as just the filename creates a PowerShell error and the Get-Content cmdlet has to be used to read the file as bytes.
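The whole procedure above, pulled together as an added example (my own script, not the post's own commands) that can be re-run safely: it enables IRM licensing only when it is still off, refuses to continue if the RMS Online test does not pass, creates the keyword rule only if it does not already exist, and also adds the "confidential and sent externally" variant the post suggests. It assumes an Exchange Online PowerShell session is already open, the EU key-sharing location from the post (change it for other regions), that `Test-IRMConfiguration` exposes its text in a `Results` property ending in "OVERALL RESULT: PASS", and that Outlook's Confidential sensitivity arrives as a `Sensitivity: Company-Confidential` header.

```powershell
# Added example, not the author's script. Assumes Connect-ExchangeOnline has
# already been run. The key-sharing URL is the European one from the post.
param(
    [string]$KeySharingLocation = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc',
    [string]$TriggerPhrase = 'encrypt me please'
)

$ErrorActionPreference = 'Stop'

# 1. Enable IRM licensing only if it is not already on, so re-runs are harmless.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    if ($irm.RMSOnlineKeySharingLocation -ne $KeySharingLocation) {
        Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocation
    }
    if (-not (Get-RMSTrustedPublishingDomain -ErrorAction SilentlyContinue)) {
        Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'
    }
    # Stop if the RMS Online test fails; otherwise New-TransportRule -ApplyOME
    # fails with the "IRM licensing is disabled" error seen in the post.
    # (Assumption: the pass/fail text is in the Results property.)
    $test = Test-IRMConfiguration -RMSOnline
    if ($test.Results -notmatch 'OVERALL RESULT:\s*PASS') {
        throw "Test-IRMConfiguration -RMSOnline did not pass:`n$($test.Results)"
    }
    Set-IRMConfiguration -InternalLicensingEnabled $true
}

# 2. Keyword-triggered rule as in the post, created only if it is absent.
if (-not (Get-TransportRule -Identity 'Encrypt email on request' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Encrypt email on request' -Mode Enforce `
        -SubjectOrBodyContainsWords $TriggerPhrase -ApplyOME $true
}

# 3. The variant the post suggests: anything Outlook marked Confidential
#    (Sensitivity header, assumed value) that leaves the organisation.
if (-not (Get-TransportRule -Identity 'Encrypt confidential external mail' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Encrypt confidential external mail' -Mode Enforce `
        -HeaderContainsMessageHeader 'Sensitivity' -HeaderContainsWords 'Company-Confidential' `
        -SentToScope NotInOrganization -ApplyOME $true
}

# 4. Show every rule that applies OME so the end state can be checked.
Get-TransportRule | Where-Object { $_.ApplyOME } |
    Select-Object Name, Mode, State, SubjectOrBodyContainsWords, SentToScope
```

Run it once with `-Mode Test` substituted in the two `New-TransportRule` calls if you want to see matches in message trace before enforcing.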