Configuring OME (Office Message Encryption)

This week I was working on implementing Office Message Encryption (part of Azure Information Protection) for a customer and I’d like to share my experience on this one.

Why OME? Because it is a very user-friendly way of sending encrypted mails and attachments to customers and colleagues. It works directly from Outlook and OWA, and on the recipient side it supports Gmail/G Suite and Microsoft accounts for authentication; if the recipient doesn't have this type of account, an OTP code can be used instead.

Now let’s get started!

Getting the correct licenses

The requirement for sending mails via OME is (at least) a license which contains Azure Information Protection Premium P1.
You can purchase AIP Plan 1 as a stand-alone product or as part of the Microsoft 365 Premium, E3/E5 or the EMS suites. You can take a look here for more info on the licenses:

Minimum license required is AIP Plan 1

Activating Azure Rights Management

In order to start using OME you need to enable the Azure Rights Management service. You can do this by going to, opening the Settings > Org settings tab and selecting Microsoft Azure Information Protection.

You will then be sent to the Rights Management page, where you can select “activate” in order to activate Rights Management.

Activate the RMS


When you’ve activated the RMS you can validate the configuration by running the Test-IRMConfiguration cmdlet. In order to use this cmdlet you will need to install the AIP PowerShell module first. Use the following commands to follow these steps:

Install-Module AIPService
Test-IRMConfiguration -Sender user@yourdomain.com   # replace with a licensed mailbox in your tenant

This command checks whether the templates are accessible by the service, whether the encryption and decryption processes work and whether the service itself is enabled.

When you get a test result of “FAILED to acquire RMS Templates”

Connect to your Exchange Online environment via the PowerShell module and execute the following commands:


# AIP module: read the tenant licensing URL (Get-AadrmConfiguration in the older, deprecated AADRM module)
Connect-AipService
$aadrmconfig = Get-AipServiceConfiguration
$LicenseIDPU = $aadrmconfig.LicensingIntranetDistributionPointUrl

# Exchange Online: point IRM at that URL and enable internal licensing
Set-IRMConfiguration -LicensingLocation $LicenseIDPU
Set-IRMConfiguration -InternalLicensingEnabled $true

Super User

Something you shouldn’t forget while configuring OME is a Super User. Because OME uses the infrastructure of Azure Rights Management, a Super User is able to decrypt files sent via OME when necessary. To assign Super Users you need to run the following commands in the AIP PowerShell module:

Connect-AipService
Enable-AipServiceSuperUserFeature   # the Super User feature is disabled by default
Add-AipServiceSuperUser -EmailAddress superuser@yourdomain.com   # replace with the Super User's address

Sidenote: another option is to use security groups, but as outlined by Microsoft, the addition of an extra Super User might take some time to get processed by the IRM service.

Decrypting files is really easy: just download the Unified Labeling client via and open the file with the client. Sign in as the Super User, uncheck the Protect with custom permissions checkbox and click Apply.
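As an added example (not from the original post), the following script checks in one pass the settings configured in the steps above: RMS activation, the Exchange Online IRM licensing values, the Test-IRMConfiguration result and the Super User feature. It assumes the AIPService and ExchangeOnlineManagement modules are installed and that you have already run Connect-AipService and Connect-ExchangeOnline; the sender address is a placeholder.

```powershell
# Added validation script (not the post's own code). Assumes Connect-AipService
# and Connect-ExchangeOnline have already been run in this session.
$Sender = 'user@yourdomain.com'   # placeholder: a licensed mailbox in your tenant

# 1. Rights Management must be activated (the "activate" step above)
$aip = Get-AipServiceConfiguration
if ($aip.FunctionalState -ne 'Enabled') {
    Write-Warning "Azure RMS is not enabled for this tenant (state: $($aip.FunctionalState))"
}

# 2. Exchange Online IRM must point at the tenant licensing URL and have
#    internal licensing on; these are the values the "FAILED to acquire
#    RMS Templates" fix sets
$irm      = Get-IRMConfiguration
$expected = $aip.LicensingIntranetDistributionPointUrl
if ($irm.LicensingLocation -notcontains $expected) {
    Write-Warning "IRM LicensingLocation does not include $expected; setting it"
    Set-IRMConfiguration -LicensingLocation $expected
}
if (-not $irm.InternalLicensingEnabled) {
    Write-Warning 'InternalLicensingEnabled is false; enabling it'
    Set-IRMConfiguration -InternalLicensingEnabled $true
}

# 3. End-to-end check: templates reachable, encryption and decryption working.
#    Results is a multi-line string; surface only the failing lines.
$result = Test-IRMConfiguration -Sender $Sender
($result.Results -split "`n") | Where-Object { $_ -match 'FAIL' } |
    ForEach-Object { Write-Warning $_ }

# 4. Super User audit: the feature must be on, and the list should stay short
#    because every account on it can decrypt any OME-protected content
if ((Get-AipServiceSuperUserFeature) -ne 'Enabled') {
    Write-Warning 'Super User feature is disabled; Super Users cannot decrypt OME mail'
}
Get-AipServiceSuperUser | ForEach-Object { "Super User: $_" }
```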

The End-user experience

After you have set up OME it’s time for the users to start encrypting their mails (and attachments)!

Applying encryption to an e-mail is really simple, just let the user follow these steps:

  1. Compose an e-mail message
  2. Add the attachments
  3. Click on Options in the Outlook ribbon
  4. Select “Encrypt”
  5. By default the Encrypt button uses the “Encrypt-only” option; this encrypts the message but still lets the recipient forward it after it has been opened.
     To prevent the recipient from forwarding the mail, select the down arrow next to Encrypt and choose the option Do Not Forward.
The “DNF” button

  6. Hit Send!

The result

Recipients will be able to read the message and preview the attachments in the browser via Office Online.
When the user downloads the attachments, he/she is required to authenticate in Office or, in case of a PDF attachment, in a compatible PDF reader with the same account that received the message. If this is not a Microsoft account, they will need to register a Microsoft account on their mail address first.

When you use Outlook 2016 or OWA (Outlook on the Web) and a signed-in Microsoft 365 account, OME works out-of-the-box and opens the message right away without the requirement to go to the sign-in page and the viewing portal.
The same applies to the Outlook for iOS and Android apps with a signed-in Microsoft 365 account.

As you can see, OME is a great way to securely send mails and attachments to both internal and external recipients.

I hope you liked reading this blog and if you have any questions, please drop them in the comments section below.


3 comments

  1. Bram Dokman wrote:

    Hi Patrick,

    Do you know if it is possible to disable G-suite authentication for an office encrypted message?
    I am also looking to enforce MFA for the recipients of the message. Do you have experience with that scenario?
    I can not seem to find any information on both.



    • Patrick van Bemmelen wrote:

      Hi Bram,

      You will only be able to disable this through PowerShell, to do this you connect to Exchange Online and configure your OME Configuration to block “Social Sign-in” via the command Set-OMEConfiguration -SocialIdSignIn $false.
      I have not seen an option yet to force MFA, only the option to use OTP which of course is not the same. The point here is that there won’t be any guest access to your Microsoft 365 as the OME portal or inline experience is only part of Exchange Online and doesn’t rely on the complete Azure AD infrastructure for Microsoft 365 account verification of your own organization. If however the recipient's organization will require MFA then this will be the case once the recipient tries to read the message.
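As an added example (not part of the post or the comment above), this script reviews the OME configuration object from Exchange Online PowerShell and applies the social sign-in change mentioned in the reply. It assumes Connect-ExchangeOnline has already been run; 'OME Configuration' is the identity of the default configuration object.

```powershell
# Added example (not the post's own code). Assumes Connect-ExchangeOnline
# has already been run in this session.
$Identity = 'OME Configuration'   # default OME configuration object
$ome = Get-OMEConfiguration -Identity $Identity

# Social ID sign-in lets recipients open OME mail with Google or Microsoft
# consumer accounts; turning it off leaves OTP and work/school sign-in only.
if ($ome.SocialIdSignIn) {
    Write-Warning 'Social ID sign-in is enabled; disabling it'
    Set-OMEConfiguration -Identity $Identity -SocialIdSignIn $false
}

# OTP is the fallback for recipients without a supported account. With social
# sign-in off, disabling OTP as well would lock out most external recipients.
if (-not $ome.OTPEnabled) {
    Write-Warning 'OTP is disabled; recipients without a Microsoft account cannot read OME mail'
}

# Record the final state for the change log
Get-OMEConfiguration -Identity $Identity |
    Select-Object Identity, SocialIdSignIn, OTPEnabled
```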

