Configuring OME (Office Message Encryption)

This week I was working on implementing Office Message Encryption (part of Azure Information Protection) for a customer and I’d like to share my experience on this one.

Why OME? Because it’s a super user-friendly way of sending encrypted mails and attachments to customers and colleagues. It works directly from Outlook and OWA, and on the recipient side it supports Gmail/G Suite and Microsoft accounts for authentication; if the recipient hasn’t got this type of account, a one-time passcode (OTP) can be used instead.

Now let’s get started!

Getting the correct licenses

The requirement for sending mails via OME is (at least) a license which contains Azure Information Protection Premium P1.
You can purchase AIP Plan 1 as a stand-alone product or as part of Microsoft 365 Premium, E3/E5 or the EMS suites. Take a look here for more info on the licenses:

https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-faq?view=o365-worldwide#what-subscriptions-do-i-need-to-use-the-new-ome-capabilities

Minimum license required is AIP Plan 1

Activating Azure Rights Management

In order to start using OME you need to enable the Azure Rights Management service. You can do this by going to portal.office.com, opening the Settings > Org settings tab and selecting Microsoft Azure Information Protection.

You will then be sent to the Rights Management page, where you can select “activate” in order to activate Rights Management.

Activate the RMS

Testing

When you’ve activated the RMS you can validate the configuration by running the Test-IRMConfiguration command. In order to use this cmdlet you will need to install the AIP PowerShell module first. Use the following commands to follow these steps:

Install-Module AIPService

# -Sender takes one of your own mailboxes; the address below is a placeholder
Test-IRMConfiguration -Sender user@domain.com

This command will check whether the templates are accessible by the service, whether the encryption and decryption processes are working and whether the service itself is enabled.

When you get a test result of “FAILED to acquire RMS Templates”

Connect to your Exchange Online environment via the PowerShell module and execute the following commands:

# Sign in to Azure RMS and read the licensing distribution point of your tenant
Connect-AadrmService

$aadrmconfig = Get-AadrmConfiguration

$LicenseIDPU = $aadrmconfig.LicensingIntranetDistributionPointUrl

# Point Exchange Online at that licensing location and enable internal licensing
Set-IRMConfiguration -LicensingLocation $LicenseIDPU

Set-IRMConfiguration -InternalLicensingEnabled $true
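The activation, test and repair steps above can be run as one script so that the outcome of each step is visible and the repair is only applied when the template test actually fails. The script below is an added example and not the post’s own; it assumes the AIPService and ExchangeOnlineManagement modules are installed, uses the current AipService cmdlet names (Connect-AipService, Get-AipServiceConfiguration) instead of the older Aadrm ones shown in the post, and relies on the Results and OverallResult properties of the Test-IRMConfiguration output as I know them from the cmdlet’s output. The sender address is a constructed placeholder.

```powershell
# Added example, not the post's own script.
# Assumes: AIPService + ExchangeOnlineManagement modules, an account that is
# both an AIP admin and an Exchange Online admin.
$TestSender = 'user@domain.com'   # constructed placeholder: any mailbox in your tenant

# --- 1. Azure Rights Management: make sure the service is activated ---
Connect-AipService
$aipStatus = Get-AipService        # returns 'Enabled' or 'Disabled'
if ($aipStatus -ne 'Enabled') {
    Write-Host "Azure RMS is $aipStatus - activating it now"
    Enable-AipService
}

# --- 2. Exchange Online: run the IRM self-test ---
Connect-ExchangeOnline
$irmTest = Test-IRMConfiguration -Sender $TestSender
Write-Host "IRM test overall result: $($irmTest.OverallResult)"
$irmTest.Results                   # per-check PASS/FAIL lines

# --- 3. Repair the licensing location only when the template check failed ---
if ($irmTest.OverallResult -ne 'PASS' -and
    ($irmTest.Results -match 'FAILED to acquire RMS Templates')) {

    # Same fix as in the post, using the current AipService cmdlet name
    $licensingUrl = (Get-AipServiceConfiguration).LicensingIntranetDistributionPointUrl
    Write-Host "Setting Exchange Online licensing location to $licensingUrl"
    Set-IRMConfiguration -LicensingLocation $licensingUrl
    Set-IRMConfiguration -InternalLicensingEnabled $true

    # Re-run the test so the change record shows the state after the fix
    $irmTest = Test-IRMConfiguration -Sender $TestSender
    Write-Host "IRM test overall result after fix: $($irmTest.OverallResult)"
}

# --- 4. Capture the effective IRM settings for the change record ---
Get-IRMConfiguration |
    Select-Object AzureRMSLicensingEnabled, InternalLicensingEnabled,
                  ExternalLicensingEnabled, LicensingLocation
```

Keeping the output of step 4 together with the test result gives you a before/after record of the tenant’s IRM settings, which is what you want to hand over to the customer at the end of the implementation.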

Super User

Something you shouldn’t forget while configuring OME is a Super User. Because OME uses the infrastructure of Azure Rights Management, a Super User is able to decrypt files sent via OME when necessary. To assign Super Users you need to run the following commands in the AIP PowerShell module:

Connect-AIPService

# The Super User feature is disabled by default and has to be switched on first
Enable-AipServiceSuperUserFeature

Add-AipServiceSuperUser -EmailAddress thesuperuser@domain.com

Sidenote: another option is to use security groups, but as outlined by Microsoft, the addition of an extra Super User via a group might take some time to get processed by the IRM service.
https://docs.microsoft.com/nl-nl/azure/information-protection/prepare#group-membership-caching-by-azure-information-protection

Decrypting files is really easy, just download the Unified Labeling client via https://aka.ms/aipclient and open the file with the client. Sign in with the Super User, uncheck the Protect with custom permissions checkbox and click Apply.
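Because a Super User can decrypt everything the tenant has protected, it pays to assign it idempotently, verify who actually holds it and keep the admin log. The script below is an added example, not the post’s own; it assumes the AIPService module and an AIP admin sign-in, that Get-AipServiceSuperUserFeature returns ‘Enabled’ or ‘Disabled’ and Get-AipServiceSuperUser returns the list of addresses (as I know them from the module), and uses a constructed group address and log path.

```powershell
# Added example, not the post's own script. Assumes the AIPService module
# and an account that is an AIP administrator.
$SuperUser      = 'thesuperuser@domain.com'    # address from the post
$SuperUserGroup = 'aip-superusers@domain.com'  # constructed placeholder
$AuditLog       = Join-Path $env:TEMP 'AipAdminLog.txt'   # constructed path

Connect-AipService

# 1. The feature is off by default; enable it only if it is not already on
if ((Get-AipServiceSuperUserFeature) -ne 'Enabled') {
    Write-Host 'Enabling the Super User feature'
    Enable-AipServiceSuperUserFeature
}

# 2. Add the individual Super User, but only if not already present
$currentSuperUsers = @(Get-AipServiceSuperUser)
if ($currentSuperUsers -notcontains $SuperUser) {
    Add-AipServiceSuperUser -EmailAddress $SuperUser
}

# 3. Optional: use a security group instead of individuals. Note that
#    Set-AipServiceSuperUserGroup replaces any previously set group, and
#    membership changes are cached by the service (see the sidenote above).
Set-AipServiceSuperUserGroup -GroupEmailAddress $SuperUserGroup

# 4. Verify the effective assignment
Write-Host 'Super User feature :' (Get-AipServiceSuperUserFeature)
Write-Host 'Super Users        :' ((Get-AipServiceSuperUser) -join ', ')
Write-Host 'Super User group   :' (Get-AipServiceSuperUserGroup)

# 5. Export the AIP admin log so the change (and later changes to the
#    Super User list) is auditable, and show only the Super User entries
Get-AipServiceAdminLog -Path $AuditLog
Get-Content $AuditLog | Select-String -Pattern 'SuperUser'
```

Step 5 is the part worth scheduling: the admin log is where a later, unexpected addition to the Super User list shows up, so reviewing it is how you detect that someone has quietly gained the ability to decrypt all OME mail.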

The End-user experience

After you have set up OME it’s time for the users to start encrypting their mails (and attachments)!

Applying encryption to an e-mail is really simple, just let the user follow these steps:

  1. Compose an e-mail message
  2. Add the attachments
  3. Click on Options in the Outlook ribbon
  4. Select “Encrypt”
  5. By default the Encrypt button will use the “Encrypt-only” option. This encrypts the message, but the recipient can still forward it after it has been opened.
     To prevent the recipient from forwarding the mail, select the down arrow next to Encrypt and choose the option Do Not Forward.

The “DNF” button

  6. Hit Send!

The result

Recipients will be able to read the message and preview the attachments in the browser via Office Online.
When the user downloads the attachments, he/she is required to authenticate in Office or, in case of a PDF attachment, in a compatible PDF reader (https://docs.microsoft.com/nl-nl/azure/information-protection/rms-client/protected-pdf-readers) with the same account that received the message. If this is not a Microsoft account, they will first need to register a Microsoft account for their mail address.

When you use Outlook 2016 or OWA (Outlook on the Web) with a signed-in Microsoft 365 account, OME works out-of-the-box and opens the message right away, without having to go through the sign-in page and the viewing portal.
The same applies to the Outlook for iOS and Android apps with a signed-in Microsoft 365 account.

As you can see, OME is a great way to securely send mails and attachments to both internal and external recipients.

I hope you liked reading this blog and if you have any questions, please drop them in the comments section below.
