


How To Set Up Encrypted Email Office 365

In this blog post, we'll be giving you the step-by-step instructions for configuring Office Message Encryption. I have to say they aren't for the faint of heart! Enabling OME is much more difficult than the other Microsoft email security products such as Office 365 ATP, Exchange Online Protection, or configuring DKIM, DMARC, and SPF.

This blog is the 3rd post of a 5 post series titled Your Complete Guide to Microsoft Email Security. The 5 steps to email security are:

  1. Configure DKIM, DMARC, SPF
  2. Deploy EOP (Exchange Online Protection)
  3. Enable Office Message Encryption (this blog post)
  4. Enable Office 365 ATP (Advanced Threat Protection)
  5. Enable Office 365 MFA with Authenticator App

Note: This blog was last reviewed 2/2022. We do our best to keep all of our blogs up to date to offer you the best, most accurate guidance possible. If you discover otherwise, please drop a comment so we can update the blog. Thank you!


Do I Need Security?

Short answer: yes.

If you're still not convinced why you need email security, Microsoft breaks it down here nicely:

"People often use email to exchange sensitive information, such as financial data, legal contracts, confidential product information, sales reports and projections, patient health data, or client and employee information. As a result, mailboxes can become repositories for large amounts of potentially sensitive information and information leakage can become a serious threat to your organization."


What is Office Message Encryption (OME)?

Office Message Encryption (OME) allows your organization to send and receive encrypted messages, even to people outside of your organization. Encryption makes it so that only your intended audience can view the sensitive data your messages contain.


Setting Up Office 365 Message Encryption

Alright, now that we've got the basics under our belts, let's get started!

  1. Go to https://portal.office.com
  2. Sign in with Global Admin credentials
  3. Click on Admin
  4. Click on Settings
  5. Click on Services & add-ins
  6. Click on Microsoft Azure Information Protection

You will be sent to:

Microsoft Azure Information Protection

  1. Click on Manage Microsoft Azure Information Protection setting
  2. Make sure that Rights Management is activated (if not, please activate it)

If your organization uses multi-factor authentication (MFA) to connect to Exchange Online PowerShell, follow the instructions: MFA requires you to install the Exchange Online Remote PowerShell Module, and use the Connect-EXOPSSession cmdlet to connect.

  1. Go to the Exchange admin center
    • You must have Office 365 admin permissions to access the Exchange admin center.
  2. You need to use Edge - Chrome does not work
  3. Sign in to Office 365 using your work or school account, and then choose the Admin tile.
  4. In the Office 365 admin center, choose Admin centers > Exchange.
  5. Click Hybrid
  6. Click the Configure button under The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more deeply.

You will get the following prompt:

exchange online powershell module

  1. Click Open
  2. The following screen will appear

Install Microsoft Exchange Online Powershell Module

  1. Click Install

  2. Once done, a similar screen will open

Windows Remote Management

  1. You can now close the screen above
  2. Windows Remote Management (WinRM) on your computer needs to allow basic authentication (it's enabled by default). To verify that basic authentication is enabled, do the following:
  3. Open a Command Prompt session (as an Admin)
  4. Run this command in a Command Prompt:
    • winrm quickconfig
  5. Respond Y to Make these changes [y/n]
  6. You will likely get the error below - simply ignore

WinRM Quick Config

  1. Type: winrm get winrm/config/client/auth
    • If you don't see the value Basic = true, you need to run this command to enable basic authentication for WinRM:
      winrm set winrm/config/client/auth @{Basic="true"}
  2. If basic authentication is disabled, you'll get this error when you try to connect:
    • The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again.

Once done, you should see the screen below

Office Message Encryption - WinRM Config

Connect to Exchange Online PowerShell by using MFA

  1. On your local computer, open the Exchange Online Remote PowerShell Module (Microsoft Corporation > Microsoft Exchange Online Remote PowerShell Module).
  2. The command that you need to run uses the following syntax:
    • Connect-IPPSSession -UserPrincipalName <username>@bemopro.com

Once logged in, you will get a screen similar to:

Office Message Encryption Powershell

  1. You will now need to import the newly installed modules.
    • Import-Module AADRM
  2. To see which cmdlets are available for the newly imported module, type the following.
    • Get-Command -Module AADRM
  3. To get started we need to connect to Azure RMS. Type the following cmdlet and enter the credentials of a Global Administrator.
    • Connect-AadrmService
  4. Now that we have a successful connection established with Azure RMS, we can go ahead and run the following cmdlet to enable Azure RMS.
    • Enable-Aadrm
  5. Get the configuration information needed for message encryption.
    • $rmsConfig = Get-AadrmConfiguration
      $licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
  6. Disconnect from the service.
    • Disconnect-AadrmService
  7. Create a remote PowerShell session and connect to Exchange Online.
    • Connect-EXOPSSession -UserPrincipalName <username>@bemopro.com
  8. Collect IRM configuration for Office 365
    • $irmConfig = Get-IRMConfiguration
      $list = $irmConfig.LicensingLocation
      if (!$list) { $list = @() }
      if (!$list.Contains($licenseUri)) { $list += $licenseUri }
  9. Enable message encryption for Office 365
    • Set-IRMConfiguration -LicensingLocation $list
      Set-IRMConfiguration -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true
  10. Enable server decryption for Outlook on the web, Outlook for iOS, and Outlook for Android.
    • Set-IRMConfiguration -ClientAccessServerEnabled $true
  11. Once done, run the following test
    • Test-IRMConfiguration -Sender <username>@bemopro.com
  12. Disable IRM templates in OWA and Outlook
    • Set-IRMConfiguration -ClientAccessServerEnabled $false
  13. View the IRM Configuration

Office Message Encryption Configuration


Office Message Encryption - Things to Consider

1) You need to enable Google, Yahoo, and Microsoft Account recipients to use these accounts to sign in to the Office 365 Message Encryption portal

By default, when you set up the new Office 365 Message Encryption capabilities, users in your organization can send messages to recipients that are outside of your Office 365 organization. If the recipient uses a social ID such as a Google account, Yahoo account, or Microsoft account, the recipient can sign in to the OME portal using the social ID.

2) To manage whether or not to allow recipients to use social IDs to sign in to the OME portal
  1. Run the Set-OMEConfiguration cmdlet with the SocialIdSignIn parameter as follows:
    • Set-OMEConfiguration -Identity "OME Configuration" -SocialIdSignIn $false
  2. To enable social IDs:
    • Set-OMEConfiguration -Identity "OME Configuration" -SocialIdSignIn $true
3) Managing the use of one-time passcodes for signing in to the Office 365 Message Encryption portal

By default, if the recipient of a message encrypted by OME doesn't use Outlook, regardless of the account used by the recipient, the recipient receives a limited-time web-view link that lets them read the message. This includes a one-time passcode. As an administrator, you can manage whether or not one-time passcodes can be used to sign in to the OME portal.

To manage whether or not one-time passcodes are generated for Office Message Encryption

  1. Run the Set-OMEConfiguration cmdlet with the OTPEnabled parameter as follows:
    • For instance, to disable one-time passcodes:
      • Set-OMEConfiguration -Identity "OME Configuration" -OTPEnabled $false
    • To enable one-time passcodes:
      • Set-OMEConfiguration -Identity "OME Configuration" -OTPEnabled $true
4) Managing the display of the Protect button in Outlook on the web

By default, the Encrypt button in Outlook on the web is not enabled when you set up OME. As an administrator, you can manage whether or not to display this button to end-users. To manage whether or not the Protect button appears in Outlook on the web:

  1. Run the Set-IRMConfiguration cmdlet with the -SimplifiedClientAccessEnabled parameter as follows:
  2. For instance, to disable the Encrypt button:
    • Set-IRMConfiguration -SimplifiedClientAccessEnabled $false
  3. To enable the Encrypt button:
    • Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
5) Enable service-side decryption of email messages for iOS mail app users

The iOS mail app can't decrypt messages protected with Office 365 Message Encryption. As an Office 365 administrator, you can apply service-side decryption for messages delivered to unenlightened clients like the iOS mail app. When you choose to do this, the service will send a decrypted copy of the message to the iOS device. The message is stored decrypted on the client device. The message also retains information about usage rights even though the iOS mail app doesn't apply client-side usage rights to the user. This means that the user can copy or print the message even if they did not originally have the rights to do so.

However, if the user attempts to complete an action that requires the Office 365 mail server, such as forwarding the message, the server will not permit the action if the user did not originally have the usage right to do so. Still, end-users can work around the Do Not Forward usage restriction by forwarding the message from a different account in their iOS mail app.

Regardless of whether you set up service-side decryption of mail, any attachments to encrypted and rights-protected mail cannot be viewed in the iOS mail app. If you choose not to allow decrypted messages to be sent to iOS mail app users, users receive a message that states that they don't have the rights to view the message. By default, service-side decryption of email messages is not enabled.
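To review the settings touched in this post in one pass, here is an added example (not part of the original post) that compares the output of Get-IRMConfiguration and Get-OMEConfiguration against a baseline and flags drift. The function name Compare-OmeBaseline, the baseline values and the sample objects are assumptions made for illustration; set the baseline to your own policy.

```powershell
# Added example: flag IRM/OME settings that differ from an expected baseline.
# Baseline values are illustrative assumptions, not recommendations from the post.
$Baseline = [ordered]@{
    AzureRMSLicensingEnabled      = $true
    InternalLicensingEnabled      = $true
    ClientAccessServerEnabled     = $true
    SimplifiedClientAccessEnabled = $true
    SocialIdSignIn                = $false
    OTPEnabled                    = $true
}

function Compare-OmeBaseline {
    param(
        [Parameter(Mandatory)] $IrmConfig,   # object from Get-IRMConfiguration
        [Parameter(Mandatory)] $OmeConfig,   # object from Get-OMEConfiguration
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($name in $Expected.Keys) {
        # Each setting lives on one of the two configuration objects.
        $source = $null
        if ($IrmConfig.PSObject.Properties[$name]) { $source = $IrmConfig }
        elseif ($OmeConfig.PSObject.Properties[$name]) { $source = $OmeConfig }

        $actual = if ($source) { $source.$name } else { '<missing>' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Drift    = ($null -eq $source) -or ($actual -ne $Expected[$name])
        }
    }
}

# Constructed sample objects standing in for live cmdlet output.
$irm = [pscustomobject]@{
    AzureRMSLicensingEnabled  = $true;  InternalLicensingEnabled      = $true
    ClientAccessServerEnabled = $false; SimplifiedClientAccessEnabled = $false
}
$ome = [pscustomobject]@{ SocialIdSignIn = $true; OTPEnabled = $true }

Compare-OmeBaseline -IrmConfig $irm -OmeConfig $ome -Expected $Baseline |
    Format-Table -AutoSize

# Live use, inside a connected Exchange Online PowerShell session:
# Compare-OmeBaseline -IrmConfig (Get-IRMConfiguration) `
#     -OmeConfig (Get-OMEConfiguration -Identity 'OME Configuration') -Expected $Baseline
```

With the constructed sample, ClientAccessServerEnabled, SimplifiedClientAccessEnabled and SocialIdSignIn are reported as drift; the other three settings match the baseline.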

Office Message Encryption: The Wrap-Up

As you can see, setting up OME is no small undertaking but hopefully, these steps got you through to the other side. If you have any questions or thoughts, please feel free to comment below.

We implement OME with all of our cybersecurity plans. Check them out 👉 here


Source: https://www.bemopro.com/cybersecurity-blog/how-to-set-up-office-message-encryption-ome

Posted by: sibleysearry.blogspot.com
