Implement Microsoft Purview Message Encryption
Once you've implemented your tenant encryption strategy, you can implement Microsoft Purview Message Encryption. To provide the best user experience, administrators should review their tenant settings for information rights management (IRM) features and OME settings before activating the encryption system for all users.
Verify information rights management functionality
Any Microsoft 365 tenant should be activated to use Azure RMS and IRM capabilities by default. To determine whether Azure RMS was deactivated for your tenant, run the following cmdlet, which validates the IRM configuration of the tenant:
Get-IRMConfiguration | fl AzureRMSLicensingEnabled
If the AzureRMSLicensingEnabled parameter is set to $False, activate OME for your tenant by using the following cmdlet:
Set-IRMConfiguration -AzureRMSLicensingEnabled:$True
Now run the following cmdlet with a sender inside your organization to check whether IRM data can be obtained for this recipient:
Test-IRMConfiguration -Sender admin@contoso.com -Recipient admin@contoso.com
The output of the cmdlet will display the results of several tests performed and an overall test result, which should be PASS.
Note
The above cmdlets require a connection to Exchange Online PowerShell and Exchange administrator permissions to change tenant-wide settings.
If any of the tests fail, you may not be able to fetch the RMS templates for a recipient, or there may be issues with the encryption keys in use.
The IRM and OME configuration cmdlets allow you to configure how RMS content is used in a tenant and which key endpoints are in use. Administrators should become familiar with the available settings for these cmdlets.
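The verification steps above, combined into one script as an added example (not part of the original module and not Microsoft's own script). The -EnableIfDisabled switch and the $AdminUpn parameter are hypothetical names, and the match on the text "OVERALL RESULT: PASS" is an assumption about how Test-IRMConfiguration words its overall result.

```powershell
# Added example: audit IRM state, optionally enable Azure RMS licensing, then test.
# Requires the ExchangeOnlineManagement module and Exchange administrator permissions.
param(
    [Parameter(Mandatory)]
    [string] $AdminUpn,            # hypothetical parameter, e.g. admin@contoso.com
    [switch] $EnableIfDisabled     # hypothetical switch: change the tenant only on request
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Step 1: read the current tenant-wide IRM setting.
    $irm = Get-IRMConfiguration
    Write-Host "AzureRMSLicensingEnabled: $($irm.AzureRMSLicensingEnabled)"

    # Step 2: enable licensing only if it is off and the operator asked for it.
    if (-not $irm.AzureRMSLicensingEnabled) {
        if (-not $EnableIfDisabled) {
            Write-Warning 'Azure RMS licensing is disabled. Re-run with -EnableIfDisabled to turn it on.'
            return
        }
        Set-IRMConfiguration -AzureRMSLicensingEnabled $true
        Write-Host 'Azure RMS licensing enabled for the tenant.'
    }

    # Step 3: run the end-to-end test with an internal sender and recipient.
    # Out-String flattens the result so the check does not depend on property names.
    $report = Test-IRMConfiguration -Sender $AdminUpn -Recipient $AdminUpn | Out-String

    # Assumption: the overall verdict appears as "OVERALL RESULT: PASS".
    if ($report -match 'OVERALL RESULT:\s*PASS') {
        Write-Host 'IRM test passed.'
    }
    else {
        # Show the full report so the failing sub-test (templates, keys) is visible.
        Write-Warning 'IRM test did not report PASS. Full output follows.'
        Write-Host $report
    }
}
finally {
    # Always close the session, even when a cmdlet throws.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Without -EnableIfDisabled the script is read-only apart from the test itself, which makes it suitable for a pre-rollout check.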
Implement custom Office Message Encryption settings
OME is managed via configuration objects, or more precisely templates, which can be assigned and referenced. The default template for all users is named "OME Configuration", and any setting made in this configuration is applied to all users. While the basic Microsoft Purview Message Encryption allows only a single template, Microsoft Purview Advanced Message Encryption provides more flexibility with multiple branding templates for different purposes.
The following examples provide a general description of which settings are available with the *-OMEConfiguration cmdlets and which settings should be configured when implementing OME for the first time. The template named "OME Configuration" is the default OME settings object for all users in a tenant.
Note
If your tenant only includes Microsoft 365 E3 licenses, the number of cmdlets available is limited to managing the default OME template only. You cannot create new templates or add other Microsoft Purview Advanced Message Encryption related settings.
OME branding templates
Customized company branding templates control the look of an organization's email messages and the encryption portal. The Get-OMEConfiguration and Set-OMEConfiguration Windows PowerShell cmdlets are used to modify the default template and to customize these parts of encrypted email messages:
Introductory text
Disclaimer text
URL for your organization's privacy statement
Text in the encrypted message portal
Logo that appears in the email message and encrypted message portal, or whether to use a logo at all
Background color in the email message and encrypted message portal
You can also revert to the default look and feel at any time.
Note
Only Microsoft Purview Advanced Message Encryption supports multiple templates, which will be covered in the next unit.
The following image provides an overview of the customizable areas of a branding template:
Learn more about the PowerShell commands to modify these settings: Add your organization's brand to your Microsoft Purview Message Encryption encrypted messages