Implement Microsoft Purview Message Encryption


Once you've implemented your tenant encryption strategy, you can implement Microsoft Purview Message Encryption. To provide the best user experience, administrators should review their tenant settings for information rights management (IRM) features and Office Message Encryption (OME) settings before activating the encryption system for all users.

Verify information rights management functionality

Any Microsoft 365 tenant should be activated to use Azure RMS and IRM capabilities by default. To determine whether Azure RMS was deactivated for your tenant, run the following PowerShell cmdlets:

  1. Run the following cmdlet to validate IRM configuration of a tenant:

    Get-IRMConfiguration | fl AzureRMSLicensingEnabled
  2. If the AzureRMSLicensingEnabled parameter is set to $False, activate OME for your tenant by using the following cmdlet:

    Set-IRMConfiguration -AzureRMSLicensingEnabled:$True
  3. Now run the following cmdlet with a sender inside your organization to check whether IRM data can be obtained for this recipient:

    Test-IRMConfiguration -Sender <sender email address> -Recipient <recipient email address>
  4. The output of the cmdlet will display the results of several tests performed and an overall test result, which should be PASS.


The above cmdlets require a connection to Exchange Online PowerShell and Exchange administrator permissions to change tenant-wide settings.

If any of the tests fail, you may not be able to fetch the RMS templates for a recipient, or there may be issues with the encryption keys in use.

The IRM and OME configuration cmdlets allow you to configure how RMS content is used in a tenant and which key endpoints are in use. Administrators should become familiar with the available settings for these cmdlets.

Implement custom Office Message Encryption settings

OME is managed via configuration objects, or more precisely templates, which can be assigned and referenced. The default template for all users is named "OME Configuration", and any setting made in this configuration is applied to all users. While the basic Microsoft Purview Message Encryption allows only a single template, Microsoft Purview Advanced Message Encryption provides more flexibility with multiple branding templates for different purposes.

The following examples provide a general description of which settings are available with the *-OMEConfiguration cmdlets and which settings should be configured when implementing OME for the first time. The first default template with the name "OME Configuration" is the default OME settings object for all users in a tenant.


If your tenant only includes Microsoft 365 E3 licenses, the number of cmdlets available is limited to managing the default OME template only. You cannot create new templates or add other Microsoft Purview Advanced Message Encryption related settings.

OME branding templates

Customized company branding templates control the look of an organization's email messages and the encryption portal. The Get-OMEConfiguration and Set-OMEConfiguration Windows PowerShell cmdlets are used to modify the default template and to customize these parts of encrypted email messages:

  • Introductory text

  • Disclaimer text

  • URL for your organization's privacy statement

  • Text in the encrypted message portal

  • Logo that appears in the email message and encrypted message portal, or whether to use a logo at all

  • Background color in the email message and encrypted message portal

You can also revert to the default look and feel at any time.
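
The following script is an added example, not part of the original module: it snapshots the default "OME Configuration" template, applies the branding elements listed above with Set-OMEConfiguration, and reads the values back. It assumes an existing Exchange Online PowerShell session with Exchange administrator permissions; the logo path, texts, URL, and color are constructed sample values.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run with an
# account that holds Exchange administrator permissions.
$identity = 'OME Configuration'               # default template named on this page
$logoPath = 'C:\Temp\contoso-logo.png'        # hypothetical path to a logo file
$snapshot = Join-Path $PWD 'OMEConfiguration-before.xml'

# 1. Record the current template before changing it, so the change can be
#    reviewed later and the previous values are available for rollback.
Get-OMEConfiguration -Identity $identity | Export-Clixml -Path $snapshot

# 2. Collect the branding settings in one hashtable (all values are samples).
$branding = @{
    Identity            = $identity
    IntroductionText    = 'has sent you a protected message.'
    DisclaimerText      = 'This message is confidential and intended for the named recipient only.'
    PrivacyStatementUrl = 'https://contoso.example/privacy'
    PortalText          = 'Contoso secure message portal'
    BackgroundColor     = '#1F3864'
}

# 3. Add the logo only if the file exists; -Image takes the raw file bytes.
if (Test-Path -LiteralPath $logoPath) {
    $branding.Image = [System.IO.File]::ReadAllBytes($logoPath)
} else {
    Write-Warning "Logo not found at $logoPath; the current logo setting is left unchanged."
}

# 4. Apply the settings to the default template in a single call.
Set-OMEConfiguration @branding

# 5. Read the template back and confirm each text setting matches what was sent.
$after = Get-OMEConfiguration -Identity $identity
foreach ($name in 'IntroductionText', 'DisclaimerText', 'PrivacyStatementUrl', 'PortalText') {
    if ("$($after.$name)" -ne "$($branding[$name])") {
        Write-Warning "$name does not match the requested value: '$($after.$name)'"
    }
}
$after | Format-List IntroductionText, DisclaimerText, PrivacyStatementUrl, PortalText, BackgroundColor
```

Keep the exported snapshot file with your change records; because the default template applies to all users, it is the reference for what every recipient saw before the change.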


Only Microsoft Purview Advanced Message Encryption supports multiple templates, which will be covered in the next unit.

The following image provides an overview of the customizable areas of a branding template:

Picture that shows which areas of the Office 365 OME portal can be edited.

Learn more about the PowerShell commands to modify these settings: Add your organization's brand to your Microsoft Purview Message Encryption encrypted messages