Configure Microsoft Purview Message Encryption


Microsoft Purview Message Encryption enables organizations to share protected email with anyone on any device. Users can exchange protected messages with other Microsoft 365 organizations. They can also share protected messages with third parties using Outlook.com, Gmail, and other email services.

Before an organization can use Microsoft Purview Message Encryption, it should perform the following steps to ensure its activation.

Verify that Azure Rights Management is active

Microsoft Purview Message Encryption applies the protection features in Azure Rights Management Services (Azure RMS). Azure RMS is the technology used by Microsoft Entra ID Protection to protect emails and documents through encryption and access controls.

Important

The only prerequisite for an organization to use Microsoft Purview Message Encryption is that it must activate Azure RMS in its tenant. When an organization activates Azure RMS, Microsoft 365 automatically activates Microsoft Purview Message Encryption, and you don't need to do anything.

Microsoft automatically activates Azure RMS for most eligible subscriptions, so you probably don't have to do anything in this regard either. For more information, see Activating Azure Rights Management.

Important

If you use Active Directory Rights Management Services (AD RMS) with Exchange Online, you must migrate to Microsoft Entra ID Protection before you can use message encryption. Microsoft Purview Message Encryption isn't compatible with AD RMS.

Additional reading. For more information, see:

Manually activating Azure Rights Management

If you disabled Azure RMS, or if your subscription didn't automatically activate it for some reason, you can manually activate it in either of the following portals:

Configure management of your Microsoft Entra ID Protection tenant key

This step is optional. Allowing Microsoft to manage the root key for Microsoft Entra ID Protection is the default setting, and it's the best practice recommended for most organizations. Those organizations don't need to do anything further.

However, there are many reasons, such as compliance requirements, that may require an organization to generate and manage its own root key (also known as bring your own key, or BYOK). In this situation, Microsoft recommends that organizations complete the required steps to generate their own key before setting up Microsoft Purview Message Encryption.

Note

This scenario is outside the scope of this training. For more information, see Planning and implementing your Microsoft Entra ID Protection tenant key.

An organization can use Exchange Online PowerShell to verify that it properly configured its Microsoft 365 tenant to use Microsoft Purview Message Encryption. To do so, the organization should complete the following steps:

  1. Connect to Exchange Online PowerShell using an account with global administrator permissions in your Microsoft 365 tenant.

  2. Run the Get-IRMConfiguration cmdlet.

    You should see a value of $True for the AzureRMSLicensingEnabled property. This value indicates the organization configured Microsoft Purview Message Encryption in its tenant.

    If the value isn't $True, use Set-IRMConfiguration to set AzureRMSLicensingEnabled to $True to enable Microsoft Purview Message Encryption.

  3. Once an organization enables Microsoft Purview Message Encryption, it should run the Test-IRMConfiguration cmdlet using the following syntax:

    Test-IRMConfiguration [-Sender <email address> -Recipient <email address>]
    

    For example, see the following command that tests Microsoft Purview Message Encryption at Contoso:

    Test-IRMConfiguration -Sender securityadmin@contoso.com -Recipient securityadmin@contoso.com
    
    • For sender and recipient, use the email address of any user in your Microsoft 365 tenant. Your results should be similar to the following example:

      Results:
      Acquiring RMS Templates ...
      - PASS: RMS Templates acquired. Templates available: Contoso - Confidential View Only, Contoso - Confidential, Do Not Forward.
      Verifying encryption ...
      - PASS: Encryption verified successfully.
      Verifying decryption ...
      - PASS: Decryption verified successfully.
      Verifying IRM is enabled ...
      - PASS: IRM verified successfully.
      
      OVERALL RESULT: PASS
      
    • In your results, your organization's name appears in place of Contoso.

    • The default template names may be different from those names displayed in the prior example. For more information, see Configuring and managing templates for Microsoft Entra ID Protection.

  4. Run the Remove-PSSession cmdlet to disconnect the Exchange Online PowerShell session you opened in step 1.

    Remove-PSSession $session
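The four steps above, carried through end to end as one script. This is an added example, not code from the training module or from Microsoft; it assumes the ExchangeOnlineManagement module is installed (so it connects with Connect-ExchangeOnline and tears down with Disconnect-ExchangeOnline instead of the older New-PSSession/Remove-PSSession pair), that the account supplied in $AdminUpn has global administrator rights, and that the mailbox addresses are placeholders you replace with users from your own tenant. It checks AzureRMSLicensingEnabled, enables it only when it is off, re-reads the configuration to confirm the change, and then treats anything other than the "OVERALL RESULT: PASS" line from Test-IRMConfiguration as a failure, listing the FAIL stages so you can see whether templates, encryption, decryption or IRM itself is the problem.

```powershell
# Added example (not from the training module): verify, enable if needed, and test
# Microsoft Purview Message Encryption from Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; $AdminUpn is a global admin;
# $TestMailbox is any licensed mailbox in the tenant (defaults to the admin account).

param(
    [Parameter(Mandatory)] [string] $AdminUpn,   # e.g. admin@contoso.example (placeholder)
    [string] $TestMailbox                        # sender and recipient for Test-IRMConfiguration
)
if (-not $TestMailbox) { $TestMailbox = $AdminUpn }

# Step 1: connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Step 2: read the IRM configuration and check the AzureRMSLicensingEnabled property
    $irm = Get-IRMConfiguration
    if (-not $irm.AzureRMSLicensingEnabled) {
        Write-Warning "AzureRMSLicensingEnabled is False; enabling Microsoft Purview Message Encryption."
        Set-IRMConfiguration -AzureRMSLicensingEnabled $true
        $irm = Get-IRMConfiguration      # re-read to confirm the change took effect
    }
    if (-not $irm.AzureRMSLicensingEnabled) {
        throw "AzureRMSLicensingEnabled is still False. Check that Azure RMS is activated for the tenant."
    }

    # Step 3: run the end-to-end template/encryption/decryption/IRM test
    $test   = Test-IRMConfiguration -Sender $TestMailbox -Recipient $TestMailbox
    $report = $test | Out-String
    Write-Host $report

    # The summary line shown in the module's sample output is the pass/fail signal.
    if ($report -notmatch 'OVERALL RESULT:\s*PASS') {
        # Surface each failing stage so the admin knows which check to chase
        $failures = $report -split "`r?`n" | Where-Object { $_ -match '^\s*-\s*FAIL' }
        throw ("Test-IRMConfiguration did not pass:`n" + ($failures -join "`n"))
    }
    Write-Host "Microsoft Purview Message Encryption is configured and working."
}
finally {
    # Step 4: always close the session, even when a check above threw
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it as `.\Test-PurviewMessageEncryption.ps1 -AdminUpn admin@contoso.example` (file name and address are placeholders). Because the disconnect sits in a `finally` block, a failed check never leaves an open admin session behind, and the script's non-zero exit on a thrown error makes it usable as a post-change check in an automation pipeline.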
    

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

As the Microsoft 365 Administrator for Fabrikam, Holly Spencer wants to implement Microsoft Purview Message Encryption to apply the protection features in Azure Rights Management Services (Azure RMS). As part of the company's Exchange Online deployment, Holly wants to protect emails and documents through encryption and access controls. Fabrikam plans to use the default settings in Azure Information Protection related to its root key. What must Holly do to implement Microsoft Purview Message Encryption?