Encrypted Secure Email in Office 365

So you’ve rolled out email, yay! But have you enabled your users to send secure encrypted email?  It is a very underused feature among small- and medium-sized businesses.  This makes me kind of sad because every business sends some personal data that should be protected. Quotes, bids, specifications, drawings, credit card information, health questions, benefits, or employment information, if sent via email should be sent in a secure manner. Whether it’s protecting other people’s Personally Identifiable Information (PII), required protection of credit card data (PCIDSS), or your businesses’ secrets, encrypted email use is a must.

The encrypted email feature is included in the Office 365 E3, E4, E5, and K1 plans. If you don’t have one of those plans, you can add Azure Rights Management Service (RMS) or Enterprise Mobility & Security (EMS) to your plan.
Enable Office 365 Message Encryption
It’s not at all difficult to implement message encryption. I’ve tried the GUI method of enabling the message encryption with mixed results so I’m going to recommend that you skip it and use PowerShell instead. It’s not complex. Just punch in the following commands.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Set-IRMConfiguration -ClientAccessServerEnabled $True

You might want to wait a couple of hours to give the command time to take effect. This is Microsoft’s recommendation for any feature on/off request. I’ve found, though, that this feature seems to happen nearly instantly. You can verify that you’ve got it turned on by using the following command to check the status:

Configuring encryption rules
The next step is to let Office 365 know when you want a message to be sent securely. This is done by setting up rules in Exchange Online. The GUI is flexible enough to allow you to tailor these rules to your businesses’ needs. I’ll show you how to allow the users to decide when to send an encrypted email and then how to configure a rule that will scan for content in a message and encrypt when it detects that it contains that data.
Configuring a manual encryption rule
If you’ve used encrypted email before, then it’s probably been a manual encryption process. By that I mean that when you are ready to send an email you have to tell the system that you want to send it with encryption. Office 365 Message Encryption does this, too, but it also has automated super powers that I’ll show you later. Let’s get encryption going by enabling our users to decide if a message should be encrypted:
Setup custom encryption rules
We’ll set up a rule that says if the subject line contains the word SecureMail, then apply message encryption to it. Here’s how:
Setting up a manual encryption rule
Click the + to add a new rule
In the Name field type a name for the rule
Under Apply this rule if…click the arrow and choose The subject or body, then subject matches these text patterns. For the text pattern type SecureMail or some other term that your users will type to indicate that the message should be encrypted.Chose an encryption trigger word
Check the box to Audit this rule and choose a level. This is optional, of course, but I like to have a record of when the rule was triggered in the logs.
Finally, select the Enforce or Test options and click OK to enable the rule.
Configuring an automatic encryption rule
Now it’s time to put the super powers to work. Let’s say that we want to make sure that any email containing a Social Security number is automatically sent using message encryption. Because protecting PII is a regulation to which most businesses are subject to, we don’t want to depend on our users remembering to add the word SecureMail to the subject line. If they do, great! But if they forget, the rule we’re about to create will do it for them.
You’ll start to configure your rule in the Exchange Admin Center by going to mail flow, and clicking the + sign to create a new rule. Under Apply this rule if…The message contains any of these sensitive information types… You’ll be presented with a list  according to country information types. Pick the ones that if contained in an email you want to encrypt.automated encryption ruleResist the temptation to add another condition because I’ve found that doing so results in a hit-or-miss implementation.  Under Do the Following, pick Modify the message security… and pick Apply Office 365 Message Encryption from the menu. Now set an exception for messages sent internally. In Except if…choose The sender is located…and pick Inside the organization
Your finished rule will automatically catch outgoing sensitive data and encrypt it.
Customizing the portal and email messaging
By default the email message is pretty bland and I think it looks suspicious. Email recipients are wary these days so you’ll want to give them a signal that it’s OK to click on the attachment. Customization is the way to let the reader know that this email from you is legitimate. You can do that by adding your logo, customizing the disclaimer text to match your corporate standard and including some standard messaging that will let the recipient know that this email is indeed from you.
The process to do this is another set of straight forward PowerShell commands. I’ve included them here because as is often the case with PowerShell commands they aren’t readily discoverable. Why would you look for commands related to IRM under OME?
Here is what the portal looks like by default and after I’ve applied PowerShell commands. Notice that after applying the changes the top bar now includes my company name. There are also PowerShell commands that allow us to add a logo, which we’ll do below.

Here are the PowerShell commands that you need to apply branding to your encrypted email, including adding your logo.
This command customizes the portal from which the recipient will read your email.
Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText “<text for your portal, string of up to 128 characters>”
Example: Set-OMEConfiguration -Identity “OME Configuration” -PortalText “ContosoPharma secure email portal”
This command adds your logo to the email and the portal. Note that despite the example your logo path must point to an Internet accessible location.
Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <Byte[]>
Example: Set-OMEConfiguration -Identity “OME configuration” -Image (Get-Content “C:\Temp\contosologo.png” -Encoding byte)
Supported file formats: .png, .jpg, .bmp, or .tiff
Optimal size of logo file: less than 40 KB
Optimal size of logo image: 170×70 pixels

I can further customize the encrypted message by adding my own disclaimer statement and instructions.
This command lets you add a note to the email above the instructions for viewing encrypted messages
Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText “<string of up to 1024 characters>”
Example: Set-OMEConfiguration -Identity “OME Configuration” -EmailText “Encrypted message from ContosoPharma secure messaging system”
This command customizes the disclaimer statement in the email
Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText “<your disclaimer statement, string of up to 1024 characters>”
Example: Set-OMEConfiguration -Identity “OME Configuration” -DisclaimerText “This message is confidential for the use of the addressee only”
All of the above PowerShell commands are documented in TechNet here.
This is what the text now looks like after my changes. Notice that the name of the portal has been changed to Harbor Computer Services secure email portal and our logo is present at the bottom of the page. Our branding of the portal will give the viewer more confidence in the process of viewing the encrypted message.