Quick Steps to Enable Office 365 Message Encryption

These instructions will step you through enabling Microsoft Office 365 Message Encryption in your tenant account.

Background Info

These instructions are focused on the steps necessary to enable Office 365 Message Encryption. If you're looking for background information or more details, try some of these links:


Office 365 Message Encryption requires Azure Rights Management. This service is available free for certain O365 and Exchange Online account types (E3 or higher, Plan 2 or higher). If you do not already have one of these account levels, you can either upgrade or purchase the service as an add-on to your existing O365 account.


At a high level, setup is a two-step process:

  1. Enable Azure Rights Management
  2. Configure your O365 account settings

1. Activate Azure Rights Management

Azure Rights Management is activated via the O365 Admin Center. There are currently two versions of the Admin Center, as Microsoft is working on a new UI.
Select the type of Admin UI that matches your setup from the list below for instructions:

2. Configure O365 Account

Connect to your O365 account with a remote PowerShell session and follow these steps:
(NOTE: you may need to wait up to 24 hours for Azure Rights Management to go into effect.)

  1. Set the IRM configuration for your geographic area:
    • North America:

      Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

    • European Union:

      Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"

    • Asia:

      Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc"

    • South America:

      Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc"

  2. Set up RMS Online:

    Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

  3. Test the IRM configuration:

    Test-IRMConfiguration -RMSOnline

    Verify the command completes with OVERALL RESULT: PASS

  4. Enable IRM licensing:

    Set-IRMConfiguration -InternalLicensingEnabled $true

  5. Wait ~12 hours for changes to take effect.

The following is a screenshot of these cmdlets after being executed:

Screenshot of PowerShell cmdlets after being run
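Steps 1 through 4 above can be run as a single script that refuses to enable IRM licensing unless the test reports a pass. This is an added example, not part of the original instructions. It assumes the remote PowerShell session to the tenant is already connected; the `-Region` parameter and its value names are hypothetical and introduced only for this script.

```powershell
# Added example: runs steps 1-4 in order and stops before step 4 if the
# IRM test does not pass. Assumes an already-connected remote session.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('NorthAmerica', 'EuropeanUnion', 'Asia', 'SouthAmerica')]
    [string]$Region   # hypothetical parameter, not part of any cmdlet
)

# Stop on the first failing cmdlet instead of continuing with a partial setup.
$ErrorActionPreference = 'Stop'

# Key sharing locations exactly as listed in step 1.
$keySharingLocations = @{
    NorthAmerica  = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    EuropeanUnion = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    Asia          = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
    SouthAmerica  = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
}

# Step 1: set the IRM configuration for the chosen geographic area.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingLocations[$Region]

# Step 2: set up RMS Online.
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

# Step 3: test the configuration and capture the output as text so the
# overall result line can be checked rather than read by eye.
$testOutput = Test-IRMConfiguration -RMSOnline | Format-List | Out-String -Width 4096
Write-Output $testOutput

if ($testOutput -notmatch 'OVERALL RESULT:\s*PASS') {
    throw 'Test-IRMConfiguration did not report OVERALL RESULT: PASS. InternalLicensingEnabled was left unchanged.'
}

# Step 4: enable IRM licensing only after the test has passed.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Read the settings back so the applied values are on record.
Get-IRMConfiguration | Format-List RMSOnlineKeySharingLocation, InternalLicensingEnabled
```

If the script stops at step 3, the waiting period noted at the start of this section may not have elapsed yet; rerun the test later before enabling licensing.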

Next Steps

At this point Office 365 Message Encryption should be enabled and ready for use.
You can now install Nucleuz DLP Policies which utilize encryption.
You can also configure Exchange Transport Rules or DLP Rules to apply Office 365 Message Encryption. Here's an example:

Screenshot of DLP Rule Configured To Apply Office Message Encryption