I recently had the opportunity to help set up Purview email encryption in a Microsoft tenant that was upgraded to 365 Business Premium licenses (from Business Standard). Along with many other data governance tools, the Business Premium license includes Azure Information Protection. AIP provides the encryption capabilities that Purview uses to enable 365 message encryption.
A lot of the documentation on Office 365 message encryption is spotty or refers to deprecated versions. So let’s skip straight to what we want to do: enable Purview Message Encryption.
In order to do this, we first need to connect to Exchange Online PowerShell. (Tip: don’t use any version of PowerShell > 7. The utilities we need worked best with PowerShell 5.1.)
First, we need to check our licensing configuration. Make sure you have the ExchangeOnlineManagement and AIPService modules installed.
If you’re not sure what PowerShell modules you have installed, run the following command:
Get-Module -ListAvailable
If you’re missing these modules, install them with the following commands:
Install-Module -Name ExchangeOnlineManagement
Install-Module -Name AIPService
Next, connect to Exchange Online by entering the following:
Connect-ExchangeOnline -UserPrincipalName <your UPN>
Replace <your UPN> with the user principal name (sign-in name) of your 365 account.
Now run the following command in PowerShell:
Get-IRMConfiguration
The AzureRMSLicensingEnabled parameter should be set to $True. If it isn’t, use the following command:
Set-IRMConfiguration -AzureRMSLicensingEnabled $True
Next, we will test if Exchange can encrypt a message by running the following command (replace the sender and recipient with users inside of your tenant):
Test-IRMConfiguration -Sender securityadmin@contoso.com -Recipient securityadmin@contoso.com
If the result of this command is a PASS, then we’re good to go! If it fails, it is most likely because it is unable to acquire the necessary RMS templates.
Make sure you’ve installed the AIPService module, and run the following commands:
Connect-AipService   # sign in to the AIP service before querying its configuration
$RMSConfig = Get-AipServiceConfiguration
$LicenseUri = $RMSConfig.LicensingIntranetDistributionPointUrl
Set-IRMConfiguration -LicensingLocation $LicenseUri
Set-IRMConfiguration -InternalLicensingEnabled $true
Now run the Test-IRMConfiguration cmdlet again. You should get a PASS.
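The steps above combined into one script, as an added example that is not part of the original post; it changes only the settings that are not already in place. $AdminUpn and $TestMailbox are placeholder parameters, and matching "OVERALL RESULT: PASS" in the cmdlet output is an assumption about its text.

```powershell
#Requires -Version 5.1
# Added example: runs the checks from this post in order and stops on failure.
# $AdminUpn and $TestMailbox are placeholders; pass values from your own tenant.
param(
    [Parameter(Mandatory)][string]$AdminUpn,
    [Parameter(Mandatory)][string]$TestMailbox
)

# Fail early if a required module is missing.
foreach ($name in 'ExchangeOnlineManagement', 'AIPService') {
    if (-not (Get-Module -ListAvailable -Name $name)) {
        throw "Module '$name' is not installed. Run: Install-Module -Name $name"
    }
}

function Test-Encryption {
    # Assumption: the cmdlet output contains 'OVERALL RESULT: PASS' on success.
    $text = Test-IRMConfiguration -Sender $TestMailbox -Recipient $TestMailbox |
        Format-List | Out-String -Width 4096
    return $text -match 'OVERALL RESULT:\s*PASS'
}

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Only write the setting when it is not already enabled.
if (-not (Get-IRMConfiguration).AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

if (-not (Test-Encryption)) {
    # Fallback from the post: point Exchange at the tenant's licensing URL.
    Connect-AipService
    $licenseUri = (Get-AipServiceConfiguration).LicensingIntranetDistributionPointUrl
    Disconnect-AipService
    Set-IRMConfiguration -LicensingLocation $licenseUri
    Set-IRMConfiguration -InternalLicensingEnabled $true
    if (-not (Test-Encryption)) {
        throw 'Test-IRMConfiguration still fails; review its full output.'
    }
}

'Encryption test passed.'
# Record the resulting state for the change log.
Get-IRMConfiguration |
    Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled, LicensingLocation
Disconnect-ExchangeOnline -Confirm:$false
```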
Now the fun part! We can move on to creating sensitivity labels in Purview that can be applied to emails. Alternatively, we can create transport rules in Exchange.