To send encrypted e-mail, the mailbox you want to send from must have an E3 or higher license assigned. You will also need Outlook desktop or access to Outlook on the web. This guide covers setting up encrypted mail (IRM) on a newly configured tenant; it is not intended as a troubleshooting tool for existing tenants.
Installing AIP Service and ExchangeOnlineManagement Service
To start, you will need the AIP and Exchange Online connection services (the AIPService and ExchangeOnlineManagement PowerShell modules) installed on a PC. If they are already installed, you can skip to the next section. Otherwise, open an elevated PowerShell prompt and execute the following commands:
# Set the execution policy first so the Import-Module calls below do not fail under a Restricted policy
Set-ExecutionPolicy RemoteSigned
# Azure Information Protection service module
Install-Module -Name AIPService
Update-Module -Name AIPService
Import-Module -Name AIPService
Connect-AIPService
# Exchange Online management module
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connecting to Exchange Online
To connect to Exchange Online, open an elevated PowerShell prompt and execute the following command:
Connect-ExchangeOnline
You will be prompted to log in to your O365 server. You must log in as a global admin or with an administrative account that has management rights to the Exchange server. Once logged in, execute the following command:
Get-IRMConfiguration
You will notice that, by default, many of the RMS settings are turned off.
Next, let’s enable them by executing the following commands:
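# Clear any existing licensing location and turn internal licensing off before reconfiguring
Set-IRMConfiguration -LicensingLocation $null -InternalLicensingEnabled $false
# Activate the AIP protection service for the tenant
Enable-AIPService
# Add the AIP licensing URL to the Exchange Online licensing locations if it is not already listed
$rmsConfig = Get-AipServiceConfiguration
$licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
if (!$list) { $list = @() }
if (!$list.Contains($licenseUri)) { $list += $licenseUri }
Set-IRMConfiguration -LicensingLocation $list
# Turn on Azure RMS licensing, internal licensing and simplified client access
Set-IRMConfiguration -AzureRMSLicensingEnabled $True -InternalLicensingEnabled $true
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
# Get-AadrmConfiguration belongs to the older AADRM module, which this guide does not install; Get-AipServiceConfiguration is the AIPService equivalent
$RMSConfig = Get-AipServiceConfiguration
$LicenseUri = $RMSConfig.LicensingIntranetDistributionPointUrl
Set-IRMConfiguration -LicensingLocation $LicenseUri
# Apply the onboarding policy to all users without requiring an RMS user license
Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -Scope All
# Turn on attachment decryption for Encrypt-Only messages
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true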
Now run the Get-IRMConfiguration command again and notice that the output shows the services enabled.
The configuration may take up to 1 hour to propagate fully but it’s usually done within minutes. To test whether or not it’s functional, execute the following command:
Test-IRMConfiguration -Sender kirk@enterprise.starfleet.org -Recipient spock@enterprise.starfleet.org
Replace the email addresses with your own and make sure that the sender has an E3 or higher license.
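The "run Get-IRMConfiguration again" step above can be checked by script instead of by eye. The following is an added example, not part of the original guide: the function name Test-IrmBaseline is hypothetical, and the sample object and its licensing URL are constructed placeholders so the block runs without a tenant connection.

```powershell
# Added example: flag IRM settings that differ from the values this guide sets.
function Test-IrmBaseline {
    param(
        [Parameter(Mandatory)] $IrmConfig,           # object returned by Get-IRMConfiguration
        [Parameter(Mandatory)] [string] $LicenseUri  # AIP LicensingIntranetDistributionPointUrl
    )
    # Switches the guide turns on with Set-IRMConfiguration
    $expected = [ordered]@{
        AzureRMSLicensingEnabled        = $true
        InternalLicensingEnabled        = $true
        SimplifiedClientAccessEnabled   = $true
        DecryptAttachmentForEncryptOnly = $true
    }
    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($name in $expected.Keys) {
        $actual = $IrmConfig.$name
        # A missing property ($null) is reported as well as an explicit $false
        if ($actual -ne $expected[$name]) {
            $findings.Add([pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual })
        }
    }
    # The AIP licensing URL must be among the licensing locations (trailing slash ignored)
    $locations = @($IrmConfig.LicensingLocation) | ForEach-Object { "$_".TrimEnd('/') }
    if ($locations -notcontains $LicenseUri.TrimEnd('/')) {
        $findings.Add([pscustomobject]@{ Setting = 'LicensingLocation'; Expected = $LicenseUri; Actual = ($locations -join ', ') })
    }
    return $findings.ToArray()
}

# Constructed sample standing in for Get-IRMConfiguration output; the URL is a placeholder
$sampleUri = 'https://tenant-placeholder.example/_wmcs/licensing'
$sample = [pscustomobject]@{
    AzureRMSLicensingEnabled        = $true
    InternalLicensingEnabled        = $true
    SimplifiedClientAccessEnabled   = $true
    DecryptAttachmentForEncryptOnly = $false   # deliberately left off in the sample
    LicensingLocation               = @("$sampleUri/")
}
$result = @(Test-IrmBaseline -IrmConfig $sample -LicenseUri $sampleUri)
if ($result.Count -eq 0) { 'IRM configuration matches the guide.' } else { $result | Format-Table -AutoSize }

# Against a live tenant, after Connect-ExchangeOnline and Connect-AipService:
# Test-IrmBaseline -IrmConfig (Get-IRMConfiguration) -LicenseUri (Get-AipServiceConfiguration).LicensingIntranetDistributionPointUrl
```

An empty result means every setting the guide changes has taken effect; any row names the setting that has not yet propagated or was not applied.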