Activate Office 365 Education email encryption using your free Azure RMS licenses

ome-iconIn order to meet Data Protection requirements for sending data to external recipients we needed to find a method of providing encrypted email functionality for our users. In Office 365 this is provided as a native feature via Azure Rights Management Services.

I vaguely remembered seeing something a while back about these licenses being available at zero cost and sure enough soon found a link confirming this as part of the plan changes that also brought us eDiscovery features.

Ordering licenses

In a similar vein to how the Student Advantage licenses were made available you’ll need to ask your EES reseller to get them activated against your O365 tenancy. For reference here’s the names and part numbers of the licenses you’ll need:

azure-rms-order

Assigning licenses

Once the order has been assigned you’ll need to add the license to any user you want to be able to use the RMS features i.e. in our case anyone who needs to send an encrypted message. If you’re using the GUI look for this:

azure-rms-o365-license

Given the number of users to assign licenses to the quickest way was via PowerShell, using a variation on the script that originally assigned our student licenses.

Tip: I initially scared the living daylights out of myself when checking which licenses were assigned after I’d ran the update script as it appeared users no longer had their Office 365 licenses.
The script (below) uses column position [0] to search the field AccountSkuID, which is all well and good until your users have multiple licenses assigned and for whatever reason they aren’t all listed in the same order (!)

I ended up having to run this code twice, once with Licenses[0] and again with Licenses[1] to pick up all the staff accounts, then checked a few random samples in the GUI for good measure:

Get-MsolUser -All | select UserPrincipalName,Licenses | Where-Object {$_.Licenses[0].AccountSkuID -eq "YOURORG:STANDARDWOFFPACK_FACULTY"} | Set-MsolUserLicense -AddLicenses "YOURORG:RIGHTSMANAGEMENT_STANDARD_FACULTY"

Once done I then ran GetMsolAccountSku and confirmed the numbers match up.
The number of office 365 licenses assigned to each staff user is now 3:

  • Office 365 Education
  • Office 365 ProPlus
  • Azure RMS

I’ve since found this very handy looking GUI license assignment tool via the Office 365 Yammer group which may make any further bulk maintenance tasks a bit less scary 🙂

https://gallery.technet.microsoft.com/office/Office365-License-cfd9489c

Usual disclaimer applies, be very careful running license update scripts, especially in bulk!

Configuring Azure RMS and Office 365 Message Encryption (OME)

Now your users are licensed jump into the Admin Portal > Service Settings > Rights Management then follow this excellent guide to switch on Azure RMS, then configure Office 365 Message Encryption.

http://office365support.ca/setup-and-enable-office-365-message-encryption/

There’s not much else to say for this step as the guide is spot on 🙂

Once you’ve set up a Transport Rule in Exchange settings sending yourself a test email with the keyword(s) you specify will generate this at the recipient’s end (sample screenshot of the message arriving in a GMail inbox).

ome-email

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: