In addition to BitLocker, which encrypts at the volume level, Microsoft 365 uses service encryption to encrypt customer data at the application layer. Service encryption offers two key management options:
- Microsoft managed keys: In a default Microsoft 365 deployment, Microsoft manages all of the cryptographic keys used by service encryption, as shown in the following diagram:
Figure 6.2 – Microsoft managed key option of service encryption
- Customer managed key (Customer Key): This option lets customers supply their own root keys, which are uploaded to, or generated within, Azure Key Vault. Microsoft services such as Exchange Online, OneDrive for Business, and SharePoint Online can only decrypt and process the data while they are able to use those keys, so the customer gains a significant degree of control over that access; revoking the keys removes the services' ability to read the data:
Figure 6.3 – Customer managed key option of service encryption
This concludes the first topic of the chapter, in which we have covered an introduction to encryption in Microsoft 365, and the following section will focus on defining requirements for Office 365 Advanced Message Encryption.
Defining requirements for implementing Office 365 Advanced Message Encryption
After deciding how to manage encryption in your Microsoft 365 tenant, it is time to start looking at how to use these encryption settings in other services, such as Exchange Online.
Before implementing Office 365 Message Encryption (OME) and its Advanced Message Encryption capabilities, you should check that the information rights management (IRM) features in your tenant work as expected. To perform this verification, follow the steps shown next:
1. You need the Exchange Service Administrator role (or higher) to configure tenant-wide settings.
2. Install the Exchange Online PowerShell module, ExchangeOnlineManagement, by starting a PowerShell prompt as an administrator and running Install-Module -Name ExchangeOnlineManagement (add -Scope CurrentUser if you cannot, or do not want to, install it for all users of the machine).
3. Connect to Exchange Online with Connect-ExchangeOnline -UserPrincipalName <UPN@domain.com>.
4. Validate the IRM configuration of your tenant with Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled.
5. If AzureRMSLicensingEnabled returns $false, activate the Office 365 Message Encryption capabilities with Set-IRMConfiguration -AzureRMSLicensingEnabled $true.
6. To test whether IRM templates can be obtained for a user inside your organization, run Test-IRMConfiguration -Sender <UPN@domain.com>.
7. The output of Test-IRMConfiguration lists the results of several individual tests followed by an overall result. The overall result should be PASS.
8. If any of the individual tests shows FAIL, the RMS templates could not be fetched for the specified user, or there is a problem with the encryption keys in use; resolve that before continuing with the deployment.
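The verification procedure above, as one script that can be re-run after each change (this is an added example, not code from the book). It assumes the ExchangeOnlineManagement module is installed, that the account holds the Exchange Service Administrator role, and that the two UPNs are placeholders you replace; it relies on the Results and OverallResult properties that Test-IRMConfiguration returns.

```powershell
# Added example (not from the book): verify and, if needed, enable the IRM
# prerequisites for Office 365 Message Encryption, then run the built-in test.
# Assumes the ExchangeOnlineManagement module is installed and that $AdminUpn
# holds the Exchange Service Administrator role. Both UPNs are placeholders.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,    # e.g. admin@contoso.onmicrosoft.com
    [Parameter(Mandatory)] [string] $TestSender   # an internal mailbox to test with
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    $irm = Get-IRMConfiguration
    if (-not $irm.AzureRMSLicensingEnabled) {
        Write-Warning "AzureRMSLicensingEnabled is `$false; enabling it."
        Set-IRMConfiguration -AzureRMSLicensingEnabled $true
        # Re-read so the rest of the script reports the effective setting.
        $irm = Get-IRMConfiguration
    }
    # Record the settings that matter for OME alongside the licensing flag.
    $irm | Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled

    $result = Test-IRMConfiguration -Sender $TestSender
    # The cmdlet returns the individual checks as a multi-line string in
    # .Results and a summary in .OverallResult ("PASS" or "FAIL").
    $result.Results
    if ($result.OverallResult -ne 'PASS') {
        # Surface only the failing lines so the real cause (template fetch,
        # key problem, ...) is visible without reading the whole transcript.
        $failed = $result.Results -split "`r?`n" | Where-Object { $_ -match 'FAIL' }
        throw "IRM verification failed for $TestSender`n$($failed -join "`n")"
    }
    Write-Host "IRM verification PASSED for $TestSender"
}
finally {
    # Always release the session, even when the check throws.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it as .\Test-OmePrerequisites.ps1 -AdminUpn admin@contoso.onmicrosoft.com -TestSender user@contoso.com; a non-zero exit with the failing test lines is what you want in a pipeline, rather than a silent partial deployment.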
Now that we have verified that IRM works in our tenant, we need to discuss the business requirements for using the product. OME contains several branding features that help recipients recognize that an encrypted message genuinely comes from your organization rather than from a phishing campaign imitating it. Keep in mind that branding is a recognition aid, not an authentication mechanism: an attacker can copy a logo and color scheme, so recipients should still check the sender address and the portal URL.
Note
If your tenant only has Microsoft 365 E3 licenses available, you can only modify the default OME template (named OME Configuration). Creating additional templates or using the other Office 365 Advanced Message Encryption settings requires the Advanced Message Encryption capability included in Microsoft 365 E5.
Customizing the branding templates for your company allows you to control how encrypted email messages sent by your organization look and how the OME portal is presented to recipients. Two cmdlets come into play when it comes to viewing or modifying the templates and the email messages: Get-OMEConfiguration and Set-OMEConfiguration.
The parts of email messages and templates that you can customize consist of the following:
- The introductory text
- The disclaimer text
- The URL for the privacy statement of your organization
- The text displayed in the OME portal
- The background color in the email messages and the OME portal
- The logo or brand that is on display in the email message, if one is used
The following diagram gives you an overview of what is customizable in a branding template:
Figure 6.4 – Customizable portions of a branding template in OME
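The customizable items listed above map directly onto parameters of Set-OMEConfiguration. The following added example (not code from the book) applies a branding set to the default template, snapshots the previous values so the change can be rolled back, and reads the template back to confirm it. It assumes an active Connect-ExchangeOnline session with the Exchange Service Administrator role; the logo path, texts, URL and color are placeholders.

```powershell
# Added example (not from the book): brand the default OME template and
# verify the result. Assumes an active Exchange Online session opened with
# Connect-ExchangeOnline. All values below are placeholders for your own.
$LogoPath = 'C:\Branding\contoso-logo.png'   # .png, .jpg, .bmp or .tiff

# Every tenant has the default template "OME Configuration". Tenants without
# Advanced Message Encryption (Microsoft 365 E3) can only modify this one;
# New-OMEConfiguration is an E5 (Advanced Message Encryption) capability.
$Template = 'OME Configuration'

# Snapshot the current settings so the change can be rolled back.
$before = Get-OMEConfiguration -Identity $Template
$before | Export-Clixml -Path ".\ome-$($Template -replace '\s', '_')-before.xml"

# Read the logo as raw bytes (works in Windows PowerShell 5.1 and PowerShell 7).
# Microsoft's documented optimal logo is under 40 KB at roughly 170x70 pixels;
# refuse anything larger so it renders correctly in mail clients and the portal.
$logo = [System.IO.File]::ReadAllBytes($LogoPath)
if ($logo.Length -gt 40KB) {
    throw "Logo is $($logo.Length) bytes; keep it under 40 KB."
}

$branding = @{
    Identity         = $Template
    # Shown after the sender's address: "<sender> has sent you ..."
    IntroductionText = 'has sent you a protected message from Contoso.'
    DisclaimerText   = 'This message is intended only for the named recipient. If you received it in error, delete it and notify the sender.'
    PrivacyStatement = 'https://www.contoso.com/privacy'
    PortalText       = 'Contoso secure message portal'
    BackgroundColor  = '#0F6CBD'   # hex RGB, used in the message and the portal
    Image            = $logo
}
Set-OMEConfiguration @branding

# Verify: read the template back and show before/after for each text setting.
$after = Get-OMEConfiguration -Identity $Template
foreach ($p in 'IntroductionText', 'DisclaimerText', 'PrivacyStatement', 'PortalText', 'BackgroundColor') {
    [pscustomobject]@{ Setting = $p; Before = $before.$p; After = $after.$p }
}
```

Because the template is tenant-wide, treat the exported snapshot as part of the change record: if the branding is later reported as confusing or is abused in a phishing simulation, you can restore the previous values with a single Set-OMEConfiguration call built from the saved object.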
Once we have gathered the required information to proceed with our deployment of OME within the organization, we can safely proceed with the actual deployment, a topic that we will cover in the following section.