Microsoft Virtual Academy Dean Yamada | Senior Premier Field Engineer, Microsoft Stephen Hall | Cloud Solutions Specialist, District Computers

Course Topics Solving Office 365 Client Deployment Scenarios 01 | System Center Configuration Manager (SCCM) Deployment Best Practices 02 | Multi-language Deployment Considerations for Office 365 ProPlus 03 | Office 365 ProPlus with Azure Rights Management Services for IRM/Encryption 04 | Controlling access to Office 365 ProPlus & Services 05 | Office 365 and Exchange Migration Troubleshooting Common Gotchas 06 | New Office 365 ProPlus Customizations via Group Policy or XML 07 | New Updating and Repair Command-Line Options for Office 365 ProPlus

Microsoft Virtual Academy Module 3: Office 365 ProPlus with Azure Rights Management Services for IRM/Encryption Dean Yamada | Senior Premier Field Engineer, Microsoft Stephen Hall | Cloud Solutions Specialist, District Computers

Azure Rights Management for Office 365 Office 365 Message Encryption Customizing Office 365 Message Encryption Module Overview

Azure Rights Management for Office 365

About Microsoft Azure Rights Management Prevent unauthorized access to information, using Microsoft encryption and rights management technology. ARM enables: –Information Rights Management (IRM) Policy-based permissions rules to help protect data across different workloads such as SharePoint, Exchange, and Office documents. –Office 365 Message Encryption Deliver confidential business communications with enhanced security, allowing users to send and receive encrypted as easily as regular directly from their desktops.

Requirements for Azure RM in Office 365 Setup An active Exchange Online or Exchange Online Protection subscription Administrator must be part of the following role groups under Office 365 Exchange Online –Compliance Management –Organization Management –Records Management Azure Rights Management Administration Tool installed

Activating Azure Rights Management on Office 365

Configure IRM to Use Microsoft Azure RM 1. Configure the RMS online key-sharing in Exchange Online: 2. Import the Trusted Publishing Domain (TPD) from RMS Online 3. Enable IRM for Exchange Online 4. OPTIONAL – Disable IRM templates in OWA and Outlook

Rights Management Services Key Sharing URLs LocationRMS key sharing location North Americahttps://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc European Unionhttps://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc Asiahttps://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc South Americahttps://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc Office 365 for Government (Government Community Cloud) * Note: * Only customers who have purchased Office 365 for Government SKUs (Government Community Cloud) should use this RMS key sharing location.

CONFIGURING IRM FOR OFFICE 365 WITH POWERSHELL demo

Configure IRM to Use Microsoft Azure RM with PowerShell StepsPowerShell Cmdlet Enable-OrganizationCustomization Configure the RMS online key- sharing in Exchange Online Set-IRMConfiguration -RMSOnlineKeySharingLocation " rms.na.aadrm.com/TenantManagement/ServicePartner.svc" Import the Trusted Publishing Domain (TPD) from RMS Online Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online“ Enable IRM for Exchange OnlineSet-IRMConfiguration -InternalLicensingEnabled $true OPTIONAL – Disable IRM templates in OWA and Outlook Set-IRMConfiguration –ClientAccessServerEnabled $false

Default Azure Rights Management Templates Read-only viewing for the protected content –Display name: - Confidential View Only –Specific permission: View Content Read or Modify permissions for the protected content –Display name: - Confidential –Specific permissions: View Content, Save File, Edit Content, View Assigned Rights, Allow Macros, Forward, Reply, Reply All Do Not Forward

DEFAULT INFORMATION RIGHTS MANAGEMENT TEMPLATES IN OUTLOOK AND OWA demo

Default Azure Rights Management Templates

Office 365 Message Encryption

About Office 365 Message Encryption Office 365 Message Encryption is an online service that’s built on Microsoft Azure Rights Management (Azure RMS) and available through Exchange Online –Admins enable message encryption by defining transport rules that determine the conditions for encryption A rule can require the encryption of all messages addressed to a specific recipient

S/MIME Requires a certificate and publishing infrastructure Is often used in business-to- business (B2B) and business-to- consumer (B2C) scenarios Is a requirement for certain government business cases The user controls the keys Outlook searches the local client machine to for digital signing and verification Office 365 Message Encryption Policy-based encryption configured and enforced by an administrator Encrypts mail sent to anyone inside or outside of the organization. Includes the ability to customize the mail with organization’s brand Office 365 Message Encryption vs. S/MIME

About Office 365 Message Encryption

Send Encrypted Messages Two Ways Automatic –Admin-defined encryption rules that automatically encrypt all messages meeting specific criteria Manual –Admin-defined rules that allow the sender to encrypt messages at will

Requirements for Office 365 Message Encryption An active Exchange Online or Exchange Online Protection subscription Azure Rights Management must be activated Defined transport rules to trigger message encryption –Create transport rules to determine the conditions for encrypting messages –Create transport rules to define conditions where encryption should be removed from messages Microsoft Rights Management connector*

Microsoft Rights Management connector Enables existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management services Acts as a communications relay between the on-premises servers and the cloud service Supports Exchange Server, SharePoint Server, and file servers that run Windows Server and use File Classification Infrastructure to classify and apply policies to documents in a folder Small-footprint service runs on Windows Server 2008 R2 or later

Microsoft Rights Management connector

Create an Encrypted Message Rule in PowerShell Use the ApplyOME attribute New-TransportRule “Encrypt rule for drtoniramos" -SentTo - ApplyOME $true This parameterSpecifies: New-TransportRule “Encrypt rule for drtoniramos"Name of the new rule -SentTo 1 -SentToScope "NotinOrganization"Condition 2 -ApplyOME $trueEncrypt the message

Create an Encrypted Message Rule in EAC

CREATING MAIL ENCRYPTION RULES IN EXCHANGE ADMIN CENTER demo

Receiving an Encrypted Message The message is delivered to the recipient’s inbox It contains an HTML file attachment The recipient is required to sign in* or use a one-time passcode to view the message on the Office 365 Message Encryption Portal *The recipient can choose to sign in with a work account associated with Office 365 or with a Microsoft account.

RECEIVING AND OPENING AN ENCRYPTED MESSAGE demo

Receiving an Encrypted Message

The passcode expires after 15 minutes. If that happens, or if you can’t open the message for any reason, start over by opening the attachment again and following the steps

Customizing Office 365 Message Encryption

What can be customized Introductory text of the that contains the encrypted message Disclaimer text of the that contains the encrypted message Portal text that will appear in the message viewing portal Logo that will appear in the message and viewing portal

Customizing Office 365 Message Encryption Use the Set-OMEConfiguration cmdlet Feature of the encryption experienceUse these Windows PowerShell commands Default text that accompanies encrypted messages. The text appears above the instructions for viewing encrypted messages Set-OMEConfiguration -Identity - Text " " Disclaimer statement in the that contains the encrypted message Set-OMEConfiguration -Identity DisclaimerText " " Text that appears at the top of the encrypted mail viewing portal Set-OMEConfiguration -Identity - PortalText " " Logo Set-OMEConfiguration -Identity -Image Note 1.Supported file formats:.png,.jpg,.bmp, or.tiff 2.Optimal size of logo file: less than 40 KB 3.Optimal size of logo image: 170x70 pixels

CUSTOMIZING THE OFFICE 365 ENCRYPTED MESSAGE PORTAL AND MESSAGING demo

DEMO - Customizing Office 365 Message Encryption Set-OMEConfiguration -Identity "OME Configuration" - Text "Encrypted message from ContosoPharma secure messaging system“ Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential for the use of the addressee only" Set-OMEConfiguration -Identity "OME Configuration" -PortalText "ContosoPharma secure portal" Set-OMEConfiguration -Identity "OME configuration" -Image (Get-Content "C:\Temp\contosologo.png" -Encoding byte)

DEMO - Customized Office 365 Message Encryption

You must accomplish the following three tasks: 1.Make sure that ALL messages sent to domains are encrypted 2.Make sure all encrypted replies are decrypted for users internally 3.Allow users to encrypt messages by typing “ENCRYPT” to the subject line Real World Scenario

CREATION OF MAIL FLOW RULES TO TRIGGER MESSAGE ENCRYPTION demo

Create the Outbound Message Encryption Rule

Create the Remove Encryption on Replies Rule New-transportrule -name "Remove encryption from incoming mail" -SentToScope "InOrganization" -RemoveOME $true

Create the “At Will” User Encryption Rule

Additional Resources passcode-to-view-an-encrypted-message.aspxhttp://msdn.microsoft.com/en-us/library/use-a-one-time- passcode-to-view-an-encrypted-message.aspx message-encryptionhttp://products.office.com/en-us/exchange/office-365- message-encryption

©2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.