A support ticket came in recently, in which a client asked whether they needed to upgrade their Microsoft 365 license to encrypt email in Outlook.

Initially, I thought not, as I remembered they were using Microsoft 365 Business Premium. I replied that the option should be available in Outlook if they start a new mail and look under Options.

Encrypt email in Outlook missing

They said they could not see the option and wanted additional help. After logging into their PC, sure enough, the option wasn't there. Shown below is what it would look like if the email encryption feature were available.

Option to use encrypt email may be missing in Outlook

When Outlook isn't working, I tend to advise people to test the same functionality in Outlook on the web. It is no longer lagging behind its desktop cousin, and I actually use it myself instead.

I loaded up Outlook on the web, but again, the option was missing. Again, below, we show how it looks if everything is correctly configured.

Option is also missing in Outlook on the web

The only option available was S/MIME, which requires setting up PKI manually, and I know from having used the encrypt email feature in the past that it should "just be there."

SMIME Options in Outlook on the web

Nothing wrong with using S/MIME, if that is your thing, but the intention here was to use the built-in email encryption functionality instead.

So, after going back to their original query and down a rabbit hole of conflicting documentation, for example, here, here, and some others, I managed to confirm that, yes, the Microsoft 365 Business Premium license does include the email encryption feature, but, likely as not, I needed to enable the feature in their tenant.

I found this article, which explains the procedure, but I found it omits another key setting.

Unfortunately, after following the commands, I was still unable to run the Test-IRMConfiguration command successfully. You may see nothing returned from the command, or you may see a failure.

Enable encrypt email in Microsoft 365

To complete this procedure, you will need both the Exchange Online PowerShell module and Azure Information Protection PowerShell module.

Connect to both services using an administrator account. Then, run the following commands:

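# Connect to Exchange Online and to the Azure Information Protection service
Connect-ExchangeOnline
Connect-AIPService

# Activate the protection service first; the IRM settings below had no effect until this was run
Enable-AIPService
# Read the tenant's licensing URL from the service configuration
$RMSConfig = Get-AipServiceConfiguration
$LicenseUri = $RMSConfig.LicensingIntranetDistributionPointUrl
# Point Exchange Online at that licensing location, then enable licensing
Set-IRMConfiguration -LicensingLocation $LicenseUri
Set-IRMConfiguration -InternalLicensingEnabled $true
Set-IRMConfiguration -AzureRMSLicensingEnabled $true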

Notice that Enable-AIPService is not included in the Microsoft documentation. I found that while I could run the Test-IRMConfiguration and Set-IRMConfiguration cmdlets without error, they had no effect until after I ran Enable-AIPService, which, when you think about it, is probably the first thing you want to check.

Once you have run those commands, you will find that the Test-IRMConfiguration command succeeds.

Test-IRMConfiguration success
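
As an added example (not from the original article or from Microsoft's documentation), this read-only PowerShell check reports which of the settings above are still missing in a tenant before anything is changed, and only runs Test-IRMConfiguration once they all match. It assumes both sessions are already connected; the sender address is a placeholder, and comparing the licensing URLs with trailing slashes trimmed is an assumption of this example.

```powershell
# Added example: audit the settings this article changes without modifying them.
# Assumes Connect-ExchangeOnline and Connect-AipService have already succeeded.
param(
    # Placeholder address; replace with a real mailbox in the tenant.
    [string]$Sender = 'user@example.com'
)

# Current state of the protection service and of the Exchange Online IRM configuration
$aipStatus = Get-AipService                      # Enabled or Disabled
$rmsUrl    = (Get-AipServiceConfiguration).LicensingIntranetDistributionPointUrl
$irm       = Get-IRMConfiguration

# Normalise URLs before comparing (assumption: only a trailing slash may differ)
$wantedUrl   = "$rmsUrl".TrimEnd('/')
$currentUrls = @($irm.LicensingLocation | ForEach-Object { "$_".TrimEnd('/') })

$checks = @(
    [pscustomobject]@{
        Setting = 'Azure Information Protection service'
        Ok      = ("$aipStatus" -eq 'Enabled')
        Actual  = "$aipStatus"
        Fix     = 'Enable-AipService'
    }
    [pscustomobject]@{
        Setting = 'LicensingLocation'
        Ok      = ($wantedUrl -and ($currentUrls -contains $wantedUrl))
        Actual  = ($currentUrls -join ', ')
        Fix     = 'Set-IRMConfiguration -LicensingLocation $LicenseUri'
    }
    [pscustomobject]@{
        Setting = 'InternalLicensingEnabled'
        Ok      = [bool]$irm.InternalLicensingEnabled
        Actual  = "$($irm.InternalLicensingEnabled)"
        Fix     = 'Set-IRMConfiguration -InternalLicensingEnabled $true'
    }
    [pscustomobject]@{
        Setting = 'AzureRMSLicensingEnabled'
        Ok      = [bool]$irm.AzureRMSLicensingEnabled
        Actual  = "$($irm.AzureRMSLicensingEnabled)"
        Fix     = 'Set-IRMConfiguration -AzureRMSLicensingEnabled $true'
    }
)

$checks | Format-Table Setting, Ok, Actual, Fix -AutoSize -Wrap

if ($checks.Ok -notcontains $false) {
    # Everything matches: run the end-to-end test for the chosen sender
    Test-IRMConfiguration -Sender $Sender | Format-List
} else {
    Write-Warning 'One or more settings are missing; apply the Fix column, then re-run.'
}
```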

I hope this saves you some head-scratching when your users complain that the encrypt email feature in Outlook is missing.

1 Comment
    Cdavis 10 months ago

    Thank you for this. I spent hours in a loop with Microsoft documentation. The steps you provided resolved my issues.

    Very Grateful!