MS Purview replaces OME encryption

HEADS-UP – Purview will starting April 1. 2023 be replacing the legacy OME way of encrypting outgoing mail from O365.

If you don’t do anything, Microsoft will process all mail flow rules that currently applies OME protection to Microsoft Purview Message Encryption protection.

This will bring a much more secure and flexible end-user experience, that differs depending on location and platform. There will also be other major improvements, like the ability to customize Mail body branding with your companys logo etc, to give a more trustworthy experience for recipients.

Use the commandlet Set-OMEConfiguration to adjust the branded experience

With legacy OME encryption the behaviour differs, depending on platform, client, locations etc – where this is much more streamlined with Purview.

Below is a comparison chart

SituationLegacy OMEIRM in AD RMSMicrosoft Purview Message Encryption
Sending an encrypted mailThrough Exchange mail flow rulesEnd-user initiated from Outlook desktop or Outlook on the Web; or through Exchange mail flow rulesEnd-user initiated from Outlook desktop, Outlook for Mac, or Outlook on the Web; through Exchange mail flow rules (also known as transport rules) and data loss prevention (DLP)
Rights management templateN/ADo Not Forward option and custom templatesDo Not Forward option, encrypt-only option, and custom templates
Recipient typeInternal and external recipientsInternal recipients onlyInternal and external recipients
Experience for internal recipientRecipients receive an HTML message, which they download and open in a web browser or mobile appNative inline experience in Outlook clientsNative inline experience for recipients in the same organization using Outlook clients. Recipients can read message from OME portal using clients other than Outlook (no download or app required).
Experience for external recipientRecipients receive an HTML message, which they download and open in a web browser or mobile appN/ANative inline experience for Microsoft 365 recipients. All other recipients can read message from OME portal (no download or app required).
Attachment permissionsNo restrictions on attachmentsAttachments are protectedAttachments are protected for the Do Not Forward option and custom templates. Admins can choose whether attachments for the encrypt-only option are protected or not.
Bring your own key (BYOK) supportNoneNoneBYOK supported

What you need to do to prepare:

If you want to compare the behavior before the deprecation, you can modify and test the changes with your mail flow rules by following the steps outlined in this documentation: Define mail flow rules to use Microsoft Purview Message Encryption

OUTLOOK on the web – manual use

As more and more users start using Outlook directly on the web – also please take note of the ability to add ENCRYPT button for ease of use

Run the Set-IRMConfiguration cmdlet with the -SimplifiedClientAccessEnabled parameter:

Set-IRMConfiguration -SimplifiedClientAccessEnabled <$true|$false>

For example, to disable the Encrypt button:

Set-IRMConfiguration -SimplifiedClientAccessEnabled $false

To enable the Encrypt button:

Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

Automated use

Most likely you want to automate encryption either based on content or labelling, there are many ways to achieve this – most prominent being either by means of a mailflow rule in the Exchange admin center.

You can have the mailflow rule kick in when specific words or phrases are used.:

OR you can use automation be means of sensitivity labelling.

As an example in this Label example i want to auto encrypt all content that contains at least 10 US Bank account numbers.

And i want to adjust the number of days in which the content will be available without authentication (offline access)

Giving me this Label, that i can the publish with a Labelling policy

For details on Labels and label policyes please refer to the official documentation that gives great explanations and examples.


To get everything up and running you need sufficient licenses – and you will have to make sure that Azure rights management is enabled in your tenant.

To use Microsoft Purview Message Encryption, you need one of the following plans:

  • Microsoft Purview Message Encryption is offered as part of Office 365 Enterprise E3 and E5, Microsoft 365 Enterprise E3 and E5, Microsoft 365 Business Premium, Office 365 A1, A3, and A5, and Office 365 Government G3 and G5. You don’t need additional licenses to receive the new protection capabilities powered by Azure Information Protection.
  • You can also add Azure Information Protection Plan 1 to the following plans to receive Microsoft Purview Message Encryption: Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F3, Microsoft 365 Business Basic, Microsoft 365 Business Standard, or Office 365 Enterprise E1.
  • Each user benefiting from Microsoft Purview Message Encryption needs to be licensed to be covered by the feature.

You can verify that your Microsoft 365 tenant is properly configured to use Microsoft Purview Message Encryption in Exchange Online PowerShell.

  1. Connect to Exchange Online PowerShell using an account with global administrator permissions in your Microsoft 365 tenant.
  2. Run the Get-IRMConfiguration cmdlet.You should see a value of $True for the AzureRMSLicensingEnabled parameter, which indicates that Microsoft Purview Message Encryption is configured in your tenant. If it is not, use Set-IRMConfiguration to set the value of AzureRMSLicensingEnabled to $True to enable Microsoft Purview Message Encryption.
  3. Run the Test-IRMConfiguration cmdlet using the following syntax:

Test-IRMConfiguration -Sender -Recipient

For sender and recipient, use the email address of any user in your Microsoft 365 tenant.

Results : Acquiring RMS Templates …
– PASS: RMS Templates acquired. Templates available: Juhl – Confidential View Only, Juhl – Confidential, Do Not Forward.
Verifying encryption …
– PASS: Encryption verified successfully.
Verifying decryption …
– PASS: Decryption verified successfully.
Verifying IRM is enabled …
– PASS: IRM verified successfully.


If the test fails with an error message Failed to acquire RMS templates, execute the following commands and run the Test-IRMConfiguration cmdlet to verify that it passes. Connect to the AIPService module to run the cmdlet.

$RMSConfig = Get-AipServiceConfiguration $LicenseUri = $RMSConfig.LicensingIntranetDistributionPointUrl Set-IRMConfiguration -LicensingLocation $LicenseUri Set-IRMConfiguration -InternalLicensingEnabled $true

I hope this can be a teaser to start your journey into Purview – its super powerfull.


Intro to Purivew:

Encryption in general info:

Set up encryption:

Manage Message encryption:

Double Key encryption:

Sensitivity labels:

Using labels in Groups, Teams and Sharepoint sites:

Leave a Reply

Your email address will not be published. Required fields are marked *