In this demo, I want to set up the prerequisites for Microsoft email encryption and validate the functionality. 

I’m going to start by installing the PowerShell Azure information protection package. Open a PowerShell terminal as administrator and execute the install module command with the name parameter as AIPService. Alternatively, you can update the Azure information protection service module with update module. Next, we want to import the module with the aptly named import module cmdlet. If you want to check which version of the module you're running, use the get module command with the module name and the parameter list available. As you can see, you need to make sure your parameter is preceded with a hyphen, so PowerShell knows what you're talking about. OK, I'll clear that and connect to the AIP service. When I run the Get-AipService command, we can see that it is disabled, so I’ll enable it with the appropriately named Enable-AipService cmdlet.

Next, we want to check that information rights management is configured and enabled. I don’t need to be a local administrator to do that, so I’ll open a PowerShell terminal as me and connect to Exchange Online using my Microsoft 365 account. However, you do need the appropriate permissions to run the Test-IRMConfiguration cmdlet. If you need to find what permissions are required to run an Exchange command, you can use Get-ManagementRole with the command of interest as the cmdlet parameter. Pipe the results into Get-ManagementRoleAssignment to reveal the roles. We can see compliance and organization roles are required. I’m an admin, so not an issue. I’ll run the cmdlet with myself as the sender and recipient. The results tell us which rights management service templates are available, whether encryption and decryption are in effect, and if information rights management is enabled. Everything has passed and is enabled, so we’re good to go.