Email Encryption Setup DEMO
Start course

Email Encryption Solutions in Microsoft 365 looks at how messages and attachments are protected both within the Microsoft 365 ecosystem and when they are sent to external recipients. This course outlines the various protection mechanisms at play, how they work, and how to use them. In addition to encryption and information rights management, we see how encrypted messages can be customized with an organization’s branding and what additional functionality comes with custom branding.

Learning Objectives

  • Gain an overview of Microsoft 365 email encryption
  • Learn how to implement email encryption
  • Understand advanced message encryption

Intended Audience

This course is intended for students working towards the SC-400: Microsoft Information Protection Administrator exam or those students wanting to learn about Microsoft 365 email message encryption.


There are no mandatory prerequisites required to take this course, but an understanding of how email works and previous experience with PowerShell would be beneficial.


In this demo, I want to set up the prerequisites for Microsoft email encryption and validate the functionality. 

I’m going to start by installing the PowerShell Azure information protection package. Open a PowerShell terminal as administrator and execute the install module command with the name parameter as AIPService. Alternatively, you can update the Azure information protection service module with update module. Next, we want to import the module with the aptly named import module cmdlet. If you want to check which version of the module you're running, use the get module command with the module name and the parameter list available. As you can see, you need to make sure your parameter is preceded with a hyphen, so PowerShell knows what you're talking about. OK, I'll clear that and connect to the AIP service. When I run the Get-AipService command, we can see that it is disabled, so I’ll enable it with the appropriately named Enable-AipService cmdlet.


Next, we want to check that information rights management is configured and enabled. I don’t need to be a local administrator to do that, so I’ll open a PowerShell terminal as me and connect to Exchange Online using my Microsoft 365 account. However, you do need the appropriate permissions to run the Test-IRMConfiguration cmdlet. If you need to find what permissions are required to run an Exchange command, you can use Get-ManagementRole with the command of interest as the cmdlet parameter. Pipe the results into Get-ManagementRoleAssignment to reveal the roles. We can see compliance and organization roles are required. I’m an admin, so not an issue. I’ll run the cmdlet with myself as the sender and recipient. The results tell us which rights management service templates are available, whether encryption and decryption are in effect, and if information rights management is enabled. Everything has passed and is enabled, so we’re good to go.

About the Author
Learning Paths

Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a  Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.