๐ Key Takeaways
- Purview Message Encryption activates on Microsoft 365 E3, E5, Business Premium, or Office 365 E3.
- The fastest rollout is a mail flow rule that triggers Encrypt-Only on PHI keywords or labels.
- PowerShell scripts Set-IRMConfiguration and New-TransportRule for reproducible tenant baselines.
- S/MIME gives cryptographic sender ID but demands certificate distribution to every user device.
- Pair encryption with MFA, conditional access, DLP, and audit logs for defense-in-depth compliance.
Healthcare teams running Microsoft 365 already own most of the tools they need to send encrypted email. The Encrypt button in Outlook, mail flow rules in Exchange, and rights management services in Azure combine into a working encryption stack that meets HIPAA transmission requirements.
The gap is configuration. Most practices discover that the default Office 365 tenant does not enable email encryption until an administrator turns it on, assigns the right licenses, and writes a mail flow rule. Teams that want a simpler path often pair Microsoft 365 with a dedicated encrypted email service to skip the per-user setup work.
This guide walks through the exact steps to enable email encryption in Office 365 from the admin center, PowerShell, and Outlook. It also covers S/MIME setup, mail flow rules, DLP policies, and the license checks that trip up first-time deployments.
Confirm your Office 365 license includes encryption
License verification comes first. Microsoft Purview Message Encryption ships with Microsoft 365 E3, E5, A3, A5, G3, G5, Business Premium, and Office 365 E3 and E5 plans.
Business Basic and Business Standard do not include Purview by default. Administrators on those plans add Azure Information Protection Premium P1 as an add-on license, upgrade the tenant, or route encryption through a third-party service.
To check coverage, sign in to the Microsoft 365 admin center, open Billing, then Licenses. Confirm that assigned licenses include Azure Rights Management Service and Microsoft Purview Message Encryption entitlements.
Users without the correct license see the Encrypt button greyed out in Outlook. Fixing that means assigning the license, waiting for the tenant to provision, then having the user sign out and back in to refresh the token.
Activate Azure Rights Management in the admin center
Azure Rights Management is the underlying service that Purview Message Encryption depends on. New tenants have it enabled by default, but tenants created before 2018 or tenants that were manually disabled need activation.
Open the Microsoft 365 admin center. Go to Settings, then Org settings, then Services. Find Microsoft Azure Information Protection and select it. Click Manage Microsoft Azure Information Protection settings, then Activate.
The activation runs in the background. After a few minutes, the service shows as Activated and the tenant is ready for message encryption policies.
Administrators who prefer to script this step run Enable-AadrmService or the newer Set-IRMConfiguration cmdlet through Exchange Online PowerShell. Both approaches produce the same result and are documented in Microsoft Purview Message Encryption setup guides at learn.microsoft.com.

Create a mail flow rule to trigger encryption automatically
Manual encryption depends on staff clicking the Encrypt button on every sensitive message. Mail flow rules remove that dependency by triggering encryption based on message content, sender, recipient, or attached sensitivity labels.
Open the Exchange admin center. Go to Mail flow, then Rules. Click the plus icon and select Apply Office 365 Message Encryption and rights protection to messages.
Set the condition to match the trigger you want. Common conditions include the subject or body containing terms like PHI, patient, or diagnosis, or messages sent to external recipients from clinical users.
Choose the RMS template. Encrypt-Only lets recipients forward, while Do Not Forward blocks reply-all, forwarding, and printing. Save the rule and send a test message to confirm the recipient portal loads as expected.
Enable email encryption in Office 365 with PowerShell
PowerShell is the fastest path for IT teams managing multiple tenants or scripted deployments. Install the Exchange Online Management module, then connect with the appropriate global admin credentials.
Run Install-Module with the name ExchangeOnlineManagement once per machine. Then connect with Connect-ExchangeOnline and the global admin user principal name.
Enable the service with Set-IRMConfiguration and the AutomaticServiceUpdateEnabled parameter set to true. Verify state with Get-IRMConfiguration. The output should show ServiceLocation, LicensingLocation, and InternalLicensingEnabled populated with valid values.
Create mail flow rules with New-TransportRule. Bulk operations save hours when standing up encryption across acquired practices, new subsidiaries, or lab environments where a repeatable baseline matters more than a one-time click-through.
An orthopedic group in Cleveland with 22 users on Microsoft 365 Business Premium needed automatic encryption for outbound referral letters. The IT contractor scripted the rollout through PowerShell, enabling IRM with Set-IRMConfiguration and creating a mail flow rule that triggered on subject keywords like referral, MRI, and X-ray. A second DLP policy caught patterns like ICD-10 codes and insurance member IDs. Total configuration ran 45 minutes. The first test message from a licensed mailbox to a personal Gmail address delivered a Microsoft portal link within seven seconds.
Use the Encrypt button in Outlook desktop and web
Once the tenant is configured, individual senders trigger encryption from Outlook without additional setup. In Outlook desktop, open a new message, click the Options tab, then click Encrypt.
Choose the protection template from the drop-down. Encrypt applies default protection, Do Not Forward blocks reply-all and forwarding, and any custom labels created by the tenant appear alongside the built-in options.
In Outlook on the web, the Encrypt button lives at the top of the new message pane. The behavior is identical to the desktop version, and messages appear in the recipient portal with the same experience.
Mobile users on the Outlook iOS and Android apps get the same Encrypt option under the three-dot menu when composing a message. Recipients open the encrypted message through a portal link and sign in with Microsoft, Google, or a one-time passcode.

Configure S/MIME for regulated communications
S/MIME provides cryptographic identity verification on top of encryption. It requires certificate distribution to every user and device, which raises the operational cost but delivers sender authentication for compliance-critical exchanges.
Deploy a certificate authority or use a public CA. Push user certificates through Group Policy, Intune, or manual import into the personal certificate store. Confirm the store shows the certificate under Trusted Publishers.
In Outlook 2007 and later, open File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted Email, select the S/MIME certificate. Check the boxes to sign outgoing messages and encrypt content and attachments.
S/MIME becomes practical for teams with an existing PKI. Small practices without one usually get better outcomes from Purview Message Encryption or a third-party secure email service that handles keys behind the scenes.
Layer DLP policies on top of encryption rules
Data loss prevention policies inspect messages for regulated content patterns. When a match hits, the policy applies encryption automatically or blocks the message and notifies the sender.
Open the Microsoft Purview compliance portal. Go to Data loss prevention, then Policies. Click Create policy and choose the U.S. Health Insurance Act (HIPAA) template as a starting point.
The template detects patterns like Social Security numbers, ICD-10 codes, DEA numbers, and insurance member IDs. Set the action to apply Purview Message Encryption when the policy matches an outbound message.
Tune the policy over the first two weeks. Review the DLP alert dashboard, adjust match confidence thresholds, and add exceptions for internal training data or test accounts. A tuned policy catches PHI leaks without blocking legitimate clinical email.
Save the Set-IRMConfiguration, Enable-OrganizationCustomization, and New-TransportRule commands in a single .ps1 file with comments naming each step. When a mailbox migration, tenant reset, or license upgrade happens, the same script rebuilds the encryption baseline in under 10 minutes. Manual UI clicks are the leading cause of drift between what the risk register says is configured and what the tenant actually has active. A checked-in script also serves as evidence of consistent policy enforcement during an OCR audit.
Test the encryption workflow end to end
Testing catches misconfigured rules before staff sends real PHI through a broken flow. Set up two accounts. Use one licensed Office 365 mailbox as the sender and one external Gmail or Yahoo account as the recipient.
Send a test message with the word PHI in the subject line to trigger the mail flow rule. The external recipient should receive a wrapper message with a link to view the encrypted content.
Open the portal link. Sign in with a Microsoft account, a Google account, or request a one-time passcode. Confirm the message body renders correctly, and reply from the portal to test round-trip encryption.
Document each step with screenshots. Save the DLP report, the mail flow rule configuration, and the PowerShell output. This documentation becomes evidence during HIPAA audits, business associate reviews, and internal security assessments.
Match encryption with the HIPAA Security Rule
The HIPAA Security Rule addresses transmission security under 45 CFR 164.312(e). Encryption is an addressable standard, which means covered entities either implement it or document a reasonable alternative.
Office 365 encryption meets the transmission standard when configured with the mail flow rules and DLP policies described above. Practices should also enable multi-factor authentication, conditional access, and audit logging to satisfy access control and integrity standards.
The HHS Security Rule guidance outlines the full set of technical safeguards. Encryption alone does not satisfy the rule, but it addresses one of the more visible controls that auditors ask about first.
Healthcare organizations also need a signed business associate agreement (BAA) with Microsoft. The BAA is available through the Microsoft Service Trust Portal and covers Office 365, Exchange Online, and Purview Message Encryption when configured for HIPAA workloads. Compliance also depends on healthcare website security features that protect the public-facing side of the practice.
Choose between native encryption and a dedicated service
Native Office 365 encryption works well for organizations that already run on Microsoft 365 E3 or Business Premium and have IT staff to manage mail flow rules, license assignments, and Purview policies.
Small practices without dedicated IT often find the setup and ongoing maintenance costly. Every license change, tenant migration, or Outlook update creates a potential point of failure that a solo IT contractor needs to troubleshoot.
Mailhippo works alongside existing Gmail or Outlook accounts as a HIPAA-compliant secure email service. The base plan includes a business associate agreement and applies TLS with client-side encryption without requiring PGP keys or separate client software. Recipients open messages with one click.
Teams building the workflow further may want to look at enable office 365 email encryption, review outlook 365 enable encryption email options, or benchmark against email encryption office 365 business premium to confirm the plan level covers the needed features.
- Confirm license coverage before touching mail flow rules.
- Activate Azure Rights Management once per tenant.
- Script repeat deployments with PowerShell instead of the admin UI.
- Layer DLP policies on top of manual encryption for PHI patterns.
- Document the full configuration for HIPAA audit evidence.
Frequently Asked Questions
Microsoft 365 E3, E5, A3, A5, G3, G5, Business Premium, and Office 365 E3 and E5 include Microsoft Purview Message Encryption at no extra cost. Business Basic and Business Standard plans do not include Purview Message Encryption in the base license. Practices on lower-tier plans need to add Azure Information Protection Premium P1, upgrade the tenant, or use a third-party secure email service. Verifying license coverage before enabling encryption avoids failed mail flow rules and confused end users.
A single-tenant configuration with existing Purview Message Encryption licensing takes about 30 to 60 minutes. That includes activating Azure Rights Management, creating a mail flow rule, testing an outbound message, and documenting the setup. Multi-tenant rollouts, custom branding, and DLP policy tuning add several hours. Practices adding licenses first should expect provisioning delays of up to 24 hours before the Encrypt button appears in Outlook for newly licensed users.
No. External recipients receive a notification message with a link to a secure portal hosted by Microsoft. They sign in with a Microsoft account, a Google account, or request a one-time passcode delivered to the recipient email address. The message opens in the browser, and replies stay inside the encrypted thread. Recipients on mobile see the same experience through the Office mobile app or a standard web browser.
Yes. Connect to Exchange Online PowerShell using Connect-ExchangeOnline, then run Set-IRMConfiguration with the AutomaticServiceUpdateEnabled parameter set to true and enable the rights management service with Enable-OrganizationCustomization. Verify the state with Get-IRMConfiguration and Test-IRMConfiguration against a licensed mailbox. PowerShell also handles bulk mail flow rule creation through New-TransportRule, which is faster than the admin center for tenants with dozens of rules or repeated deployment across labs, subsidiaries, and clinics.
S/MIME uses digital certificates issued to individual users. Each sender signs and encrypts the message with keys bound to a verified identity, and each recipient needs a matching certificate to read the message. Microsoft Purview Message Encryption uses a policy-based approach that does not require recipient certificates. S/MIME provides stronger identity assurance for regulated communications with fixed partners. Purview scales better for healthcare teams sending to patients, insurers, and referral partners who do not manage certificates.
Encryption satisfies the transmission security standard under the HIPAA Security Rule, but compliance requires additional controls. Practices need multi-factor authentication, access controls, audit logs, workforce training, a signed business associate agreement with Microsoft, and documented policies. Encryption without those supporting controls fails an OCR audit even when messages themselves are secured. Treat encryption as one layer inside a broader compliance program rather than the finish line for HIPAA readiness.
Check three items in order. First, confirm the user license includes Purview Message Encryption in the Microsoft 365 admin center. Second, verify Azure Rights Management is active by running Get-IRMConfiguration and checking that RMSOnlineActivated returns True. Third, sign the user out of Outlook and back in to refresh the license token. If the button still does not appear, restart Outlook in safe mode and clear the Office credentials cache under Windows Credential Manager.