Sending encrypted workflow notification emails
Does business require to send encrypted workflow notification emails in synch with your company’s security requirements? The following steps describe how to do it using CRM Online and Office 365.
Office 365 Message Encryption requires the Azure Rights Management service. Once you have a subscription to this service, you can activate it as described in the following procedure. For more information about this requirement, see Prerequisites for using Office 365 Message Encryption.
Necessary steps:
- Server side synchronization configuration for your CRM Online instance
- Activate Azure Rights Management
- Set up Azure Rights Management for Office 365 Message Encryption
- Define rules to encrypt email messages
- Create a test CRM workflow and test it
1. Server side synchronization configuration for your CRM Online instance
It is assumed that server side synchronization is set up properly for your CRM Online instance using Exchange Online for outgoing emails. More information: Set up server-side synchronization of email, appointments, contacts, and tasks
2. Activate Azure Rights Management
Check whether you have an Azure Right Management subscription.:
Go to https://portal.office.com/AdminPortal/Home?switchtomoderndefault=true#/subscriptions within Office 365. You should see Azure Rights Management Premium among your subscriptions.
If your subscription does not include it, press the +Add Subscription button and select Azure Rights Management Premium (you can buy it or start a 30-day trial):
After a few minutes you should see this under Subscriptions in the Office 365 Admin Center:
More information: how to activate Azure Rights Management (https://docs.microsoft.com/en-us/rights-management/deploy-use/activate-service)
3. Set up Azure Rights Management for Office 365 Message Encryption
Once you have Azure Rights Management, the next step is to set up Azure Rights Management for Office 365 (Exchange Online) message encryption. We will use Windows Power Shell to connect to Exchange Online and accomplish this step. (More information how to Connect to Exchange Online using PowerShell)
Open a PowerShell windows as Administrator and execute the following PowerShell commands:
Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
Enter your Office 365 Global Administrator user credentials.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Configure the Rights Management Services (RMS) online key-sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location, as shown in this table:
Location | RMS key sharing location |
European Union | https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc |
North America | https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc |
South America | https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc |
Asia | https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc |
Since my tenant is located in the European Union, I use the following PowerShell command:
Set-IRMConfiguration -RMSOnlineKeySharingLocation “https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc“
Run the following command to import the Trusted Publishing Domain (TPD) from RMS Online:
Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”
To verify that you successfully configured IRM in Exchange Online to use the Azure Rights Management service, run the following command:
Test-IRMConfiguration -RMSOnline
Among other things, the command checks connectivity with the RMS Online service, downloads the TPD, and checks its validity. If everything is OK, you should see as result of the test: ‘Overall result: pass’.
Run the following commands to disable IRM templates from being available in OWA and Outlook and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption.
To disable IRM templates in OWA and Outlook:
Set-IRMConfiguration -ClientAccessServerEnabled $false
To enable IRM for Office 365 Message Encryption:
Set-IRMConfiguration -InternalLicensingEnabled $true
To test the IRM functionality, run the following command, where you use your username instead of administrator@encryptedwfmail.onmicrosoft.com:
Test-IRMConfiguration -Sender administrator@encryptedwfmail.onmicrosoft.com
If everything is OK, you should see as result of the test: ‘Overall result: pass’.
More information how to Set up Microsoft Azure Rights Management for Office 365 Message Encryption.
4. Define rules to encrypt email messages
The next step is to define the conditions when we want to encrypt an email. In our case, email encryption is only needed when the body of the email contains the following phrase: ‘(This email was encrypted using Microsoft Office 365)’
It can be defined in the Exchange Admin Center (EAC), which can be accessed within Office 365 via Admin > Exchange:
From the EAC, go to mail flow > rules:
Select + > Create a new rule…
Enter the Name (for example ‘Encrypted CRMONL workflow email’) and click on the More options… button in the opening pop-up window as shown below:
Then specify when the rule should be applied. So select The subject or body > subject or body matches these text patterns:
Enter the phrase (for example: ‘(This email was encrypted using Microsoft Office 365)’), press the + sign and finally press Ok as shown below:
The last step to set Office 365 Message Encryption by selecting Modify the message security… > Apply Office 365 Message Encryption as shown below and then press Save:
More information how to Define rules to encrypt or decrypt email messages.
5. Create a test CRM workflow and test it
The final step is to create a workflow where we want to use the email encryption and test it in practice.
We are creating a simple workflow which is fired when an account is created and sends an encrypted notification email. Assuming that the reader is familiar with the Dynamics CRM workflow basic, the relevant parts are highlighted here.
When you define the workflow, specify the
- Process Name: Account create – encrypted mail
- Entity: Account
- Category: Workflow
- Start condition: Record is created
- Step: Send email: Create new message
as shown below:
And add the email properties as the following:
The key elements of the workflow notification email is the last sentence in the message body – (This email was encrypted using Microsoft Office 365) – which should be the same string as we defined the message encryption rule.
Let’s Save and Activate the workflow, before we can test our work.
Finally, to test our work, first let’s create a new account in CRM:
Then we receive the encrypted account creation notification email, which is actually an html email attachment:
When we try to open the html file in a browser, we have two options:
- Sign in with our Office 365 credentials or
- Use a one-time passcode
Now, using the one-time passcode option, we will get another email including the one-time passcode:
After specifying the passcode, we can read the workflow notification email:
– Miklos Hoffmann