Why this matters (especially for older tenants)
If your tenant was created before mid‑2019, it may not have been initially configured with Microsoft Message Encryption and Information Rights Management (IRM) enabled. That means users may not see expected encryption options in Outlook/OWA, and compliance features that depend on the Rights Management service can fail or behave inconsistently until the tenant-side prerequisites are turned on.
In practical terms: you can assign the “right” licenses and configure the “right” policies — and still find that encryption, protected messages, and IRM-based behaviors don’t work until the foundational service is enabled and Exchange IRM is configured.
What you’re enabling (at a high level)
- Azure Information Protection / Rights Management service (often abbreviated as AIP / RMS) for your tenant.
- Exchange Online IRM configuration so Exchange can use RMS for licensing and protection workflows.
- Simplified client access in Exchange if the Encrypt button does not appear after a successful configuration test.
Prerequisites
- You’ll need an account that can authenticate with appropriate admin permissions (commonly Global Admin for tenant-level enablement steps).
- PowerShell execution policy and module installation must be permitted on your admin workstation.
- Expect propagation delays. Some changes may take up to 24 hours to reflect fully in clients and services.
Step-by-step: Enable Microsoft Message Encryption & IRM
1) Install the Azure Information Protection Service PowerShell module
The AIPService module is used to connect to the tenant’s Rights Management service and check/enable it.
Install-Module -Name AipService
Import-Module -Name AipService
2) Connect to the Azure Information Protection service
Authenticate when prompted (commonly using Global Admin credentials).
Connect-AipService
3) Check whether the AIP / Rights Management service is enabled
Get-AipService
If the service is disabled, enable it and check again. In some environments, the enablement can take time to fully propagate (up to 24 hours).
Enable-AipService
Get-AipService
Note: If it shows enabled after running the command, continue immediately with Exchange IRM checks. In some tenants, enabling the service may be sufficient — but in many cases you’ll still need the Exchange IRM steps below.
4) Install the Exchange Online PowerShell module
Install-Module -Name ExchangeOnlineManagement
Import-Module -Name ExchangeOnlineManagement
5) Connect to Exchange Online
Connect-ExchangeOnline
6) Check the IRM configuration in Exchange
Get-IRMConfiguration
7) Ensure Azure RMS licensing and internal licensing are enabled
If either of the following values is False, set it to True:
- AzureRMSLicensingEnabled
- InternalLicensingEnabled
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
Set-IRMConfiguration -InternalLicensingEnabled $true
Validation: Test the configuration
This test attempts to validate IRM end-to-end for a sender mailbox. Replace the sender value with a real mailbox in your environment.
Test-IRMConfiguration -sender user@domain.com
If this test passes, you can typically proceed to user validation (Outlook/OWA encrypt options). If it fails, the most common next step is to set the Exchange IRM licensing location using the tenant’s AIP configuration.
If Test-IRMConfiguration fails: Set the IRM licensing location
8) Reconnect to the AIP service
Connect-AipService
9) Retrieve the licensing URL and set it in Exchange IRM configuration
This sequence retrieves the intranet distribution point URL from AIP configuration, then applies it to Exchange IRM.
$RMSConfig = Get-AipServiceConfiguration
$LicenseUri = $RMSConfig.LicensingIntranetDistributionPointUrl
Set-IRMConfiguration -LicensingLocation $LicenseUri
10) Test IRM configuration again
Test-IRMConfiguration -sender user@domain.com
If the test passes at this point, allow up to 24 hours for the change to propagate across services and clients.
If the IRM test passes but the “Encrypt” button still doesn’t appear
In some cases, even after a successful IRM test, Outlook on the web may not show the Encrypt option within 24 hours. When that happens, enable simplified client access in Exchange IRM configuration and wait again.
Connect-ExchangeOnline
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
After enabling simplified client access, allow another 24 hours for UI and service behavior to update.
Operational guidance: what to check in a health review for older tenants
- Tenant age / legacy configuration: If the tenant predates mid‑2019, explicitly verify AIP/RMS is enabled.
- Service enablement: Confirm Get-AipService reflects the service as enabled.
- Exchange IRM toggles: Confirm AzureRMSLicensingEnabled and InternalLicensingEnabled are true.
- End-to-end validation: Run Test-IRMConfiguration and address licensing location if it fails.
- User experience validation: Confirm Encrypt appears in Outlook on the web; enable simplified client access if it doesn’t.
- Propagation timing: Plan for up to 24 hours after changes — sometimes longer in complex tenants.
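The checks in this list can be collected into one audit pass that makes no configuration changes. The script below is an added example, not part of the original article or of any Microsoft module. It assumes Connect-AipService and Connect-ExchangeOnline have already been run in the session, that the sender address is replaced with a real mailbox, and that the test output contains the text "OVERALL RESULT: PASS" on success; New-Finding is a hypothetical helper.

```powershell
# Audit of the tenant settings listed in the health review (no Set-* calls are made).
# Assumes Connect-AipService and Connect-ExchangeOnline were run beforehand.
param([string]$Sender = 'user@domain.com')   # placeholder: use a real mailbox

function New-Finding {   # hypothetical helper, defined only for this example
    param([string]$Check, [bool]$Ok, [string]$Detail, [string]$Fix)
    [pscustomobject]@{
        Check  = $Check
        Status = if ($Ok) { 'OK' } else { 'ACTION' }
        Detail = $Detail
        Fix    = if ($Ok) { '' } else { $Fix }
    }
}

$findings = @()

# 1. Rights Management service state (cast to string so the comparison is type-safe)
$aipState = [string](Get-AipService)
$findings += New-Finding -Check 'AIP/RMS service' -Ok ($aipState -eq 'Enabled') `
    -Detail $aipState -Fix 'Enable-AipService'

# 2. Exchange IRM toggles that must both be True
$irm = Get-IRMConfiguration
foreach ($name in 'AzureRMSLicensingEnabled', 'InternalLicensingEnabled') {
    $findings += New-Finding -Check $name -Ok ($irm.$name -eq $true) `
        -Detail "$($irm.$name)" -Fix "Set-IRMConfiguration -$name `$true"
}

# 3. End-to-end test; the PASS marker is an assumption about the output text
$testText = Test-IRMConfiguration -Sender $Sender | Out-String
$passed   = $testText -match 'OVERALL RESULT:\s*PASS'
$findings += New-Finding -Check 'Test-IRMConfiguration' -Ok $passed `
    -Detail "LicensingLocation: $(@($irm.LicensingLocation) -join ', ')" `
    -Fix 'Set-IRMConfiguration -LicensingLocation (Get-AipServiceConfiguration).LicensingIntranetDistributionPointUrl'

# 4. Only relevant when the test passes but Encrypt is still missing in OWA
$findings += New-Finding -Check 'SimplifiedClientAccessEnabled' `
    -Ok ($irm.SimplifiedClientAccessEnabled -eq $true) `
    -Detail "$($irm.SimplifiedClientAccessEnabled)" `
    -Fix 'If Encrypt is missing after a passing test: Set-IRMConfiguration -SimplifiedClientAccessEnabled $true'

$findings | Format-Table -AutoSize -Wrap
```

Rows marked ACTION carry the remediation command from the steps above; rerun the audit after the propagation window to confirm the change took effect.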
Common troubleshooting notes
- “I enabled AIP but nothing changed” — Exchange IRM configuration can still be disabled and must be checked separately.
- Test-IRMConfiguration fails — Setting the licensing location via AIP configuration is often required.
- Test passes but Encrypt doesn’t show — Use -SimplifiedClientAccessEnabled $true and allow time for propagation.
Closing thoughts
Message Encryption is one of those features that “should just work,” but older tenants can carry legacy defaults that prevent modern encryption experiences from showing up reliably. The good news is that verification and remediation are straightforward: enable the Rights Management service, validate Exchange IRM settings, and confirm behavior end-to-end with a real sender mailbox test.
Tip: If you’re doing a baseline security/compliance review for a long-lived tenant, add these checks to your standard runbook — it’s an easy win that prevents confusion during policy rollouts and user adoption.