4 min read

Sending encrypted workflow notification emails

Does business require to send encrypted workflow notification emails in synch with your company’s security requirements? The following steps describe how to do it using CRM Online and Office 365.

Office 365 Message Encryption requires the Azure Rights Management service. Once you have a subscription to this service, you can activate it as described in the following procedure. For more information about this requirement, see Prerequisites for using Office 365 Message Encryption.

Necessary steps:

  1. Server side synchronization configuration for your CRM Online instance
  2. Activate Azure Rights Management
  3. Set up Azure Rights Management for Office 365 Message Encryption
  4. Define rules to encrypt email messages
  5. Create a test CRM workflow and test it

1. Server side synchronization configuration for your CRM Online instance

It is assumed that server side synchronization is set up properly for your CRM Online instance using Exchange Online for outgoing emails. More information: Set up server-side synchronization of email, appointments, contacts, and tasks

2. Activate Azure Rights Management

Check whether you have an Azure Right Management subscription.:

Go to https://portal.office.com/AdminPortal/Home?switchtomoderndefault=true#/subscriptions within Office 365. You should see Azure Rights Management Premium among your subscriptions.

Activate Azure Rights Management subscription


If your subscription does not include it, press the +Add Subscription button and select Azure Rights Management Premium (you can buy it or start a 30-day trial):

Add Azure Rights Management Premium subscription


After a few minutes you should see this under Subscriptions in the Office 365 Admin Center:

Activate Azure Rights Management subscription


More information: how to activate Azure Rights Management (https://docs.microsoft.com/en-us/rights-management/deploy-use/activate-service)

3. Set up Azure Rights Management for Office 365 Message Encryption

Once you have Azure Rights Management, the next step is to set up Azure Rights Management for Office 365 (Exchange Online) message encryption. We will use Windows Power Shell to connect to Exchange Online and accomplish this step. (More information how to Connect to Exchange Online using PowerShell)

Open a PowerShell windows as Administrator and execute the following PowerShell commands:

Set-ExecutionPolicy RemoteSigned

$UserCredential = Get-Credential

Enter your Office 365 Global Administrator user credentials.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session


Configure the Rights Management Services (RMS) online key-sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location, as shown in this table:

Location RMS key sharing location
European Union https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
North America https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
South America https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
Asia https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc


Since my tenant is located in the European Union, I use the following PowerShell command:

Set-IRMConfiguration -RMSOnlineKeySharingLocation “https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

Run the following command to import the Trusted Publishing Domain (TPD) from RMS Online:

Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

To verify that you successfully configured IRM in Exchange Online to use the Azure Rights Management service, run the following command:

Test-IRMConfiguration -RMSOnline

Among other things, the command checks connectivity with the RMS Online service, downloads the TPD, and checks its validity. If everything is OK, you should see as result of the test: ‘Overall result: pass’.

Run the following commands to disable IRM templates from being available in OWA and Outlook and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption.

To disable IRM templates in OWA and Outlook:

Set-IRMConfiguration -ClientAccessServerEnabled $false

To enable IRM for Office 365 Message Encryption:

Set-IRMConfiguration -InternalLicensingEnabled $true

To test the IRM functionality, run the following command, where you use your username instead of administrator@encryptedwfmail.onmicrosoft.com:

Test-IRMConfiguration -Sender administrator@encryptedwfmail.onmicrosoft.com

If everything is OK, you should see as result of the test: ‘Overall result: pass’.

More information how to Set up Microsoft Azure Rights Management for Office 365 Message Encryption.

4. Define rules to encrypt email messages

The next step is to define the conditions when we want to encrypt an email. In our case, email encryption is only needed when the body of the email contains the following phrase: ‘(This email was encrypted using Microsoft Office 365)’

It can be defined in the Exchange Admin Center (EAC), which can be accessed within Office 365 via Admin > Exchange:

From the EAC, go to mail flow > rules:

Select + > Create a new rule…

Create a new rule to encrypt email messages


Enter the Name (for example ‘Encrypted CRMONL workflow email’) and click on the More options… button in the opening pop-up window as shown below:

 Specify rule details


Then specify when the rule should be applied. So select The subject or body > subject or body matches these text patterns:

Select when the rule should apply


Enter the phrase (for example: ‘(This email was encrypted using Microsoft Office 365)), press the + sign and finally press Ok as shown below:

Specify words or phrases


The last step to set Office 365 Message Encryption by selecting Modify the message security… > Apply Office 365 Message Encryption as shown below and then press Save:

Set Office 365 Message Encryption 


More information how to Define rules to encrypt or decrypt email messages.

5. Create a test CRM workflow and test it

The final step is to create a workflow where we want to use the email encryption and test it in practice.

We are creating a simple workflow which is fired when an account is created and sends an encrypted notification email. Assuming that the reader is familiar with the Dynamics CRM workflow basic, the relevant parts are highlighted here.

When you define the workflow, specify the

  • Process Name: Account create – encrypted mail
  • Entity: Account
  • Category: Workflow
  • Start condition: Record is created
  • Step: Send email: Create new message

as shown below:

Define a workflow


And add the email properties as the following:

Specify email properties


The key elements of the workflow notification email is the last sentence in the message body – (This email was encrypted using Microsoft Office 365) – which should be the same string as we defined the message encryption rule.

Let’s Save and Activate the workflow, before we can test our work.

Finally, to test our work, first let’s create a new account in CRM:

Create a new account record.


Then we receive the encrypted account creation notification email, which is actually an html email attachment:

Encrypted account creation notification email


When we try to open the html file in a browser, we have two options:

  • Sign in with our Office 365 credentials or
  • Use a one-time passcode

Message when opening the encrypted message in a browser


Now, using the one-time passcode option, we will get another email including the one-time passcode:

Use the one-time passcode option


After specifying the passcode, we can read the workflow notification email:

Read workflow notification email



– Miklos Hoffmann



We're always looking for feedback and would like to hear from you. Please head to the Dynamics 365 Community to start a discussion, ask questions, and tell us what you think!