Forcing Message Encryption on certain domains

%3CLINGO-SUB%20id%3D%22lingo-sub-1133382%22%20slang%3D%22en-US%22%3EForcing%20Message%20Encryption%20on%20certain%20domains%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1133382%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20I%20am%20writing%20this%20as%20an%20addendum%20sort%20of%20to%20Mike%20Parker's%20relatively%20usefull%20guide%20for%20Forcing%20OME%20by%20domain.(%20%3CA%20href%3D%22https%3A%2F%2Fpractical365.com%2Fexchange-online%2Fautomatically-encrypting-exchange-online-emails-with-office-message-encryption%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fpractical365.com%2Fexchange-online%2Fautomatically-encrypting-exchange-online-emails-with-office-message-encryption%2F%3C%2FA%3E)%3C%2FP%3E%3CP%3EIn%20some%20cases%2C%20you%20may%20be%20asked%20to%20force%20OME%20on%20anything%20that%20isn't%20TLS%20encrypted%2C%20and%20I%20enhanced%20Mikes%20process%20by%20building%20out%20a%20script%20that%20scrapes%20exchange%20online%20Trace%20results%20for%20messages%20to%20domains%20that%20are%20held%20up%2C%20collects%20them%2C%20compares%20them%20to%20the%20domains%20in%20existing%202%20rules%2C%20and%20then%20updates%20the%20rule%20with%20an%20alphabetical%20split%20balance%20of%20Domains.%26nbsp%3B%3CBR%20%2F%3EIt%20needs%20to%20be%20fleshed%20out%20a%20bit%2C%20but%20I%20felt%20it'd%20be%20a%20great%20starting%20point%2C%20and%20as%20is%2C%20could%20easily%20be%20slipped%20into%20An%20Azure%20automation%20for%20regular%20updating.%26nbsp%3B%3C%2FP%3E%3CP%3EA%20bit%20of%20documentation%20%3A%3C%2FP%3E%3CP%3EDesigned%20to%20be%20utilized%20with%20either%20Azure%20automation%2C%20or%20in%20a%20powershell%20ISE%20session%20after%20'connect-exchangeonline'%20is%20run.%3CBR%20%2F%3EFiltering%20is%20done%20in%202%20parts%2C%20the%20query%20that%20builds%20'TRACECURRENT'%2C%20and%20the%20function%20'TRACE-DETAILS'%3C%2FP%3E%3CP%3EI%20suggest%20editing%20the%20where-object%20in%20TRACECURRENT%20with%20common%20typo's%20seen%20in%20your%20org%2C%20or%20other%20things%20you%20may%20know%20you%20don't%20care%20about..%20automation%20that%20cant%20handle%20responses%2C%20etc.%3CBR%20%2F%3EThe%20filtering%20in%20Trace%20Details%20drops%20data%20from%20the%20message%20detail%20that%20either%20slipped%20through%2C%20or%20is%20from%20a%20trace%20response%20that%20isn't%20pertinent.%3C%2FP%3E%3CP%3EDates%20pertinent%3A%20Depending%20on%20your%20use%20case%2C%26nbsp%3B%20the%20start%20date%20%26amp%3B%20end%20date%20in%20'TRACECURRENT'%20can%20be%20adjusted%2C%20Both%20are%20required%20by%20the%20'get-messagetrace'%20commandlet%2C%20Feel%20free%20to%20adjust%20your%20usage%2C%20as%20you%20need.%3C%2FP%3E%3CP%3E*An%20automated%20process%20for%20managing%20the%20dates%20will%20likely%20have%20to%20be%20added%20if%20you%20utilize%20Azure%20automation.%3CBR%20%2F%3E*This%20requires%20message%20transport%20rules%20be%20created%20following%20Mike%20Parker's%20guide%2C%20but%20must%20input%20your%20Rule%20names%20into%20the%20script%20attached.%3C%2FP%3E%3CP%3E**Final%20note%3A%20there%20are%20comments%20in%20the%20script%20that%20rules%20can%20sustain%20around%20189%20domains.%20The%20exact%20capacity%20of%20Exchange%20online%20rules%20as%20of%20this%20writing%2C%20is%20'8%20KB'.%26nbsp%3B%20The%20current%20byte%2Fbit%20usage%20of%20a%20Rule%20is%20unattainable%20at%20this%20time%2C%20except%20by%20maxing%20it%20out%20when%20you%20try%20a%20'set-transportrule'.%20THis%20is%20a%20known%20issue%2C%20and%20if%20anyone%20on%20the%20product%20team%20reads%20this%2C%20let%20me%20know%20if%20you%20can%20fix%2C%20or%20provide%20a%20proper%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENo%20warranty%20implied%2C%20utilize%20the%20attached%20code%20at%20your%20own%20risk*%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1133382%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Contributor

Hello, I am writing this as an addendum sort of to Mike Parker's relatively usefull guide for Forcing OME by domain.( https://practical365.com/exchange-online/automatically-encrypting-exchange-online-emails-with-office...)

In some cases, you may be asked to force OME on anything that isn't TLS encrypted, and I enhanced Mikes process by building out a script that scrapes exchange online Trace results for messages to domains that are held up, collects them, compares them to the domains in existing 2 rules, and then updates the rule with an alphabetical split balance of Domains. 
It needs to be fleshed out a bit, but I felt it'd be a great starting point, and as is, could easily be slipped into An Azure automation for regular updating. 

A bit of documentation :

Designed to be utilized with either Azure automation, or in a powershell ISE session after 'connect-exchangeonline' is run.
Filtering is done in 2 parts, the query that builds 'TRACECURRENT', and the function 'TRACE-DETAILS'

I suggest editing the where-object in TRACECURRENT with common typo's seen in your org, or other things you may know you don't care about.. automation that cant handle responses, etc.
The filtering in Trace Details drops data from the message detail that either slipped through, or is from a trace response that isn't pertinent.

Dates pertinent: Depending on your use case,  the start date & end date in 'TRACECURRENT' can be adjusted, Both are required by the 'get-messagetrace' commandlet, Feel free to adjust your usage, as you need.

*An automated process for managing the dates will likely have to be added if you utilize Azure automation.
*This requires message transport rules be created following Mike Parker's guide, but must input your Rule names into the script attached.

**Final note: there are comments in the script that rules can sustain around 189 domains. The exact capacity of Exchange online rules as of this writing, is '8 KB'.  The current byte/bit usage of a Rule is unattainable at this time, except by maxing it out when you try a 'set-transportrule'. THis is a known issue, and if anyone on the product team reads this, let me know if you can fix, or provide a proper solution.

 

No warranty implied, utilize the attached code at your own risk*

0 Replies