Dear Microsoft 365 Friends,

This example is about using OME (Office Message Encryption) with a custom template. Whenever an email is sent to a specific domain (outlook.com in my example), the email should be encrypted and equipped with the custom template. The recipient can then decrypt the content with an OTP (one-time pass code).

To work with Advanced Office 365 Message Encryption you need the right licenses. You can find this information in the following link:
https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-advanced-message-encryption?view=o365-...

We start our configuration in PowerShell. With the PowerShell we can create a new template, but only with the appropriate permissions. For example, to work with New-OMEConfiguration we need the necessary permission. I will show you later how to determine which permissions are needed to run a specific cmdlet. For this demo I used the "Organization Management" Role Group. This is certainly not ideal but absolutely fine for this demo.

The necessary permissions can be configured in the Microsoft 365 Defender portal.
https://security.microsoft.com/

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish.
Please start with the following steps to begin the deployment (the Hashtags are comments): Note: In the following template I create, I make only a few adjustments. Of course you can also work with a logo, specify different text, etc.

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE.
Set-Location C:\
Clear-Host

#Install the module
Install-Module -Name ExchangeOnlineManagement -AllowClobber -Force -Verbose

#Sometimes the module must be imported
Import-Module ExchangeOnlineManagement

#Connect to exchange
Connect-ExchangeOnline -UserPrincipalName tom@tomrocks.ch

#Did it work
Get-EXOMailbox

#Get the OME branding template
$ome = Get-OMEConfiguration | fl *

#All the settings
$ome

#Check the cmdlets
Get-Command -Name *OME*

#Find the permissions required to run a cmdlet
Get-ManagementRoleEntry -Identity *\New-OMEConfiguration | ft -AutoSize

#Create an OME branding template
New-OMEConfiguration -Identity "Outlook.com"

#Background color (blue)
Set-OMEConfiguration -Identity "Outlook.com" -BackgroundColor "#0000ff"

#Text next to the sender's name and email address
Set-OMEConfiguration -Identity "Outlook.com" -IntroductionText "has sent you a secure message."

#To disable authentication with Microsoft, Google, or Yahoo identities for this custom template
Set-OMEConfiguration -Identity "Outlook.com" -SocialIdSignIn $false

#To enable authentication with a one-time pass code for this custom template
Set-OMEConfiguration -Identity "Outlook.com" -OTPEnabled $true

#Optional set expiry days
Set-OMEConfiguration -Identity "Outlook.com" -ExternalMailExpiryInDays 7

#For more Infos check:
https://docs.microsoft.com/en-us/microsoft-365/compliance/add-your-organization-brand-to-encrypted-m...

#Check the details
$customome = Get-OMEConfiguration -Identity "Outlook.com" | fl *

#All the settings
$customome

So the template is created. Now we need to set up a new mail flow rule in Exchange Online. So that when an email is sent to a specific domain (outlook.com in my example), the email is encrypted and our template is used. Please navigate to Exchange Online.
https://admin.exchange.microsoft.com/

Now we test if it works. In Outlook we create an email and send it to an @outlook.com email address.

The email has arrived and looks like this. As we can see our template has been used, among other things we can see the custom text we added with PowerShell.

I hope this article was helpful for you? Thank you for taking the time to read this article.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler