Category: Exchange Online

No RMS templates are available in your organization

No RMS templates are available in your organization

Problem:

When configuring a transport rule for ‘Apply Office 365 Message Encryption and rights protection to the message with…” you receive the following error when attempting to select a label:

“No RMS templates are available in your organization”

No RMS Templates

Solution:

You need to configure Exchange Online for RMS. See below for powershell commands:

#Configure Credentials
$cred = Get-Credential

# Configure Exchange Online PS Session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic –AllowRedirection

# Import Exchange Online PS Session
Import-PSSession $Session

# Configure the RMS Online Key Sharing Location (Note that this url changes based on location – See the bottom of this article for locations)
Set-IRMConfiguration –RMSOnlineKeySharingLocation “https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc”

# Import the RMS Trusted Publishing Domain
Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

# Test the IRM Configuration to ensure that Exchange is configured correctly
Test-IRMConfiguration -RMSOnline

The output of this command should look something like this, with the overall result as PASS.
Results : Checking organization context …

– PASS: Organization context checked; running as tenant administrator.
Loading IRM configuration …
– PASS: IRM configuration loaded successfully.
Checking RMS Online tenant prerequisites …
– PASS: RMS Online tenant prerequisites passed.
Checking RMS Online authentication certificate …
– PASS: The RMS Online authentication certificate is valid.
Checking that a Trusted Publishing Domain can be obtained from RMS Online …
– PASS: Trusted Publishing Domain successfully obtained from RMS Online. Templates available:
Confidential \ All Employees, Highly Confidential \ All Employees, Secure Email.
Checking that the Trusted Publishing Domain obtained from RMS Online is valid …
– PASS: Trusted Publishing Domain obtained from RMS Online is valid.

OVERALL RESULT: PASS

# Set the IRM Internal Licencing to True
Set-IRMConfiguration -InternalLicensingEnabled $true

Give Exchange Online 20 minutes to see the update and you should then be able to see the Templates.

Global policy issue:

Currently there is a bug with Exchange Online not being able to see labels that are NOT included in the ‘Global’ Azure Information Protection Policy. This is being investigated by Microsoft at the time of writing this article.

 

RMS Key Sharing Location URLs:

North America
https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

European Union
https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

Asia
https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

South America
https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc

Office 365 for Government (Government Community Cloud)
https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

How to Disable Office365 Integrated Apps for all Tenants (Powershell)

How to Disable Office365 Integrated Apps for all Tenants (Powershell)

Disable integrated Apps

What is it?

This very simple Powershell script is aimed at MSPs and Microsoft Partners that manage their clients Office365 environments. It will disable the ‘UsersPermissionToUserConsentToAppEnabled’ option within the clients Tenancy so that they are unable to give permission for third party Apps to access their Office365 Accounts.

Why would you want to do this?

It has been suggested that the next large ransomware attack may target cloud environments like Microsoft Office365. One of the ways that this could be accomplished is by end users granting permission for third party apps to access their Office365 accounts. For more information, see the link below.

Spiceworks – Cloud Ransomware

One of the ways of protecting against this is to disable the end users ability to grant permission to the third party apps in the first place. This is what the script does within Office365.

Things to consider:

 The Script is designed for Office365 Admins who manage a reasonable number of Office365 Tenancies. Using the script will mean that the setting doesn’t need to be applied manually per tenant.

– The Script requires you to be an Office365 Administrator with Delegation permissions over your clients environments

– You may want to check with your clients to make sure that they don’t need this feature.

– The script will presume that you have the correct execution policy configured.

– For those of you with fewer clients you can set this via the Office 365 Admin Center > Settings > Services & Add-ins > Integrated Apps (Refer to picture at the top of the page)

– I take no responsibility or liability for any unforeseen effects of the script. It is suggested that you read through any Powershell script before executing it.

The Script:

#Show Prompt to user
[System.Windows.MessageBox]::Show('This Script will Disable the "UsersPermissionToUserConsentToAppEnabled" option for each Tenant linked to your Partner Account. Click OK to continue')
#Connect to Office365 Partner Tenancy
$Cred = Get-Credential
Connect-MsolService -Credential $Cred
#Get list of Tennant ID's
$Tenant = Get-MsolPartnerContract
foreach ($ID in $Tenant) {Set-MsolCompanySettings -TenantId $ID.TenantID -UsersPermissionToUserConsentToAppEnabled $False
Get-MsolCompanyInformation -TenantId $ID.TenantId | Select DisplayName, UsersPermissionToUserConsentToAppEnabled}

Powershell Script Download:

Disable-UsersPermissionToUserConsentToAppEnabled (Partner)

PowerShell Script to connect to Microsoft Online Services (Office365)

PowerShell Script to connect to Microsoft Online Services (Office365)

Below is a simple PowerShell Script to connect to the following Microsoft Online Services:

Office365 Admin Center
Exchange Online
Sharepoint Online
Skype for Business
Security and Compliance Center

The Script has a simple Menu build in so that you can connect to the services that you need. You’re prompted for your Office365 Credentials prior to being put into the menu. Once you’re done connecting to the services, you can quit the menu (via option 6/Q) and use PowerShell as normal.

You can Dowload the script as a ZIP file from here:
Connect to all Microsoft Online Services

The Script will not set your execution policy. It’s presumed that you have the correct execution policy setup already.

Screenshot of the Simple Menu:

Connect to Office365

The Script:

Write-Host "Please Type in your Office365 Global Admin Credentials"
$cred = Get-Credential

function Show-Menu
{
param (
[string]$Title = 'Which Microsoft Online Service would you like to connect to?'
)
cls
Write-Host "================ $Title ================"

Write-Host "1: Type '1' to connect to Exchange Online."
Write-Host "2: Type '2' to connect to the Office365 Admin Center"
Write-Host "3: Type '3' to connect to Sharepoint Online."
Write-Host "4: Type '4' to connect to the Security and Compliance Center."
Write-Host "5: Type '5' to connect to Skype for Business Online"
Write-Host "Q: Press 'Q' to quit, or when you have connected to all required services."
}
do
{
Show-Menu
$input = Read-Host "Please make a selection"
switch ($input)
{
'1' {
cls
$session1 = New-Pssession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Authentication Basic -AllowRedirection -Credential $cred
Import-PSSession $session1
} '2' {
cls
$session2 = Connect-MsolService -Credential $cred
$session2
} '3'
{
cls
$orgName= Read-Host "What is the tennant Name?"
$session3 = Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $cred
$session3
} '4'
{
cls
$session4 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Authentication Basic -AllowRedirection -Credential $cred
Import-PSSession $session4
} '5'
{
cls
$session5 = New-CsOnlineSession -Credential $cred
Import-PSSession $session5
} 'q' {
return
}
}
pause
}
until ($input -eq 'q')