Blogs by Ashwin

  Symptoms To categorize and safeguard user documents and emails within your company, you have set up sensitivity labels in the Microsoft Purview platform. The sensitivity labels are absent or the Sensitivity button is unavailable when your users attempt to apply them in Outlook, Outlook on the web, or other Office applications.  For issues related to sensitivity labels, run an automated diagnostic for sensitivity labels in the Microsoft 365 admin center. It analyzes the sensitivity labels, identifies any issues, and provides resolutions.  Run the Diagnostic For Sensitivity Labels Choose the Run Tests: Sensitivity Labels button to open the diagnostic in the Microsoft 365 admin center. Enter Label name and User Principal Name (UPN) or email address of the user.  Select Run Tests. Outlook This issue occurs for one of the following reasons: The user account that's signed in to Outlook isn't a Microsoft 365 subscriber. The security labels aren't published in the Microsof...

Symptoms External users who are mail contacts in a Microsoft 365 group report that they have no access, or only intermittent access, to encrypted content.  Cause This known issue affects mail contacts in groups that have usage rights to content that's encrypted by Microsoft Purview Information Protection.  Note- Encryption is commonly applied by using sensitivity labels that are created and published from the Microsoft Purview portal.  Workaround Use the following steps to workaround the issue: Identify all group members that are mail contacts. For each external user that's identified as a mail contact in the affected group, select one of the following options-  Convert to a guest- Add the external user to the group as a guest. Grant direct permissions- Directly grant the external user permissions on the encrypted content rather than through group membership.         3. Remove the mail contacts from the group.  Conclusion The issue regarding ...

  Symptoms You apply one of the following options to an email message by using a sensitivity label or email encryption in Outlook: Do Not Forward Encrypt-Only  When you try to send this encrypted email message to many recipients, you receive the following error message: Too many users have been granted access to this protected content. Reduce the number of users or replace users with user groups, and try again.  Note: The number of recipients that causes this error varies, depending on both the number of recipients and the length of each recipient's email address. For typical email addresses, this error usually occurs if hundreds of email addresses are added to the message. Only the number of email addresses that are individually added to the recipient list causes this error. Cause This problem arises from the size restriction of the protection policy applied to the email. In Microsoft Purview Information Protection, this rigid size cap is set at 4 MB. The protection poli...

  Issues That Affect PST Import Jobs When utilizing the Import service in the Security & Compliance Center to bring PST files into user mailboxes within your organization, the final step in your process is to initiate the import job you have created. During the execution of the import process, you may encounter problems, including sluggish performance or the failure of the job.  Import Job is Stuck Or Running Slowly The Microsoft 365 Import service typically ingests PST files into mailboxes at a rate of around 24 GB daily. While this rate is common, it cannot be assured since the Import service operates within a shared environment that accommodates multiple tenants.  Note- You should use the Import Service UI in Microsoft 365 to create new Import jobs. Using PowerShell for this task isn't supported.  If your import process is slow or seems to be halted, the PST file may exceed the recommended maximum size of 20 GB. For the ongoing job, anticipate delays if the si...

  Symptoms When utilizing the Microsoft 365 Import Service in the Security & Compliance Center to import PST files via network or drive shipping, you might encounter an error message.  Cause This problem arises when there are items that share the same user principle name (UPN) or Simple Mail Transfer Protocol (SMTP) address in Exchange Online.  Workaround To work around this issue, run the following commands to see whether the objects are recipients or soft-deleted users: Get-Recipient <SMTP_ADDRESS> Get-Mailbox <SMTP_ADDRESS> -SoftDeleteMailbox Get-MailUser <SMTP_ADDRESS> -SoftDeleteMailuser  After you find the user, you can use the Exchange GUID as the target mailbox in mapping the CSV file.  Conclusion The issue related to PST import service is resolved.

  Symptoms User in your organization experience one or more of the following issues: They can't open encrypted email messages in Microsoft Outlook or Outlook on the web. They can't send encrypted email messages. The Encrypt button is missing in both Outlook and Outlook on the web.  Cause These issues can occur due to several reasons, such as: Your organization's Microsoft 365 subscription doesn't support Microsoft Purview Message Encryption.  The tenant used by your organization is misconfigured. The account that's used by the affected users to sign in to Outlook or Outlook on the web isn't assigned a valid license to use the Microsoft Purview Message Encryption (Office 365 Message Encryption) feature.  Resolution To resolve the issues, follow these steps in the given order: Step 1: Run the diagnostic for Microsoft Purview Message encryption Select the "Run Tests: Microsoft Purview Message Encryption" button to open the diagnostic in the Microsoft 365 ...

  Symptoms A member of your Microsoft Exchange organization sends an encrypted email to an outside recipient who attempts to access it using their Microsoft Outlook desktop application. However, the recipient either: Can't open the encrypted message. Receives a message that has a "Read message" link in the message body.  Cause The symptoms can occur for either of the following reasons: To open an email message encrypted with Microsoft Purview Message Encryption, the recipient's Outlook desktop application needs to connect to the Azure Information Protection (AIP) endpoint associated with your Exchange Online tenant.  However, the Outlook desktop client might not connect to AIP endpoint if either of the following conditions are true: An outward-facing Conditional Access (CA) policy in the tenant utilized by the sender prevents access to the endpoint.  The Multifactor Authentication (MFA) policy implemented in the tenant utilized by the sender provides an additional se...

  Problem When a user of Microsoft Exchange Online attempts to open a message encrypted with Microsoft Purview Message Encryption in Outlook Web App, they receive the error message: We cannot display your message at this moment. This problem happens even when user is capable of sending encrypted messages using Outlook Web App.  Cause This issue arises due to alterations in the MIME types linked to the default Outlook Web App policy, resulting in the removal or modification of the text/html MIME type.  Solution To address this issue, restore the MIME types linked to the default Outlook Web App policy to their original settings. To achieve this, follow these steps: Connect to Exchange Online via Remote PowerShell. Run the following commands: $owapolicy = Get -OwaMailboxPolicy Set -OwaMailboxPolicy -AllowedMimeTypes @{remove = "text/html"} -BlockedMimeTypes @{remove = "text/html"} -ForcedSaveMimeTypes @{add = "text/html"} -Identity $owapolicy.Identity Conclus...

  Error: Settings Not Found Symptoms While checking the details pane for a retention policy in the Microsoft Purview portal, an error message appear, "Settings not found."  Cause The retention policy has no retention rules. Resolution To resolve this issue, use either of the following methods. Method 1: Use the Microsoft Purview Portal In the Microsoft Purview portal, search for the policy on the following tabs-  Data Lifecycle Management > Microsoft 365 > Retention policies Data Lifecycle Management > Microsoft 365 > Label policies Records Management > Label policies  Select the policy, and then select Edit. In Retention settings, add rules to the retention policy. Method 2: Use PowerShell Connect to Security & Compliance PowerShell. Use the applicable cmdlet for the workload to add rules to the retention policy.   Use the New-RetentionComplianceRule cmdlet for policies that target- Microsoft Exchange Online email Microsoft SharePoint si...

  Common Causes: There are several reasons why MRM might not process a mailbox as expected. For example-  Retention hold is applied to the mailbox . In other words, the mailbox's RetentionHoldEnabled fieldis set to True. For instance, the PST Import service is used to transfer the mailbox.  The ElcProcessingDisabled attribute of the mailbox is configured to True. This configuration stops the MFA from processing the mailbox completely. The mailbox has been applied retention tag, but that tag is presently disabled. As a result, messages in the mailbox will not be achieved or removed at any time. The mailbox awaiting processing is sizeable and holds numerous items. This may result in MFA archiving or removing content at a reduced speed.  The retention policy assigned to the mailbox consists solely of personal tags. If the user fails to apply these tags manually, MRM may not manage the mailbox.  Troubleshooting Check the RetentionHoldEnabled Property of the Mailbox ...

  Introduction Mistakes in policy can happen during  during the synchronization and distribution phases in Microsoft Purview. This step is essential for enforcing policies. The method of enforcement varies based on the specific type of policy: For retention policies, the system creates rules to enforce policy settings, such as retain and delete behaviors. For published label policies, enforcement means that the system makes published labels available for use in user-defined locations. Users can then manually apply the published labels. For autoapply label policies, enforcement means that the system applies labels to content according to user-defined criteria.  Policy errors can occur in both static and adaptive scope policies.  How to Check Policy Errors? Method 1: Use the Microsoft Purview Portal In the Microsoft Purview Portal-  Navigate to Data Lifecycle Management > Microsoft 365. For every policy listed under the Retention policies tabs, click on the pol...

  Symptoms During the use of Disposition tab in Microsoft Purview Records Management in the Microsoft Purview portal to manage disposition reviews, the following message may occur: The remote server returned an error: (401) Rbac check failed. Cause This error happens when you lack the necessary permissions for disposition reviews, causing the Role-Based Access Control verification to fail. Permissions within the Microsoft Purview portal are determined by the RBAC permissions framework. Resolution Confirm that the error is a result of the RBAC check failing. Replicate the problem and collect the relevant network activity logs from Microsoft Edge. Next, review the network logs for the presence of the RBAC "401" error message. If the error message is present, ensure that you or your associated group holds membership in one of the following role groups: Content Explorer Content Viewer Content Explorer List Viewer Microsoft Purview Records Management with the Disposition Managemen...

  Symptoms Using a query that contains particular words, phrases, or values of searchable characteristics, you can set up an auto-reply retention label. But in your company, the label does not automatically apply to the items in a user's email.  Cause This issue may occur for one or both of the following reasons: The user applied a personal tag to the items that should be auto-labeled or to folders that contain the items that should be auto-labeled.  A Message Records Management (MRM) policy applied a retention policy tag to folders that contain the items to be auto-labeled.  Resolution If the user has assigned a personal tag to either the items or the folders  housing those items, eliminate the personal tag. However, if a retention policy tag form an MRM policy has been applied to the folders containing the items, discontinue the retention policy tag associated with the MRM retention policy.  Conclusion The issues related to auto-apply retention label are ...