External recipient can't open encrypted email

By Ashwin Venugopal -

 







Symptoms

A member of your Microsoft Exchange organization sends an encrypted email to an outside recipient who attempts to access it using their Microsoft Outlook desktop application. However, the recipient either:
  • Can't open the encrypted message.
  • Receives a message that has a "Read message" link in the message body. 

Cause

The symptoms can occur for either of the following reasons:
  • To open an email message encrypted with Microsoft Purview Message Encryption, the recipient's Outlook desktop application needs to connect to the Azure Information Protection (AIP) endpoint associated with your Exchange Online tenant.  However, the Outlook desktop client might not connect to AIP endpoint if either of the following conditions are true:

  • An outward-facing Conditional Access (CA) policy in the tenant utilized by the sender prevents access to the endpoint. 

  • The Multifactor Authentication (MFA) policy implemented in the tenant utilized by the sender provides an additional security measure that prevents access to the endpoint. 

  • The sender used a sensitivity label to encrypt the content, but this label also imposes additional access restrictions. For example, the label limits accessibility to internal recipients only.

Resolution

  • If a policy from an external-facing CA in tenant utilized by the sender restricts access to the AIP from the list of cloud applications that the policy restricts. 

  • If the sender applied the sensitivity label to encrypt the content, they should review the label for any additional access limitations. 

Workarounds

  • If the tenant's external-facing CA policy used by the sender prohibits external users but permits guest users to access the AIP endpoint, then add the external recipient as a guest user. 

  • If a multifactor authentication policy in the tenant utilized by the sender introduces an additional security measure that prevents access to the AIP endpoint, the external recipient must either-

    • Access the encrypted message using Outlook on the web, or via Outlook for Android or iOS. These applications manage decryption within the service itself and do not necessitate access to the AIP endpoint.

    • Remove the recipient (as well as potentially all guests and external users) from your organization's MFA policy. MFA settings can be adjusted in Microsoft Entra Identity Protection and in Conditional Access polices. 

     Conclusion

The issue that the external recipient can't open encrypted email is resolved. 








































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can...
Read more