Resolve Microsoft Purview Message Encryption Issues

By Ashwin Venugopal -

 




Symptoms

User in your organization experience one or more of the following issues:
  1. They can't open encrypted email messages in Microsoft Outlook or Outlook on the web.
  2. They can't send encrypted email messages.
  3. The Encrypt button is missing in both Outlook and Outlook on the web. 

Cause

These issues can occur due to several reasons, such as:
  • Your organization's Microsoft 365 subscription doesn't support Microsoft Purview Message Encryption. 

  • The tenant used by your organization is misconfigured.

  • The account that's used by the affected users to sign in to Outlook or Outlook on the web isn't assigned a valid license to use the Microsoft Purview Message Encryption (Office 365 Message Encryption) feature. 

Resolution

To resolve the issues, follow these steps in the given order:

Step 1: Run the diagnostic for Microsoft Purview Message encryption

  1. Select the "Run Tests: Microsoft Purview Message Encryption" button to open the diagnostic in the Microsoft 365 admin center.
  2. Select Run Tests. 

If this didn't help in resolving your issues then go to step 2.

Step 2: Verify the Microsoft 365 Subscription

In order to utilize Microsoft Purview Message Encryption, your organization needs to have a subscription that includes this feature.

Step 3: Verify the tenant configuration

  • Use Exchange Online PowerShell to verify that your tenant is configured correctly for Microsoft Purview Message Encryption.

  • Run the following cmdlet to check whether Information Rights Management (IRM) features are enabled in Outlook on the web-

Get-OwaMailboxPolicy | FL *IRMEnabled*

If the value of IRMEnabled is false then use the following cmdlet-

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -IRMEnabled $true

  • If the Encrypt button is missing in Outlook on the web, run the following cmdlet-

Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

Step 4: Verify the affected users' account licenses

Users who are impacted need to ensure that the account they use to log in to Outlook or Outlook on the web has the correct license to utilize the Microsoft Purview Message Encryption feature. 

Step 5: Verify connection to the Azure Rights Management service 

The output of PowerShell command should show that the issuing Certificate Authority (CA) is a Microsoft CA. If you see a CA that is not from Microsoft, your secure client-to-service connection was probably terminated and has to be reconfigured on your firewall. 

Step 6: Check for sensitivity labels

When sensitivity labels are used on email messages, It is essential to assign permissions accurately so that recipients are able to access the messages. 

Should the problem continue after following all the above steps, reach out to Microsoft Support for additional assistance. 

More Information

  • If members of your organization encounter problems when sending or receiving encrypted messages with individuals outside of your organization, review the Conditional Access policies and guest account setup in both organizations. 

  • Individuals can access encrypted email messages directed to a shared mailbox. For messages originating from within the same organization, users can view them while logged into a compatible Outlook client. However, if message comes from an outside organization, users are required to utilize Outlook on the web. 

Conclusion

The issue regarding Microsoft Purview Message Encryption is resolved. 



















Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can...
Read more