
Outlook - Protect (Encrypt) vs Sensitivity Label (Legacy Azure Rights Management vs Purview Sensitivity Labels)

Anonymous
2025-04-11T22:03:55+00:00

After Azure Rights Management was migrated to Purview, I'm noticing we have some old "Protection" related Encrypt policies showing up in Outlook.

In the screenshot below, where are these encrypt options coming from? Back in 2021, we migrated our sensitivity labels, etc. to an AIP policy within Purview. But as I was looking at the "Encrypt" settings on a new e-mail message, these last four are some type of Azure Rights Management policies that were created by an employee. One of them has the employee's name next to the policy.

I can't see these in Purview's Information Protection area. Any idea how I can delete these? I assume they're the old legacy Azure Rights Management encrypt templates(?).

Microsoft 365 and Office | Install, redeem, activate | For business | Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


Answer accepted by question author

  1. Anonymous
    2025-04-14T17:33:19+00:00

    Dear James,

    The old "Encrypt" policies you're seeing in Outlook are likely legacy Azure Rights Management (Azure RMS) templates that weren't fully deprecated during your migration to Microsoft Purview. These templates are separate from Purview's sensitivity labels and must be managed in the Azure portal. Here's how to resolve this:

    1. Check for Legacy Templates:
      - Under Protection templates, look for the old policies (e.g., "Encrypt" options with employee names). These may still be Active or Archived.
      - If templates were created by users (e.g., "Employee's Policy [Name]"), they might be custom templates created via PowerShell or older AIP clients.

    2. Delete/Deactivate Templates:
      - Deactivate or Delete any unwanted templates. Note:
        - Archived templates can be reactivated, so deletion is recommended if no longer needed.
        - Default Microsoft templates (e.g., "Confidential" or "Do Not Forward") cannot be deleted but can be archived.

    3. Verify via PowerShell (If Templates Don’t Appear in UI):
      If templates aren’t visible in the Azure portal, use the AIPService PowerShell module:

    Connect-AipService                                    # Authenticate with Global Admin credentials
    Get-AipServiceTemplate                                # List all templates
    Remove-AipServiceTemplate -TemplateId "<TemplateId>"  # Delete a template

    Also, if the issue persists, I would recommend you raise a support case with Microsoft Entra; a Support Engineer will be able to look into this issue and assist you better. You can raise a support ticket from New support request - Microsoft Entra admin center.

    Best regards,

    HungLa - MSFT | Microsoft Community Support Specialist


    1 person found this answer helpful.

2 additional answers

  1. Anonymous
    2025-04-15T17:39:10+00:00

    Thank you HungLa,

    The AIPService PowerShell cmdlets do the job well. The RMS URL https://account.activedirectory.windowsazure.com/RmsOnline/Manage.aspx is no longer accessible; however, the AIPService cmdlets work great! I am able to see a bunch of templates that were created, and can get rid of most if not all, since "Do Not Reply" and "Encrypt" are the default ones and can't be removed anyway.

  2. Anonymous
    2025-04-14T13:12:58+00:00

    I ended up finding the correct PowerShell cmdlets. AipService.

    Get-AipServiceTemplate and Remove-AipServiceTemplate.

    And then the Outlook Template Store needed to be cleared by deleting the mip directory here: %LOCALAPPDATA%\Microsoft\Outlook\MIPSDK\mip

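
The cleanup described in the answers above (list the templates, delete the unwanted ones, clear Outlook's cached template store), as an added example that is not part of the original thread. The parameter names `$TemplateIdsToRemove`, `$BackupDir` and `-Apply`, and the all-zero GUID, are hypothetical placeholders; the script also backs each template up with `Export-AipServiceTemplate` before removal, a step the thread does not mention.

```powershell
# Added example, not code from the thread. Assumes the AIPService module is
# installed and the signed-in account is allowed to manage protection templates.
param(
    # Hypothetical placeholder: replace with TemplateId values from the inventory.
    [string[]]$TemplateIdsToRemove = @('00000000-0000-0000-0000-000000000000'),
    [string]$BackupDir = "$env:USERPROFILE\AipTemplateBackup",   # hypothetical path
    [switch]$Apply   # without -Apply the script only reports what it would do
)

Import-Module AIPService
Connect-AipService | Out-Null

try {
    # 1. Inventory: review this output and pick the legacy templates by TemplateId.
    $all = Get-AipServiceTemplate
    $all | Format-List *

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    foreach ($id in $TemplateIdsToRemove) {
        if (-not ($all | Where-Object { [string]$_.TemplateId -eq $id })) {
            Write-Warning "Template $id not found in this tenant; skipping."
            continue
        }
        # 2. Keep a copy of the template definition before it is deleted.
        $backup = Join-Path $BackupDir "$id.xml"
        Export-AipServiceTemplate -TemplateId $id -Path $backup -Force
        if ($Apply) {
            Remove-AipServiceTemplate -TemplateId $id
            Write-Host "Removed $id (backup: $backup)"
        } else {
            Write-Host "Would remove $id (backup: $backup). Re-run with -Apply."
        }
    }
}
finally {
    Disconnect-AipService | Out-Null
}

# 3. Run on each affected workstation with Outlook closed: clear the cached
#    template store (path taken from the thread) so the deleted templates
#    stop appearing under Encrypt.
$mipCache = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook\MIPSDK\mip'
$outlookRunning = Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue
if ($Apply -and -not $outlookRunning -and (Test-Path $mipCache)) {
    Remove-Item -Path $mipCache -Recurse -Force
}
```

Steps 1 and 2 act on the tenant and only need to run once; step 3 is per user profile, so in practice it runs separately on each client that still shows the old entries.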