IRM Configuration Error

Kak Tak 11 Reputation points
2021-01-22T10:51:14.247+00:00

Hi,

We have an issue with our IRM in Office 365. AADRM is enabled and verified, and the IRM config looks like this:

InternalLicensingEnabled                   : True
ExternalLicensingEnabled                   : True
AzureRMSLicensingEnabled                   : True
TransportDecryptionSetting                 : Optional
JournalReportDecryptionEnabled             : True
SimplifiedClientAccessEnabled              : True
ClientAccessServerEnabled                  : True
SearchEnabled                              : True
EDiscoverySuperUserEnabled                 : True
DecryptAttachmentFromPortal                : False
DecryptAttachmentForEncryptOnly            : False
SystemCleanupPeriod                        : 0
SimplifiedClientAccessEncryptOnlyDisabled  : False
SimplifiedClientAccessDoNotForwardDisabled : False
EnablePdfEncryption                        : False
AutomaticServiceUpdateEnabled              : True
RMSOnlineKeySharingLocation                : https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
RMSOnlineVersion                           :
ServiceLocation                            :
PublishingLocation                         :
LicensingLocation                          : {https://5dbe8214-3450-4564-9b7c-012d04a7e5a2.rms.eu.aadrm.com/_wmcs/licensing}

Publishing location is missing which results in this error:

Results : Acquiring RMS Templates ...
               - PASS: RMS Templates acquired.  Templates available: Highly Confidential \ All Employees, Confidential \ All Employees, Kryptera, Vidarebefordra inte.
           Verifying encryption ...
               - FAIL: Failed to verify encryption.
           ----------------------------------------
           Microsoft.Exchange.Data.RightsManagement.RmException: Failed to get publishing license. FailureCode:UnknownFailure. Recoverable:False. ---> Microsoft.Exchange.Data.RightsManagement.RmException: LicenseInformation Owner is empty. FailureCode:UnknownFailure. Recoverable:False.
              at Microsoft.Exchange.Data.RightsManagement.MSIPC.MsipcClientV2.GetEncryptionHandle(IRmEncryptionContext context, EncryptionAlgorithm algo)
              --- End of inner exception stack trace ---
              at Microsoft.Exchange.Data.RightsManagement.MSIPC.MsipcClientV2.GetEncryptionHandle(IRmEncryptionContext context, EncryptionAlgorithm algo)
              at Microsoft.Exchange.Data.RightsManagement.MSIPC.MsipcClientV2.InternalPrepareForEncryption(IRmEncryptionContext encryptionContext)
              at Microsoft.Exchange.Data.RightsManagement.MSIPC.MsipcClientV2.PrepareForEncryption(IRmEncryptionContext encryptionContext, Nullable`1 timeout)
              at Microsoft.Exchange.Management.RightsManagement.RMSValidator.ValidateEncryption(Stream& encryptedStream)
           ----------------------------------------

           OVERALL RESULT: FAIL

I tried to google it, but nothing gives the answer. The test config by sender passes:

Results : Acquiring RMS Templates ...
- PASS: RMS Templates acquired. Templates available: Highly Confidential \ All Employees, Confidential \ All Employees, Kryptera, Vidarebefordra inte.
Verifying encryption ...
- PASS: Encryption verified successfully.
Verifying decryption ...
- PASS: Decryption verified successfully.
Verifying IRM is enabled ...
- PASS: IRM verified successfully.

       OVERALL RESULT: PASS

Please help..


2 answers

  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2021-01-22T14:33:09.763+00:00

    How long ago did you enable it? It might simply be a replication issue. If more than a day has passed, you can try manually "refreshing" it by running the cmdlets listed in this thread: https://techcommunity.microsoft.com/t5/azure/email-encryption-in-office-365-with-azure/m-p/142164


  2. Lucas Liu-MSFT 6,191 Reputation points
    2021-01-25T06:39:45.747+00:00

    Hi @Kak Tak ,
    Can the mail encryption function in your organization work normally?
    According to my test and research, I think the output you provided is normal. According to the official Microsoft article, to test that IRM is configured successfully in Exchange Online, you can run the first command below. Previously, we could also run the second command to verify. But according to my test, the 'RMSOnline' parameter has been deprecated.

    Test-IRMConfiguration -Sender <user email address>
    Test-IRMConfiguration -RMSOnline
    

    For more information: Microsoft 365: Configuration for online services to use the Azure Rights Management service

    About the “Publishing location” parameters: by default, information such as the RMS publishing locations is not displayed. The following screenshot shows the default settings in my lab environment. If you want these parameters to be displayed, please run the following commands. In addition, according to my test results, whether these parameter values are displayed will not affect the application in your actual environment.

    Set-IRMConfiguration -InternalLicensingEnabled $false   # 1) turn licensing off (two separate commands)
    Set-IRMConfiguration -AzureRMSLicensingEnabled $false
    Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc   # 2) this URL applies if you are in Europe
    Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"   # 3) import the trusted publishing domain
    Set-IRMConfiguration -InternalLicensingEnabled $True -AzureRMSLicensingEnabled $True   # 4) turn licensing back on
    Get-IRMConfiguration   # 5) display the resulting configuration
    

    60121-3.png

    The screenshots below are from the test in my lab environment:
    60103-4.png
    59960-5.png
    60131-6.png

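The two test outputs quoted in this thread differ only in which stage reports FAIL. As an added example (not part of the original thread or of Microsoft's tooling), the function below turns that result text into one object per check so a failed stage can be picked out by a script; the function name is hypothetical, the sample text is constructed from the output in the question, and it assumes the `Results` property of `Test-IRMConfiguration` holds the text shown above.

```powershell
# Hypothetical helper: parse Test-IRMConfiguration result text into objects.
function ConvertFrom-IrmTestResult {
    param([Parameter(Mandatory)][string]$Results)

    $stage = $null
    $checks = foreach ($line in $Results -split "`r?`n") {
        # Tolerate pasted Format-List output that starts with "Results : "
        $text = ($line -replace '^\s*Results\s*:\s*', '').Trim()
        if ($text -match '^(?<stage>.+?)\s*\.\.\.$') {
            $stage = $Matches['stage']      # e.g. "Verifying encryption"
        }
        elseif ($text -match '^-\s*(?<status>PASS|FAIL):\s*(?<detail>.*)$') {
            [pscustomobject]@{
                Stage  = $stage
                Status = $Matches['status']
                Detail = $Matches['detail']
            }
        }
    }
    $overall = if ($Results -match 'OVERALL RESULT:\s*(?<o>PASS|FAIL)') {
        $Matches['o']
    } else {
        'UNKNOWN'                           # text was truncated or in another format
    }
    [pscustomobject]@{ Overall = $overall; Checks = @($checks) }
}

# Constructed sample, abbreviated from the failing output quoted in the question.
$sample = @'
Results : Acquiring RMS Templates ...
    - PASS: RMS Templates acquired.
Verifying encryption ...
    - FAIL: Failed to verify encryption.

OVERALL RESULT: FAIL
'@

$parsed = ConvertFrom-IrmTestResult -Results $sample
$parsed.Checks | Where-Object Status -eq 'FAIL' | Format-Table Stage, Detail

# Against a live tenant (placeholder address, assumption):
# ConvertFrom-IrmTestResult -Results (Test-IRMConfiguration -Sender user@example.com).Results
```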

