Error with Email Encryption with Label Sensitivity

Steve 1 Reputation point
2021-10-08T11:39:49.97+00:00

Hi All

I have set up a sensitivity label called Forwarding in Office365 information protection and I published the label to one user (i.e. smith@xx.com; the one user has an Office365 E3 license attached). Additionally, I have enabled the protection service using PowerShell by running this command: enable-AipService (reference: https://learn.microsoft.com/en-us/azure/information-protection/activate-service).

Additionally, I have run this command in PowerShell: Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "7900b022-c487-4cf1-8359-a001d600b422" - this is so that the users within the group called Security Group (object id 7900b022-c487-4cf1-8359-a001d600b4220) can protect documents and emails with the sensitivity label Forwarding.

The issue I face is, after waiting for 24 hours for our Office365 tenant to propagate, I try to send an email from the one user who has access to the sensitive label Forwarding. When it is applied and when I hit send (the recipient is the sender, tried using other recipients) I get an error immediately after sending - the errors say (blanked out the email addresses):

Delivery has failed to these recipients or groups:

xx xx (xx@xx.com)
Your message couldn't be delivered because it couldn't be encrypted.

Diagnostic information for administrators:

Generating server: ME3PR01MB5912.ausprd01.prod.outlook.com

xx@xx.com
Remote Server returned '550 5.3.101 RmsSvcAgent; Cannot RMS protect the message because Encryption is disabled in Microsoft Exchange Transport.'

Original message headers:

Authentication-Results: xx.com; dkim=none (message not signed)
header.d=none;operatorsimulation.com; dmarc=none action=none
header.from=operatorsimulation.com;
Received: from ME2PR01MB2500.ausprd01.prod.outlook.com (2603:10c6:201:1b::15)
by ME3PR01MB5912.ausprd01.prod.outlook.com (2603:10c6:220:db::10) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4587.18; Fri, 8 Oct
2021 11:19:42 +0000
Received: from ME2PR01MB2500.ausprd01.prod.outlook.com
([fe80::9c9f:e080:6072:6196]) by ME2PR01MB2500.ausprd01.prod.outlook.com
([fe80::9c9f:e080:6072:6196%7]) with mapi id 15.20.4587.020; Fri, 8 Oct 2021
11:19:42 +0000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary

I tried correcting this issue by updating the label to no avail. Below are the encryption settings applied to the sensitivity label Forwarding:

[Image: 138846-image.png]

Any help is greatly appreciated.


1 answer

  1. Sarat Chandra 581 Reputation points
    2021-10-08T13:33:43.237+00:00

    Hi @Steve ,

    The 'Unified Labeling Support Tool' provides the functionality to reset all corresponding client services (UL, AIP, MIP, etc.). Its main purpose is to delete the currently downloaded sensitivity label policies and thus reset all settings, and it can also be used to collect data for failure analysis and problem-solving of labels.

    https://github.com/microsoft/UnifiedLabelingSupportTool

    Note: Before using the support tool, can you please disable the IRM on Exchange and conclude the issue with encryption.

    https://learn.microsoft.com/en-us/exchange/enable-or-disable-information-rights-management-on-client-access-servers-exchange-2013-help

    and please post the results.

    Thanks & Regards,
    Sarat
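
The NDR in the question (550 5.3.101 RmsSvcAgent) names Exchange transport as the place where encryption is disabled, so a read-only check can compare the AIP settings the poster configured with the Exchange Online IRM configuration. This is an added example, not part of the original thread or of any Microsoft tool; the sender address is a placeholder, and it assumes the AIPService and ExchangeOnlineManagement modules and an admin sign-in.

```powershell
# Added example: read-only checks, nothing in the tenant is changed.
# Assumptions: AIPService and ExchangeOnlineManagement modules are installed.
$Sender        = 'sender@example.com'                    # placeholder: the labelled test mailbox
$ExpectedGroup = '7900b022-c487-4cf1-8359-a001d600b422'  # group ID as typed in the question's command

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Azure Information Protection: service state and onboarding scope.
Connect-AipService | Out-Null
if ("$(Get-AipService)" -ne 'Enabled') {
    $findings.Add('AIP protection service is not enabled.')
}
$onboarding = Get-AipServiceOnboardingControlPolicy
$actualGroup = "$($onboarding.SecurityGroupObjectId)"
if ($actualGroup -and $actualGroup -ne $ExpectedGroup) {
    $findings.Add("Onboarding policy is scoped to group $actualGroup, not $ExpectedGroup.")
}
Disconnect-AipService | Out-Null

# 2. Exchange Online: the IRM settings that transport reads before
#    it can apply rights protection to a message.
Connect-ExchangeOnline -ShowBanner:$false
$irm = Get-IRMConfiguration
foreach ($name in 'AzureRMSLicensingEnabled', 'InternalLicensingEnabled') {
    if (-not $irm.$name) { $findings.Add("IRM setting $name is False.") }
}
if (-not $irm.LicensingLocation) {
    $findings.Add('IRM LicensingLocation is empty.')
}

# 3. End-to-end test of template and licence acquisition for the sender.
$testText = Test-IRMConfiguration -Sender $Sender | Out-String -Width 4096
if ($testText -notmatch 'OVERALL RESULT: PASS') {
    $findings.Add('Test-IRMConfiguration did not report an overall PASS; see output below.')
}
Disconnect-ExchangeOnline -Confirm:$false

# Report: the raw settings first, then anything that needs review.
$irm | Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled, LicensingLocation
$testText
if ($findings.Count -eq 0) { 'No configuration findings.' } else { $findings }
```

A finding here only shows which setting to review; the thread does not establish which one caused the NDR in this tenant.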