Encrypted email issue from shared mailbox.

Question

Encrypted email issue from shared mailbox.

Sanjay Bhakuni 25

We have a scenario where a user is sending an email from a shared mailbox using “Send As” permission. The email is encrypted with the “Do Not Forward” protection level and sent to a distribution list (DL).

The issue is that some users are able to open the email without any problems, while others are unable to open it and receive an error indicating that it is an encrypted email. All members of the DL are internal user mailboxes.

What could be the possible reason for this behavior?

0 comments

2 answers

Your answer

Answer 1

Sanjay Bhakuni 25

Hello @Smaran Thoomu , I’d like to clarify the scenario to avoid any confusion.

We are sending emails from a shared mailbox using Send As permission to a Distribution List (DL). The emails are successfully delivered to the DL members, who are regular user mailboxes. In this case, there is no requirement for those users to have any permission (such as delegate access) on the shared mailbox just to receive the email.

The earlier reference to delegate access applies only when a user needs to access or open the shared mailbox itself, not when they are simply recipients of an email sent from it.

Given this, the current behavior does not appear to require any additional permissions on the shared mailbox for DL members. If there are any inconsistencies or unexpected behavior observed beyond this, we can review those separately.
Please let me know if you’d still recommend raising a Microsoft support ticket to confirm whether this scenario is fully supported,

Smaran Thoomu 35,045 Reputation points Microsoft External Staff Moderator

2026-04-22T02:26:37.9266667+00:00
Hi @Sanjay Bhakuni
Thanks for the clarification - you’re absolutely right here.

For recipients of an email (even from a shared mailbox using Send As), there’s no requirement for them to have delegate or FullAccess permissions on the shared mailbox just to read the message. Appreciate you calling that out.

Given that, the behavior you’re seeing is more likely related to how the encryption policy (“Do Not Forward”) is being enforced on the recipient side, rather than mailbox permissions.

A few things that typically cause this kind of mixed behavior:

Client differences Some Outlook clients handle encrypted emails differently. For example, users on older Outlook versions or certain desktop configurations may see issues, while others (OWA/mobile) can open it fine.

Token / identity resolution for DL expansion When sending to a DL, encryption is applied after expansion. In some cases, there can be inconsistencies in how user identity/permissions are validated during decryption.

Licensing / policy differences Even for internal users, differences in assigned licenses (OME/AIP) or conditional access policies can affect whether the message opens successfully.

At this point, since:

All recipients are internal

Delivery is successful

Only some users are unable to open

this does look more like a client/policy evaluation issue rather than a configuration gap.

As a quick check, I would suggest:

Ask one affected user to try opening the email in Outlook on the web

Compare working vs non-working users (client type + version)

If the issue is consistent for a subset of users, it would be worth raising a support ticket so the backend logs (encryption/decryption flow) can be reviewed.

Let me know what you observe from the client side - that should help narrow this down further.

Answer 2

Hey Sanjay, it sounds like you’re sending a “Do Not Forward”–protected message from a shared mailbox to a DL and only some DL members can open it. Here are the most common reasons for that behavior:

Client support for delegated decryption
- Only Outlook on the web, Outlook for Mac, Outlook for iOS/Android support opening “Do Not Forward”–protected mail in a shared mailbox via delegated access.
- Outlook for Windows does not support delegated decryption of protected content. If the users who can’t open are on Outlook Windows, that’s likely the culprit.
Permissions on the shared mailbox
- Recipients must have FullAccess on the shared mailbox or be part of a mail-enabled security group assigned full access.
- If your DL is a standard distribution group (not mail-enabled security) or users weren’t individually granted FullAccess via Add-MailboxPermission, they won’t be able to decrypt.
Mailbox and licensing requirements
- Every recipient needs an Exchange Online mailbox and an Azure Information Protection/OME license.
- If a user has no personal mailbox (e.g., only an external contact or unlicensed account), they can’t complete decryption.

What to try next:

• Have one of the affected users open the same encrypted DL message in Outlook on the web.

• Verify that each user has FullAccess (or is in a mail-enabled security group) on the shared mailbox.

• Confirm all recipients have an Azure Information Protection/OME license assigned.

Follow-up questions:

Which Outlook clients (and versions) are the users who can’t open the message using?
How did you grant permissions on the shared mailbox (FullAccess vs. security group)?
Do these users all have an Exchange Online mailbox and an OME/AIP license?

Hope that helps! Let us know what you find.

Reference list

Fix Microsoft Purview Message Encryption issues https://learn.microsoft.com/troubleshoot/microsoft-365/office-message-encryption/fix-message-encryption-issue-microsoft-purview
Message encryption FAQ (shared mailbox section) https://learn.microsoft.com/purview/ome-faq#can-i-open-encrypted-messages-sent-to-a-shared-mailbox
Troubleshoot delegated mailbox permissions in a hybrid deployment https://learn.microsoft.com/exchange/hybrid-deployment/set-up-delegated-mailbox-permissions

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.

Share via

Encrypted email issue from shared mailbox.

2 answers

Your answer