Azure Information Protection : Decrypting messages stored in PST - Unprotect-RMSFile cmdlet missing

Ethan Chalmers 61 Reputation points
2022-02-15T14:42:34.21+00:00

Hi all,

I'm trying to decrypt messages that were encrypted with M365 Message Encryption.

I have the encrypted messages stored in a .pst file and I intended to use the Unprotect-RMSFile cmdlet within the AIP module to do this but the latest release no longer has this cmdlet.

Is there a workaround?

Thanks,
Ethan


Accepted answer
  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-02-24T08:23:20.067+00:00

    @Ethan Chalmers

    Update:

    Messages that are encrypted with OME (M365 Message Encryption) are no longer supported by the AIP cmdlets; this process now only works when using AIP sensitivity labels with the encryption option. eDiscovery is the only way around this limitation, as it can decrypt OME messages, but only on an individual message level.

    Let me know if you have any questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-02-16T09:19:06.68+00:00

    @Ethan Chalmers

    Thank you for reaching out to us.

    Unprotect-RMSFile initially applied to the classic AIP client (the AIP add-in), which was deprecated as of March 31st 2021.
    The goal can be achieved using the Unified Labeling client and Set-AIPFileLabel -RemoveProtection with the below steps:

    Navigate to https://aka.ms/aipclient and click the Download button to get the Azure Information Protection client that we will require for this operation. File name: AzInfoProtection_UL.exe

    If you have Office installed on the machine where you are going to perform the decrypt operation, my recommendation is to close all Office apps before installing the above executable.

    Follow the steps to configure the Super User feature since this is disabled by default: https://learn.microsoft.com/en-us/azure/information-protection/configure-super-users#configuration-for-the-super-user-feature

    The Add-AipServiceSuperUser (AIPService) cmdlet adds an individual account to the super user list for your organization (e.g. Add-AipServiceSuperUser -EmailAddress "superuser@Company portal .com") - Reference https://learn.microsoft.com/en-us/powershell/module/aipservice/add-aipservicesuperuser?view=azureipps

    Enable-AipServiceSuperUserFeature (AIPService): it is recommended to run this only when there is a requirement to unprotect a file that your team no longer has access to, and it doesn't require any switches: Enable-AipServiceSuperUserFeature - Reference https://learn.microsoft.com/en-us/powershell/module/aipservice/enable-aipservicesuperuserfeature?view=azureipps

    The removal of protection from compressed files is not enabled by default either, so we need to follow these steps in case you are going to remove protection from .pst, .rar, .7zip files, etc.:

    Connect to SCC (Security and Compliance Center) through an elevated PowerShell (commands in bold):

    **$UserCredential = Get-Credential**

    **$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection**

    **Import-PSSession $Session -DisableNameChecking**

    (OPTIONAL) If you use MFA, the above method, which uses basic authentication, may not work. To connect to SCC using MFA follow these steps: https://learn.microsoft.com/en-us/powershell/exchange/mfa-connect-to-scc-powershell?view=exchange-ps

    Connect-IPPSSession -UserPrincipalName user@Company portal .com

    Once connected run the following cmdlet to enable the required advanced setting:

    Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableContainerSupport="True"}

    Also if you would like to clear the value (turn it off):

    Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableContainerSupport=""}

    Reference link: https://learn.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-customizations#enable-removal-of-protection-from-compressed-files

    Use the Set-AIPFileLabel (AzureInformationProtection) cmdlet to unprotect the required documents or files, reference - https://learn.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipfilelabel?view=azureipps

    From the above document, Example 8 shows how to remove protection from a single file:

    Set-AIPFileLabel "C:\Projects\Analysis.docx" -RemoveProtection

    Once the operation is complete, remember to Disable-AipServiceSuperUserFeature (AIPService), reference - https://learn.microsoft.com/en-us/powershell/module/aipservice/disable-aipservicesuperuserfeature?view=azureipps

    Let me know if you have any questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Ethan Chalmers 61 Reputation points
    2022-02-16T11:11:09.397+00:00

    @GirishVaryani

    Thank you very much for the detailed instructions! I appreciate your time.

    I got through all the steps but I have an issue trying to run:

    Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableContainerSupport="True"}

    I receive this error message:

    Policy "Global" wasn't found. Make sure you typed the policy name correctly.

    I am successfully connected to SCC when I run this cmdlet. When I try Get-LabelPolicy I see a policy named Secure Messaging Policy. Can I use this policy to apply the advanced setting or should I create a new dedicated label policy called Global instead?

    Best wishes
    Ethan
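The procedure in the answer above (enable the super user feature, enable container support on a label policy, run Set-AIPFileLabel -RemoveProtection, disable the feature again), collected into one script. This is an added example and is not code from the thread or from Microsoft; it only uses the AIPService, ExchangeOnlineManagement and AzureInformationProtection cmdlets the answer already refers to. It also handles the error reported in the reply above: instead of assuming a policy named "Global" exists, it resolves the policy from Get-LabelPolicy (by the optional $PolicyName, otherwise the first one listed, e.g. "Secure Messaging Policy"). The parameter names, the placeholder path and the super user UPN are assumptions. Per the accepted answer, this only removes protection applied with AIP sensitivity labels or RMS templates; messages encrypted with OME are not handled by these cmdlets.

```powershell
# Added example (not from the original thread): end-to-end RemoveProtection run with the
# unified labeling client. $Path, $SuperUserUpn and $PolicyName are placeholders.
# Requires the AIPService, ExchangeOnlineManagement and AzureInformationProtection modules.
param(
    [Parameter(Mandatory)] [string] $Path,          # e.g. 'C:\Exports\mailbox.pst' (placeholder)
    [Parameter(Mandatory)] [string] $SuperUserUpn,  # account that will run Set-AIPFileLabel
    [string] $PolicyName                            # optional; first label policy if empty
)

Import-Module AIPService, ExchangeOnlineManagement, AzureInformationProtection -ErrorAction Stop

$featureWasEnabled = $false
$policy = $null
try {
    # 1. Tenant side (AIPService): enable the super user feature and add the account.
    #    Both steps are skipped if they are already in place.
    Connect-AipService
    $featureWasEnabled = (Get-AipServiceSuperUserFeature) -eq 'Enabled'
    if (-not $featureWasEnabled) { Enable-AipServiceSuperUserFeature }
    if (-not (Get-AipServiceSuperUser | Where-Object { $_ -ieq $SuperUserUpn })) {
        Add-AipServiceSuperUser -EmailAddress $SuperUserUpn
    }

    # 2. Compliance side: enable container support (.pst, .zip, ...) on an existing
    #    label policy. Do not assume a policy called "Global" exists; look it up.
    Connect-IPPSSession -UserPrincipalName $SuperUserUpn
    $policies = @(Get-LabelPolicy)
    if ($PolicyName) { $policy = $policies | Where-Object Name -eq $PolicyName | Select-Object -First 1 }
    else             { $policy = $policies | Select-Object -First 1 }
    if (-not $policy) {
        throw "Label policy not found. Available policies: $($policies.Name -join ', ')"
    }
    Set-LabelPolicy -Identity $policy.Name -AdvancedSettings @{ EnableContainerSupport = 'True' }

    # 3. Client side: confirm the file is actually RMS-protected, then remove protection.
    #    OME-encrypted messages inside the PST are not covered by this cmdlet.
    $status = Get-AIPFileStatus -Path $Path
    if (-not $status.IsRMSProtected) {
        Write-Warning "$Path is not RMS-protected; nothing to do."
    } else {
        $result = Set-AIPFileLabel -Path $Path -RemoveProtection -PreserveFileDetails
        if ($result.Status -ne 'Success') { throw "RemoveProtection failed: $($result.Comment)" }
        Write-Host "Protection removed from $Path (template was: $($status.RMSTemplateName))"
    }
}
finally {
    # 4. Clean up. A super user can open every protected item in the tenant, so never leave
    #    the feature enabled longer than the job needs; also clear the advanced setting.
    if ($policy) { Set-LabelPolicy -Identity $policy.Name -AdvancedSettings @{ EnableContainerSupport = '' } }
    if (-not $featureWasEnabled) { Disable-AipServiceSuperUserFeature }
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    Disconnect-AipService -ErrorAction SilentlyContinue
}
```

Run it from an elevated PowerShell on the machine where AzInfoProtection_UL.exe was installed, signed in as the account you added as super user, e.g. `.\Remove-Protection.ps1 -Path 'C:\Exports\mailbox.pst' -SuperUserUpn 'superuser@yourtenant.example' -PolicyName 'Secure Messaging Policy'`. The `finally` block is the important design choice: disabling the super user feature is done even when Set-AIPFileLabel throws, so a failed run does not leave the tenant with the feature switched on.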

