In our environment we do not use AD RMS on-premises, and you cannot add the on-premises federation mailbox to the online super users group.
From what we have been told by MS, all that should be required for this to work is to run Set-IRMConfiguration -JournalReportDecryptionEnabled $true. We are looking for EOL to send a decrypted copy to whatever journal target we use.
We did install the Rights Management Connector on-premises to see if that would help, but saw no change.