This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 94%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
We have turned on the journal report decryption option on a tenant, but are not seeing a clear text copy being generated. We opened a case with MS on the issue, but so far no resolution. Has anyone seen this issue before?
Thanks.
A few details on the setup. The on-prem environment is Exchange 2016. The tenant has AIP enabled and we have setup various sensitivity labels for testing purposes such as owner-restricted, internal-only, block-forwarding, etc. We do see the decryption happening on a development tenant, but so far not on the prod tenant. All the settings appear to be the same when comparing the tenants from what we have seen.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @JBeasley
Do you mean the only difference between development tenant and prod tenant is AIP and sensitivity labels set up?
Have you checked if the application log recorded any related error?
The AIP setup and sensitivity labels setup is similar on both tenants.
No application log errors during use of labels that we see. It creates the message and does the encryption fine. The messages get sent with the label as expected. There is just no decryption happening when the journal agent creates the journal report.
We did a bit more testing and it appears the decrypted copy is generated if we use an external recipient as the target for the journal report. So the issue appears to be when using an on-prem journal mailbox. It could be a setting in the hybrid setup, but it is not clear what that would be at this point.
Hi,
Thanks for providing more information, is there any progress so far with the ticket you opened with Microsoft?
And you may also check if you have met the requirement introduced here: Configuring journal report decryption
In our environment we do not use AD RMS on-premises and you cannot add the on-premises federation mailbox to the online superusersgroup.
From what we have been told by MS all that should be required for this to work is to run the Set-IRMConfiguration -Journa.ReportDecryptionEnabled $true. We are looking for EOL to send a decrypted copy to whatever journal target we use.
We did install the Rights Management Connector on-premises to see if that would help, but saw no change.
https://learn.microsoft.com/en-us/azure/information-protection/deploy-rms-connector
Hi,
Thanks for feeding back. If so, I would suggest you open a service request to o365 backend to see if any diference between your two tenants:
https://learn.microsoft.com/en-us/microsoft-365/business-video/get-help-support?view=o365-worldwide