Share via

Resolve Microsoft Purview Message Encryption issues

  • Article

Symptoms

Users in your organization experience one or more of the following issues:

  • They can't open encrypted email messages in Microsoft Outlook or Outlook on the web.
  • They can't send encrypted email messages.
  • The Encrypt button is missing in both Outlook and Outlook on the web.

Cause

These issues can occur for several reasons, such as:

  • Your organization's Microsoft 365 subscription doesn't support Microsoft Purview Message Encryption.
  • The tenant that's used by your organization is misconfigured.
  • The account that's used by the affected users to sign in to Outlook or Outlook on the web isn't assigned a valid license to use the Microsoft Purview Message Encryption feature.

Resolution

To resolve the issues, follow these steps in the given order. After you complete each step, check whether the issue persists. If it does, go to the next step.

Step 1: Verify the Microsoft 365 subscription

To use Microsoft Purview Message Encryption, your organization must have a subscription that supports this feature. For information about the subscription requirements, see What subscriptions do I need to use Microsoft Purview Message Encryption.

Step 2: Verify the tenant configuration

  1. Use Exchange Online PowerShell to verify that your tenant is configured correctly for Microsoft Purview Message Encryption.

  2. Run the following cmdlet to check whether Information Rights Management (IRM) features are enabled in Outlook on the web:

    Get-OwaMailboxPolicy | fl *IRMEnabled*

    If IRMEnabled is False, run the following cmdlet:

    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -IRMEnabled $true

  3. If the Encrypt button is missing in Outlook on the web, run the following cmdlet:

    Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

Step 3: Verify the affected users' account licenses

The affected users have to make sure that the account that they use to sign in to Outlook or Outlook on the web is assigned the appropriate license to use the Microsoft Purview Message Encryption feature. If they can't determine this, users should follow these steps on their device:

  1. Sign out of Office.

  2. Remove cached credentials from Windows Credential Manager:

    1. Open Control Panel > User Accounts > Credential Manager.
    2. Select Windows Credentials.
    3. Remove all Outlook or Office credentials by expanding each credential and then selecting Remove.

  3. If the device isn't Microsoft Entra joined, remove the unlicensed account from the device:

    1. Select Start > Settings > Accounts > Access work or school.
    2. Select the account to be removed, and then select Disconnect.

  4. Sign in to Office by using a user account that's licensed to use the Microsoft Purview Message Encryption feature.

Step 4: Verify connection to the Azure Rights Management service

To determine whether the affected user's mail client can connect to the Azure Rights Management service, run the following PowerShell commands:

$request = [System.Net.HttpWebRequest]::Create("https://admin.na.aadrm.com/admin/admin.svc")
$request.GetResponse()
$request.ServicePoint.Certificate.Issuer

The output should show that the issuing Certificate Authority (CA) is a Microsoft CA. For example:

CN=Microsoft Secure Server CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.

If you see a CA that isn't from Microsoft, your secure client-to-service connection was probably terminated and has to be reconfigured on your firewall. For more information, see Firewalls and network infrastructure.

Step 5: Check for sensitivity labels

If sensitivity labels are applied to email messages, permissions must be assigned correctly so that recipients can access the messages. For more information, see Restrict access to content by using sensitivity labels.

If the issue persists after you complete all these steps, contact Microsoft Support for further troubleshooting.

More information

  • If users in your organization experience issues when they send encrypted messages to or receive encypted messages from people outside your organization, check the Conditional Access policies and guest account configuration in both organizations. For more information, see Microsoft Entra configuration for encrypted content and Conditional Access policies for Azure Information Protection.
  • Users can open encrypted email messages that are sent to a shared mailbox. If the message is sent from the same organization, users can open it when they're signed in to a supported Outlook client. If the message is sent from an external organization, users must use Outlook on the web. For more information, see Message encryption FAQ.