External users cannot open encrypted messages

When an external user tries to view the contents of an encrypted message from your organization, they see the following error message after entering the one-time passcode:

"Sorry, we can't display your message right now. Something went wrong and your encrypted message couldn't be opened. Please try again by following the instructions in the original email message in 5 minutes."


A common cause of this is mixing the older Exchange-based Office 365 Message Encryption (OME v1) with the newer Azure RMS-based encryption that is being rolled out in the service.

To see whether you are mixing these, you need to check two things:

  1. Run Get-IRMConfiguration and check whether AzureRMSLicensingEnabled is set to True.
  2. Look at the Transport Rule that encrypts the message. Is its action "Encrypt the message with Office 365 Message Encryption"?

If both of these conditions are met, you are mixing two different versions of Microsoft's encryption technologies, and the external recipient will never be able to open the messages.
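The two checks above can be run together from an Exchange Online PowerShell session. The following script is an added example, not part of the original article; it assumes that the rule objects returned by Get-TransportRule expose the ApplyOME and ApplyRightsProtectionTemplate properties (the same names as the corresponding New-TransportRule/Set-TransportRule parameters), and that "Do Not Forward" is the template name in your tenant. Verify both against your own tenant before relying on the output.

```powershell
# Added diagnostic script (not from the original article).
# Assumes an existing Exchange Online PowerShell session.

# Check 1: is the newer Azure RMS licensing switch turned on?
$irm = Get-IRMConfiguration
$azureRms = [bool]$irm.AzureRMSLicensingEnabled
Write-Host "AzureRMSLicensingEnabled : $azureRms"

# Check 2: which transport rules still use the older
# "Encrypt the message with Office 365 Message Encryption" action?
# (Assumed property name: ApplyOME, matching the New-TransportRule parameter.)
$omeRules = @(Get-TransportRule | Where-Object { $_.ApplyOME -eq $true })

if ($omeRules.Count -gt 0) {
    Write-Host "Transport rules using the legacy OME action:"
    $omeRules |
        Select-Object Name, State, ApplyOME, ApplyRightsProtectionTemplate |
        Format-Table -AutoSize
} else {
    Write-Host "No transport rules use the legacy OME action."
}

# Verdict: both conditions together are the mixed configuration that
# prevents external recipients from opening the messages.
if ($azureRms -and $omeRules.Count -gt 0) {
    Write-Warning ("Mixed configuration: AzureRMSLicensingEnabled is True and " +
                   "$($omeRules.Count) rule(s) still use the legacy OME action.")
    Write-Host "Remediation options:"
    Write-Host "  a) Set-IRMConfiguration -AzureRMSLicensingEnabled `$false    # revert to OME v1"
    # Option b mirrors the article's "Apply Rights Protection" / Do Not Forward
    # recommendation; the template name is assumed and must exist in your tenant.
    foreach ($rule in $omeRules) {
        Write-Host "  b) Set-TransportRule -Identity '$($rule.Name)' -ApplyOME `$false -ApplyRightsProtectionTemplate 'Do Not Forward'"
    }
} else {
    Write-Host "No OME / Azure RMS mixing detected."
}
```

The script only reads configuration and prints the remediation commands; it does not change anything, so it is safe to run first and review before applying either fix.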

Note: The output of Test-IRMConfiguration is very different for each of the two IRM versions, so those results can also serve as evidence. The full output for each configuration is not included in this article.

You can get further proof that you are in this situation by collecting a Fiddler trace of the failed attempt to open the decrypted contents of the message. The JSON tab of the response will show one of these error messages:

  • MessageText=The specified object was not found in the store., Cannot decode the message -itemId: E4E_M_edc899287-179d-4ab4-a115-a9e2784d1dd2, -currentUser user42@contoso.com
  • Cannot decode the message -itemId: E4E_M_fcf2a6f5-1396-434f-b376-67a0e2a01478, -currentUser user42@contoso.com","ResponseCode":"ErrorRightsManagementPermanentException","ResponseClass":"Error","Items":null"


There are two ways to address this. The simplest is to force the system back to OMEv1 with this command:

Set-IRMConfiguration -AzureRMSLicensingEnabled $False

New messages encrypted by the transport rule will now open correctly for external recipients.


The better approach is to change the Transport Rule's action to "Apply Rights Protection" and then select the Do Not Forward template.

Before making this change, make sure that all Azure Rights Management implementation steps have been completed. Here are a couple of articles on enabling Azure Rights Management:

https://docs.microsoft.com/en-us/information-protection/deploy-use/activate-service

https://support.office.com/en-us/article/Set-up-new-Office-365-Message-Encryption-capabilities-built-on-top-of-Azure-Information-Protection-7ff0c040-b25c-4378-9904-b1b50210d00e