Office 365 Message Encryption: Error setting DecryptAttachmentFromPortal to $true
Well, I tried it in a few tenants I have access to, no luck. It doesn't even seem to be available in the definition of the Set-IRMConfiguration cmdlet, so it's not an issue with user, permissions or licenses. Most likely another case of the documentation being ahead of the actual rollout.
I've left feedback on the documentation just in case.
Thank you very much for your reply. I've tried it in several tenants as well and luckily, it finally worked in the one where I wanted to implement it (customer). Thank you for reporting it, though. In the end, it needs to work everywhere.
- Carol Bailey, Dec 16, 2018, Microsoft
We've just learned that DecryptAttachmentFromPortal is deprecated and instead, you should use the DecryptAttachmentForEncryptOnly parameter. The Azure Information Protection documentation has been updated with this information & I'm told the PowerShell reference documentation update is in progress.
- ItsNotALakeItsAnOcean, Dec 17, 2018, Copper Contributor
Thank you very much for your reply, Carol Bailey. However, as far as I understand, the DecryptAttachmentForEncryptOnly parameter only makes it possible to decrypt attachments for users with an Azure AD account. What's the proper solution if I were to send an encrypted email to a Gmail user? After downloading the attachments, he won't be able to open them since he can't authenticate, right? If that's the case, it would be a huge step back for many customers I am in contact with. Or maybe I am missing a point here and you can make me a merry Christmas by clarifying this point. ;-)
- Carol Bailey, Dec 17, 2018, Microsoft
It's the other way around - when you use the DecryptAttachmentForEncryptOnly parameter, encryption is removed for the attachment for all recipients after they have authenticated, no matter what authentication method they used or how they view the email. This makes it a consistent end user experience. Whereas for the older parameter, encryption was removed only if they couldn't be authenticated by Azure AD and therefore had to use the portal.
The difference is when decryption occurs: For the DecryptAttachmentFromPortal parameter, as the name suggests, decryption happened only in the portal and at the point when somebody requested to download the attachment. For a recipient using Outlook or Outlook on the web (they have an Azure AD account), the attachment would remain encrypted. For the DecryptAttachmentForEncryptOnly, decryption happens as soon as the email is opened (which happens only when the recipient is successfully authenticated).
So for your recipients using the portal, they won't see any difference in behavior (the downloaded attachment isn't encrypted).
Hope you have time to try it out before your Christmas break!