Last September, we announced new capabilities in Office 365 Message Encryption that enable users to seamlessly collaborate on protected emails with anyone. This release included Do Not Forward an out-of-the-box policy that encrypts emails and Office attachments, and restricts the content and email from being forwarded, printed or copied.


Today, we are happy to share that we are releasing another out-of-the-box policy called encrypt only. With the encrypt-only policy, users can send encrypted email to any recipient, whether they are inside or outside the organization, and the protection follows the lifecycle of the email. That means recipients can copy, print and forward the email, and encryption will not be removed. This new policy provides more flexibility in the type of protection that can be applied to your sensitive emails.


This is valuable for organizations that want persistent encryption, but do not want to add additional restrictions. For example, a doctor looking to protect an email containing sensitive personal information, can apply the encrypt-only policy, and the patient receiving the email can easily consume the protected message regardless of their email provider, and forward that email to another trusted party.  


With this new, flexible policy, users and admins can apply different levels of protection to best fit their data protection needs. 


Read more to understand what the encrypt-only policy looks like and how to apply the policy.  


How the encrypt-only policy works

The encrypt-only policy is an out-of-the box policy that can be used without additional configuration, and as the name suggests, only applies encryption to the email. You can apply the policy through end-user controls in Outlook or through automatic admin managed controls in the Exchange admin center. Users can apply this policy to individual emails through end-user controls in Outlook, and Admins can apply this policy automatically to any email that matches the set criteria through admin-managed controls in the Exchange admin center.


Customers that have enabled the new Office 365 Message Encryption capabilities will see the encrypt-only policy first through Outlook on the web and in the Exchange admin center under mail flow rules. Updates to Outlook for Windows and Outlook for Mac are planned for the coming months.


How to send an email with the encrypt-only policy in Outlook on the web

Users can apply protection with the encrypt-only policy by clicking on the protect button and changing the permissions to just encrypt. While the other options encrypt the message, the encrypt option will apply the encrypt-only policy to the message, therefore enabling recipients to forward, copy and print the message.


Applying this option will offer added flexibility for recipients to share the email with other trusted parties while encryption continues to persist and throughout the lifecycle of the email.

  outlook on the web with permissions drop down.pngIn Outlook on the web, users can click on the protect button to change the permissions of the email. Once a user clicks on protect, the users can click on encrypt, to only encrypt the email.  Outlook on the web client view with encrypt only policy applied.pngOnce the encrypt-only policy is applied, the user will see a notification that encryption has been applied.

How to apply the encrypt-only policy through Exchange mail flow rules

As an administrator, you can apply the encrypt-only policy automatically to emails that meet certain conditions by creating a mail flow rule. When you do this, email affected by the encrypt-only policy is encrypted in transport by Office 365.


For instructions on creating a mail flow rule that employs the encrypt-only policy, see define mail flow rules to encrypt email messages in Office 365

 mail flow rule with encrypt only policy.pngYou as an administrator can create new mail flow rule to automatically apply the encrypt-only policy to emails.


How to read encrypt-only email using Outlook on the web and Outlook mobile

Office 365 recipients can easily read and reply to emails that have been applied with the encrypt-only policy using Outlook on the web and Outlook mobile directly from the client.


Outlook mobile with encrypt only policy applied.jpgUsers can read the encrypted message natively directly in Outlook on the web and Outlook mobile.


The inline reading experience for Outlook desktop (Windows and Mac) will be available in the coming months. In the meantime, Office 365 users using Outlook desktop will see the encrypted mail as an html mail with an rpmsg_v2 attachment.


How to read encrypt-only emails for non-Office 365 users (on-prem, Gmail, and Outlook.com users)

Non-Office 365 users, receive an html mail with an rpmsg_v4 attachment. Once they click Read Message they are redirected to the Office 365 Message Encryption portal where they can reply, forward, print, or take other allowed actions. More information can be found in this article.


Get started!

The new encrypt-only policy rolls out starting today as part of Office 365 Message Encryption.


Office 365 Message Encryption is offered in Office 365 E3 and E5, or as an add-on -you can find the full list of where Office 365 Message Encryption is offered here.


Please let us know what you think here or give us your feedback on uservoice



Occasional Contributor

Hi @Sven Mihály-Bison, BA - but this is the exact behavior needed for Shared Mailboxes no?

Senior Member

Encrypted messages are sent from company A who has an O365 tenant with OMEv2 enabled to company B who has an O365 tenant..  Users at Company B are running Outlook 2016 Version 1805 (Build 9330.2124 Click-to-Run).  Most users can decrypt and read encrypted messages from Company A without issues but two users ran into issues opening encrypted messages from Company A..  When they attempt to open an encrypted message they receive the following: "The logged in users could not be authenticated.  Please check your credentials or try signing out and signing back in".  They appear to be logged in with there Azure AD account but cannot decrypt and read the encrypted messages from Company A.  I tried having one user "Add Account"  and "Sign In" but it did not resolve the issue.  Is this a bug.  How can I troubleshoot?


@Gary Howard Is it possible those 2 users from Company A have a different version of Outlook that has not been updated to the minimum level that supports the templates?  Only other suggestion I can think of is to remove the stored credentials from the client using the Credential Manager if on PC. If this is on Mac, I think it is in the Key Ring?

Senior Member

Update regarding the following issue.   I found that one user is running Outlook 2016 Version 1805 (Build 9330.2124 Click-to-Run) and the other user is running Outlook 2016 Version 1806 (Build 10228.20021 Click-to-Run).   I requested that each user go through the procedure to Add Account.  The user running Version 1805 is now able to decrypt and read the encrypted messages from Company A.  The latter user did the same but is still having an issue decrypting and reading encrypted messages from Company A.


Encrypted messages are sent from company A who has an O365 tenant with OMEv2 enabled to company B who has an O365 tenant..  Users at Company B are running Outlook 2016 Version 1805 (Build 9330.2124 Click-to-Run).  Most users can decrypt and read encrypted messages from Company A without issues but two users ran into issues opening encrypted messages from Company A..  When they attempt to open an encrypted message they receive the following: "The logged in users could not be authenticated.  Please check your credentials or try signing out and signing back in".  They appear to be logged in with there Azure AD account but cannot decrypt and read the encrypted messages from Company A.  I tried having one user "Add Account"  and "Sign In" but it did not resolve the issue.  Is this a bug.  How can I troubleshoot?

Occasional Contributor

 Gary said "

When a message is encrypted using the Encrypt Only option, the recipient cannot open an Excel attachment in the encrypted message and receives the following message:

You do not have credentials that allow you to open this workbook.  You can request updated permission from...

Why might this be happening?"


Our recipients were getting this message also.  I was able to fix part of the problem for non-O365 users by applying the new Admin control setting "Set-IRMConfiguration -DecryptAttachmentFromPortal <$true|$false>" found HERE.  This setting removes encryption and rights management for an attachment only for non-O365 users.  Microsoft specifically says "This setting does not apply to Office 365 users who use Outlook for Windows, or Outlook on the web to consume protected email. They will continue to receive encrypted content directly in these Outlook clients."


So the Encrypt option or rule not only encrypts the email it also applies rights management to any Office attachment.  It assigns permissions to view that attachment to recipients that the email was sent to.  However, I have found that it does not always work properly and still some O365 users cannot view the attachment because of the rights management thing.  


This is very annoying.  Encrypt only should mean encrypt only and not encrypt and add rights to attachments.  I called Microsoft support and they did not even know about the new admin setting to remove encryption was the attachment was downloaded by the command ""Set-IRMConfiguration -DecryptAttachmentFromPortal <$true|$false>"

They told me to make sure our employees had Outlook updated and I said "so you want me to tell a 1000 of our partners to update their Outlook also.


I have no choice but to revert back to OMEv1 because O365 recipients cannot view attachments because of the incorrectly applied rights.

Occasional Contributor

This is the reason why I am still on v1

Senior Member

OME v2 is basically unusable if your intent is to send an encrypted email to external domains.  There is no way to guarantee that the recipient will be able to open the email and use it's contents as you have intended.  Ironically Microsoft has caused the most problems with sending between it's own customers.  OMEv1 is not enabled by default, but you should be able to still turn it on.  Stick with v1 unless your use case is more centered around internal email and document protection.

Occasional Visitor


Would anyone like to comment on or confirm the following please:


1. Despite trawling through a truck-tonne of documentation there is no explicit indication that OME is not integrated into Outlook on any version of office OTHER THAN ProPlus editions? We have ended up somewhat embarrassed having recommended and upgraded a customer from O365 Business Essentials to O365 Business Premium and adding Azure Information Protection P1 - which works nicely in OWA, but the desktop Office in O365 Business does not include RMS and therefore OME capabilities - so we've now had to move them to E3 to get ProPlus which is nearly 2x monthly cost.


The only documentation I found on this is mentioned in passing in a doc for Azure IRM, which was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard' - here. It says:

"Azure Information Protection is not included but can be purchased as a separate add-on and will enable the supported Information Rights
Management (IRM) features. Some Azure Information Protection features require a subscription to Office 365 Pro Plus, which is not included
with Office 365 Business Essentials, Office 365 Business Premium, Office 365 Enterprise E1, Office 365 Education, or Office 365 Enterprise F1."

without going into any detail about which features require ProPlus.


2. The only way to send encrypted emails from a mobile device is to use OWA? Although the Outlook App can display encrypted messages you've been sent (and presumably your response is encrypted also), you can't compose a message and choose to have it encrypted - unless maybe you've got a server-side rule that would cover it for you.




Just found 1 mention about issue 1 here - so it is known but not well documented/publicised:


In comment from Caroline Shin  at 10-30-2017 05:41 PM

Occasional Contributor

Its ridiculous that this is forced upon use.  What if I want my attachment to be shared by the recipients I send the email and attachment to.  All I want to is encrypt an email in transit and at rest.  I do not want the attachment to have IRM automatically attached to it.  This should be our decision and there should be away to disable IRM on attachments when the recipient is outside our organization and also uses O365.

"Encrypt Only" should mean encrypt only....not Encrypt and add IRM to attachments.   Not only that, there will be so many people who do not have the right version of Outlook, its outdated or they are signed into Outlook with a different account than the one the email was sent to.   This is going to cause alot of problems in the future.  I will never be able to use OMEv2 if this is not fixed.  We would have to use a different encryption service if OMEv1 goes away.


Im not downing O365, I think its great and especially for the price.  They just need to give us some options with this and use overkill with OMEv2

Senior Member

We are only using the two RMS Templates:


The above is from an ETR/Mail Flow rule I setup to test. When I send attachment (Excel) to that non Office 365 email address I receive the email stating 'Galvin, Mark (mark.galvin@xxxxxxx.co.uk) has sent you a protected message.'. I have click the link and it opens in the OME Portal. I have then clicked the 'request one-time passcode to view the message' (as I am testing this from the perspective of a user that does not have Office 365 or any other Microsoft account). Once the one time passcode arrives in my non Office 365 account, I copy the passcode and it opens the email in the OME portal. I then am able to download the Excel file and open without any issue.


Using same Office 365 account I can use the 'Protect' --> 'Encrypt' option in OWA:


Same result as the ETR/Mail Flow rule - perfect.


Now, we mainly use Outlook 2016 ProPlus so I need that Encrypt option to appear in Outlook Desktop. I had read from here that we need to have at least the 1804 build, so I have updated to the 1806 version:



Restarted Outlook and I do not see the Encrypt button anywhere. I have tried under 'Options' then 'Permissions' but just see the 'Connect to Rights Management Server to get templates' and when I click on that nothing happens.


I have installed the AIP Client (we have the Azure Information Protection Plan 1 license on top of our E3 license) but that only gives me any Labels setup in AIP Portal and not the Encrypt option. It does give me the Do Not Forward option but when I click on it it gives error.


Any one know how to get working please?





Senior Member

Managed to get it to work although I'm not sure if it was this or just being patient! I sent a test email from OWA to an external account (which also has a redirect all incoming email back to my Office 365 account). when I tried to open that encrypted email I get:

Microsoft Outlook
Sorry, something went wrong opening Information Rights Management protected content. The request is not supported.


Before that appeared, a box briefly appeared what looked like it was connecting to the server and then in a new email:


Senior Member

I have sent a test email from Outlook (Office 365 E3) to my iCloud and another Office 365 (Business Premium) that I have. 


iCloud - works perfectly. I get the 'Galvin, Mark (mark.galvin@) has sent you a protected message.' email and I get click the link to open the OME portal and get the one time pass code etc- cool.


Other Office 365 account - when I double click that email in Outlook I get the 'Sorry, something went wrong opening Information Rights Management protected content. The request is not supported.' error. Open OWA for that second account and in the message preview window I see the email and its attachment. Double click it and:



Any ideas here?





Quick update on cross-tenant bug in Outlook desktop: the fix is available in Build 16.0.10219.10000+. Customers on the Insider channel can test it out today.  Customers on the production monthly update channel will get the update July 24thish.  

Senior Member

@Salah AhmedAny news on Outlook Desktop Users not able to open Sent Items they have sent with OME Encryption? They can of course open in OWA but our users need to have that functionality within the Desktop Client.

Occasional Contributor

@Salah Ahmed   So what exactly was fixed?  ANything to do with attachments "not" having IRM applied automatically?

Occasional Visitor

@Salah Ahmed Looking at setting up OME V2 to replace V1 which we currently use. Sending out is great and a lot easier for external recipients however when they reply I can’t automatically decrypt using a transport rule like I can on V1. Currently got a case open with MS, should this work? If not how are you expecting users to read the message? All users use Desktop version of Outlook, some using older versions. OWA is not used and disabled for security reasons so they can’t use that to open the messages either. If this is not going to work I’ll have to find and use an alternative.

@Mark Galvin and @Gary Howard, I dropped in to this post looking for a more graceful solution than the one I have found to the exact issue you have reported regarding the following error message when attempting to open an OMEv2 encrypted message in the Outlook desktop client:

"The logged in users could not be authenticated.  Please check your credentials or try signing out and signing back in"


FWIW, you can also confirm the (non)functionality of Office IRM/credentials when selecting to encrypt a message using the "Options/Permission/Connect to Information Rights Management server" dialog in a new message. If message protection templates are missing, it is a pretty good sign that IRM/OMEv2 is not going to work.

I have resolved this issue on 99% of my systems with the following procedure:

  1. Ensure Office 365 is 1805 or higher
  2. Force an "Office 365 authentication event" by signing the user out of Word or Excel through the "switch account" interface. Clicks are:
    • "Switch account" (top right on opening Word or Excel)
    • "Sign out" at the top of the new dialog box
    • "Sign out" next to the name in the same dialog box
    • Click "yes"
    • Dialog box closes, click "Sign In" at the top right
    • User logs in with Office 365 credentials
  3. Usually it is best to perform this with Outlook closed, then reopen Outlook after forcing the sign-in event
  4. Click on an encrypted message, wait 5-10 seconds (presumably for the very first authentication event)
  5. FINALLY read encrypted messages as intended

This fix only appears to be necessary for the first time a user opens an encrypted message, I have not had to repeat these steps in several weeks of usage after performing this fix. I am not running the AIP client on any machines. 


This failed for me on ONE machine only, I went to Credential Manager instead and wiped out everything that was cached for MSOffice, then repeated the steps above with success. It appears clearing saved credentials might also be a solution but I haven't had enough test cases to know for certain.


Hope that helps for your environments, and I hope MS comes up with something better with regards to documentation surrounding the initial use (and failure) of encrypted messages in the Outlook desktop client. 

Senior Member

@Jonathan Altschul


Thanks for that. Followed the steps you posted (crossing fingers & toes) but it still didn't work :-(


I sent an email from Office365  - Company A. Version 1807 Build 10325.20075). I selected Encrypt from the Options/Permissions list. Attached CSV file and sent the email to Office 365 - Company B.


Office 365 - Company B Version 1806 Build 10228.20134. Email recieved and I can see its encrypted. Try to open it and I get:

"The logged in users could not be authenticated.  Please check your credentials or try signing out and signing back in".


From Company A I can open the Sent Item so that is now fixed (it wasn#t working before today's update).


From Company B OWA I can access the email with out fail.


sad face.

@Mark Galvin, sorry to hear that didn't help. I should have also clarified that my environment is 95% Windows 7 and we have a mix of Office builds 9330 up to 10228. On the one machine for which the steps above did not work I took a shotgun approach so I don't know which may have actually resolved the issue (high stress users, never easy to take a scientific approach to problem resolution). In that separate case I performed the following:


  1. Deleted everything in Credential Manager related to Office
  2. Applied the regfix/workaround from here https://support.microsoft.com/en-my/help/4025962/can-t-sign-in-after-update-to-office-2016-build-16-...
  3. Rebooted
  4. Signed them out of Office 365 via Word and back in again
  5. Opened Outlook, success


On a related note, I just tried clearing everything from Credential Manager on a machine exhibiting the error without performing the sign out/in procedure without success (no reboot though...shouldn't be necessary?) After performing the Office 365 account sign out/in process (no reboot) the encrypted messages opened as advertised. 

Regular Visitor

@Jonathan Altschul


Unfortunately I have the same issue as Mark Galvin and can confirm that I am experiencing the same behaviour. I have attempted your fix Jonathan, but without success.



Company A  (OMEv2 tenant) is sending encrypted emails to Company B (recently upgraded OMEv2 tenant). Emails can be viewed via OWA mail client, but not Outlook desktop client. Persisting with Authentication/Login failed prompts. Encrypted Emails within the domain are functional and default RMS templates are downloaded and available on user's clients.


Our variations

Environment = Win 7 x64 | Latest patches.

Office = 365 Pro Plus click-to-run (E3 licences) | Current production version x86 1805 16.0.9330.2087

OneLogin Proxy for O365 login and various other apps.



1. Tested outside of our environment to exclude OneLogin causing said authentication issues. Result = same as inside Domain/LAN.

2. Completely uninstalled Office via the o15-ctrremove.diagcab tool. 

3. Cleared all Credential Manager entries related to Office16. 

4. Checked for Registry entries under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity. The whole Identity folder was missing after uninstall, so no change there.

5. Rebooted.

6. Installed fresh version of the production version above, then immediately updated to 1807 10325.20075 click-to-run prior to opening desktop mail client.

7. Run mail client following the above, created new profile, sync, etc. then attempted to open the third party encrypted mail. Result = Fail again, same authentication message.


Message Sequence as follows:


1. Configuring your computer for Information Rights Management.....

2. The logged in users could not be authenticated. Please check your credentials or try signing out and signing back in. OK.

3. Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Cannot read item. OK.




This to me seems to be clearly a bug! The question is, how long will we have to tolerate this behaviour???


MS care to comment? I can confirm "Restart Outlook" doesn't work!


Senior Member

@Jonathan Altschulthanks for that.


It seems @George McDonald and I are having exactly the same issue here. Microsoft need to resolve these issues - @Caroline Shin @Salah Ahmed any updates from your side. My UK based clients could really do with this working for GDPR (which came into affect May 25th). Using OWA is not an option for these clients.


Can we please have some feedback?

Senior Member

I do find the irony somewhat staggering that OMEv2 works well for sending straight-forward messages (no attachments) to everyone apart from other Office 365 users. We can successfully send tests to Gmail users, and other non Microsoft email platforms, but messages to our sister company which is a an unconnected tenant) cannot be opened from Outlook.


Hopefully when the July/Aug updates roll out for Outlook desktop this will be resolved.

Regular Visitor

For the purposes of completion regarding the subject to not being able to view encrypted emails from Outlook, MS Tech support got back to me and requested that I apply a PS command "Set-AadrmOnboardingControlPolicy" (see attached).


I was advised to wait 60 minutes after applying the change to our tenant to view the result. I did this end of play on a Friday and didn't test until next Monday. The result = no change! Oddly enough, another 24hrs later and I was able to view the encrypted email via message presented by O365 in the body of the email requesting to click a link which opened it's own IE session and the body of the actual encrypted email from the third party. In essence, click the link and we'll open the content via a standalone OWA session. This was on software running version 1806 that was earlier than the one stated below.


The client advised that the behaviour I was seeing is how they are able to view encrypted emails, until they upgraded to 1806 (Build 10228.20080 C2R), after which the email body and content opens inside the Outlook UI and not an OWA session.


I though, great, all I have to do now is upgrade to the latest version, so now I'm running 1807 (Build 1035.20082 C2R) and.........back to square one again. Not access to encrypted content and back to the user rights management messages as described in a post above.


I know that MS are working in the background on this, but it doesn't inspire much confidence, as they provide bandaid's then break everything again??? Some of us don't have weeks to be guinea pigs for MS's product testing!


Appaling and Irresponsible behaviour!

Regular Visitor


Occasional Contributor

All I want is for the new OME is to stop applying IRM to attachments in encrypted emails to other O365 tenants! I know how to stop it for non-O365 users but not with other tenants......or at least give us the option to turn it off.  It should be our right to add IRM to a document or not.


Then ability to remove encryption from attachments for all recipients for the Encrypt-only template is coming soon. It will show up as an IRMConfiguration setting DecryptAttachmentForEncryptOnly. Eta is 1 month for full worldwide deployment. 

Occasional Contributor

Once the ability to remove IRM from attachments, I think most problems will be solved with people have problems with the rights managements in Outlook because most people just want to encrypt the email and not necessarily apply IRM to attachments.

Regular Visitor

@Salah Ahmedis it possible to get access to test the DecryptAttachmentForEncryptOnly for our tenant? /Christian

New Contributor

Hi everyone, I need help to create a new AIP button, with the Encrypt-Only protection, available from the Outlook Desktop app (Office 2016 suite).

The idea is to have the same experience that we have with the DNF protection but with the Encrypt-Only protection.


Do you if it's possible to do that yet ? Or when the feature will be available in our AIP admin portal?

Today I can only see the Encrypt-Only option from Outlook online (from O365 portal)...

Thanks in advance for your help !


Occasional Visitor

I'm curious if there's any update on when this functionality will be making it's way into the Outlook 2016 client for macOS. This is a lifesaver for our company from a workflow perspective, but unfortunately most of our user base our on macOS clients. I would love to be able to take advantage of this with them!

Frequent Visitor

We are having some major issues with OMEv2. When using the "Do Not Forward" template with a transport rule, our partner company (also an Office 365 tenant) can open the encrypted emails. However, we do not want to limit their ability to print/save. So we've tried using the "Encrypt" (called "encrypt-only" here) template, and those users cannot open the email in Outlook at all. It gives a popup error reading "The application received an unexpected response from the Rights Management server due to a misconfiguration or a server error."


Another external Office 365 user couldn't open an email in the Office 365 web client using Internet Explorer, they got an error "The message you tried to open is protected with Information Rights Management and can only be opened using Outlook. Download a free trial of Microsoft Outlook."


This is ridiculous. We are a healthcare agency and we rely heavily on encrypted emails actually working...

Regular Visitor
Allow admins to remove Rights added to attachments when encrypting with the new OME The new Office 365 message encryption OME automatically adds rights to attachments and says who can open the attachment when encrypting an email. A Lot of our recipients cannot open the attachments because the rights/permissions were added wrong to the attachment. I also, we want them to beable to share the attachment but they cannot because it is rights protected. Admins should be allowed to not have rights protection added to an attachment when we simply want the email encrypted. I am already seeing alot of issues with this and people not being able to open attachments. It will be a big mess if you do not allow to not add rights protection to attachments. Please vote for this issue at the user voice page. https://office365.uservoice.com/forums/264636-general/suggestions/34523527-allow-admins-to-remove-ri...
Senior Member

Hello all


I was eagerly awaiting the update and I can now see the DecryptAttachmentForEncryptOnly option in our tenant. I turned it on, on Monday:



I then sent a test email (Outlook 2016 (1807 Build 10325.20082)) to my other Office 365 tenant and used the 'Encrypt Only' option. Email received and when I try to open it in Outlook 2016 (1807 Build 10325.20082) I get:

RMS Error.png


Any help here would be great.




Established Member

Another external Office 365 user couldn't open an email in the Office 365 web client using Internet Explorer, they got an error "The message you tried to open is protected with Information Rights Management and can only be opened using Outlook. Download a free trial of Microsoft Outlook."

Having this issue also, would appreciate any insight into how our partner agency can access the encrypted message.

Regular Visitor

Please vote for this issue at the user voice page so that Microsoft will hear our issue. https://office365.uservoice.com/forums/264636-general/suggestions/34523527-allow-admins-to-remove-ri...

Occasional Contributor

I am testing this with 2 users, both users have the same licenses.  


User 1: Has full functionality in Outlook Desktop

User 2: Does not get the Permission options in Outlook Desktop

Any one know what could cause this? 


Tool Bar.png

Frequent Contributor
Any update on this? The roadmap item has been marked complete but so far the only Outlook desktop client that supports inline decryption that I've tested is O365 ProPlus on the Monthly - Targeted track.
Established Member

We are having the same issue. Users with Outlook 2016 and Exchange Online licenses are getting the message "The message you tried to open is protected with Information Rights Management and can only be opened using Outlook. Download a free trial of Microsoft Outlook." Does this require a Click-to-Run version of Outlook, in order to read the messages?

Senior Member

I had hoped this would all be in place for Outlook 2016 users by now but either its not or I'm missing something obvious! 


Two Office 365 E3 Tenatns (same tenants I have posted on here about before). 


I have updated both PCs for both tenants to 'Outlook 2016 1808 Build 10730.20088 Click-To-Run'. 


On PC 1, in a new email under Permissions's all OME option gone :-( (was there before!!). Checked Office 365 Tenant and OME tests fine:


On PC 2 I see 'Encrypt Only' and 'Do Not Forward. Sent test email from PC 2 to PC 1. On opening the email on PC 1 I get "The logged in users could not be authenticated. Please check your credentials, or try signing out and signing back in.".


As any one managed to get this to work?

Occasional Contributor

Does anyone know how to apply an inbox rule in Outlook Web Access on any emails received with protection enabled? 


User wants all protected emails to route to a specific sub folder. 

Occasional Contributor

@Stefanie Cortese Tricky question! I first tried searching the body for the text "Do Not Forward" or "Encrypt: This message is encrypted. Recipients can't remove encryption" ... but the rules can't see that ... which would make sense.


However, if you look for this in the message header "Microsoft.Exchange.RMSApaAgent.ProtectionTemplateId" - which the rules can see, I got incoming encrypted messages to route to a subfolder. This header exists for both Do Not Forward and Encrypt-Only, although the template IDs should be different.


Does this work for you? 

Senior Member

We are receiving the error as well and it's only when sending to another Office 365 tenant.  I currently have an open ticket with MS on this, but so far it is just gathering information from my tenant as well as a customer's tenant.  so, it's not progressing very fast.  I will send an update as soon as we come to an end.

You can add another frustrated admin and end-user to this list. Office Enterprise E3 with Office Pro Plus installed, including the Azure Information and Protection Client. Outlook version 1809 build 10827.20138 Manually created labels, which i can apply to an email, will result in that a external recipient won't be able to open it. I have to add the domain into the label to get things working properly.... Why is it so difficult to create an Encrypt button and a Do not Forward button in the Outlook desktop Client. I can't get my head around this. If i understand correctly, the Azure Information and Protection Client, is not adding anything positive to the Outlook desktop Client, end user experience.

If you have the latest Outlook ProPlus version, and still not seeing the Encrypt, you should open a support ticket with Outlook desktop.

Senior Member

Anyone else experiencing this error?  When sending encrypted message to another 365 tenant, This error appears upon trying to open the email.

ome-error (2).jpg


Occasional Contributor

@Brian Phillips

We all are.  I just got a w weeks worth of back and forth emails with Microsoft about this issue.  I had to show all kinds of proof that my settings were right and the problem was still there so they can send the case up to the next tier.  Its actually is getting worse for me, even an encrypted
email with no attachment gives me the same error when sending from one  tenant to a different one and both using Outlook.


If you check the encrypted email with OWA, everything works great and also works great when sending to a gmail or yahoo user.  Its Outlook desktop that is the only problem.

Occasional Contributor

We have been working with Microsoft and the members of the 365 data loss prevention team. They have found some areas that they are going to "tweek" according to them. While they could not provide an ETA at this time, I believe they now understand the issue and are working to find a resolution.


Senior Member



We also have several O365 customers that cannot read encrypted mail in Outlook client. OWA works fine.

The error is: 

  • "The application received an unexpected response from the Rights Management server due to a misconfiguration or a server error"

Have opened a ticket with MS but they only want proof of the version of O365 used, and they haven´t been able to help so far. So hopefully they will get a fix soon, or someone here finds a solution themself. One thing I noticed is that this is just O365 tenants on domain joined computers with an on-premise AD. Anyone else noticed the same?


Senior Member

We are experiencing the same issue with other tenants that use Office 365.  We have no problems with clients that don't use Office 365 for their email.  We were wanting to discontinue the use of our secure email provider, but OMEv2 has been one problem after another.