SOLVED

External users cannot open encrypted email

Hi all, I searched the communities but couldn't find the answers I need in regards to Office 365 Message Encryption.

 

We have a customer that wants to send encrypted emails from Outlook.

 

When a non-Microsoft recipient (e.g. a Gmail user) receives these emails they cannot open them. They get the following:

[screenshot attached: the message shown to the Gmail recipient]

It's my understanding that external recipients should be able to view encrypted email as per this article.

 

Can someone please help?

 

The sending user has a Microsoft 365 Business Premium license, and Azure Information Protection is active under the 365 tenant.

 

Thanks


Ash


@ashmelburnian 

 

Hi, my experience with this is that non-Microsoft users such as Gmail will have to enable their accounts as Microsoft accounts. Are the Gmail users not being prompted to do this?

Thanks for your quick reply.

I sent a test email to a Gmail account (not connected to a Microsoft account) which showed the message in my post above. No prompt to "Click here to read your message".

I still get the same message after connecting a Microsoft account. :(

@ashmelburnian 

 

OK, can you please show me the steps you are taking when you protect the message?  

@PeterRising The user selects any of the following Encrypt options:

[screenshot attached: the Encrypt options offered in Outlook]

@ashmelburnian 

 

Will send you a DM with my Gmail address.  If you are happy to send me a test message it would be good to see the experience?

@ashmelburnian Hey guys, this is interesting so I'm going to enter the conversation as well :) The first two options are associated with OME (built-in Office Message Encryption) and the two others are the pretty old default policy templates from AIP, not being created as of April 2019 for new customers. When using OME the external (anonymous) recipients should indeed get a link to enter the OME portal, either with their social ID or a passcode depending on the OME configuration. Perhaps this is old news for you, I just wanted to say something entering the conversation!

best response confirmed by ashmelburnian (Brass Contributor)
Solution

@ashmelburnian 

 

Hi, I received your test message and whilst I was unable to access it via the Gmail web interface, I was able to open it via Outlook using the AIP viewer.  This is going to be the only way that the Gmail users will be able to do this.

 

As @ChristianBergstrom pointed out, the options you are using for encryption are the built-in OME / and older default AIP templates.  I would recommend taking a look at updating your labels and policies.  Could be a good time to start looking to migrate to Sensitivity Labels from the Security and Compliance Center, as Microsoft are planning to "sunset" the older AIP method in 2021 as per https://techcommunity.microsoft.com/t5/azure-information-protection/announcing-timelines-for-sunsett...

 

But, for the meantime, if you want Gmail accounts to access the encrypted emails, then Outlook and the AIP viewer is going to be the way.

Thanks for all the help. It looks like we'll need to look at a third party solution for the customer's requirement to send encrypted emails to non-Microsoft clients.

@ashmelburnian Hey! There's really no need to look for third-party solutions when you have them built-in with your subscriptions. Not only in Office Message Encryption but you mentioned AIP as well. If you don't want to update your AIP settings or migrate to the unified labeling experience you could at least configure OME (for the end users to choose as an option, or as a mail flow rule) as it should solve the particular external encryption issue.

 

"All Microsoft 365 end-users that use Outlook clients to read mail receive native, first-class reading experiences for encrypted and rights-protected mail even if they're not in the same organization as the sender. Supported Outlook clients include Outlook desktop, Outlook Mac, Outlook mobile on iOS and Android, and Outlook on the web (formerly known as Outlook Web App).

Recipients of encrypted messages who receive encrypted or rights-protected mail sent to their Outlook.com, Gmail, and Yahoo accounts receive a wrapper mail that directs them to the OME Portal where they can easily authenticate using a Microsoft account, Gmail, or Yahoo credentials.

End-users that read encrypted or rights-protected mail on clients other than Outlook also use the OME portal to view encrypted and rights-protected messages that they receive."

 

OME FAQ

https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-faq?view=o365-worldwide

@ChristianBergstrom 

 

Completely agree with this!

 

@ashmelburnian 

 

If you go third party I think you will ultimately end up with further frustrations. It's all there for you with Microsoft.  It's just a matter of finding the right settings that work for you.  :smile:

@ChristianBergstrom  Thanks for your help. I'm beginning to understand the process now.

 
I'm currently working through https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-new-message-encryption-capabilities... and have run into the following PowerShell warning & failure:
 
Test-IRMConfiguration -sender user@domain.com
 
Results : Checking Exchange Server ...
              - PASS: Exchange Server is running in Datacenter.
          Loading IRM configuration ...
              - PASS: IRM configuration loaded successfully.
          Retrieving RMS Certification Uri ...
              - WARNING: Failed to retrieve RMS Certification Uri.
 
          OVERALL RESULT: PASS with warnings on disabled features
 
Test-IRMConfiguration -RMSOnline
 
Results : Checking organization context ...
              - PASS: Organization context checked; running as tenant administrator.
          Loading IRM configuration ...
              - PASS: IRM configuration loaded successfully.
          Checking RMS Online tenant prerequisites ...
              - PASS: RMS Online tenant prerequisites passed.
          Checking RMS Online authentication certificate ...
              - PASS: The RMS Online authentication certificate is valid.
          Checking that a Trusted Publishing Domain can be obtained from RMS Online ...
              - FAIL: Failed to obtain a Trusted Publishing Domain from RMS Online.
          ----------------------------------------
          RMS Online error code: TenantIdNotFound
          Microsoft.Exchange.Management.RightsManagement.RmsOnlineImportTpdException: RMS Online returned an error for
          tenant with external directory organization ID 123456-789-abcd-b882-fdfef4302be3
             at Microsoft.Exchange.Management.RightsManagement.RmsUtil.ThrowIfErrorInfoObjectReturned(TenantInfo
          tenantInfo, Guid externalDirectoryOrgId)
             at Microsoft.Exchange.Management.RightsManagement.RmsOnlineTpdImporter.Import(Guid externalDirectoryOrgId)
             at Microsoft.Exchange.Management.RightsManagement.RMSOnlineValidator.ValidateTPDCanBeObtainedFromRMSOnline
          (RmsOnlineTpdImporter tpdImporter, TrustedDocDomain& tpd)
          ----------------------------------------
 
          OVERALL RESULT: FAIL
 
 
There are no default RMS templates to select under Exchange mail flow rules:

[screenshot attached: the empty RMS template list in the mail flow rule editor]
 
Can you please assist further?
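The following is an added example, not code posted in the thread, showing the Exchange Online PowerShell steps that correspond to the setup article referenced above and to the OME FAQ excerpt quoted earlier (the one-time passcode and social-identity sign-in for Gmail and Yahoo recipients). It assumes the ExchangeOnlineManagement module is installed and the session is run as a tenant administrator; the sender address, rule name and keyword are placeholders chosen for this example.

```powershell
# Added example (not from the thread): verify and enable the new OME
# capabilities in Exchange Online, then expose them to users and to mail flow.
# Assumes the ExchangeOnlineManagement module and an admin account.
# admin@domain.com / user@domain.com are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@domain.com

# 1. Azure RMS licensing must be enabled for Exchange Online. A FAIL on
#    "Trusted Publishing Domain" in Test-IRMConfiguration -RMSOnline, or an
#    empty template list in the mail flow rule editor, usually means it is not.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

# 2. Re-run the checks shown in the post; both should end with
#    "OVERALL RESULT: PASS" once the tenant is provisioned for RMS.
Test-IRMConfiguration -RMSOnline
Test-IRMConfiguration -Sender user@domain.com

# 3. The built-in templates should now be listed; "Encrypt" and
#    "Do Not Forward" are the two the new OME uses.
Get-RMSTemplate | Format-Table Name, Type

# 4. Portal settings for external recipients (Gmail, Yahoo, ...): allow the
#    one-time passcode and sign-in with a Google/Yahoo/Microsoft identity.
#    "OME Configuration" is the default configuration object name.
Set-OMEConfiguration -Identity "OME Configuration" -OTPEnabled $true -SocialIdSignIn $true
Get-OMEConfiguration | Format-List Identity, OTPEnabled, SocialIdSignIn

# 5. A mail flow rule that applies the built-in "Encrypt" template when the
#    subject or body contains a keyword (rule name and keyword are this
#    example's own choices).
New-TransportRule -Name "Encrypt on keyword" `
    -SubjectOrBodyContainsWords "[encrypt]" `
    -ApplyRightsProtectionTemplate "Encrypt"
```

After step 1 the tenant can take some time to be provisioned on the RMS side, so a first re-run of Test-IRMConfiguration -RMSOnline may still fail; rerun it before changing anything else. Step 4 is what gives a Gmail recipient the "sign in or use a one-time passcode" choice on the wrapper mail's "Read the message" link.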
Thanks for all the help! Those 2 articles got me across the line.
That is great news! Well done!

We had been using the previous version of OME; however, encryption via the mail flow rule that was set up stopped working for one user some time ago. Other accounts, and new ones, were not affected. Suddenly on December 16 the previous version of OME stopped working for all. We switched to the new version, Azure Information Protection. It works for internal staff members who are using the Outlook client. It does not work for external recipients, as described by telecaster below. We have read extensively on what to do, reviewed the steps provided below, and have run numerous PowerShell scripts that are published in Microsoft's extensive library. All our efforts have not brought us closer to collaborating securely with outside users, which we were able to do with the previous version of OME before December 16. And our internal users cannot decrypt their secure messages when signed in to Outlook Web Access e-mail. Does anyone have suggestions? Where do we go from here?

@piekedahla Hi, this is a rather delicate subject to try to explain in the community. So I'm just going to start by saying that as I understand it you've been using legacy OME (only mail flow rules possible) and then you have moved on to AIP. What you could have done is to upgrade to the new OME instead of going over to using AIP. OME is built on Azure RMS as part of AIP, securing only the email/attachments, while AIP secures the documents wherever they may be in all products and services. If you do use AIP labels right now you need to migrate to the sensitivity labels before March 31st.

 

You mentioned you have read extensively but I wonder if you have been reading the associated docs? I'm attaching a couple of links; if it still doesn't make sense I recommend you contact Microsoft for assistance.

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/ome?view=o365-worldwide

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-new-message-encryption-capabilities... 

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-version-comparison?view=o365-worldwide... 

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-faq?view=o365-worldwide 

 

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels 

Sorry if this is somewhat off the beaten path. Perhaps it is a piece of the puzzle.
I use Microsoft 365 for Family. So, it is indeed M365.

Using Outlook on the Web (OWA).

It offers the Encrypt function when sending a new email.

When I send to an M365 Family recipient, and/or an "Outlook.com personal account", the recipient can open and read the encrypted email. Recipient using OWA on Chrome. Recipient sees a lock icon in the Inbox list, and when the message is open it shows the message: This message is encrypted.

So...it works OK.

----

However, the same email, sent to a recipient using Google gmail.com, cannot read the email.

The gmail recipient receives the email.

(note: it always seems to be delayed by about 10 minutes).

Sees: "--- has sent you a protected message." A blue box with "Read the message".

When the recipient clicks on that blue box,  sees this:

--

Sorry, we can't display your message right now
Something went wrong and your encrypted message couldn't be opened.
Please try again by following the instructions in the original email message in 5 minutes.

--

With M365 Family I probably do not have any "Exchange system admin" tools.

---

Note: a few months ago, this did indeed work correctly. The Gmail recipient was asked to log on with an account or receive a one-time code. The recipient used the one-time code, and was then able to read the encrypted email.

 

Thanks.


@ChristianBergstrom, we already had reviewed all the articles you referenced. None of them help. We seem to be configured properly. Our mail flow rules work for internal users. Again, the previous version of OME worked for everyone until December 16. The new version never worked for outside recipients. We want them to be able to request a one-time passcode. They do not get the option. We also tried to enable those with Gmail and other major provider accounts the ability to sign in. None of the steps we have taken have resolved the issue. We still cannot collaborate securely with our outside partners. The change in our ability to manage our encryption capabilities continues to be a mystery.

@Mike-Moon-Crater, thanks for the information. It did not help. Our outside recipients are not given the options you describe. 
