O365 Email Encryption to internal tenants not working

%3CLINGO-SUB%20id%3D%22lingo-sub-2468443%22%20slang%3D%22en-US%22%3EO365%20Email%20Encryption%20to%20internal%20tenants%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2468443%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EWe%20are%20using%20O365%20Business%20Premium%20E1%20license.....We've%20created%20new%20exchange%20rule%20for%20encryption%20for%20one%20of%20the%20test%20user%20only%20and%20assigned%20the%20Right%20mgmt%20license%20to%20that%20specific%20user%20but%20while%20sending%20an%20email%20with%20encrypt%20option%20enabled%20it%20works%20only%20for%20Gmail%20services%20whereas%20internal%20tenants%20and%20Hotmail%20appears%20plain%20text%20with%20a%20mail%20tip.%3C%2FP%3E%3CP%3Echecked%20the%20rule%20is%20correctly%20configured%20but%20Right%20mgmt%20service%20shows%20disabled%20tried%20to%20manually%20activate%20the%20service%20but%20didn't%20work%20so%20we've%20raised%20the%20ticket%20to%20Microsoft%20to%20investigate%20on%20this%20and%20as%20per%20their%20confirmation%2C%20Encryption%20works%20only%203rd%20party%20services%20like%20Gmail%20not%20for%20own%20domain%20users%20and%20Hotmail.%3C%2FP%3E%3CP%3EHowever%2C%20I%20disable%20the%20encryption%20rule%20and%20remove%20the%20Right%20mgmt%20license%20to%20everyone%20yet%20all%20users%20can%20still%20able%20to%20send%20encrypt%20msg%20to%20Gmail%20and%20it%20works%20but%20not%20for%20internal%20users%20and%20Hotmail%2C%20I've%20attached%20the%20IRM%20test%20config%20for%20your%20easy%20reference%2C%20kindly%20review%20and%20advice%20if%20this%20is%20normal%20or%20do%20I%20need%20to%20do%20some%20changes%20in%20order%20to%20work%26nbsp%3B%3C%2FP%3E%3CP%3EAppreciate%20your%20support.%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2468443%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%20Encryption%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2469005%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Email%20Encryption%20to%20internal%20tenants%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2469005%22%20slang%3D%22en-US%22%3EHave%20you%20gone%20through%20this%20article%3F%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fset-up-new-message-encryption-capabilities%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fset-up-new-message-encryption-capabilities%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2469101%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Email%20Encryption%20to%20internal%20tenants%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2469101%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F588790%22%20target%3D%22_blank%22%3E%40ChristianJBergstrom%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EAs%20said%2C%20Right%20mgmt%20service%20still%20disable%20whereas%20IRM%20config%20says%20pass%20result%2C%20pls.%20find%20attached%20snapshot.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Rmartin0000_0-1624362987631.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F290477i6098B59011226C4E%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Rmartin0000_0-1624362987631.png%22%20alt%3D%22Rmartin0000_0-1624362987631.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Rmartin0000_1-1624363057235.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F290478i94443F0B2F55463F%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Rmartin0000_1-1624363057235.png%22%20alt%3D%22Rmartin0000_1-1624363057235.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2469270%22%20slang%3D%22en-US%22%3ERe%3A%20O365%20Email%20Encryption%20to%20internal%20tenants%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2469270%22%20slang%3D%22en-US%22%3EAre%20your%20org%20in%20cloud-only%3F%20Have%20you%20migrated%20to%20unified%20labeling%20from%20AIP%20classic%3F%20What's%20the%20outcome%20with%20Get-AipService%3F%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fwhat-is-azure-rms%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fwhat-is-azure-rms%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EDo%20you%20want%20to%20use%20the%20new%20OME%20for%20encryption%20of%20email%20and%20attached%20documents%20only%2C%20or%20sensitivity%20labels%20for%20all%20services%3F%20(AIP)%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi,

We are using O365 Business Premium E1 license.....We've created new exchange rule for encryption for one of the test user only and assigned the Right mgmt license to that specific user but while sending an email with encrypt option enabled it works only for Gmail services whereas internal tenants and Hotmail appears plain text with a mail tip.

checked the rule is correctly configured but Right mgmt service shows disabled tried to manually activate the service but didn't work so we've raised the ticket to Microsoft to investigate on this and as per their confirmation, Encryption works only 3rd party services like Gmail not for own domain users and Hotmail.

However, I disable the encryption rule and remove the Right mgmt license to everyone yet all users can still able to send encrypt msg to Gmail and it works but not for internal users and Hotmail, I've attached the IRM test config for your easy reference, kindly review and advice if this is normal or do I need to do some changes in order to work 

Appreciate your support.

Thank you

9 Replies

Thank you @ChristianJBergstrom 


As said, Right mgmt service still disable whereas IRM config says pass result, pls. find attached snapshot.

Rmartin0000_0-1624362987631.png

 

Rmartin0000_1-1624363057235.png

 

 

 

Are your org in cloud-only? Have you migrated to unified labeling from AIP classic? What's the outcome with Get-AipService? https://docs.microsoft.com/en-us/azure/information-protection/what-is-azure-rms

Do you want to use the new OME for encryption of email and attached documents only, or sensitivity labels for all services? (AIP)

@ChristianJBergstrom 

 

Would like to know, Is there a way to encrypt email for internal tenants either outlook client / web based? regards to the AIP service pls. find below the outcome of AIP service.

 

Rmartin0000_0-1624427702012.png

 

 

Hi, well it looks good at least from what's being attached and judging from what you're saying you only want to encrypt email. Encryption with built-in Office Message Encryption is using Azure RMS part of the AIP and it's seamless (no further action required) unless using other products than Microsoft. So when encrypting internally for example, you don't have to do anything. You can either let the users choose between the options DNF or Encrypt-only or using a mail flow rule. If you need further assistance I suggest you reach out to the official support.

@ChristianJBergstrom 

 

our simple requirement is, to use encryption for both internal tenant & external domains irrespective of the platforms, same time we don't want all outgoing emails to be encrypt using exch. rule but selected users / group when needed.  currently encrypt is happening only for Gmail with or without exch. rule.

 

This issue is under investigation with MS since more than 2 months and based to their yesterday's confirmation, encrypt works only for 3rd party services like gmail not for internal / Hotmail. so would like to reconfirm if this is true?

That is not true. Of course you can use encryption with both internal and external users. The difference with Gmail for example is that you receive a "wrapper" with direction to the OME portal (or OTP). That is not necessary with Outlook.com (Hotmail). If only wanting to encrypt email one just use Office Message Encryption but if wanting to encrypt content in the other services internally/externally there are sensitivity labels.

@ChristianJBergstrom 

 

Thank you and appreciate your valuable suggestion!

Will check with MS on this and update accordingly.