Office 365 Azure Information Protection - Do Not Forward permissions

%3CLINGO-SUB%20id%3D%22lingo-sub-173079%22%20slang%3D%22en-US%22%3EOffice%20365%20Azure%20Information%20Protection%20-%20Do%20Not%20Forward%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-173079%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe're%20evaluating%20the%20different%20encryption%20options%20in%20Office365%20and%20ran%20in%20to%20a%20strange%20issue%20with%20the%20do%20not%20forward%20option%20that%20we're%20dynamically%20adding%20to%20a%20specific%20domain%20via%26nbsp%3B%20mail%20flow%20rules.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20we%20try%20to%20open%20the%20mail%20via%20the%20outlook%20desktop%20client%20we%20get%20a%20prompt%20saying%26nbsp%3B%20%22You%20are%20not%20signed%20in%20to%20Office%20with%20an%20account%20that%20has%20permission%20to%20open%20this%20message...%22.%20However%2C%20we%20are%20able%20to%20open%20and%20read%20the%20mail%20via%20outlook%20on%20the%20web%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBr%3C%2FP%3E%0A%3CP%3EMattias%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-173079%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-177444%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Azure%20Information%20Protection%20-%20Do%20Not%20Forward%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-177444%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20able%20to%20get%20this%20OME%20working%20for%20ONE%20day%20using%20my%20O365%20account%20as%20sender%20and%20my%20personal%20external%20e-mail%20as%20a%20receiver.%26nbsp%3B%20I%20tried%20to%20test%20with%20more%20staff%20and%20now%20all%20we%20get%20is%20blank%20pages%20when%20trying%20to%20view%20the%20protected%20messages.%26nbsp%3B%20I%20am%20trying%20to%20find%20if%20there%20is%20an%20outage%20for%20the%20service%20but%20I%20cannot%20find%20any%20mention%20on%20how%20to%20find%20known%20outages%20or%20incidents%20for%20the%20Azure%20OME%2FIRM%20service.%26nbsp%3B%20I%20have%20gone%20back%20over%20every%20configuration%20and%20the%20tests%20all%20return%20PASS%20but%20the%20web%20portal%20serving%20the%20messages%20just%20gives%20blank%20pages%20regardless%20of%20the%20browser%20being%20used.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-173501%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Azure%20Information%20Protection%20-%20Do%20Not%20Forward%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-173501%22%20slang%3D%22en-US%22%3E%3CP%3EShouldn't%20we%20at%20least%20get%20a%20rpmsg%20file%20or%20something%20then%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20followed%20the%20setup%20in%20this%20page%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FSet-up-new-Office-365-Message-Encryption-capabilities-built-on-top-of-Azure-Information-Protection-7ff0c040-b25c-4378-9904-b1b50210d00e%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESet%20up%20new%20Office%20365%20Message%20Encryption%20capabilities%20built%20on%20top%20of%20Azure%20Information%20Protection%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20it%20says%20%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EUnlike%20Office%20Message%20Encryption%20(OME)%2C%20these%20new%20capabilities%20provide%20a%20unified%20sender%20experience%20whether%20you're%20sending%20mail%20inside%20your%20organization%20or%20to%20recipients%20outside%20of%20Office%20365.%20In%20addition%2C%20recipients%20who%20receive%20a%20protected%20email%20message%20sent%20to%20an%20Office%20365%20account%20in%20Outlook%202016%20or%20Outlook%20on%20the%20web%2C%20don't%20have%20to%20take%20any%20additional%20action%20to%20view%20the%20message%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20it's%20a%20bit%20strange%20that%20it%20only%20works%20in%20outlook%20web%20app%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBr%3C%2FP%3E%0A%3CP%3EMattias%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-173488%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Azure%20Information%20Protection%20-%20Do%20Not%20Forward%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-173488%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20receiving%20side%20also%20needs%20to%20be%20configured%20(the%20templates%20are%20received%20once%20connected%20to%20the%20AIP%2FRMS%20service).%20If%20you%20are%20referring%20to%20the%20new%20%22OME%20protection%22%20feature%2C%20that%20one%20is%20only%20supported%20in%20the%20Insider%20builds%20of%20Office%20for%20the%20time%20being.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-173223%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Azure%20Information%20Protection%20-%20Do%20Not%20Forward%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-173223%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20one%20the%20receiving%20side.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20a%20test%20tenant%20that%20we%20are%20sending%20mails%20to%20(tenant%20B).%20So%20in%20tenant%20A%20we%20have%20our%20own%20mailboxes%20where%20we%20have%20enabled%20Azure%20Information%20Protection%2C%20and%20then%20we%20have%20created%20a%20mail%20flow%20rule%20saying%20that%20all%20mails%20going%20to%20tenant%20B%20should%20be%20%22%3CSPAN%3Erights%20protect%20message%20with%20RMS%20template%3A%20'Do%20Not%20Forward'%22.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAnd%20it's%20when%20we%20try%20to%20read%20the%20mail%20in%20tenant%20B%20that%20we%20got%20the%20error.%20But%20only%20in%20the%20desktop%20client.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-173210%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Azure%20Information%20Protection%20-%20Do%20Not%20Forward%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-173210%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20Outlook%20configured%20for%20IRM%20(New%20message%20-%26gt%3B%20File%20-%26gt%3B%20Set%20permissions%20-%26gt%3B%20Add%20the%20account)%20and%2For%20the%20AIP%20add-in%3F%20This%20is%20automatically%20configured%20in%20OWA%2C%20but%20for%20Outlook%20you%20still%20need%20to%20have%20it%20configured.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-173080%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Azure%20Information%20Protection%20-%20Do%20Not%20Forward%20permissions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-173080%22%20slang%3D%22en-US%22%3Edon't%20know%20what%20this%20means%20can%20you%20explain%20it%20to%20me.%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi,

 

We're evaluating the different encryption options in Office365 and ran in to a strange issue with the do not forward option that we're dynamically adding to a specific domain via  mail flow rules.

 

If we try to open the mail via the outlook desktop client we get a prompt saying  "You are not signed in to Office with an account that has permission to open this message...". However, we are able to open and read the mail via outlook on the web?

 

Br

Mattias

6 Replies
Highlighted
don't know what this means can you explain it to me.
Highlighted

Is Outlook configured for IRM (New message -> File -> Set permissions -> Add the account) and/or the AIP add-in? This is automatically configured in OWA, but for Outlook you still need to have it configured.

Highlighted

It's one the receiving side.

 

We have a test tenant that we are sending mails to (tenant B). So in tenant A we have our own mailboxes where we have enabled Azure Information Protection, and then we have created a mail flow rule saying that all mails going to tenant B should be "rights protect message with RMS template: 'Do Not Forward'".

 

And it's when we try to read the mail in tenant B that we got the error. But only in the desktop client.

Highlighted

The receiving side also needs to be configured (the templates are received once connected to the AIP/RMS service). If you are referring to the new "OME protection" feature, that one is only supported in the Insider builds of Office for the time being.

Highlighted

Shouldn't we at least get a rpmsg file or something then?

 

I followed the setup in this page:

Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection

 

And it says :

 

Unlike Office Message Encryption (OME), these new capabilities provide a unified sender experience whether you're sending mail inside your organization or to recipients outside of Office 365. In addition, recipients who receive a protected email message sent to an Office 365 account in Outlook 2016 or Outlook on the web, don't have to take any additional action to view the message

 

So it's a bit strange that it only works in outlook web app?

 

Br

Mattias

Highlighted

I was able to get this OME working for ONE day using my O365 account as sender and my personal external e-mail as a receiver.  I tried to test with more staff and now all we get is blank pages when trying to view the protected messages.  I am trying to find if there is an outage for the service but I cannot find any mention on how to find known outages or incidents for the Azure OME/IRM service.  I have gone back over every configuration and the tests all return PASS but the web portal serving the messages just gives blank pages regardless of the browser being used.