Office 365 Email Encryption OME

%3CLINGO-SUB%20id%3D%22lingo-sub-1824994%22%20slang%3D%22en-US%22%3EOffice%20365%20Email%20Encryption%20OME%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1824994%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-subject-wrapper%20lia-component-subject%20lia-component-message-view-widget-subject-with-options%22%3E%3CSPAN%3EI%20would%20like%20to%20implement%20OME%20within%20my%20organization.%20At%20initial%20glance%2C%20it%20seems%20to%20work%20great%20with%20the%20one%20time%20passcode%20approach.%20However%20I%20have%20noticed%20that%20if%20the%20recipient%20doesn't%20check%20the%20box%20to%20remember%20the%20passcode%20for%2012%20hours%20any%20subsequent%20response%20received%20result%20in%20a%20%22Authentication%20did%20not%20complete%20message%22.%20I%20have%20scoured%20the%20internet%20and%20there%20doesn't%20seem%20to%20be%20a%20setting%20to%20force%20the%20check%20box%20to%20be%20checked.%20The%20only%20way%20I%20see%20around%20this%20is%20to%20clear%20out%20the%20cookies%20for%20outlook.office.com.%20Does%20anyone%20have%20any%20suggestions%20on%20how%20to%20make%20this%20work%20correctly%20or%20can%20recommend%20a%20different%20approach%3F%20Thanks.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1824994%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1827427%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Encryption%20OME%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1827427%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362619%22%20target%3D%22_blank%22%3E%40Chris_Mancini%3C%2FA%3E%26nbsp%3BHi%2C%20would%20you%20mind%20elaborate%20on%20the%20post%3F%20You%20mean%20that%20if%20just%20using%20the%20default%20setting%20(15%20min%20limit%20on%20the%20OTP)%20and%20not%20checking%20the%20%22this%20is%20a%20private%20computer%22%20the%20users%20receive%20the%20message%3F%20Even%20though%20the%20OTP%20is%20used%20within%20the%2015%20minutes%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1827878%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Encryption%20OME%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1827878%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F551905%22%20target%3D%22_blank%22%3E%40bec064%3C%2FA%3E%26nbsp%3BYes%2C%20default%20setting.%20I%20send%20an%20email%20from%20Outlook%20to%20a%20test%20gmail%20account%20and%20choose%20Encrypt-Only.%20In%20the%20Gmail%20account%20I%20receive%20the%20email%20that%20says%20%22Read%20Secure%20Message%22.%20I%20am%20taken%20to%20a%20page%20that%20says%20%22Sign%20in%20with%20one%20time%20passcode%22.%20I%20click%20to%20receive%20the%20passcode%20and%20it%20is%20sent%20to%20the%20test%20gmail%20account.%20I%20am%20taken%20to%20a%20screen%20to%20input%20the%20passcode.%20There%20is%20the%20%22This%20is%20a%20private%20computer...%22%20checkbox.%20If%20I%20don't%20check%20it%2C%20then%20subsequent%20encrypted%20responses%20or%20new%20messages%20to%20the%20gmail%20account%20are%20sent%20to%20the%20account.%20However%2C%20when%20I%20click%20%22Read%20Secure%20Message%22%20I%20receive%20a%20page%20with%20%22Authentication%20did%20not%20complete%22.%20If%20I%20check%20the%26nbsp%3B%22This%20is%20a%20private%20computer...%22%20then%20everything%20works%20fine.%20Thanks%20for%20your%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1828059%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Encryption%20OME%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1828059%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362619%22%20target%3D%22_blank%22%3E%40Chris_Mancini%3C%2FA%3E%26nbsp%3BHi%2C%20I%20had%20to%20verify%20this%20so%20created%20a%20Gmail%20account%20and%20sent%20an%20OME%20%22encrypt%20only%22%20to%20the%20address.%20OTP%20was%20selected%20and%20a%20new%20code%20is%20always%20being%20used%20when%20replying%20or%20sending%20new%20emails%20to%20the%20Gmail%20address.%20I%20did%20not%20check%20the%20box%20to%20%22remember%20this%20device%20for%2012%20hours%22%20and%20am%20able%20to%20enter%20a%20new%20OTP%20code%20several%20times%2C%20that%20is%20for%20every%20new%20message%20and%20new%20replies%20as%20well.%20In%20other%20words%20I%20cannot%20reproduce%20your%20issue.%20I%20suppose%20it's%20browser%20related%20and%20the%20check%20box%20%22workaround%22%20you%20are%20using%20also%20suggests%20this.%20Have%20you%20tried%20using%20different%20browsers%20or%20maybe%20verify%20what%20differentiates%20your%20browser%20settings%20from%20default%20settings%20for%20example%3F%20Perhaps%20check%20with%20your%20own%20org.%20if%20you%20have%20several%20units%20managing%20applications%20(the%20browser).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1828315%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Encryption%20OME%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1828315%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F551905%22%20target%3D%22_blank%22%3E%40bec064%3C%2FA%3E%26nbsp%3BGood%20advice...I%20have%20been%20using%20Chrome%20on%20my%20company%20laptop%20and%20I%20tried%20MS%20Edge%20on%20the%20same%20device%20and%20experienced%20the%20same%20behavior.%20However%2C%20when%20I%20test%20with%20my%20personal%20Macbook%20with%20Chrome%20it%20functions%20flawlessly%20so%20it%20appears%20it%20may%20be%20an%20internal%20browser%20setting.%20I%20have%20no%20idea%20what%20setting%20may%20be%20causing%20this%20but%20it%20helps%20point%20me%20in%20the%20right%20direction.%20Do%20you%20use%20OME%20consistently%20and%2C%20if%20so%2C%20have%20you%20had%20any%20issues%20with%20encryption%20outside%20of%20your%20org%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1831046%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Encryption%20OME%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1831046%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362619%22%20target%3D%22_blank%22%3E%40Chris_Mancini%3C%2FA%3E%26nbsp%3BHello%2C%20even%20though%20it%20has%20been%20around%20for%20years%20there%20has%20been%20a%20stalemate%20in%20our%20org.%20due%20to%20legal%20technicalities%20(such%20as%20the%20key).%20This%20has%20progressed%20lately%20and%20now%20I'm%20involved%20in%20a%20pre-study%20as%20how%20OME%20%3CEM%3Eactually%26nbsp%3B%3C%2FEM%3Ebehaves%20when%20using%20the%20%22encrypt-only%22%20template%20with%20and%20without%20attachments%20that%20are%20being%20replied%20to%2C%20as%20well%20as%20forwarded%20to%20internal%2Fexternal%20individuals%20as%20second%2C%20third%20and%20forth%20recipient.%20One%20might%20think%20this%20should%20be%20pretty%20straightforward%20(and%20it%20is%20when%20only%20the%20sender%20and%20the%20initial%20recipients%20is%20involved%20to%20answer%20your%20question)%20but%20it's%20getting%20a%20bit%20complex%20when%20adding%20the%20others.%20This%20is%20not%20a%20common%20scenario%20and%20the%20unit%20in%20need%20of%20the%20encryption%20has%20a%20flow%20that%20is%20difficult%20to%20explain.%20So%20we'll%20see%20if%20they%20can%20use%20OME%20or%20if%20we%20need%20to%20look%20at%20another%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20short.%20OME%20is%20great%20and%20easy%20to%20use%20for%20all%20users%20in%20an%20org.%20but%20if%20you're%20looking%20at%20it%20from%20a%20%22encryption%20point%20of%20view%22%20you%20could%20say%20it's%20not%20%22asymmetric%22%20but%20rather%20a%20%22symmetric%22%20solution%20which%20is%20much%20easier%20to%20manage%20and%20use.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1832925%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Encryption%20OME%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1832925%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F551905%22%20target%3D%22_blank%22%3E%40bec064%3C%2FA%3E%26nbsp%3BGotcha%2C%20we%20have%20taken%20a%20look%20at%20our%20settings%20and%20can't%20figure%20out%20what%20is%20causing%20our%20original%20issue.%20If%20you%20or%20someone%20else%20has%20any%20further%20input%20it%20would%20be%20great.%20Thanks%20for%20your%20help%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1833087%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Encryption%20OME%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1833087%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362619%22%20target%3D%22_blank%22%3E%40Chris_Mancini%3C%2FA%3E%26nbsp%3BI%20have%20to%20ask%20what%20settings%20have%20you%20looked%20at%3F%20Should%20be%20something%20with%20the%20cookies%2Fsession%20as%20it%20only%20works%20when%20checking%20the%20box%20to%20be%20remembered.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1840120%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Encryption%20OME%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1840120%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F551905%22%20target%3D%22_blank%22%3E%40bec064%3C%2FA%3E%26nbsp%3BSo%20we%20did%20some%20further%20testing%20with%20home%20computers%20that%20aren't%20connected%20to%20our%20organization%20and%20had%20the%20same%20failure...these%20were%20Windows%20machines.%20So%20I%20am%20at%20a%20loss%20unless%20there%20are%20other%20ideas%20floating%20out%20there.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor
I would like to implement OME within my organization. At initial glance, it seems to work great with the one time passcode approach. However I have noticed that if the recipient doesn't check the box to remember the passcode for 12 hours any subsequent response received result in a "Authentication did not complete message". I have scoured the internet and there doesn't seem to be a setting to force the check box to be checked. The only way I see around this is to clear out the cookies for outlook.office.com. Does anyone have any suggestions on how to make this work correctly or can recommend a different approach? Thanks.
18 Replies

@Chris_Mancini Hi, would you mind elaborate on the post? You mean that if just using the default setting (15 min limit on the OTP) and not checking the "this is a private computer" the users receive the message? Even though the OTP is used within the 15 minutes?

@ChristianBergstrom Yes, default setting. I send an email from Outlook to a test gmail account and choose Encrypt-Only. In the Gmail account I receive the email that says "Read Secure Message". I am taken to a page that says "Sign in with one time passcode". I click to receive the passcode and it is sent to the test gmail account. I am taken to a screen to input the passcode. There is the "This is a private computer..." checkbox. If I don't check it, then subsequent encrypted responses or new messages to the gmail account are sent to the account. However, when I click "Read Secure Message" I receive a page with "Authentication did not complete". If I check the "This is a private computer..." then everything works fine. Thanks for your help.

 

@Chris_Mancini Hi, I had to verify this so created a Gmail account and sent an OME "encrypt only" to the address. OTP was selected and a new code is always being used when replying or sending new emails to the Gmail address. I did not check the box to "remember this device for 12 hours" and am able to enter a new OTP code several times, that is for every new message and new replies as well. In other words I cannot reproduce your issue. I suppose it's browser related and the check box "workaround" you are using also suggests this. Have you tried using different browsers or maybe verify what differentiates your browser settings from default settings for example? Perhaps check with your own org. if you have several units managing applications (the browser).

@ChristianBergstrom Good advice...I have been using Chrome on my company laptop and I tried MS Edge on the same device and experienced the same behavior. However, when I test with my personal Macbook with Chrome it functions flawlessly so it appears it may be an internal browser setting. I have no idea what setting may be causing this but it helps point me in the right direction. Do you use OME consistently and, if so, have you had any issues with encryption outside of your org?

@Chris_Mancini Hello, even though it has been around for years there has been a stalemate in our org. due to legal technicalities (such as the key). This has progressed lately and now I'm involved in a pre-study as how OME actually behaves when using the "encrypt-only" template with and without attachments that are being replied to, as well as forwarded to internal/external individuals as second, third and forth recipient. One might think this should be pretty straightforward (and it is when only the sender and the initial recipients is involved to answer your question) but it's getting a bit complex when adding the others. This is not a common scenario and the unit in need of the encryption has a flow that is difficult to explain. So we'll see if they can use OME or if we need to look at another solution.

 

In short. OME is great and easy to use for all users in an org. but if you're looking at it from a "encryption point of view" you could say it's not "asymmetric" but rather a "symmetric" solution which is much easier to manage and use.

@ChristianBergstrom Gotcha, we have taken a look at our settings and can't figure out what is causing our original issue. If you or someone else has any further input it would be great. Thanks for your help

@Chris_Mancini I have to ask what settings have you looked at? Should be something with the cookies/session as it only works when checking the box to be remembered.

@ChristianBergstrom So we did some further testing with home computers that aren't connected to our organization and had the same failure...these were Windows machines. So I am at a loss unless there are other ideas floating out there.

I'd like to hop on this thread and say that my organization is also seeing these issues. I have tested this myself by sending to a Gmail and I receive the same error. I do have an attached file. This is making things hard for our users because they're having to resend their emails when the recipient doesn't save the attachment.

@akeinath I knew this wasn't an isolated issue as I have seen this from other organizations. This company has even written up a troubleshooting section on their site for their clients.

 

https://www.atgf.com/tools-publications/receiving-or-sending-encrypted-email

 

Do the proposed workaround solve the issue for you as well then? (using InPrivate / Incognito windows).

I am not able to reproduce the authentication message.

@ChristianBergstrom If I use Incognito then it will do it again until I close the incognito window and re-open it. That makes sense if the issue is with cookies. I'm using the new Edge browser.

 

The email I'm sending is from my Exchange account to a Gmail account with a PDF attached to it. The users that reported it to me were also trying to attach and send to outside addresses.

Seems very inconsistent when reading your replies. Perhaps you need to open up support tickets with Microsoft to get a proper analyze/answer of what’s going on.

Btw, you’ve enabled the pdf encryption in the IRM configuration? (not set to true by default).
Users have been sending PDFs this way for years. I doubt that it's related to a setting.

And the issue is consistent. If I open Incognito, it works the first time and then stops working. If I close that Incognito window and open another (starting a new session) it works again one time and then stops. The issue is with the cookies.

I have submitted feedback on the issue and I am going to try to open a support ticket when I have the chance.

@akeinath I agree...this issue seems to be a Microsoft issue. We have our tenant managed by Rackspace. I contacted them with the same scenario and they were able to replicate the "Authentication could not complete" issue. I am trying to work this through them with Microsoft.

Well, how could I possibly know that? Just wanted to put it out there as the Outlook client (desktop) itself cannot encrypt PDF so has to be done backend.

As for the inconsistency part I got the impression you two did not have identical issues, obviously you do. We (my org.) do not experience that same issue, cannot reproduce it either, so it sounds good that you’re going to open tickets with the official support.

Please update this conversation when they reply with an solution.
Hello! Did Microsoft find a solution to your issue?