Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Encrypt button disappearing from Outlook

Iron Contributor



We seem to be having an issue with the Office 365 Office Message Encryption (OME) for a couple of customers.  They are properly licensed with Business Premium and AIP Plan 1 and have the latest version of the Office desktop (1812.11126.20196).  The button has just disappeared.  Recently, it's been upgraded from the previous envelope with red circle to the new lock icon. Yesterday, it is now either grayed out or the tab has completely been removed from the "New" message window in the "Options" section.  It was working fine the day before.  Not sure if this is related to the recent update of the Office client, but other customers with the same set up are not experiencing this issue.  The current affected customers still have the ability to use OWA to use the Protect/Encrypt button or mail flow rules I created for a work around.


I have also tried using the Online Repair option, new Outlook profile, and uninstall and reinstall.  These do not resolved the issue. Also, they do not have the AIP client software installed.  I have not checked this out yet, has the other customers with the same licensing and set up or working as expected.



28 Replies

Office 365 Message Encryption (OME) and Information Rights Management (IRM)

What subscriptions do I need to use the new OME capabilities?

To use the new OME capabilities, you need one of the following plans:
• Office 365 Message Encryption is offered as part of Office 365 Enterprise E3 and E5, Microsoft Enterprise E3 and E5, Microsoft 365 Business Premium, Office 365 A1, A3, and A5, and Office 365 Government G3 and G5. Customers do not need additional licenses to receive the new protection capabilities powered by Azure Information Protection.
• You can also add Azure Information Protection Plan 1 to the following plans to receive the new Office 365 Message Encryption capabilities: Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Microsoft 365 Business Basic, Microsoft 365 Business Standard, or Office 365 Enterprise E1.
• Each user benefiting from Office 365 Message Encryption needs to be licensed to be covered by the feature.
• For the full list see the Exchange Online service descriptions for Office 365 Message Encryption.

Common Licensing Scenarios:
1. Microsoft 365 Business Basic + Azure Information Protection Plan 1
OME will be available in Outlook on the Web.
Common scenario with M365 Basic and M365 Standard licensed users in a single tenant.
User has Microsoft 365 Apps for Business installed on device. M365 Basic user will not be able to activate the product because the license does not include Office. M365 Standard user installed Office on the M365 Basic user’s device. The M365 Standard user must be the one that activates the Office install. Then the M365 Basic user can add their profile. This will enable the Encrypt button. If the M365 Standard user is removed, Office will enter its deactivated state.

2. Microsoft 365 Business Standard + Azure Information Protection Plan 1
OME will be available in Outlook (M365 App for Business) and Outlook on the Web.

3. Properly licensed user has Microsoft 365 Apps (M365 Personal or Home) installed. This version does not support OME and the Encrypt button will be grayed out.

4. Properly licensed user has Office 2016, 2019 (Volume License) installed. This version supports OME and the Encrypt button will be available.

In the second bullet above that mentions the other licenses that require Azure Information Protection to be added on can also fall into the #1 scenario. Prime example Exchange Online licenses and E1.
Once the proper licensing is in place in most newer 365 tenants, Azure Information Protection is automatically activated. In older tenants, you may need to activate it.
PowerShell commands to check OME and IRM
Connect to Exchange Online:
Make sure to up to the latest module
• Connect-ExchangeOnline
• Get-OMEConfiguration
TemplateName BackgroundColor SocialIdSignIn OTPEnabled ExternalMailExpiryInterval ImageUrl
------------ --------------- -------------- ---------- -------------------------- --------
OME Configuration True True 00:00:00 https://
Get-OMEConfiguration | FL
RunspaceId : aca7ed86-e5d3-4939-afd0-f6fb5519b741
TemplateName : OME Configuration
Image : 
ImageUrl :
EmailText : 
PortalText : 
DisclaimerText : The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If
you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply
email and destroy all copies of the original message.
BackgroundColor :
IntroductionText :
ReadButtonText :
OTPEnabled : True
SocialIdSignIn : True
ExternalMailExpiryInterval : 00:00:00
PrivacyStatementUrl :
Identity : OME Configuration
IsValid : True
ObjectState : Unchanged

• Get-IRMConfiguration
InternalLicensingEnabled : True
ExternalLicensingEnabled : True
AzureRMSLicensingEnabled : True
TransportDecryptionSetting : Optional
JournalReportDecryptionEnabled : True
SimplifiedClientAccessEnabled : True
ClientAccessServerEnabled : True
SearchEnabled : True
EDiscoverySuperUserEnabled : True
DecryptAttachmentFromPortal : False
DecryptAttachmentForEncryptOnly : False
SystemCleanupPeriod : 0
SimplifiedClientAccessEncryptOnlyDisabled : False
SimplifiedClientAccessDoNotForwardDisabled : False
EnablePdfEncryption : False
AutomaticServiceUpdateEnabled : True
RMSOnlineKeySharingLocation :
RMSOnlineVersion :
ServiceLocation :
PublishingLocation :
LicensingLocation : {}

Note the parameter SimplifiedClientAccessEnabled. This parameter will allow the Encrypt button in Outlook on the Web.
I’m also not aware of any current issues impacting OME in supported Office versions in current and latest releases.

Everything is working properly now it seems. Encryption, dlp policy, encrypt button shows in OWA and desktop. I received a response from microsoft in regards to an old ticket. Some of their support people blow my mind.....So they say I need to increase my per user cost to 35 dollars for it all to work even though it's currently working fine and has been for almost two weeks now. Be warned , you ask three different Microsoft reps you may get three different answers. 

Microsoft Support: "I had my senior tech personnel looked into your issue and it was discovered that your current license status of Microsoft 365 Business Standard license only enables you to have access to encryption in the Online web applications (OWA) and not desktop apps. for you to have access to the desktop IRM you will need to add an E3 or E5 license to your tenant"

@rdiddy I have E3 but needed Azure Information Protection Premium  license to make it work. I had E3 and couldn't make it work until I added Azure Information Protection Premium license. I use Azure Information Protection Premium P2 but P1 should work too. 

Interesting Mine works fully with business standard license , Azure information protection and Governance and protection. They have really confused the hell out of me.
Did you eliminate the possibility that a difference in network service to different test machines might be the problem? We recently discovered an undocumented resource requirement for the Outlook Report Message add-in. Connection recommendations are not to proxy O365, but your firewall cannot bypass what it does not know about.
I don't have any issues currently. I just replied with my experience from O365 support. My setup works per some of their reps but then here comes a different rep who says I need an E3/E5 license. Rubbish
Sorry, I got the wrong end of the thread. The question should have been to OP Alex Melching.

@Alex Melching 


I am having same issue on outlook web app, i dont see encrypt button anymore 



I tried the new outlook desktop experience and the encrypt button is missing from that as well. I switched back to the other look and it was there.