Opening Protected Messages from a Shared Mailbox

%3CLINGO-SUB%20id%3D%22lingo-sub-3054629%22%20slang%3D%22en-US%22%3EOpening%20Protected%20Messages%20from%20a%20Shared%20Mailbox%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3054629%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20user%20who%20has%20full%20access%20with%20auto%20mapping%20to%20a%20Shared%20mailbox%20who%20cannot%20open%20protected%20messages.%26nbsp%3B%20I'm%20not%20sure%20if%20this%20related%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fanswers.microsoft.com%2Fen-us%2Foutlook_com%2Fforum%2Fall%2Fencrypted-emails-stopped-working%2Fb252b142-c1e4-4dfc-9aa6-ff3824b25723%3Fpage%3D4%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eservice%20alert%20regard%20encrypted%20messages.%3C%2FA%3E%20The%20user%20states%20they%20were%20able%20to%20open%20the%20messages%20before%20but%20something%20has%20changed.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20they%20click%20the%20read%20message%20link%2C%20Microsoft%20Edge%20Launches%20and%20tries%20to%20open%20the%20message.%20After%20a%20while%20an%20error%20in%20Edge%20appears%20%22This%20Message%20might%20have%20been%20moved%20or%20deleted%22%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22609e34e9-7e83-4a1c-a4c9-10399e05813e.jpg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F338043i24BFFEEA8A7F2723%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22609e34e9-7e83-4a1c-a4c9-10399e05813e.jpg%22%20alt%3D%22609e34e9-7e83-4a1c-a4c9-10399e05813e.jpg%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20appears%20that%20the%20shared%20mailbox%20has%20permissions%20to%20see%20the%20contents%20but%20when%20Edge%20is%20opened%20after%20clicking%20%22Read%20the%20Message%22%20in%20Outlook%2C%20the%20authentication%20defaults%20to%20the%20users%20account%20instead%20of%20the%20shared%20Mailbox.%26nbsp%3B%20If%20the%20user%20opens%20the%20Shared%20Mailbox%20in%20OWA%2C%20they%20can%20see%20the%20message%20no%20problem.%20The%20error%20only%20happens%26nbsp%3B%20when%20they%20access%20the%20shared%20mailbox%20from%20the%20Outlook%20desktop%20client.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EWorkflow%20wise%2C%20is%20there%20a%20way%20to%20open%20this%20message%20in%20Outlook%2C%20or%20does%20the%20user%20have%20to%20use%20OWA%20from%20the%20shared%20mailbox%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EI%20created%20a%20profile%20for%20the%20shared%20mailbox%20and%20opened%20Outlook%20with%20that%20profile.%20The%20same%20issue%20happens%20when%20Edge%20launches.%20I%20also%20tried%20adding%20a%20shared%20folder%20in%20the%20users%20OWA%20to%20the%20shared%20mailbox%2C%20but%20still%20no%20luck.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3ELastly%2C%20I%20also%20removed%20the%20user%20from%20the%20shared%20mailbox%20and%20re-added%20them%20with%20automapping%20enabled%20via%20PowerShell.%20Still%20nothing.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20looking%20into%20Azure%20Information%20Protection%20client%20-%20but%20I'm%20not%20sure%20if%20that%20will%20help.%20I%20know%20this%20is%20a%20lot%20of%20info%20but%20I%20have%20been%20banging%20my%20head%20against%20my%20desk%20all%20week%20trying%20to%20understand%20this.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20running%20Hybrid%20Exchange%20and%20M365%20version%202102%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3ELinks%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fsecurity-compliance-and-identity%2Fuser-with-full-access-to-shared-mailbox-can-t-open-protected%2Fm-p%2F381679%22%20target%3D%22_self%22%3EUser%20with%20full%20access%20to%20shared%20mailbox%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fanswers.microsoft.com%2Fen-us%2Foutlook_com%2Fforum%2Fall%2Fencrypted-emails-stopped-working%2Fb252b142-c1e4-4dfc-9aa6-ff3824b25723%3Fpage%3D4%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEncrypted%20emails%20stopped%20working%20-%20Microsoft%20Community%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foutlook%2Ftroubleshoot%2Fuser-interface%2Fencrypted-restricted-message-shared-mailbox%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ECan't%20read%20encrypted%20or%20restricted%20%7C%20Microsoft%20Docs%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fome-faq%3Fview%3Do365-worldwide%26amp%3Bpreserve-view%3Dtrue%23can-i-open-encrypted-messages-sent-to-a-shared-mailbox-%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ECan%20I%20open%20encrypted%20messages%20sent%20to%20a%20shared%20mailbox%3F%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3054629%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EInformation%20Protection%20and%20Governance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Information%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERights%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3058655%22%20slang%3D%22en-US%22%3ERe%3A%20Opening%20Protected%20Messages%20from%20a%20Shared%20Mailbox%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3058655%22%20slang%3D%22en-US%22%3EWe%20have%20a%20user%20who%20reported%20this%20issue%20as%20well%20around%20the%20same%20time%20that%20other%20users%20reported%20the%20inability%20to%20open%20encrypted%20emails%20using%20the%20authentication%20option.%20I'm%20also%20wondering%20if%20it's%20related%20to%20the%20encryption%20advisory%20MS%20still%20has%20open.%20The%20error%20message%20was%20not%20consistent%20with%20the%20error%20message%20other%20users%20were%20receiving%20but%20I%20think%20the%20difference%20is%20encrypted%20emails%20sent%20to%20a%20shared%20mailbox%20(delegated%20access)%20versus%20sent%20directly%20to%20a%20user.%20We%20have%20an%20open%20case%20with%20Microsoft%20regarding%20the%20encryption%20issue%20so%20we'll%20run%20this%20past%20them%20as%20well.%20If%20I%20learn%20anything%20further%2C%20will%20advise.%3C%2FLINGO-BODY%3E
Occasional Contributor

I have a user who has full access with auto mapping to a Shared mailbox who cannot open protected messages.  I'm not sure if this related to the service alert regard encrypted messages. The user states they were able to open the messages before but something has changed. 

 

When they click the read message link, Microsoft Edge Launches and tries to open the message. After a while an error in Edge appears "This Message might have been moved or deleted"609e34e9-7e83-4a1c-a4c9-10399e05813e.jpg


It appears that the shared mailbox has permissions to see the contents but when Edge is opened after clicking "Read the Message" in Outlook, the authentication defaults to the users account instead of the shared Mailbox.  If the user opens the Shared Mailbox in OWA, they can see the message no problem. The error only happens  when they access the shared mailbox from the Outlook desktop client. 

Workflow wise, is there a way to open this message in Outlook, or does the user have to use OWA from the shared mailbox? 

I created a profile for the shared mailbox and opened Outlook with that profile. The same issue happens when Edge launches. I also tried adding a shared folder in the users OWA to the shared mailbox, but still no luck. 

Lastly, I also removed the user from the shared mailbox and re-added them with automapping enabled via PowerShell. Still nothing. 

 

I am looking into Azure Information Protection client - but I'm not sure if that will help. I know this is a lot of info but I have been banging my head against my desk all week trying to understand this. 

 

We are running Hybrid Exchange and M365 version 2102 

Links:
User with full access to shared mailbox - Microsoft Tech Community 
Encrypted emails stopped working - Microsoft Community
Can't read encrypted or restricted | Microsoft Docs
Can I open encrypted messages sent to a shared mailbox? 

5 Replies
We have a user who reported this issue as well around the same time that other users reported the inability to open encrypted emails using the authentication option. I'm also wondering if it's related to the encryption advisory MS still has open. The error message was not consistent with the error message other users were receiving but I think the difference is encrypted emails sent to a shared mailbox (delegated access) versus sent directly to a user. We have an open case with Microsoft regarding the encryption issue so we'll run this past them as well. If I learn anything further, will advise.
The timing of this seemed the same as the advisory. I appreciate the help! Thank you for taking the time to read this!
Reply today from Microsoft Support:
There are a handful of cases that have reported the same situation. There has been an escalation made with our Engineering team to get this resolved. There has been a fix applied to the server, but it will take around a week to fully deploy. I will follow up with you next Thursday to confirm if you are still seeing the issue, if that is okay.
I wanted to share I was able to resolve this issue. I had to directly assign permissions to the shared mail box and make sure that automapping was on. - No security Groups.

The kicker is to get IRM to kick off and check permissions. I recently learned in Outlook - Double clicking the email or reading it in pop-out mode can initiate permissions check and allow the user to read the email in the Outlook application. No more redirection via edge, the content can be read from the mail box.
Thank you for your very helpful reply. My user had direct auto-mapped access to the shared mailbox and reported that double-clicking to open the encrypted email in pop-out mode in the Outlook client worked for her!