Office 365 Message Encryption: Error setting DecryptAttachmentFromPortal to $true

%3CLINGO-SUB%20id%3D%22lingo-sub-482988%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Message%20Encryption%3A%20Error%20setting%20DecryptAttachmentFromPortal%20to%20%24true%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-482988%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F98839%22%20target%3D%22_blank%22%3E%40Carol%20Bailey%3C%2FA%3E%26nbsp%3Bwe%20have%20enabled%20Encrypt%20option%20in%20our%20tenant%20but%20our%20users%20not%20able%20to%20open%20encrypted%20email%20in%20outlook%20and%20whether%20we%20need%20to%20update%20to%20latest%20patch%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-302913%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Message%20Encryption%3A%20Error%20setting%20DecryptAttachmentFromPortal%20to%20%24true%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-302913%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20the%20other%20way%20around%20-%20when%20you%20use%20the%20%3CSPAN%3EDecryptAttachmentForEncryptOnly%26nbsp%3Bparameter%2C%20encryption%20is%20removed%20for%20the%20attachment%20for%20all%20recipients%20after%20they%20have%20authenticated%2C%20no%20matter%20what%20authentication%20method%20they%20used%20or%20how%20they%20view%20the%20email.%20This%20makes%20it%20a%20consistent%20end%20user%20experience.%20Whereas%20for%20the%20older%20parameter%2C%20encryption%20was%20removed%20only%20if%20they%20couldn't%20be%20authenticated%20by%20Azure%20AD%20and%20therefore%20had%20to%20use%20the%20portal.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20difference%20is%20when%20decryption%20occurs%3A%20For%20the%20DecryptAttachmentFromPortal%20parameter%2C%20as%20the%20name%20suggests%2C%20decryption%20happened%20only%20in%20the%20portal%20and%20at%20the%20point%20when%20somebody%20requested%20to%20download%20the%20attachment.%26nbsp%3B%20For%20a%20recipient%20using%20Outlook%20or%20Outlook%20on%20the%20web%20(they%20have%20an%20Azure%20AD%20account)%2C%20the%20attachment%20would%20remain%20encrypted.%20For%20the%20DecryptAttachmentForEncryptOnly%2C%20decryption%20happens%20as%20soon%20as%20the%20email%20is%20opened%20(which%20happens%20only%20when%20the%20recipient%20is%20successfully%20authenticated).%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ESo%20for%20your%20recipients%20using%20the%20portal%2C%20they%20won't%20see%20any%20difference%20in%20behavior%20(the%20downloaded%20attachment%20isn't%20encrypted).%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EHope%20you%20have%20time%20to%20try%20it%20out%20before%20your%20Christmas%20break!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-302804%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Message%20Encryption%3A%20Error%20setting%20DecryptAttachmentFromPortal%20to%20%24true%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-302804%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20very%20much%20for%20your%20reply%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F98839%22%20target%3D%22_blank%22%3E%40Carol%20Bailey%3C%2FA%3E.%20However%2C%20as%20far%20as%20I%20understand%2C%20the%26nbsp%3B%3CSPAN%3EDecryptAttachmentForEncryptOnly%26nbsp%3Bparameter%20only%20makes%20it%20possible%20to%20decrypt%20attachments%20for%20users%20with%20an%20Azure%20AD%20account.%20What's%20the%20proper%20solution%20if%20I%20were%20to%20send%20an%20encrypted%20email%20to%20a%20GMail%20user%3F%20After%20downloading%20the%20attachments%2C%20he%20won't%20be%20able%20to%20open%20them%20since%20he%20can't%20authenticate%2C%20right%3F%20If%20that's%20the%20case%2C%20it%20would%20be%20a%20huge%20step%20back%20for%20many%20customers%20I%20am%20in%20contact%20with.%20Or%20maybe%20I%20am%20missing%20a%20point%20here%20and%20you%20can%20make%20me%20a%20merry%20christmas%20by%20clarifying%20this%20point.%20%3B)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-302477%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Message%20Encryption%3A%20Error%20setting%20DecryptAttachmentFromPortal%20to%20%24true%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-302477%22%20slang%3D%22en-US%22%3E%3CP%3EWe've%20just%20learned%20that%20%3CFONT%3EDecryptAttachmentFromPortal%3C%2FFONT%3E%20is%20deprecated%20and%20instead%2C%20you%20should%20use%20the%20%3CSPAN%3EDecryptAttachmentForEncryptOnly%20parameter%3C%2FSPAN%3E.%26nbsp%3B%20The%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fconfigure-usage-rights%23encrypt-only-option-for-emails%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Information%20Protection%20documentation%3C%2FA%3E%20has%20been%20updated%20with%20this%20information%20%26amp%3B%20I'm%20told%20the%20PowerShell%20reference%20documentation%20update%20is%20in%20progress.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301246%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Message%20Encryption%3A%20Error%20setting%20DecryptAttachmentFromPortal%20to%20%24true%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301246%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20very%20much%20for%20your%20reply.%20I've%20tried%20it%20in%20several%20tenants%20as%20well%20and%20luckily%2C%20it%20finally%20worked%20in%20the%20one%20where%20I%20wanted%20to%20implement%20it%20(customer).%26nbsp%3BThank%20you%20for%20reporting%20it%2C%20though.%20In%20the%20end%2C%20it%20needs%20to%20work%20everywhere.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301243%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Message%20Encryption%3A%20Error%20setting%20DecryptAttachmentFromPortal%20to%20%24true%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301243%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20I%20tried%20it%20in%20few%20tenants%20I%20have%20access%20to%2C%20no%20luck.%20It%20doesn't%20even%20seem%20to%20be%20available%20in%20the%20definition%20of%20the%20Set-IRMConfiguration%20cmdlet%2C%20so%20it's%20not%20an%20issue%20with%20user%2C%20permissions%20or%20licenses.%20Most%20likely%20another%20case%20of%20the%20documentation%20being%20ahead%20of%20the%20actual%20rollout.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI've%20left%20feedback%20on%20the%20documentation%20just%20in%20case.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299450%22%20slang%3D%22en-US%22%3EOffice%20365%20Message%20Encryption%3A%20Error%20setting%20DecryptAttachmentFromPortal%20to%20%24true%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299450%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20everyone%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20like%20to%20implement%20Office%20365%20Message%20Encryption%20using%20Azure%20Information%20Protection.%20Per%20default%2C%20attachments%20are%20being%20encrypted%20with%20the%20same%20policy%20as%20the%20email%20itself.%20Thanks%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%2C%20I%20am%20aware%20of%20the%26nbsp%3BDecryptAttachmentFromPortal%20attribute%20for%20the%20Information%20Rights%20Management%20(IRM).%20Setting%20that%20to%20%24true%20results%20in%20an%20automatic%20decryption%20of%20any%20attachment%20when%20downloading%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20I%20always%20get%20an%20error%20when%20I%20try%20to%20do%20that%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22OME_PS_Fehler.PNG%22%20style%3D%22width%3A%20929px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F62509i704C38BDC804EA95%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22OME_PS_Fehler.PNG%22%20alt%3D%22OME_PS_Fehler.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20you%20can%20see%2C%20the%20(relatively%20similar)%20option%26nbsp%3BDecryptAttachmentForEncryptOnly%26nbsp%3Bworks%20perfectly.%20However%2C%20the%20option%26nbsp%3B%3CSPAN%3EDecryptAttachmentFromPortal%3C%2FSPAN%3E%20which%20I'd%20like%20to%20use%20doesn't%20work%20although%20the%20syntax%20seems%20to%20be%20right%20and%20I%20am%20referencing%20on%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fconfigure-usage-rights%23encrypt-only-option-for-emails%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eofficial%20Microsoft%20documentation%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOf%20course%2C%20I%20searched%20for%20possible%20solutions%20on%20the%20internet%20but%20only%20found%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-and-Compliance%2FAdmin-control-for-attachments-now-available-in-Office-365%2Fba-p%2F204007%22%20target%3D%22_blank%22%3Eone%20hit%3C%2FA%3E.%20The%20recommendation%20to%20create%20a%20new%20administrator%20and%20try%20this%20process%20with%20its%20(new)%20credentials%20did%20not%20work%20for%20me%20though.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20help%20me%20with%20this%20error%3F%20Maybe%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F50311%22%20target%3D%22_blank%22%3E%40Caroline%20Shin%3C%2FA%3E%3F%26nbsp%3BI%20would%20highly%20appreciate%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20and%20have%20a%20great%20day!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-299450%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EInformation%20Protection%20%26amp%3B%20Governance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Information%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERights%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

Hello everyone,

 

I would like to implement Office 365 Message Encryption using Azure Information Protection. Per default, attachments are being encrypted with the same policy as the email itself. Thanks to @Vasil Michev, I am aware of the DecryptAttachmentFromPortal attribute for the Information Rights Management (IRM). Setting that to $true results in an automatic decryption of any attachment when downloading it.

 

However, I always get an error when I try to do that:

 

OME_PS_Fehler.PNG

 

As you can see, the (relatively similar) option DecryptAttachmentForEncryptOnly works perfectly. However, the option DecryptAttachmentFromPortal which I'd like to use doesn't work although the syntax seems to be right and I am referencing on the official Microsoft documentation.

 

Of course, I searched for possible solutions on the internet but only found one hit. The recommendation to create a new administrator and try this process with its (new) credentials did not work for me though.

 

Can anyone help me with this error? Maybe @Caroline Shin? I would highly appreciate it.

 

Thanks and have a great day!

6 Replies

Well, I tried it in few tenants I have access to, no luck. It doesn't even seem to be available in the definition of the Set-IRMConfiguration cmdlet, so it's not an issue with user, permissions or licenses. Most likely another case of the documentation being ahead of the actual rollout.

 

I've left feedback on the documentation just in case.

Thank you very much for your reply. I've tried it in several tenants as well and luckily, it finally worked in the one where I wanted to implement it (customer). Thank you for reporting it, though. In the end, it needs to work everywhere.

We've just learned that DecryptAttachmentFromPortal is deprecated and instead, you should use the DecryptAttachmentForEncryptOnly parameter.  The Azure Information Protection documentation has been updated with this information & I'm told the PowerShell reference documentation update is in progress.

Thank you very much for your reply, @Carol Bailey. However, as far as I understand, the DecryptAttachmentForEncryptOnly parameter only makes it possible to decrypt attachments for users with an Azure AD account. What's the proper solution if I were to send an encrypted email to a GMail user? After downloading the attachments, he won't be able to open them since he can't authenticate, right? If that's the case, it would be a huge step back for many customers I am in contact with. Or maybe I am missing a point here and you can make me a merry christmas by clarifying this point. ;)

It's the other way around - when you use the DecryptAttachmentForEncryptOnly parameter, encryption is removed for the attachment for all recipients after they have authenticated, no matter what authentication method they used or how they view the email. This makes it a consistent end user experience. Whereas for the older parameter, encryption was removed only if they couldn't be authenticated by Azure AD and therefore had to use the portal.

 

The difference is when decryption occurs: For the DecryptAttachmentFromPortal parameter, as the name suggests, decryption happened only in the portal and at the point when somebody requested to download the attachment.  For a recipient using Outlook or Outlook on the web (they have an Azure AD account), the attachment would remain encrypted. For the DecryptAttachmentForEncryptOnly, decryption happens as soon as the email is opened (which happens only when the recipient is successfully authenticated).

 

So for your recipients using the portal, they won't see any difference in behavior (the downloaded attachment isn't encrypted). 

 

Hope you have time to try it out before your Christmas break!

@Carol Bailey we have enabled Encrypt option in our tenant but our users not able to open encrypted email in outlook and whether we need to update to latest patch