Steve-1990 asked KyleXu-MSFT edited

Error with Email Encryption with Label Sensitivity

Hi All

I have set up a sensitivity label called Forwarding in Office365 information protection and I published the label to one user (i.e. smith@xx.com; the one user has an Office365 E3 license attached). Additionally, I have enabled the protection service using PowerShell by running this command: enable-AipService (reference: https://docs.microsoft.com/en-us/azure/information-protection/activate-service).

Additionally, I have run this command in PowerShell: Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "7900b022-c487-4cf1-8359-a001d600b422" - this is so that the users within the group called Security Group (object id 7900b022-c487-4cf1-8359-a001d600b4220) can protect documents and emails with the sensitivity label Forwarding.

The issue I face is, after waiting for 24 hours for our Office365 tenant to propagate, I try to send an email from the one user who has access to the sensitivity label Forwarding. When it is applied and I hit send (the recipient is the sender; I also tried using other recipients), I get an error immediately after sending - the error says (blanked out the email addresses):

Delivery has failed to these recipients or groups:

xx xx (xx@xx.com)
Your message couldn't be delivered because it couldn't be encrypted.

Diagnostic information for administrators:

Generating server: ME3PR01MB5912.ausprd01.prod.outlook.com

xx@xx.com
Remote Server returned '550 5.3.101 RmsSvcAgent; Cannot RMS protect the message because Encryption is disabled in Microsoft Exchange Transport.'

Original message headers:

Authentication-Results: xx.com; dkim=none (message not signed)
header.d=none;operatorsimulation.com; dmarc=none action=none
header.from=operatorsimulation.com;
Received: from ME2PR01MB2500.ausprd01.prod.outlook.com (2603:10c6:201:1b::15)
by ME3PR01MB5912.ausprd01.prod.outlook.com (2603:10c6:220:db::10) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4587.18; Fri, 8 Oct
2021 11:19:42 +0000
Received: from ME2PR01MB2500.ausprd01.prod.outlook.com
([fe80::9c9f:e080:6072:6196]) by ME2PR01MB2500.ausprd01.prod.outlook.com
([fe80::9c9f:e080:6072:6196%7]) with mapi id 15.20.4587.020; Fri, 8 Oct 2021
11:19:42 +0000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary

I tried correcting this issue by updating the label, to no avail. Below are the encryption settings applied to the sensitivity label Forwarding:

138846-image.png



Any help is greatly appreciated.

azure-information-protection

@Steve-1990
Based on your description, this question is related to Azure Information Protection, so I will help you change the tag to a suitable one (azure-information-protection). Thanks for your understanding.

1 Answer

sbairu answered Steve-1990 commented

Hi @Steve-1990 ,

The 'Unified Labeling Support Tool' provides the functionality to reset all corresponding client services (UL, AIP, MIP, etc.). Its main purpose is to delete the currently downloaded sensitivity label policies and thus reset all settings, and it can also be used to collect data for failure analysis and problem-solving of labels.

https://github.com/microsoft/UnifiedLabelingSupportTool

Note: Before using the support tool, can you please disable the IRM on Exchange and conclude the issue with encryption?

https://docs.microsoft.com/en-us/exchange/enable-or-disable-information-rights-management-on-client-access-servers-exchange-2013-help

and please post the results.

Thanks & Regards,
Sarat

Thanks Sarat. Just so I understand, is the purpose of the Unified Labelling Support Tool to remove all labels I set up and start over? Just a little confused.

I will post back. Thank you!

Hi Sarat

Disabled the IRM on our Office365 Exchange by running Set-IRMConfiguration -InternalLicensingEnabled $false - I then confirmed InternalLicensingEnabled is set to false after running Get-IRMConfiguration.

I then used the Unified Labelling Support Tool - I ran UnifiedLabelingSupportTool -Reset Default in PowerShell admin. I was then asked to reboot the computer, which I did. Not sure what to do from here, let me know what other information you need. Again thank you for your help, really appreciate it!

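A read-only way to record the settings this thread changes (Enable-AipService, Set-AipServiceOnboardingControlPolicy, Set-IRMConfiguration) before and after each step, added here as an example and not part of any post above. It assumes the AIPService and ExchangeOnlineManagement modules are installed and that Connect-AipService and Connect-ExchangeOnline have already been run; the function name Get-LabelEncryptionState and the sender address are hypothetical.

```powershell
# Added example, not from the thread. Read-only: no tenant setting is changed.
# Assumes sessions opened with Connect-AipService and Connect-ExchangeOnline.
# Get-LabelEncryptionState is a hypothetical helper name.
function Get-LabelEncryptionState {
    param(
        # Mailbox that sends the labelled message
        [Parameter(Mandatory)] [string] $Sender
    )

    # Protection service status (the setting Enable-AipService changes)
    $aipStatus  = "$(Get-AipService)"
    # Onboarding control (the setting Set-AipServiceOnboardingControlPolicy changes)
    $onboarding = Get-AipServiceOnboardingControlPolicy
    # Exchange Online IRM settings (the settings Set-IRMConfiguration changes)
    $irm        = Get-IRMConfiguration
    # End-to-end licensing test for this sender, kept as text for the record
    $irmTest    = (Test-IRMConfiguration -Sender $Sender | Out-String).Trim()

    # Plain statements of what was observed; no setting is inferred or altered
    $findings = @()
    if ($aipStatus -ne 'Enabled') {
        $findings += "Protection service status is '$aipStatus'."
    }
    if (-not $irm.InternalLicensingEnabled) {
        $findings += 'InternalLicensingEnabled is False in Get-IRMConfiguration.'
    }
    if (-not $irm.AzureRMSLicensingEnabled) {
        $findings += 'AzureRMSLicensingEnabled is False in Get-IRMConfiguration.'
    }
    if ($onboarding.SecurityGroupObjectId) {
        $findings += "Onboarding is limited to group $($onboarding.SecurityGroupObjectId); confirm $Sender is a member."
    }

    [pscustomobject]@{
        CheckedAtUtc             = (Get-Date).ToUniversalTime()
        Sender                   = $Sender
        AipServiceStatus         = $aipStatus
        UseRmsUserLicense        = $onboarding.UseRmsUserLicense
        SecurityGroupObjectId    = $onboarding.SecurityGroupObjectId
        InternalLicensingEnabled = $irm.InternalLicensingEnabled
        AzureRMSLicensingEnabled = $irm.AzureRMSLicensingEnabled
        IrmTestOutput            = $irmTest
        Findings                 = $findings
    }
}

# Placeholder address; replace with the mailbox the label was published to
Get-LabelEncryptionState -Sender 'sender@example.com' | Format-List
```

Saving the output of each run next to the corresponding NDR makes it possible to see which setting was in effect when a given message failed.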