Knowledge Base

How to fix problems with emails encrypted by Azure RMS

Problem:

You use Azure Rights Management (Azure RMS) to encrypt your email messages in Office 365. The recipients of these messages cannot access the encrypted content, and the following error is displayed:

Sorry, we can't display your message right now
Something went wrong and your encrypted message couldn't be opened. Please try again by following the instructions in the original email message in 5 minutes.

Solution:

If your recipients are not able to open Azure RMS encrypted messages that you sent, this issue might be caused by message encryption services in your Office 365. If you used Office 365 Message Encryption and then moved to the Azure RMS encryption, there might be a conflict between these two services in your organization. Use the links below to learn more.

Inspecting encryption rules in Office 365

To check if your problem is related to the conflict between the Office 365 and the Azure RMS encryption services, you need to:

  1. Open your Exchange admin center.
  2. Choose mail flow from the left menu and go to the rules tab.
  3. Find the Exchange Online transport rule that is responsible for message encryption in your organization and click it (Fig. 1.).

671-1
Fig. 1. Exchange Online transport rules in EAC: a sample encryption rule.

  1. Check the encryption method applied by the rule. This information is displayed in the right panel, in the Do the following section. You can also double-click the rule and check the associated actions.

Info

If your transport rule utilizes Office 365 Message Encryption (as in Fig. 1.), this leads to a conflict with your Azure RMS encryption and blocks Azure RMS encrypted messages.

Solving the conflict between encryption services

Now, to fix the problem with encrypted messages, you need to modify the transport rule responsible for message encryption:

  1. Follow steps 1-2 above and double-click the transport rule that encrypts your emails (see Fig. 1.).
  2. Change the action to Apply rights protection, as shown in Fig. 2.

671-2
Fig. 2. Changing message encryption to Azure RMS.

  1. Select an RMS template that matches your preferences and click OK.
  2. Save the rule's configuration.
  3. You need to wait (sometimes up to 24 hours) for the changes to propagate in your Office 365 organization.

The conflict between the encryption services should now be solved and emails encrypted by Azure RMS should be fully functional.