Users in your organization experience one or more of the following issues:
- They can't open encrypted email messages in Microsoft Outlook or Outlook on the web.
- They can't send encrypted email messages.
- The Encrypt button is missing in both Outlook and Outlook on the web.
Cause
These issues can occur for several reasons, such as:
- Your organization's Microsoft 365 subscription doesn't support Microsoft Purview Message Encryption.
- The tenant that's used by your organization is misconfigured.
- The account that's used by the affected users to sign in to Outlook or Outlook on the web isn't assigned a valid license to use the Microsoft Purview Message Encryption (Office 365 Message Encryption) feature.
Resolution
To resolve the issues, follow these steps in the given order. After you complete each step, check whether the issue persists.
Step 1: Run the diagnostic
To run the diagnostic, you must be a Microsoft 365 global administrator.
Follow these steps to run the diagnostic:
- Open the diagnostic in the Microsoft 365 admin center.
If you ran the diagnostic but its findings didn't help resolve your issue, go to Step 2.
Step 2: Verify the Microsoft 365 subscription
To use Microsoft Purview Message Encryption, your organization must have a subscription that supports this feature. For information about the subscription requirements, see What subscriptions do I need to use Microsoft Purview Message Encryption.
Step 3: Verify the tenant configuration
- Use Exchange Online PowerShell to verify that your tenant is configured correctly for Microsoft Purview Message Encryption.
- Run the following cmdlet to check whether Information Rights Management (IRM) features are enabled in Outlook on the web:
Get-OwaMailboxPolicy | FL *IRMEnabled*
If the value of IRMEnabled is False, run the following cmdlets:
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -IRMEnabled $true
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
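The two cmdlets above fix the default OWA mailbox policy only. The following script is an added example (not part of the Microsoft article) that audits every OWA mailbox policy plus the tenant-wide IRM configuration from Step 3, reports what is wrong, and applies the same Set-* cmdlets only when run with -Fix. It assumes the ExchangeOnlineManagement module is installed and that the caller can run Connect-ExchangeOnline; the -Fix and -TestSender parameters belong to this script, not to any Exchange cmdlet.

```powershell
# Added example: audit (and optionally remediate) the tenant settings that Step 3 checks.
# Assumes the ExchangeOnlineManagement module; -Fix and -TestSender are this script's own parameters.
param(
    [switch]$Fix,            # apply Set-* cmdlets instead of only reporting
    [string]$TestSender      # optional mailbox to run Test-IRMConfiguration for
)

Connect-ExchangeOnline -ShowBanner:$false

$problems = @()

# 1. Every OWA mailbox policy must have IRMEnabled = True, otherwise users assigned to
#    that policy cannot read or send protected mail in Outlook on the web.
foreach ($policy in Get-OwaMailboxPolicy) {
    if (-not $policy.IRMEnabled) {
        $problems += "OWA policy '$($policy.Identity)' has IRMEnabled = False"
        if ($Fix) {
            Set-OwaMailboxPolicy -Identity $policy.Identity -IRMEnabled $true
        }
    }
}

# 2. Tenant-wide IRM configuration. SimplifiedClientAccessEnabled controls the Encrypt
#    button in Outlook on the web; AzureRMSLicensingEnabled is the tenant's link to the
#    Azure Rights Management service.
$irm = Get-IRMConfiguration
if (-not $irm.SimplifiedClientAccessEnabled) {
    $problems += "SimplifiedClientAccessEnabled is False (Encrypt button hidden in Outlook on the web)"
    if ($Fix) { Set-IRMConfiguration -SimplifiedClientAccessEnabled $true }
}
if (-not $irm.AzureRMSLicensingEnabled) {
    $problems += "AzureRMSLicensingEnabled is False (tenant is not connected to Azure RMS)"
    # Deliberately not auto-fixed: enabling it requires an active Azure RMS subscription (Step 2).
}

# 3. Optional end-to-end check: Test-IRMConfiguration verifies that the service can
#    issue templates and licenses for the given sender.
if ($TestSender) {
    Test-IRMConfiguration -Sender $TestSender | Format-List
}

if ($problems.Count -eq 0) {
    Write-Output "Tenant IRM configuration looks correct."
} else {
    Write-Output "Findings:"
    $problems | ForEach-Object { Write-Output "  - $_" }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it without -Fix first to see the findings; a non-default OWA policy with IRMEnabled = False is a common reason why only some users are affected.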
Step 4: Verify the affected users' account licenses
The affected users must make sure that the account that they use to sign in to Outlook or Outlook on the web is assigned the appropriate license to use the Microsoft Purview Message Encryption feature. If they can't determine this, users should follow these steps on their device to clear cached sign-in state:
- Sign out of Office.
- Remove cached credentials from Windows Credential Manager:
  - Open Control Panel > User Accounts > Credential Manager.
  - Select Windows Credentials.
  - Remove all Outlook or Office credentials by expanding each credential and then selecting Remove.
- Select Start > Settings > Accounts > Access work or school.
- Select the account to be removed, and then select Disconnect.
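An administrator can confirm the license side of Step 4 without involving the user. The following is an added example (not from the Microsoft article) that uses Microsoft Graph PowerShell to list the Azure Rights Management service plans in a user's licenses and whether each is provisioned. It assumes the Microsoft.Graph.Users module is installed; the list of service-plan names is an assumption based on common Microsoft 365 SKUs and should be checked against your own tenant's license details.

```powershell
# Added example: check whether a user's licenses include a provisioned Azure RMS service plan.
# Assumes the Microsoft.Graph.Users module; $rmsPlans is an assumed list of service-plan names.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName
)

Connect-MgGraph -Scopes "User.Read.All"

# Service plans assumed to carry the Azure RMS / Purview Message Encryption entitlement.
$rmsPlans = @('RMS_S_ENTERPRISE', 'RMS_S_PREMIUM', 'RMS_S_PREMIUM2')

$details = Get-MgUserLicenseDetail -UserId $UserPrincipalName
if (-not $details) {
    Write-Output "$UserPrincipalName has no licenses assigned."
    return
}

$found = $false
foreach ($license in $details) {
    foreach ($plan in $license.ServicePlans) {
        if ($rmsPlans -contains $plan.ServicePlanName) {
            $found = $true
            # ProvisioningStatus 'Success' means the plan is enabled and provisioned;
            # 'Disabled' means an admin turned that service off in the license assignment.
            Write-Output ("{0}: {1} -> {2}" -f $license.SkuPartNumber, $plan.ServicePlanName, $plan.ProvisioningStatus)
        }
    }
}

if (-not $found) {
    Write-Output "No Azure Rights Management service plan found in the licenses assigned to $UserPrincipalName."
}
```

A plan that is present but reported as Disabled produces the same symptoms as no license at all, so check the status column, not just the presence of the plan.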
Step 5: Verify connection to the Azure Rights Management service
To determine whether the affected user's mail client can connect to the Azure Rights Management service, run the following PowerShell commands:
$request = [System.Net.HttpWebRequest]::Create("https://admin.na.aadrm.com/admin/admin.svc")
$request.GetResponse()
$request.ServicePoint.Certificate.Issuer
The output should show that the issuing Certificate Authority (CA) is a Microsoft CA. For example:
CN=Microsoft Secure Server CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.
If you see a CA that isn't from Microsoft, your secure client-to-service connection was probably terminated and has to be reconfigured on your firewall. For more information, see Firewalls and network infrastructure.
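The three commands in Step 5 stop with an error if the service answers an unauthenticated request with a protocol error, even though the TLS handshake (and therefore the certificate) has already completed. The following is an added example (not from the Microsoft article) that wraps the same check in a function, tolerates that case, and flags a non-Microsoft issuer. It uses the endpoint URL given in the article and assumes Windows PowerShell 5.1 on .NET Framework, where HttpWebRequest.ServicePoint exposes the certificate; the "O=Microsoft Corporation" substring test is an assumed heuristic for recognizing a Microsoft CA.

```powershell
# Added example: Step 5 connectivity check with error handling. Assumes Windows PowerShell 5.1;
# the issuer substring test is an assumed heuristic.
function Test-RmsEndpointCertificate {
    param(
        [string]$Url = "https://admin.na.aadrm.com/admin/admin.svc"
    )

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Timeout = 15000

    try {
        $response = $request.GetResponse()
        $response.Close()
    } catch [System.Net.WebException] {
        # A protocol error (for example 401/403) happens after the TLS handshake, so the
        # certificate is still available; a connection or trust failure leaves it empty.
        if ($_.Exception.Status -ne [System.Net.WebExceptionStatus]::ProtocolError) {
            return [pscustomobject]@{ Url = $Url; Issuer = $null; MicrosoftCA = $false; Error = $_.Exception.Message }
        }
    }

    $cert = $request.ServicePoint.Certificate
    if (-not $cert) {
        return [pscustomobject]@{ Url = $Url; Issuer = $null; MicrosoftCA = $false; Error = "No certificate captured" }
    }

    $issuer = $cert.Issuer
    # Assumed heuristic: Microsoft-operated CAs carry "O=Microsoft Corporation" in the issuer DN.
    $isMicrosoft = $issuer -match 'O=Microsoft Corporation'

    [pscustomobject]@{
        Url         = $Url
        Issuer      = $issuer
        MicrosoftCA = $isMicrosoft
        Error       = $null
    }
}

$result = Test-RmsEndpointCertificate
$result | Format-List
if (-not $result.MicrosoftCA) {
    Write-Warning "Issuer is not a Microsoft CA: a TLS-inspecting proxy or firewall is probably terminating the connection. Exempt the endpoint from inspection (see 'Firewalls and network infrastructure')."
}
```

Run the function from an affected user's machine, since the interception usually happens on the client's network path rather than in the tenant.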
Step 6: Check for sensitivity labels
If sensitivity labels are applied to email messages, permissions must be assigned correctly so that recipients can access the messages. For more information, see Restrict access to content by using sensitivity labels.
If the issue persists after you complete all these steps, contact Microsoft Support for further troubleshooting.
More information
- If users in your organization experience issues when they send encrypted messages to or receive encrypted messages from people outside your organization, check the Conditional Access policies and guest account configuration in both organizations. For more information, see External recipient can't open encrypted email, Microsoft Entra configuration for encrypted content, and Conditional Access policies for Azure Information Protection.
- Users can open encrypted email messages that are sent to a shared mailbox. If the message is sent from the same organization, users can open it when they're signed in to a supported Outlook client. If the message is sent from an external organization, users must use Outlook on the web. For more information, see Message encryption FAQ.