Problem sending or receiving protected emails externally?

Last week was the tenth time I helped an organization that couldn’t send protected emails externally.

In other words, it’s worth a blog article.

It’s all about a very common misconfiguration of Conditional Access.

The scenario is that (RMS) protected emails can be opened internally, but when they are sent to or received from an external organization, they can't be opened in Outlook.


In all cases the issue has been that the sender's organization requires MFA for all users on all cloud apps.

Multifactor Authentication (MFA) is in most cases what we want to enforce to increase security, but in this particular case it simply doesn't work.

Let me start by explaining how to solve this issue.

If your MFA Conditional Access rule looks like the following, you simply need to exclude the app Microsoft Azure Information Protection from that rule.

Users: All users; Cloud apps: All cloud apps; Grant: Require MFA

If you have other Conditional Access rules that require MFA for the app Microsoft Azure Information Protection, you need to exclude external users from those rules.

As soon as the exclusion is in place, protected emails can be opened (decrypted) in Outlook.
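As an added example (not from the original post), here is a small audit that flags the misconfiguration described above in policies exported in the Microsoft Graph conditionalAccessPolicy shape. AIP_APP_ID is a placeholder for the app ID of Microsoft Azure Information Protection in your tenant, and the sample policies are constructed to mirror the rule before and after the fix.

```python
"""Audit Conditional Access policies for the rule that breaks external RMS decryption:
an enabled policy that requires MFA for all users on all cloud apps (or on the AIP app
directly) without excluding Microsoft Azure Information Protection."""

# Placeholder (assumption): replace with the AIP service principal's appId in your tenant.
AIP_APP_ID = "<aip-app-id-placeholder>"


def blocks_external_rms(policy: dict) -> bool:
    """True if this policy would force MFA on the AIP app for external or all users."""
    if policy.get("state") != "enabled":          # report-only/disabled policies do not enforce
        return False
    grant = policy.get("grantControls") or {}
    if "mfa" not in (grant.get("builtInControls") or []):
        return False
    conds = policy.get("conditions", {})
    apps = conds.get("applications", {})
    included = apps.get("includeApplications", [])
    excluded = apps.get("excludeApplications", [])
    covers_aip = ("All" in included or AIP_APP_ID in included) and AIP_APP_ID not in excluded
    users = conds.get("users", {}).get("includeUsers", [])
    hits_external = "All" in users or "GuestsOrExternalUsers" in users
    return covers_aip and hits_external


def find_offending_policies(policies: list) -> list:
    """Display names of every policy that would block external RMS decryption."""
    return [p["displayName"] for p in policies if blocks_external_rms(p)]


# Constructed sample: the rule from the post, and the same rule with the AIP exclusion.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for all users (AIP excluded)", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"],
                                     "excludeApplications": [AIP_APP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(find_offending_policies(SAMPLE_POLICIES))  # ['Require MFA for all users']
```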


Let me explain why

Outlook as an app supports MFA. For example, if MFA is required internally, you can sign in to Outlook in your own organization with MFA. The problem arises when you need to decrypt a rights-protected message (rpmsg). One of the best things about RMS encryption is that it works seamlessly with Office files both internally and externally. During decryption, the authentication of the account signed in to Office is used to verify your permissions against the organization that encrypted the content, both internally and externally (without the additional password or certificate that most third-party solutions require).
The problem when you need to authenticate to decrypt a protected message from an external organization is that Outlook uses the signed-in account and its token to authenticate to the sender's tenant. If that tenant requires MFA, Outlook doesn't support re-authenticating to the sender's organization with MFA.

This post was published in Conditional Access, Microsoft Information Protection.