Symptoms 

Consider the following scenario:

  • In Microsoft Exchange Server 2019 or 2016, you enable a Microsoft Information Protection Client (MSIPC) stack by following the steps that are provided in "Enable support for AES256-CBC-encrypted content in Exchange Server August 2023 SU."

  • You receive IRM messages that are protected by an Azure Rights Management Services (RMS) template that assigns permissions to “All users and groups in your organization.”

  • You use the Outlook on the Web (OWA) client to access the protected messages.

In this scenario, you notice that Exchange Server can no longer decrypt the IRM messages.

Status  

Microsoft has confirmed that this is a known issue in the products that are listed in the "Applies to" section and is working on a solution to address it. 

Workaround

To work around this issue, use one of the following methods: 

  • Use the Outlook client instead of OWA to access the IRM-protected messages.

  • Create a Dynamic Distribution Group (DDG) that includes all user mailboxes that are hosted on Exchange Server on-premises. To do this, run the following PowerShell cmdlets:

    1. Create the DDG:

      New-DynamicDistributionGroup allstaff -PrimarySmtpAddress allstaff-7184ab3f-ccd1-46f3-8233-3e09e9cf0e66@contoso.onmicrosoft.com -IncludedRecipients Mailbox -RecipientContainer 'contoso.com'

    2. Hide the DDG and restrict it from receiving email: 

      Set-DynamicDistributionGroup -Identity allstaff -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom administrator@contoso.com

  • Create a Distribution Group (DG). To do this, run the following PowerShell cmdlets: 

    1. Create the DG:

      New-DistributionGroup -Name allstaff -PrimarySmtpAddress allstaff-7184ab3f-ccd1-46f3-8233-3e09e9cf0e66@contoso.onmicrosoft.com

    2. Restrict the DG from receiving email:

      Set-DistributionGroup -Identity allstaff -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom administrator@contoso.com

    3. Add all users who have mailboxes that are hosted on Exchange Server on-premises: 

      Add-DistributionGroupMember -Identity allstaff -Member user01@contoso.com   
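
Step 3 of the DG method adds one mailbox per command. The following added example (not part of the original article) adds every on-premises user mailbox that is not yet a member of the DG and lists members that no longer match an on-premises user mailbox. It assumes the group name allstaff from the steps above and a session in the Exchange Management Shell; the variable names are illustrative.

```powershell
# Added example: reconcile the static DG with the on-premises user mailboxes.
# Assumption: run in the Exchange Management Shell; 'allstaff' is the DG created above.
$GroupIdentity = 'allstaff'

# On-premises user mailboxes only (shared, room, and equipment mailboxes are excluded).
$mailboxes = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)

# Index the current members by primary SMTP address (hashtable keys are case-insensitive).
$current = @{}
Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited |
    ForEach-Object { $current[$_.PrimarySmtpAddress.ToString()] = $true }

# Add every mailbox that is missing from the group.
$expected = @{}
$added = 0
foreach ($mbx in $mailboxes) {
    $smtp = $mbx.PrimarySmtpAddress.ToString()
    $expected[$smtp] = $true
    if (-not $current.ContainsKey($smtp)) {
        try {
            Add-DistributionGroupMember -Identity $GroupIdentity -Member $smtp -ErrorAction Stop
            $added++
        }
        catch {
            Write-Warning "Could not add ${smtp}: $($_.Exception.Message)"
        }
    }
}

# Report (do not remove) members that are not on-premises user mailboxes, for review.
$stale = @($current.Keys | Where-Object { -not $expected.ContainsKey($_) })

Write-Output "Mailboxes found: $($mailboxes.Count); members added: $added"
if ($stale.Count -gt 0) {
    Write-Output 'Members that do not match an on-premises user mailbox:'
    $stale | Sort-Object | ForEach-Object { Write-Output "  $_" }
}
```

A static DG does not pick up mailboxes that are created later, so the script can be rerun after mailbox changes; it only adds members and never removes them.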
