Symptoms
Consider the following scenario:
- In Microsoft Exchange Server 2019 or 2016, you enable a Microsoft Information Protection Client (MSIPC) stack by following the steps that are provided in Enable support for AES256-CBC-encrypted content in Exchange Server August 2023 SU.
- You receive IRM messages that are protected by an Azure Rights Management Services (RMS) template that assigns permissions to “All users and groups in your organization.”
- You use the Outlook on the Web (OWA) client to access the protected messages.
In this scenario, you notice that Exchange Server can no longer decrypt the IRM messages.
Status
Microsoft has confirmed that this is a known issue in the products that are listed in the "Applies to" section and is working on a solution to address it.
Workaround
To work around this issue, use one of the following methods:
- Use the Outlook client instead of OWA to access the IRM-protected messages.
- Create a Dynamic Distribution Group (DDG) that includes all user mailboxes that are hosted on Exchange Server on-premises. To do this, run the following PowerShell cmdlets:
  - Create the DDG:
    New-DynamicDistributionGroup allstaff -PrimarySmtpAddress allstaff-7184ab3f-ccd1-46f3-8233-3e09e9cf0e66@contoso.onmicrosoft.com -IncludedRecipients Mailbox -RecipientContainer 'contoso.com'
  - Hide the DDG and restrict it from receiving email:
    Set-DynamicDistributionGroup -Identity allstaff -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom administrator@contoso.com
- Create a Distribution Group (DG). To do this, run the following PowerShell cmdlets:
  - Create the DG:
    New-DistributionGroup -Name allstaff -PrimarySmtpAddress allstaff-7184ab3f-ccd1-46f3-8233-3e09e9cf0e66@contoso.onmicrosoft.com
  - Restrict the DG from receiving email:
    Set-DistributionGroup -Identity allstaff -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom administrator@contoso.com
  - Add all users who have mailboxes that are hosted on Exchange Server on-premises:
    Add-DistributionGroupMember -Identity allstaff -Member user01@contoso.com
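For the DG method, members have to be added for every on-premises mailbox, not just one user. The following added example (not part of the original article) adds each on-premises user mailbox that is missing from the group and then checks that the group is still hidden and sender-restricted. It assumes the Exchange Management Shell on an on-premises server and the `allstaff` group from the steps above; the variable names are illustrative.

```powershell
# Added example. Assumes the Exchange Management Shell (on-premises) and the
# 'allstaff' DG created in the steps above. Variable names are illustrative.
$group = 'allstaff'

# Index current members by primary SMTP address so existing members are skipped.
$current = @{}
Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress } |
    ForEach-Object { $current[$_.PrimarySmtpAddress.ToString().ToLower()] = $true }

# Every user mailbox hosted in the on-premises organization.
$mailboxes = @(Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited)

$added = 0
foreach ($mbx in $mailboxes) {
    $smtp = $mbx.PrimarySmtpAddress.ToString()
    if ($current.ContainsKey($smtp.ToLower())) { continue }
    try {
        Add-DistributionGroupMember -Identity $group -Member $smtp -ErrorAction Stop
        $added++
    } catch {
        # Report the failure and keep going so one bad recipient does not stop the run.
        Write-Warning "Could not add ${smtp}: $($_.Exception.Message)"
    }
}
Write-Host "Added $added member(s); $($mailboxes.Count) on-premises user mailboxes checked."

# Verify the restrictions from the earlier step are in place, so the group
# cannot be used as an organization-wide mailing address.
$dg = Get-DistributionGroup -Identity $group
if (-not $dg.HiddenFromAddressListsEnabled) {
    Write-Warning "$group is visible in address lists."
}
if (@($dg.AcceptMessagesOnlyFrom).Count -eq 0) {
    Write-Warning "$group has no AcceptMessagesOnlyFrom restriction."
}
```

Because a DG, unlike a DDG, does not pick up new mailboxes automatically, rerun the script after mailboxes are created or migrated.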