Microsoft’s Azure Information Protection (AIP) is a vital tool for securing data, labeling, and encrypting emails. However, sometimes organizations face issues where AIP is deactivated, email encryption isn’t working, or external users cannot access protected messages. This guide will walk you through fixing AIP, enabling Office Message Encryption (OME), and configuring OTP authentication for external recipients.
Step 1: Check and Enable Azure Information Protection (AIP)
1.0 Configure PowerShell
We’ll need to import Microsoft signed PowerShell modules, which for we have to ensure the execution policy is configured correctly. We’ll configure set it only for the current process, to not disturb the global configuration
Open PowerShell as admin, and run the following command:
Set-ExecutionPolicy RemoteSigned -Scope ProcessCode language: JavaScript (javascript)1.1 Connect to the AIP Service
Open PowerShell and run the following command:
Install-Module AipService
Connect-AipServiceThis command connects your session to the Azure Information Protection (AIP) Service.
1.2 Check AIP Status
Run the following command to check if AIP is active:
Get-AipServiceExpected Output:
- If AIP is active, you will see details about the service.
- If AIP is deactivated, you need to enable it.
1.3 Enable AIP if Deactivated
If Get-AipService shows Deactivated, enable it using:
Enable-AipServiceStep 2: Enable Rights Management for Office 365 (IRM)
AIP works with Information Rights Management (IRM) to protect email communication.
2.1 Connect to Exchange Online
Run the following command to connect to Exchange Online PowerShell:
Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline2.2 Check IRM Configuration
Verify whether SimplifiedClientAccessEnabled is set to True:
Get-IRMConfigurationExpected Output:
- If
SimplifiedClientAccessEnabledis False, you need to enable it.
2.3 Enable Simplified Client Access for IRM
Run the following command to enable it:
Set-IRMConfiguration -SimplifiedClientAccessEnabled $trueCode language: JavaScript (javascript)This ensures that Microsoft Outlook and other clients can easily apply AIP-protected labels.
Step 3: Enable OTP Authentication for External Recipients
By default, Microsoft Purview Message Encryption (OME) allows external recipients to open encrypted emails using a Microsoft account. However, to allow them to open emails with a One-Time Passcode (OTP), you must configure the settings.
3.1 Check OTP Configuration
Run the following command:
Get-OMEConfiguration | FL Identity,OTPEnabledExpected Output:
- If
OTPEnabledis False, you need to enable it.
3.2 Enable OTP Authentication for External Users
Run this command to enable OTP access:
Set-OMEConfiguration -Identity "OME Configuration" -OTPEnabled $trueCode language: JavaScript (javascript)Now, external users (e.g., Gmail users) receiving AIP-protected emails will be able to authenticate using an OTP instead of a Microsoft account.
Step 4: Enable Office Message Encryption (OME) for External Users
For external users to access encrypted emails, external licensing must be enabled.
4.1 Check OME External Licensing
Run:
Get-IRMConfiguration4.2 Enable External Licensing for OME
If external licensing is not enabled, run:
Set-IRMConfiguration -ExternalLicensingEnabled $trueCode language: JavaScript (javascript)This ensures that external users can read sensitivity-labeled and encrypted messages.
Final Thoughts
By following these steps, you have: ✅ Verified and enabled Azure Information Protection (AIP). ✅ Ensured that IRM is properly configured for Microsoft 365. ✅ Enabled OTP authentication for external email recipients. ✅ Allowed external users to decrypt messages securely.
These configurations enhance security while ensuring seamless access to protected content across different email providers.
