Fixing Azure Information Protection (AIP) and Configuring Email Encryption


Microsoft’s Azure Information Protection (AIP) is a vital tool for securing data, labeling, and encrypting emails. However, sometimes organizations face issues where AIP is deactivated, email encryption isn’t working, or external users cannot access protected messages. This guide will walk you through fixing AIP, enabling Office Message Encryption (OME), and configuring OTP authentication.


Step 1: Check and Enable Azure Information Protection (AIP)

1.0 Configure PowerShell

We’ll need to import Microsoft-signed PowerShell modules, which requires the execution policy to be configured correctly. We’ll set it only for the current process so that the global configuration is not disturbed.

Open PowerShell as admin, and run the following command:

Set-ExecutionPolicy RemoteSigned -Scope Process

1.1 Connect to the AIP Service

Open PowerShell and run the following command:

Install-Module AipService
Connect-AipService

This command connects your session to the Azure Information Protection (AIP) Service.

1.2 Check AIP Status

Run the following command to check if AIP is active:

Get-AipService

Expected Output:

  • If AIP is active, you will see details about the service.
  • If AIP is deactivated, you need to enable it.

1.3 Enable AIP if Deactivated

If Get-AipService shows Deactivated, enable it using:

Enable-AipService

Step 2: Enable Rights Management for Office 365 (IRM)

AIP works with Information Rights Management (IRM) to protect email communication.

2.1 Connect to Exchange Online

Run the following command to connect to Exchange Online PowerShell:

Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

2.2 Check IRM Configuration

Verify whether SimplifiedClientAccessEnabled is set to True:

Get-IRMConfiguration | Select-Object *

Expected Output:

The output should look like the sample below. Any property that is missing or does not match these values should be changed.

Name                                       : ControlPoint Config
LicensingLocation                          : {https://GUID.rms.eu.aadrm.com/_wmcs/licensing}
InternalLicensingEnabled                   : True
ExternalLicensingEnabled                   : True
AzureRMSLicensingEnabled                   : True
AutomaticServiceUpdateEnabled              : True
EnablePdfEncryption                        : True
SimplifiedClientAccessEncryptOnlyDisabled  : False
SimplifiedClientAccessDoNotForwardDisabled : False
DecryptAttachmentForEncryptOnly            : False
TransportDecryptionSetting                 : Optional
JournalReportDecryptionEnabled             : True
SimplifiedClientAccessEnabled              : True
ClientAccessServerEnabled                  : True
SearchEnabled                              : True

2.3 Configure IRM Configuration

You can change features by running the following commands:

Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
Set-IRMConfiguration -InternalLicensingEnabled $true

A missing LicensingLocation causes encrypted mail to fail at the transport layer, producing NDRs like the one below.

Remote server returned '550-5.7.162 OmeEncryptionAgent; Permanent Failure 550-5.7.162 Exception encountered: RmException. 550-5.7.162 Exception message: Failed get licensing URI. FailureCode:CorruptConfiguration. Recoverable:False.. 550 5.7.162 Please contact your system administrator for more information.'

This can be resolved by configuring the Licensing Location with the following commands. You need to be connected to both AIP (Step 1.1) and Exchange Online (Step 2.1):

$RMS = Get-AipServiceConfiguration
$LicenseUri = $RMS.LicensingIntranetDistributionPointUrl
Set-IRMConfiguration -LicensingLocation $LicenseUri
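The following script is an added example, not part of the original article: it audits the settings from Steps 1 and 2 against the expected values shown above, reports drift, optionally applies the same Set-IRMConfiguration commands with -Fix, and finishes with Test-IRMConfiguration for a sender mailbox. It assumes Connect-AipService and Connect-ExchangeOnline have already been run, and that Get-AipService returns the string 'Enabled' when the service is active.

```powershell
param(
    [switch]$Fix,          # apply the article's Set-IRMConfiguration commands when drift is found
    [string]$TestSender    # optional mailbox to run Test-IRMConfiguration against
)

# Baseline taken from the sample Get-IRMConfiguration output in Step 2.2.
$expected = [ordered]@{
    InternalLicensingEnabled      = $true
    ExternalLicensingEnabled      = $true
    AzureRMSLicensingEnabled      = $true
    SimplifiedClientAccessEnabled = $true
    ClientAccessServerEnabled     = $true
}

# Step 1.2 / 1.3: IRM cannot obtain licences while the AIP service is deactivated.
# Assumption: Get-AipService returns 'Enabled' for an active tenant.
$aipState = Get-AipService
if ($aipState -ne 'Enabled') {
    Write-Warning "AIP service state is '$aipState'. Run Enable-AipService before continuing."
}

$irm   = Get-IRMConfiguration
$drift = @()
foreach ($name in $expected.Keys) {
    if ($irm.$name -ne $expected[$name]) {
        $drift += "$name is '$($irm.$name)', expected '$($expected[$name])'"
    }
}

# An empty LicensingLocation is what produces the 5.7.162 CorruptConfiguration NDR.
$licensingMissing = ($null -eq $irm.LicensingLocation) -or ($irm.LicensingLocation.Count -eq 0)
if ($licensingMissing) { $drift += 'LicensingLocation is empty' }

if ($drift.Count -eq 0) {
    Write-Host 'IRM configuration matches the expected baseline.'
} else {
    $drift | ForEach-Object { Write-Warning $_ }
    if ($Fix) {
        # Same commands as Step 2.3, combined into one call.
        Set-IRMConfiguration -SimplifiedClientAccessEnabled $true -AzureRMSLicensingEnabled $true -InternalLicensingEnabled $true
        if ($licensingMissing) {
            # Same fix as the LicensingLocation commands above: take the URI from the AIP tenant config.
            $licenseUri = (Get-AipServiceConfiguration).LicensingIntranetDistributionPointUrl
            Set-IRMConfiguration -LicensingLocation $licenseUri
        }
    }
}

# End-to-end check: Test-IRMConfiguration acquires a licence as the sender and reports PASS/FAIL per step.
if ($TestSender) { Test-IRMConfiguration -Sender $TestSender }
```

Run it once without -Fix to see the drift report, then with -Fix and -TestSender to apply the changes and confirm licence acquisition works before sending encrypted mail.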

Step 3: Enable OTP Authentication for External Recipients

By default, Microsoft Purview Message Encryption (OME) allows external recipients to open encrypted emails using a Microsoft account. However, to allow them to open emails with a One-Time Passcode (OTP), you must configure the settings.

3.1 Check OTP Configuration

Run the following command:

Get-OMEConfiguration -Identity "OME Configuration"

Expected Output:

TemplateName      SocialIdSignIn OTPEnabled ExternalMailExpiryInterval ImageUrl
------------      -------------- ---------- -------------------------- --------
OME Configuration           True       True                   00:00:00

3.2 Enable OTP Authentication for External Users

Run this command to enable OTP access:

Set-OMEConfiguration -Identity "OME Configuration" -OTPEnabled $true

Now, external users (e.g., Gmail users) receiving AIP-protected emails will be able to authenticate using an OTP instead of a Microsoft account.

3.3 Enable Social Sign-In for Yahoo, Google and Microsoft accounts

Set-OMEConfiguration -Identity "OME Configuration" -SocialIdSignIn $true

Once enabled, users can sign in with their email provider’s account, without verifying an OTP via email.


Final Thoughts

By following these steps, you have:

  • Verified and enabled Azure Information Protection (AIP).
  • Ensured that IRM is properly configured for Microsoft 365.
  • Enabled OTP authentication for external email recipients.
  • Allowed external users to decrypt messages securely.

These configurations enhance security while ensuring seamless access to protected content across different email providers.

Updated on July 29, 2025
