Outlook Classic can’t read encrypted messages from other tenants
Posted by Fabulous_Cow_4714@reddit | sysadmin | 5 comments
I was able to open the same messages using OWA and also the Outlook Mobile app, but the message won't open in Outlook Classic and you are then redirected to use the encryption portal.
I found this known bug page.
However, that says this issue was fixed in Office 2602 and newer builds.
I'm seeing this issue in 2604 builds of Outlook Classic though.
Is there special configuration needed on either the sender or recipient side to allow these messages to open from Outlook Classic?
petergroft@reddit
Despite the fix in build 2602, Outlook Classic often fails to decrypt messages when the AIP (Azure Information Protection) service uses a cached, outdated policy or when "Shared Office Computer" mode is misconfigured. Try clearing the %localappdata%\Microsoft\Office\16.0\Licensing folder to force a fresh identity token, which usually prompts the client to re-handshake with the external tenant's encryption key.
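The cache-clearing step suggested above, written out as a PowerShell script. This is an added example, not the commenter's own procedure; it assumes Outlook Classic is a Click-to-Run install (so the build is readable from `HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration`) and that the cache is at `%LOCALAPPDATA%\Microsoft\Office\16.0\Licensing`. It renames the folder instead of deleting it so the change can be reverted, refuses to run while OUTLOOK.EXE is open (the files are locked), and handles the case where the folder simply does not exist. The script name `Clear-OutlookLicensingCache.ps1` is hypothetical.

```powershell
<#
  Added example (not from the original thread). Renames the Outlook Classic
  licensing cache so the client acquires a fresh identity token on next start.
  Assumptions: Click-to-Run install; cache at %LOCALAPPDATA%\Microsoft\Office\16.0\Licensing.
  Run with -WhatIf first to see what would change.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

# Report the installed Office build so it can be compared with the build the
# known-issue page names (2602). Only the raw VersionToReport value is shown;
# mapping it to a YYMM build number is not attempted here.
$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (Test-Path -Path $c2r) {
    $cfg = Get-ItemProperty -Path $c2r
    Write-Host "Office Click-to-Run version : $($cfg.VersionToReport)"
    Write-Host "Update channel             : $($cfg.UpdateChannel)"
} else {
    Write-Warning 'No Click-to-Run configuration found; this may be an MSI install.'
}

# Outlook must be closed, otherwise files in the cache stay locked.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Warning 'Outlook is running. Close it and re-run this script.'
    return
}

$licensing = Join-Path -Path $env:LOCALAPPDATA -ChildPath 'Microsoft\Office\16.0\Licensing'

# The folder may not exist at all (as the OP found); nothing to do in that case.
if (-not (Test-Path -LiteralPath $licensing)) {
    Write-Host "No Licensing folder at $licensing; nothing to clear."
    return
}

# Rename rather than delete, so the previous cache can be restored if needed.
$backupName = 'Licensing.bak-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
if ($PSCmdlet.ShouldProcess($licensing, "Rename to $backupName")) {
    Rename-Item -LiteralPath $licensing -NewName $backupName
    Write-Host "Moved cache to $(Join-Path (Split-Path $licensing -Parent) $backupName)."
    Write-Host 'Start Outlook to let it re-acquire its identity token.'
}
```

Run it as `.\Clear-OutlookLicensingCache.ps1 -WhatIf` to preview, then without `-WhatIf` to apply. If the symptom persists after a clean restart, the cache was not the cause and the backup folder can be renamed back.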
Fabulous_Cow_4714@reddit (OP)
I checked the system and found there is no \Licensing folder at that location.
Fabulous_Cow_4714@reddit (OP)
I found that the link in the message wasn't pointing to the encryption portal. It just looked like it because the message wasn't downloading images and the visible text in the message was very vague about what it was linking to.
When I clicked on it, it linked to open the message in OWA instead of the encrypted message portal. Still extra steps, but at least no extra sign-in or OTP code was required. Still an ugly, unintuitive experience, though.
I’ll try clearing that folder later just to see if it makes a difference, but even if that worked, that isn’t something we will be able to expect recipients receiving our protected messages to do.
CeC-P@reddit
I ran into this one time a few years ago. It had nothing to do with versioning and was some seriously encrypted, atypical encryption system that MS somehow supports. Usually, it's insurance or lawyers or medical benefits people using it. You do indeed need them to add your tenant ID and then I guess they do something with a key exchange and then it all just works. But that did work for Outlook Classic last I checked. It was a while ago though.
Fabulous_Cow_4714@reddit (OP)
I noticed an exclamation point in the Outlook Classic Account options.
The error ends with “The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.”
Outlook Classic is apparently trying to authenticate to something in the other tenant that it doesn't have access to.
Why would this be an issue for the Outlook Classic desktop client, but not other Outlook apps or OWA?