External Users Cannot Open RMS protected Email & Attachment. RRS feed

  • Question

  • I am testing Azure RMS and have the following Scenario ....

    • O365 [Trail] with registered Domain xyz.com & users, Groups synced from AD Onpremise
    • Azure Subscription [Paid] used for AAD + VM's for emulating Onpremise AD + AAD Connect.
    • EMS [Trial]

    I have integrated all the three and deployed AD RMS + created multiple RMS templates etc.

    Users in xyz.com domain when connected to O365 mailbox using Outlook 2016 can see and apply the RMS policies.

    RMS Protection within the organization work fine, but when a protected mail is sent to a different/external domain hosted on other O365 tenant, users cannot view the mail [in outlook].

    The message displayed to the users is "The message with restricted permissions cannot be viewed in the reading pane until you verify your credentials. Open the Item to read its contents and verify your credentials", even though the users is signed in with his credentials.

    The external recipients system already has AD RMS 2.1 Client installed.

    Please advise what I could be doing wrong.

    Monday, June 6, 2016 10:09 AM

All replies

  • Is this symptom limited to the preview pane?
    If this user opens the email does it succeed?

    Wednesday, June 8, 2016 11:02 PM
  • When the recipient user tries to open the mail in Outlook 2013, it popups the following screen. Inspite of authenticating, the below screen keeps popping up. I have tested this on many systems but the result is the same.

    When viewed in OWA, we see the below

    Note: Both the sender and recepient have O365 Exchange Online mailboxes from different tenanant/domain

    • Edited by CosmicStrom Thursday, June 9, 2016 2:08 AM Images did not load
    Thursday, June 9, 2016 2:04 AM
  • What permission policy are you using?  Are you protecting emails with rights policy templates or the Do Not Forward policy?



    Monday, June 13, 2016 9:33 PM
  • Hello,

    I just happened to provide rights by adding a distribution group with external contacts as members to the Policy template.

    This worked. The external domain recipient can now view the mails with restrictions as applied via the policy.

    I am further testing this scenario and will revert in case there are any hurdles.

    Tuesday, June 14, 2016 3:27 PM
  • Hi,

    As you commented, if you want to send protected mails to an external user, you have to add it as a contact in your tenant and add it to a group, then, you will be able to assign the permissions to those users.


    Wednesday, August 3, 2016 8:25 AM
  • This is expected if you are protecting with templates other than Do Not Forward.

    Some questions about your scenario:

    Was the external users tenant also enabled for RMS?

    Were you protecting with Do Not Forward and/or did you get the same behavior if you did ad-hock protection on a Word document?

    Friday, August 12, 2016 11:29 PM
  • I am getting the same error, testing similar scenario.

    Office365  paid subscription E5 + EMS

    I am testing using a completely separated external user tenant, not enabled for RMS or other Office365 services. 

    I protected e-mails with "Do not forward" , default templates and other custom, but same error in external user Outlook :   "You do not have credentials that allow you to open this message. ... "

    However, external user could open an ad-hoc protected word document.


    Sunday, December 18, 2016 7:18 AM