Howdy guys,


I've ran into another scenario that I wanted to bring to everyone's attention in the Azure RMS world.


This involves Exchange Online Dynamic Distribution groups:


For those you are unfamiliar with DDG's here is a quick link:


Environment Layout:

*Cloud Environment

Office 365

Exchange Online

Azure AD

Azure Information Protection enabled


Here are some things I've discovered when you send an email to an EXO Dynamic Distribution group that has an RMS protected template applied.  You'll notice the following symptoms,


  1. If you're opening the email with Outlook, it'll inform you that the username is incorrect. Prompting for another username or asking the owner of the email for permission to open the protected content.
  2. OWA Users will be able to open the email
    1. What is OWA?


This is by design:


Two common questions on why does it work in OWA but not our Office applications?


Answer to number 1:


The reason why it's requesting for another username or password is the Azure RMS server is unable to find the distribution group within Azure AD. Azure RMS searches Azure AD for the DDG and fails to discover who's in the group. I discovered EXO doesn't sync to Azure AD with DDG's.


Answer to number 2:


The reason why OWA is working is due to being hosted by Exchange itself. Exchange hosts its own IRM configuration within to allow OWA to read protected content.


You'll remember that process here when you're uploading your TPD into the exchange server: