No RMS templates are available in your organization

No RMS templates are available in your organization

Problem:

When configuring a transport rule for ‘Apply Office 365 Message Encryption and rights protection to the message with…” you receive the following error when attempting to select a label:

“No RMS templates are available in your organization”

No RMS Templates

Solution:

You need to configure Exchange Online for RMS. See below for powershell commands:

#Configure Credentials
$cred = Get-Credential

# Configure Exchange Online PS Session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic –AllowRedirection

# Import Exchange Online PS Session
Import-PSSession $Session

# Configure the RMS Online Key Sharing Location (Note that this url changes based on location – See the bottom of this article for locations)
Set-IRMConfiguration –RMSOnlineKeySharingLocation “https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc”

# Import the RMS Trusted Publishing Domain
Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

# Test the IRM Configuration to ensure that Exchange is configured correctly
Test-IRMConfiguration -RMSOnline

The output of this command should look something like this, with the overall result as PASS.
Results : Checking organization context …

– PASS: Organization context checked; running as tenant administrator.
Loading IRM configuration …
– PASS: IRM configuration loaded successfully.
Checking RMS Online tenant prerequisites …
– PASS: RMS Online tenant prerequisites passed.
Checking RMS Online authentication certificate …
– PASS: The RMS Online authentication certificate is valid.
Checking that a Trusted Publishing Domain can be obtained from RMS Online …
– PASS: Trusted Publishing Domain successfully obtained from RMS Online. Templates available:
Confidential \ All Employees, Highly Confidential \ All Employees, Secure Email.
Checking that the Trusted Publishing Domain obtained from RMS Online is valid …
– PASS: Trusted Publishing Domain obtained from RMS Online is valid.

OVERALL RESULT: PASS

# Set the IRM Internal Licencing to True
Set-IRMConfiguration -InternalLicensingEnabled $true

Give Exchange Online 20 minutes to see the update and you should then be able to see the Templates.

Global policy issue:

Currently there is a bug with Exchange Online not being able to see labels that are NOT included in the ‘Global’ Azure Information Protection Policy. This is being investigated by Microsoft at the time of writing this article.

 

RMS Key Sharing Location URLs:

North America
https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

European Union
https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

Asia
https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

South America
https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc

Office 365 for Government (Government Community Cloud)
https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

[amazon_link asins=’1509304789,1509304797,B07DFPMXX9′ template=’ProductGrid’ store=’412294wp-21′ marketplace=’UK’ link_id=’cfcdc236-7528-11e8-809a-dfacb79ea481′]

27 Replies to “No RMS templates are available in your organization”

  1. Great article. David.

    When I run the command “Test-IRMConfiguration -RMSOnline” for one of my organizations, part of the output reads (I have included xxxxxxxx here to hide the organization name):-

    PASS: Trusted Publishing Domain successfully obtained from RMS Online. Templates available: xxxxxxxxxxxx – Confidential View Only, xxxxxxxxxxxx – Confidential.
    Checking that the Trusted Publishing Domain obtained from RMS Online is valid …

    Your output David has “……Confidential \ All Employees, Highly Confidential \ All Employees, Secure Email…….” where as mine has “Confidential View Only”

    Does this mean I cannot setup encryption or need higher licensing plan in place ?

    1. Hello, thank you for the comment.

      You should have an Azure Information Plan licence for this to work. That output is just the templates that I’ve created from Azure.

  2. Hi David, When I try to test it, it gives me the following error:

    Results : Acquiring RMS Templates …
    – FAIL: Failed to acquire RMS templates. This failure may cause features such as Transport Protection Rul
    es, IRM in OWA, and IRM in EAS to not work.

    OVERALL RESULT: FAIL

    1. Hi Michel,

      Have you enabled the Azure Information Protection yet?
      Office365 Admin Center> Settings> Services & Add-ins> Microsoft Azure Information Protection> Manage Microsoft Azure Information Protection Settings

      One in there, make sure it’s activated. Then give it 30 mins and re-test.

      David

        1. I can only really suggest that you leave it with Microsoft Support. It sounds like there is an issue behind the scenes somewhere. It might be worth re-testing as well – Changes on Office365 aren’t always immediate.

          If Microsoft do manage to resolve it, it would be interesting to know how though as it may help others with the same issue.

          1. Well, the reaction I got from Microsoft Support, they can’t seem to help me any further:

            We got a response from our escalation, and unfortunately, the news is not good:

            Direct quotes:

            “This is a known gap and will be fixed soon. Scoped templates will be available in Exchange mail flow rules. …
            No definitive eta yet. Aiming for early August to be released in production.”

            I apologize for the projected delay. At this time, I can do nothing else.

  3. So, I’ve contacted Microsoft again and they came up with a solution. It seems that when you have an older tenant you have to jump start some stuff. The steps in your post are still necessary to make this work.

    #install aadrm module

    install-module aadrm
    Connect-AadrmService

    # Activate the service
    Enable-Aadrm

    # Get the configuration information needed for message protection.
    $rmsConfig = Get-AadrmConfiguration
    $licenseUri = $rmsConfig.LicensingIntranetDistributionPointUrl

    # Collect IRM configuration for Office 365.
    $irmConfig = Get-IRMConfiguration
    $list = $irmConfig.LicensingLocation
    if (!$list) { $list = @() }
    if (!$list.Contains($licenseUri)) { $list += $licenseUri }

    # Enable message protection for Office 365.
    Set-IRMConfiguration -LicensingLocation $list
    Set-IRMConfiguration -AzureRMSLicensingEnabled $True -InternalLicensingEnabled $true

    # Enable new Protect button in Outlook on the Web
    Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

    # Afterwards, to test that the IRM configuration is good, run the Test-IRMConfiguration cmdlet for a user in your tenant

    1. That’s excellent news. Thank you for updating me as well.

      Hopefully it will help someone else with the same issue.

      Kind Regards,

      David

    2. Michael

      YOU ARE A GOD AMONG MERE MORTALS. I have a case opened with Microsoft for two weeks with no help. But following your commands verbatim finally, finally, finally got me moving forward.

      I thank you so much,
      Greg

      1. This blog & this comment were exactly the help I needed! I too had the case open for a few weeks with Support with no help in sight. The encryption was only working as an old protection template, visible only in Outlook desktop clients, with OWA & iOS Outlook clients unable to read messages protected that way.

        It turned out that despite enabling AIP as the documentation says, some of these configurations didn’t properly apply themselves. When looking at Get-IRMConfiguration, I had these completely blank:

        RMSOnlineKeySharingLocation
        RMSOnlineVersion
        ServiceLocation
        PublishingLocation
        LicensingLocation

        So no surprise I was getting:
        Retrieving RMS Certification Uri …
        – WARNING: Failed to retrieve RMS Certification Uri.
        when testing it.

        You are GODS indeed 😉

  4. Great article. Thanks for posting. I run into an issue right at [$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic –AllowRedirection].

    It tells me this [WARNING: Your connection has been redirected to the following URI: “https://ps.outlook.com/PowerShell-LiveID?PSVersion=5.1.17134.228 “]

    Any ideas?
    Thanks,
    N.Z.

    1. Hi N.Z.

      This shouldn’t cause an error with the actual command. It’s just letting you know that you’re being redirected from the initial URI which was specified. The -AlloWRedirection switch grants authorisation to do this.

      Is it stopping you from continuing?

      David

      1. Hi David,
        Thank you for your response. I was able to get over that hump, but ran into other issues.

        First when I got to running Test-IRMConfiguration -RMSOnline, The only thing that failed was “Failed to obtain a Trusted Publishing Domain from RMS Online”, but it would say RMS configuration, authentication and prereqs are successful. However, after running the commands in Michel ten Hove ‘s post above, now I get just one line – FAIL: Failed to acquire RMS templates.

        BEFORE
        ===============
        Checking organization context …
        – PASS: Organization context checked; running as tenant administrator.
        Loading IRM configuration …
        – PASS: IRM configuration loaded successfully.
        Checking RMS Online tenant prerequisites …
        – PASS: RMS Online tenant prerequisites passed.
        Checking RMS Online authentication certificate …
        – PASS: The RMS Online authentication certificate is valid.
        Checking that a Trusted Publishing Domain can be obtained from RMS Online …
        – FAIL: Failed to obtain a Trusted Publishing Domain from RMS Online.
        —————————————-
        Microsoft.Exchange.Security.RightsManagement.RightsManagementException: InvalidIssuanceLicenseTemplate
        at Microsoft.Exchange.Security.RightsManagement.Errors.ThrowOnErrorCode(Int32 hr, LocalizedString contextMessage)
        at Microsoft.Exchange.Security.RightsManagement.Errors.ThrowOnErrorCode(Int32 hr)
        at Microsoft.Exchange.Security.RightsManagement.RmsTemplate.GetTemplateNamesAndDescriptions(String template)
        at Microsoft.Exchange.Security.RightsManagement.RmsTemplate.ServerRmsTemplate.GetNameAndDescription(CultureInfo locale, String& templateName, String&
        templateDescription)
        at Microsoft.Exchange.Security.RightsManagement.RmsTemplate.get_Name()
        at Microsoft.Exchange.Management.RightsManagement.RmsUtil.TemplateNamesFromTemplateArray(String[] templateXrMLArray)
        at Microsoft.Exchange.Management.RightsManagement.RMSOnlineValidator.ValidateTPDCanBeObtainedFromRMSOnline(RmsOnlineTpdImporter tpdImporter,
        TrustedDocDomain& tpd)
        —————————————-

        OVERALL RESULT: FAIL

        ===================

        AFTER
        ====================
        Test-IRMConfiguration -Sender [email protected]

        Results : Acquiring RMS Templates …
        – FAIL: Failed to acquire RMS templates. This failure may cause features such as Transport Protection Rules, IRM in OWA, and IRM in EAS to not work.

        OVERALL RESULT: FAIL
        ======================

        Looks like I made my situation worse. Any advice?

        1. Hi David,
          The problems I described in my previous message got fixed when I went back and reversed all changes, I made following Michel ten Hove ‘s post above. But that put me back to square one, which was:
          1. Test-IRMConfiguration -RMSOnline would return bunch of PASS, but FAIL on Failed to obtain a Trusted Publishing Domain from RMS Online.
          2. Test-IRMConfiguration -Sender [email protected] wold return PASS with warnings on disabled features (- WARNING: Failed to retrieve RMS Certification Uri.).
          Upon further research and checking logs I discovered a MS article (sorry, don’t have the link, that was more than a month ago) saying that the error I got could be related to a protection policy/label in Azure if it has the “;” character in it. While I did not find any such characters in the Protection labels, I did have a couple of labels I had created. I had to go in and delete them all.
          After that, I re-applied the fix that you suggested and now I have progress as follows:
          – If I use “Encrypt messages with the previous version of OME” it actually works. E-mails get encrypted and recipients can decrypt them – all as expected, however I prefer to use new OME, not old.
          – If I want to choose Apply Office 365 Message Encryption and rights Protection” now I can choose from a drop down of templates and I obviously choose “encrypt”. It was not even an option I could choose before, so this is a progress.
          – The problem is, when I send e-mails out using the latest option with the template “Encrypt” that finally shows, they get kicked back to me with error ‘550-5.7.162’.
          Here is the full error message:
          Remote Server returned ‘550-5.7.162 OmeEncryptionAgent; Permanent Failure 550-5.7.162 Exception encountered: RightsManagementException. 550-5.7.162 Failure Code: TemplateDoesNotExist. 550-5.7.162 A failure occurred when trying to look up Rights Management Server template ‘c026002d-cda6-401e-bfad-28de214d0fba’. 550 5.7.162 Please contact your system administrator for more information.’
          The part that is the most curious is “”Failure Code: TemplateDoesNotExist”, even though I can choose the Encrypt” template from the drop down menu and save the rule, so it clearly exists.
          Any ideas?
          Thanks!
          N.Z.

          1. One last update:

            After all the steps already described and the rules configured with using the templates, I ran the following one more time (as was suggested above) and now everything is working:

            Set-IRMConfiguration -AzureRMSLicensingEnabled $True

          2. Glad to here that you got it resolved and thank you for letting us know how you managed it. Hopefully it will help someone else with the same issue.

            David

  5. Hi again. I was able to find this MS article that described exactly the problem I was having above. Their described cause and solution was as follows:

    This issue occurs if a template in Microsoft Azure Information Protection contains a semicolon (;) or colon (:). Remove the semicolon or colon from the template in Azure Information Protection.

    While I was not able to locate any ; or : in the templates, I just deleted all the templates I had manually created (you have to use powershell to fully deleted them, if using the portal it just archives them).

    Once I did that, I was able to run Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online” without problems and the test returned all PASS. As a result, all the remplates started loading!

    With templates loading I created the mail flow rules, but there is still a problem with “365 Office Encryption”, while the OME encryption is now working fine without problems.

    When using the Office 365 Message Encryption and triggering the encryption to kick in, e-mails get returned with “Remote Server returned ‘550-5.7.162 OmeEncryptionAgent; Permanent Failure 550-5.7.162 Exception encountered: RightsManagementException. 550-5.7.162 Failure Code: TemplateDoesNotExist. 550-5.7.162 A failure occurred when trying to look up Rights Management Server template ‘***********’. 550 5.7.162 “.

    I will give it few more hours – hopefully this is just a propogation issue.

    1. After a couple of days, encryption with choosing option “Apply previous version of OME” is working fine. No problems at all.

      However, when choosing “Apply Office 365 Message Encryption and rights protection…..” I still get bounced back e-mails with the following errors:
      Remote Server returned ‘550-5.7.162 OmeEncryptionAgent; Permanent Failure 550-5.7.162 Exception encountered: RightsManagementException. 550-5.7.162 Failure Code: TemplateDoesNotExist. 550-5.7.162 A failure occurred when trying to look up Rights Management Server template ‘******’. 550 5.7.162 Please contact your system administrator for more information.’

      1. Hey N.Z, sorry for the slow reply I missed the commend emails in my inbox.

        I’ve removed some of your other posts as requested and have changed the email address so that it’s not showing your work one in the output.

        Did you manage to get around that recent error? Or are you still having an issue with it?

        David

  6. Great article however when I run the command below:

    # Import the RMS Trusted Publishing Domain
    Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

    Failed to get Trusted Publishing Domain from the RMS Online service

    The error was: RMS Online returned an error for tenant with external directory organization ID etc. etc.

    1. Hi Nigel,

      Thank you for taking the time to comment with the new method! Hopefully it will help a couple of people.

      Dave

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.