Error messages when applying labels with the Azure Information Protection client.


This post describes some of the issues I have had/seen with the AIP Client and Office. Usually everything works well, and you can just start using the labels, but when things go wrong, it is not always easy to see why.


I had a problem applying labels with protection, and received a lot of «interesting» error messages when I tried the different protections. After setting up AIP with labels and protection I installed the newest AIP client, and tried to use one of the labels I had created. The ones without protection went well, but as soon as I tried to use one with protection, I got one of these.

Azure Information Protection cannot apply this label
And this:
Argh .. What administrator?

I also noticed some error messages in the event log. Event 101:
Error: No matching template found.
The error message confused me. It said no matching template found. It seemed to me like the client had problems communicating with AIP, but the labels were updated, so I tried to retrieve the templates from the set permission option.
Set Permissions
After a little while with this message:
Retrieving templates from server ...
I received the following message:

The logged in users could not be authenticated. Please check your credentials or try signing out and signing in again.

I then tried to use the Classify and protect option in file explorer, which went well, so it seemed like the problem was with Office and the client. I tried the usual troubleshooting tips like resetting the client settings:
In the Protect option in Outlook, choose Help and Feedback
Select to Reset Settings
When you select the Reset Settings option, you will be warned that this action will delete registry settings that you might need to connect to Azure Information Protection. Sounds serious, but they will be re-added when you start up Office again.
Delete settings you might need
It will tell you it has reset AIP settings
But the problem still remained. I then tried to manually remove all settings from the AIP client in registry and file explorer, but that didn't do any good either. I also removed and reinstalled the AIP client, which didn't change anything. Since Classify and protect worked, and I received the error message about the logged in user, I then tried to switch account in Office to make sure it was not related to credentials:
In Word, for instance, select your name and Switch account
But no help. I still got the same error messages when trying to use the labels. Since none of the things I tried did any good, and the problem seemed to be related to my Office client, I removed Office (uninstalled everything Office related) and added it again. I refreshed the AIP Client, and voila: it worked.

Comments

  1. I have the exact same issues with AIP in our customer's test environment. However, logging out of O365 in Office (not AIP) seems to fix the problem. As soon as I log in, the problems start again though.
    I'm suspecting that the problems relate to the identities used. I'll open a support ticket with Microsoft.
    Out of interest: Are the users' UPNs and e-mail address attributes identical in your environment or do they differ?

    1. Glad you were able to get it working. I did not have any luck with logging out of O365 unfortunately. In my case the UPN and e-mail were identical, but as I found out there had been a UPN change earlier.

  2. In our environment we had the identical error message. For us it turned out that we had Microsoft Office hardening in place, which misconfigured the Office IRM functionality. Make sure to check the following GPO settings: https://docs.microsoft.com/en-us/archive/blogs/rmssupp/tip-o-the-day-12292006-all-you-can-eat-office-registry-keys-for-irm-and-a-bag-of-chips

    1. @phroxvs Having the same issue, working in a STIG'd environment and driving myself crazy with the GPO settings that could impact this function. The link that you have is no longer valid. Do you by chance remember the Policy that was breaking IRM?

