Overview
When your organization applies Microsoft Purview sensitivity labels with encryption, third-party archiving systems cannot read the message content by default. Microsoft 365's Journal Report Decryption feature resolves this by including a decrypted copy of encrypted messages in the journal reports delivered to MCO eComms. This article covers the Exchange Online and Azure Rights Management configuration required to enable that feature.
Prerequisites
Before you begin, confirm you have the following:
Microsoft 365 Global Administrator or Exchange Administrator role in your Microsoft 365 tenant
Access to Exchange Online PowerShell
A Microsoft 365 E3 or E5 subscription with Azure Rights Management active
The MCO eComms journaling address for your organization (provided during your eComms account setup)
Note: The steps in this article are performed in Microsoft 365, not in MCO eComms. The role requirements listed above refer to Microsoft 365 roles, not eComms roles.
Step 1: Verify Azure Rights Management is enabled
Azure Rights Management (RMS) must be active in your Microsoft 365 tenant before journal report decryption can function. Most Microsoft 365 E3 and E5 tenants have RMS enabled by default.
Run the following command in Exchange Online PowerShell to confirm the service status:
Get-AipService
The output should show Enabled. If RMS is not active, enable it in the Microsoft 365 admin center under Settings > Org settings > Microsoft Azure Information Protection before proceeding.
Step 2: Enable journal report decryption
Run the following command in Exchange Online PowerShell:
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
This configures Exchange Online to attach a decrypted copy of any encrypted message to the journal report. The original encrypted message is delivered to recipients unchanged.
Step 3: Configure journaling to MCO eComms
Create a journal rule in Exchange Online to route messages to MCO eComms:
In the Exchange admin center, go to Compliance management > Journal rules.
Click New rule.
Set "Send journal reports to" to the MCO eComms journaling address for your organization.
Under "Journal messages sent or received from", set the scope to include all required users or distribution groups.
Set "Journal the following messages" to "All messages".
Save the rule.
Note: The MCO eComms journaling address must be added as an external contact in Exchange Online before it can be selected as a journal recipient.
Step 4: Confirm sensitivity label policies require no changes
No changes to your existing Microsoft Purview sensitivity label policies are required. End-users can continue applying sensitivity labels that enforce encryption. Journal Report Decryption operates at the transport layer and does not affect how labels are applied or how recipients experience encrypted messages.
Optional: Refine encryption scope with transport rules
If your organization wants to exclude certain message flows from encryption — for example, internal-only communications — you can configure Exchange Online transport rules to apply sensitivity labels selectively. This is optional and has no effect on the journaling configuration completed in the steps above.
Consult your Microsoft 365 documentation for guidance on configuring transport rules.
Expected outcome
After completing the configuration:
End-users send and receive encrypted emails as before — no change to their experience
MCO eComms receives journal reports containing both the original encrypted message and a decrypted copy available for compliance review and supervision
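To confirm the settings from Steps 1 to 3 afterwards, a read-only check such as the following can be run. This is an added example, not part of the original article or a Microsoft or MCO script; it assumes the AIPService module (which provides Get-AipService) and the ExchangeOnlineManagement module are installed, and Test-JournalDecryptionSetup and the journaling address shown are hypothetical placeholders.

```powershell
# Added example: read-only audit of the settings from Steps 1-3.
# Assumptions: AIPService and ExchangeOnlineManagement modules are installed;
# the address below is a constructed placeholder, not a real eComms address.
$ExpectedJournalAddress = 'journal-placeholder@example.invalid'

function Test-JournalDecryptionSetup {
    param(
        [string]$AipStatus,        # output of Get-AipService
        [object]$IrmConfig,        # output of Get-IRMConfiguration
        [object[]]$JournalRules,   # output of Get-JournalRule
        [string]$ExpectedAddress
    )
    $findings = @()
    if ($AipStatus -ne 'Enabled') {
        $findings += "Azure RMS status is '$AipStatus' (Step 1 expects Enabled)."
    }
    if (-not $IrmConfig.JournalReportDecryptionEnabled) {
        $findings += 'JournalReportDecryptionEnabled is not $true (Step 2).'
    }
    # Step 3: an enabled rule must deliver to the eComms address.
    $matching = @($JournalRules | Where-Object {
        $_.Enabled -and "$($_.JournalEmailAddress)" -eq $ExpectedAddress })
    if ($matching.Count -eq 0) {
        $findings += "No enabled journal rule delivers to $ExpectedAddress (Step 3)."
    }
    foreach ($rule in $matching) {
        if ("$($rule.Scope)" -ne 'Global') {
            $findings += "Rule '$($rule.Name)' has scope $($rule.Scope), not all messages."
        }
    }
    # Journal reports now carry decrypted copies, so every other destination
    # is a place where plaintext leaves the tenant; list each one for review.
    foreach ($rule in $JournalRules) {
        if ("$($rule.JournalEmailAddress)" -ne $ExpectedAddress) {
            $findings += "Rule '$($rule.Name)' sends reports to unexpected address $($rule.JournalEmailAddress)."
        }
    }
    return $findings
}

Connect-AipService
Connect-ExchangeOnline
$findings = Test-JournalDecryptionSetup -AipStatus (Get-AipService) `
    -IrmConfig (Get-IRMConfiguration) -JournalRules @(Get-JournalRule) `
    -ExpectedAddress $ExpectedJournalAddress
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Journal report decryption configuration matches Steps 1-3.' }
```

The script changes nothing in the tenant. A warning about an unexpected journal address deserves review, because that rule's reports also include the decrypted copies.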
Limitations
Be aware of the following constraints before completing this configuration:
Messages encrypted by external organizations (outside your Microsoft 365 tenant) cannot be decrypted by this feature
S/MIME and third-party encryption methods are not supported
Sensitivity labels must be configured to permit decryption by the Exchange Online transport service — labels that restrict decryption to specific users only may prevent journal report decryption from functioning
