Decrypting an email that you received from outside your organization using MIP
I am currently attempting to decrypt protected emails I receive using the MIP SDK.
My current problem is that while I am currently able to decrypt mails that I receive from people within my own organization, I am not able to decrypt encrypted mails sent from email addresses outside my own organization.
I start out by getting a token:
```csharp
// Build a public client and sign in with username/password (ROPC flow).
_app = PublicClientApplicationBuilder.Create(_appInfo.ApplicationId)
    .WithAuthority(Authority2)
    .WithDefaultRedirectUri()
    .Build();
string[] scopes = { "User.Read" };
SecureString secure = new SecureString();
foreach (char c in "password")
{
    secure.AppendChar(c);
}
IAccount userAccount = _app.AcquireTokenByUsernamePassword(scopes, "username", secure).ExecuteAsync().Result.Account;
// Request a token for the rights management service from the cached account.
var tokenss = _app.AcquireTokenSilent(new[] { "https://aadrm.com/user_impersonation" }, userAccount).ExecuteAsync();
var realtoken = tokenss.Result.AccessToken;
return realtoken;
```
Then I pass it through my file engine with an .msg file to be decrypted:
```csharp
var fileEngine = Task.Run(async () => await fileProfile.AddEngineAsync(engineSettings)).Result;
var handler = Task.Run(async () => await fileEngine.CreateFileHandlerAsync(inputFilePath,
    actualfilepath,
    false)).Result;
```
And this works fine when the email is either sent by me or when the sender of the email is within my own organization.
The exception I get:
```
The service didn't accept the auth token. Challenge:['Bearer resource="https://aadrm.com"
```
I suspect something is wrong with public and private keys, but I am in no way an expert in encryption.
Solution 1:[1]
For decrypting emails that were encrypted by users or services not belonging to your tenant, you must be granted rights to do so by them.
When protected within your organization, I expect that the protection template that is used allows your account / any account to decrypt.
When protected from an AIP service outside your organization, it depends on the protection template that was used.
You can check with the administrator of the service that encrypts the emails you receive what kind of privileges were configured in the protection template.
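A way to inspect what a rejected token was actually issued for, next to the challenge in the exception above. This is an added example, not part of the original question or answer: the class and helper names are hypothetical, and the challenge string and token are constructed samples with placeholder claims.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using System.Text.RegularExpressions;

static class TokenChallengeCheck // hypothetical helper, not part of the MIP SDK
{
    // Collect key="value" parameters from a Bearer challenge string.
    public static Dictionary<string, string> ParseChallenge(string challenge)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in Regex.Matches(challenge, "(\\w+)=\"([^\"]*)\""))
            result[m.Groups[1].Value] = m.Groups[2].Value;
        return result;
    }

    // Decode the payload segment of a JWT for inspection only (signature is NOT verified).
    public static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a three-part JWT.");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.Clone();
    }

    static string Claim(JsonElement p, string name) =>
        p.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String ? v.GetString() : "(missing)";

    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed samples: the challenge text from the exception, and an unsigned placeholder token.
        string challenge = "Bearer resource=\"https://aadrm.com\"";
        string token = B64Url("{\"alg\":\"none\"}") + "." + B64Url(
            "{\"aud\":\"https://aadrm.com\",\"tid\":\"00000000-0000-0000-0000-000000000000\"}") + ".sig";

        ParseChallenge(challenge).TryGetValue("resource", out string wanted);
        JsonElement payload = DecodePayload(token);
        string aud = Claim(payload, "aud");
        Console.WriteLine($"challenge resource: {wanted ?? "(none)"}");
        Console.WriteLine($"token aud: {aud}, issuing tenant (tid): {Claim(payload, "tid")}");
        Console.WriteLine(wanted != null && aud.TrimEnd('/') == wanted.TrimEnd('/')
            ? "Audience matches the challenge; the token still comes from the tenant shown in tid."
            : "Audience differs from the resource named in the challenge.");
    }
}
```

Treat access tokens as secrets while debugging: decode them locally and keep them out of logs and online decoders.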
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | BeerBaron |
