M365 Protected Sensitivity Label Failures

Scenario: You have created Sensitivity Labels which include the Protection feature (Encryption + Rights Management). You have published the labels to end users through a Label Policy within the Compliance Center. When users attempt to use the Sensitivity Labels, they receive one of the errors listed below.

Error 1: Azure Information Protection cannot apply this label because it’s configured for a protection template that can’t be found. Try again in a few minutes. If the problem persists, contact your help desk or administrator.

This error is presented by the Azure Information Protection Unified Labeling Client.

Error 2: Remote Server returned ‘550-5.7.162 OmeEncryptionAgent; Permanent Failure 550-5.7.135 Exception encountered: RmExecption. 550-5.7.162 Exception message: Failed to get template. Template<TemplateID>. FailureCode:UnknownFailure. Recoverable:False.. 550 5.7.162 Please contact your system administrator for more information.

Root Problem: The root of this issue is that the AIP Service Template is not in a Published state; it is in an Archived state.


Fix Action: Run the following PowerShell command to publish the template required:

Set-AipServiceTemplateProperty -TemplateId <TemplateID> -Status Published

Note: Ensure that you have installed the AIPService PowerShell Module. After the module is installed, use the Connect-AipService cmdlet to connect. See this article for additional information: Connect-AipService.

If you need to manually install the PowerShell module into your user profile (no Admin Permissions), see this article: Manual Package Download.


Technical Discussion, Explanation, and Demonstration

Microsoft 365 tenants give organizations the option to create and publish Sensitivity Labels from the M365 Compliance Center (formerly Security and Compliance Center).

When we discuss Sensitivity Labels, think of them as a device, rather than the label itself. They are a device which will apply a defined set of parameters to emails or files. These parameters often consist of markings, such as headers and footers, encryption, and permissions/rights.

An important concept when discussing encryption and permissions/rights is that, while encryption is important to the overall protection of the information, it's actually the rights we are most concerned with. That is because the information is encrypted to everyone, and it's the rights which grant users the ability to use/modify the information.

In turn, we must ensure that the Rights Management Service (RMS) templates are available to all services and clients which require access to them.

Step 1: Connect to ExchangeOnline and AIPService

Use the following commands to install the necessary modules and connect to the necessary services:

Install-Module ExchangeOnlineManagement

Install-Module AipService

Connect-ExchangeOnline

Connect-AipService

Step 2: Identify the currently published RMS Templates

The following command will display the currently published RMS templates within Exchange Online:

Get-RMSTemplate

Step 3: Obtain the AIP Service Template TemplateId

Now that you are aware of the templates which are published, identify the new AIP Service Templates which you need to publish.

Get-AipServiceTemplate

In this example, I am attempting to publish a child Sensitivity Label of CUI – REL TO, which is a sub-label of the Global CUI Sensitivity Label. Upon locating this label, you must use the TemplateId to properly publish it.

Step 4: Validate the Status of the AIP Service Template

The following command will display the current status of the AIP Service Template. Confirm that it is in an Archived status. Be sure to insert the appropriate TemplateId into the command.

Get-AipServiceTemplateProperty -TemplateId <TemplateId> -Status

Example:

Get-AipServiceTemplateProperty -TemplateId dc90db2d-bc89-4e8e-b2de-a75607bcf5ff -Status

We can see from this that the template is currently in an Archived state. We need this to be in a Published state.

Step 5: Publish the AIP Service Template

The following command will publish the AIP Service Template:

Set-AipServiceTemplateProperty -TemplateId <TemplateId> -Status Published

Example:

Set-AipServiceTemplateProperty -TemplateId dc90db2d-bc89-4e8e-b2de-a75607bcf5ff -Status Published

You should then get a message indicating that the template was published.

We can validate this by running Step 4 again.

Step 6: Validate the AIP Service Template is now Published In Exchange Online

Here, return to Step 2. Run the following command:

Get-RMSTemplate

We can now see that the template has been published to Exchange Online.

The Azure Information Protection Unified Labeling client will now be able to download the template and apply it on the desktop, resolving Error 1.

Exchange Online will now have access to the necessary RMS template to apply to email messages. This will resolve Error 2.

Note: It can take up to 24 hours for this process to be reflected at the client. See the following article to assist in troubleshooting:

Refreshing Templates for Users and Services
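
Steps 2 through 6 above, combined into a report-only audit across every template rather than one TemplateId. This is an added example, not part of the original article; it assumes both Connect-AipService and Connect-ExchangeOnline sessions are already open, and the .TemplateGuid and .Status property names on the returned objects are assumptions.

```powershell
# Added example: report-only audit, it changes nothing in the tenant.
# Assumes Connect-AipService and Connect-ExchangeOnline have already succeeded.

# Steps 2 and 6: templates Exchange Online currently has available.
# Assumption: each returned object exposes its GUID as .TemplateGuid.
$exoGuids = @(Get-RMSTemplate | ForEach-Object { [string]$_.TemplateGuid })

# Steps 3 and 4: every AIP Service Template and its current status.
$report = foreach ($template in Get-AipServiceTemplate) {
    $id = [string]$template.TemplateId

    # Assumption: the -Status switch returns an object with a .Status property.
    $status = [string](Get-AipServiceTemplateProperty -TemplateId $id -Status).Status

    [pscustomobject]@{
        TemplateId       = $id
        AipStatus        = $status
        InExchangeOnline = $exoGuids -contains $id
    }
}

# Candidates for Error 1 / Error 2: not Published in the AIP service,
# or not yet visible to Exchange Online.
$problems = @($report | Where-Object {
    $_.AipStatus -ne 'Published' -or -not $_.InExchangeOnline
})
$problems | Format-Table -AutoSize

# Print (do not run) the Step 5 command for each unpublished template so an
# administrator can review which ones actually back a published label.
$problems | Where-Object { $_.AipStatus -ne 'Published' } | ForEach-Object {
    "Set-AipServiceTemplateProperty -TemplateId $($_.TemplateId) -Status Published"
}
```

A template that shows as Published but is still missing from Exchange Online may simply be inside the propagation window mentioned in the note above.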