When you select an encrypted email in Outlook and ask Copilot to summarize it, Copilot returns an error or refuses to generate a summary. This happens because Copilot cannot access the decrypted content of messages protected by Microsoft Purview Message Encryption or Office 365 Message Encryption. The encryption layer blocks Copilot from reading the email body, which is required for summarization. This article explains why the block occurs and provides the exact steps to fix it so Copilot can process encrypted messages.
Key Takeaways: Fixing Copilot Summarization for Encrypted Email
- Microsoft Purview compliance portal > Message encryption > IRM-protected messages: Copilot cannot read IRM-protected email content, so summarization fails by design.
- Outlook > File > Options > Trust Center > Trust Center Settings > Email Security > Encrypted email: Disabling S/MIME or removing IRM templates from allowed senders may enable Copilot access.
- Microsoft 365 admin center > Settings > Org settings > Microsoft Purview > Message encryption: Admins can configure encryption policies to exclude Copilot from the protected scope.
Why Copilot Cannot Summarize Encrypted Email
Copilot in Outlook generates summaries by reading the email body, headers, and attachments through the Microsoft Graph API. When a message is encrypted using Microsoft Purview Message Encryption or S/MIME, the email body is stored in an encrypted format that Copilot cannot decrypt. The Graph API returns an access-denied error for encrypted content, so Copilot has no text to summarize.
The encryption types that block Copilot include:
Microsoft Purview Message Encryption
This is the default encryption method for many Microsoft 365 organizations. It wraps the email in an encrypted envelope. Only the recipient who authenticates can view the decrypted body. Copilot, as a service, does not have the recipient’s decryption key and cannot read the content.
S/MIME Encryption
S/MIME uses a public/private key pair that is unique to each sender and recipient. Copilot does not have access to the private keys stored in the user’s certificate store. Therefore, any S/MIME-encrypted message is invisible to Copilot’s summarization engine.
Information Rights Management
IRM-protected messages restrict actions like forwarding, printing, or copying. Copilot cannot apply its own rights to read the message content, so it cannot generate a summary.
Steps to Enable Copilot Summarization for Encrypted Email
The fix depends on who controls the encryption policy. If you are an end user, you can change your Outlook encryption settings. If you are an administrator, you can modify organization-wide encryption policies. Follow the method that matches your role.
Method 1: Disable S/MIME Encryption in Outlook
- Open Outlook Options
In Outlook, go to File > Options. - Open Trust Center
Select Trust Center in the left pane, then click Trust Center Settings. - Open Email Security settings
In the Trust Center, select Email Security. - Clear S/MIME encryption options
Under Encrypted email, uncheck Encrypt contents and attachments for outgoing messages. Also uncheck Add digital signature to outgoing messages if it is selected. - Apply and restart Outlook
Click OK on all open dialog boxes. Restart Outlook for the changes to take effect.
After disabling S/MIME, new messages you send will not be encrypted. Copilot can then summarize those messages. However, this does not affect already-encrypted messages in your inbox.
Method 2: Remove IRM Protection from Individual Messages
- Open the encrypted message
Double-click the encrypted email in your Outlook inbox to open it in a separate window. - Remove IRM permission
Go to File > Info > Set permissions. If the message is IRM-protected, you will see an option like Change permission or Remove permission. Click Remove permission. - Save and close
Click Save on the message. Close it and reopen it. Copilot should now be able to summarize the message.
This method only works if you are the sender of the message or if you have been granted full control rights by the sender. If you are the recipient, you cannot remove IRM protection.
Method 3: Admin Configures Encryption Exclusions in Microsoft Purview
- Open the Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and sign in with a global admin or compliance admin account. - Navigate to Message encryption
In the left navigation, select Data classification > Message encryption. - Modify encryption policy
Find the policy that applies to the emails you want Copilot to summarize. Click the policy name to open it. - Add an exclusion for Copilot
Under Settings, look for a section called Exclude specific applications or Service exclusions. Add Microsoft Copilot or Microsoft Graph API to the exclusion list. The exact label depends on your tenant configuration. - Save the policy
Click Save and wait up to 30 minutes for the change to propagate to all users.
After the admin exclusion is applied, Copilot can read the decrypted content of messages that were previously encrypted by that policy. Existing messages may still be encrypted; new messages will be excluded from encryption.
If Copilot Still Has Issues After the Main Fix
Copilot Returns Generic Output Instead of Tenant-Specific Data
If Copilot summarizes a message but the summary contains only generic phrases like “This email discusses a topic” rather than actual content, the message may still be partially encrypted. Open the message and look for a banner that says “This message is encrypted.” If the banner is present, the decryption key was not applied. Use Method 2 to remove the protection or contact your admin to check the encryption policy.
Copilot Does Not Show the Summarize Button at All
If Copilot does not offer a summarize button for any email, not just encrypted ones, the Copilot add-in may be disabled. Go to Outlook > Get Add-ins > Admin managed and ensure Microsoft Copilot is listed as enabled. If it is missing, contact your Microsoft 365 admin to assign a Copilot license to your account.
Copilot Summarizes Some Emails but Not Others
This usually indicates that only certain emails are encrypted. Check the sender’s domain. If the sender is outside your organization, their email may be encrypted by their own policy, which you cannot override. For internal emails, ask the sender to send a non-encrypted version or use Method 3 to exclude Copilot from the encryption policy.
Copilot Summarization: Encrypted vs Non-Encrypted Email
| Item | Encrypted Email | Non-Encrypted Email |
|---|---|---|
| Copilot access | Blocked by encryption layer | Full read access via Graph API |
| Summarization result | Error or no summary generated | Complete summary with key points |
| Required fix | Disable encryption or add admin exclusion | No fix needed |
| Impact on security | Reduces protection for that message | No change |
| Admin control | Can exclude Copilot from policy | Not applicable |
Copilot summarization works reliably only on non-encrypted email. For encrypted messages, you must either remove the encryption or configure an admin policy to allow Copilot access.
Now you can identify why Copilot cannot summarize an encrypted email and apply the correct fix. If you are an end user, start with Method 1 or 2. If you are an admin, use Method 3 to adjust the Purview encryption policy. For ongoing protection, consider creating a separate encryption policy that excludes Copilot while keeping encryption for other services.