Microsoft Purview Blog

Secure external attachments with Purview encryption

Tarek_Atef (Microsoft)
Oct 29, 2025

Sharing sensitive documents externally is a common business need, but when encryption and sensitivity labels are involved, things can get complicated.

If you are using Microsoft Purview to secure email attachments, it is important to understand how Conditional Access (CA) policies and guest account settings shape the experience for external recipients.

Scenario 1: Guest Accounts Enabled

Smooth Experience

Each recipient is provisioned with a guest account, allowing them to access the file seamlessly.

📝 Note

This can result in a significant increase in guest users, potentially hundreds or thousands, which may create additional administrative workload and management challenges.

Scenario 2: No Guest Accounts

🚫 Limited Access

External users can only view attachments via the web interface. Attempts to download the files and open them in Office apps typically fail, ending in repeated credential prompts.

🔍 Why?

Conditional Access policies may block access to Microsoft Rights Management Services because that service is included under All resources. This typically occurs when access controls such as Multi-Factor Authentication (MFA) or device compliance are enforced: those controls can only be satisfied by an authenticated member or guest account, which an external recipient without a guest account does not have.

To improve the experience without enabling guest accounts, consider adjusting your CA policies with one of the following approaches:

Recommended Approach

Exclude Microsoft Rights Management Services from CA policies targeting All resources.


Alternative Approach

In the Users assignment, exclude Guest or external users → Other external users from CA policies targeting All users.


Things to consider

  • These access blocks won't appear in sign-in logs, because this type of external user leaves no trace there. Manual CA policy review is essential.
    • Using the What If tool with the following conditions can help identify which policies need to be modified.
  • These approaches only apply to email attachments. For SharePoint Online-hosted files, guest accounts remain the only viable option.
  • Always consult your Identity/Security team before making changes to ensure no unintended impact on other workloads.
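The manual policy review above can be scripted. The following read-only PowerShell script is an added example, not code from the original post or from Microsoft, and uses the Microsoft Graph PowerShell SDK to list the enabled Conditional Access policies that would need either of the two exclusions described above. It assumes the Microsoft.Graph modules are installed, that the signed-in account holds the Policy.Read.All permission, and that 00000012-0000-0000-c000-000000000000 is the first-party Microsoft Rights Management Services application ID; confirm that ID under Enterprise applications in your own tenant before relying on it.

```powershell
# Added example, not part of the original post: audit Conditional Access policies for the
# two exclusions the post describes. Read-only; it reports and does not modify any policy.
# Requires the Microsoft.Graph PowerShell SDK and the Policy.Read.All permission.

# ASSUMPTION: well-known first-party "Microsoft Rights Management Services" appId.
# Verify it under Entra ID > Enterprise applications in your tenant.
$RmsAppId = '00000012-0000-0000-c000-000000000000'

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

# Only enabled policies enforce anything; report-only and disabled ones are skipped.
$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' }

$findings = foreach ($p in $policies) {
    $apps  = $p.Conditions.Applications
    $users = $p.Conditions.Users

    # Recommended approach: policy scoped to "All resources" that still includes RMS.
    $targetsAllResources = $apps.IncludeApplications -contains 'All'
    $excludesRms         = $apps.ExcludeApplications -contains $RmsAppId

    # Alternative approach: policy scoped to "All users" that still includes
    # "Other external users". GuestOrExternalUserTypes is a comma-separated flag string.
    $targetsAllUsers  = $users.IncludeUsers -contains 'All'
    $excludedTypes    = [string]$users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes
    $excludesOtherExt = $excludedTypes -match 'otherExternalUser'

    # Only policies that impose a grant control (mfa, compliantDevice, block, ...) produce
    # the credential prompts the post describes; session-only policies are ignored.
    # Piping through Where-Object drops a null GrantControls so the count is 0, not 1.
    $controls = @($p.GrantControls.BuiltInControls | Where-Object { $_ })

    [pscustomobject]@{
        Policy                      = $p.DisplayName
        GrantControls               = ($controls -join ',')
        NeedsRmsExclusion           = ($targetsAllResources -and -not $excludesRms -and $controls.Count -gt 0)
        NeedsOtherExternalExclusion = ($targetsAllUsers -and -not $excludesOtherExt -and $controls.Count -gt 0)
    }
}

# Policies flagged in either column are the candidates to review with the What If tool.
$findings |
    Where-Object { $_.NeedsRmsExclusion -or $_.NeedsOtherExternalExclusion } |
    Format-Table -AutoSize
```

Policies with NeedsRmsExclusion set are candidates for the recommended approach (exclude the RMS app from the Applications assignment); those with NeedsOtherExternalExclusion are candidates for the alternative approach (exclude Other external users from the Users assignment). Because these external users leave no sign-in log entries, this listing plus a What If check is the only way to see which policies would interfere before editing any of them.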

References

For detailed guidance on how guest accounts interact with encrypted documents, refer to Microsoft’s official documentation:

🔗 Microsoft Entra configuration for content encrypted by Microsoft Purview Information Protection | Microsoft Learn

Updated Oct 21, 2025
Version 1.0

3 Comments

  • dl348926 (Occasional Reader)

    Great blog post, that happens to be very timely for our organisation, as we recently launched MPIP and have come across this exact issue! Having experimented in a test tenant I (finally) came to very similar conclusions as this post... on exactly the day this was published in fact!

    Anyway, I'm intrigued why an RMS-based CA exclusion approach is "recommended" and a guest-based exclusion is the "alternative" approach. In our org we have upwards of 10 CA policies, almost all are scoped on "All Resources", and many do not already exclude guests. Doing an RMS app-based exclusion would, by my estimate, cause us to duplicate a large number of policies to cover off our existing CA policy set, for scenarios like internal user device compliance when accessing RMS resources.

    Whereas doing a guest-based exclusion would (again, by my estimate) cause us just one additional policy - "Other external user" Guests accessing any app that isn't RMS. Which I think we could just set to block without breaking anything (though I'll have to run that in Report Only mode for a bit to confirm!)

    Curious what you think Tarek_Atef and @eve_kilel (apologies Eve, I don't seem to be able to tag you!)

    • Tarek_Atef (Microsoft)

      Hi dl348926,

      Thank you for your feedback. We agree that both approaches are viable, but it's difficult to determine which is objectively better since each organization has its own unique requirements and circumstances. However, given that the primary concern here relates to labels, I recommended excluding the associated app rather than "Other external user", as the latter could impact other workloads.

      • dl348926 (Occasional Reader)

        Thanks Tarek_Atef!

        If you're just trying to "get this working" with little regard to how CA policies are enforced on other users when accessing RMS resources, then yes I probably agree with you.

        But if I pose the question as "How can you allow 'Other external users' to access RMS resources, without otherwise changing your CA posture", certainly for our organisation, I think the "Other external user" is the better way to go. To otherwise not change your CA posture you would need at least one new CA policy, and the guest exclusion would only require exactly one additional CA policy (I think).

        Whereas the app exclusion would require multiple CA policies duplicating various policies/scenarios for the RMS app only.

        At least that's how I see it in our organisation's environment, but I could be missing something...?