Secure external attachments with Purview encryption
Great blog post, that happens to be very timely for our organisation, as we recently launched MPIP and have come across this exact issue! Having experimented in a test tenant I (finally) came to very similar conclusions as this post... on exactly the day this was published in fact!
Anyway, I'm intrigued why an RMS-based CA exclusion approach is "recommended" and a guest-based exclusion is the "alternative" approach. In our org we have upwards of 10 CA policies, almost all are scoped on "All Resources", and many do not already exclude guests. Doing an RMS app-based exclusion would, by my estimate, cause us to duplicate a large number of policies to cover off our existing CA policy set, for scenarios like internal user device compliance when accessing RMS resources.
Whereas doing a guest-based exclusion would (again, by my estimate) cause us just one additional policy - "Other external user" Guests accessing any app that isn't RMS. Which I think we could just set to block without breaking anything (though I'll have to run that in Report Only mode for a bit to confirm!)
Curious what you think, Tarek_Atef and @eve_kilel (apologies Eve, I don't seem to be able to tag you!)
Hi dl348926,
Thank you for your feedback. We agree that both approaches are viable, but it's difficult to determine which is objectively better since each organization has its own unique requirements and circumstances. However, given that the primary concern here relates to labels, I recommended excluding the associated app rather than "Other external user", as the latter could impact other workloads.
- dl348926, Oct 30, 2025, Copper Contributor
Thanks Tarek_Atef !
If you're just trying to "get this working" with little regard to how CA policies are enforced on other users when accessing RMS resources, then yes I probably agree with you.
But if I pose the question as "How can you allow 'Other external users' to access RMS resources without otherwise changing your CA posture?", then certainly for our organisation I think the "Other external user" exclusion is the better way to go. To otherwise not change your CA posture you would need at least one new CA policy, and the guest exclusion would require exactly one additional CA policy (I think).
Whereas the app exclusion would require multiple CA policies duplicating various policies/scenarios for the RMS app only.
At least that's how I see it in our organisation's environment, but I could be missing something...?
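The two designs debated above (excluding the RMS app from every existing policy versus excluding "Other external user" guests and adding one block policy) can be compared with a small model of Conditional Access scoping. The script below is an added example, not code from the blog post, the commenters or Microsoft: it reduces a policy to the user-type and application scoping of the Graph `conditionalAccessPolicy` shape plus its grant controls, ignores device, location, risk and session conditions, and uses a constructed three-policy baseline. The RMS app id is the well-known Microsoft Rights Management Services id; confirm it against the enterprise application in your own tenant before using it in a real policy.

```python
"""Simplified model of Conditional Access (CA) scoping used to compare two
ways of letting "Other external user" guests reach RMS-protected content:
(A) exclude the RMS app from existing policies and re-create them for RMS,
(B) exclude other external users from existing policies and add one policy
that blocks them everywhere except RMS.  Added example; not Microsoft's
evaluation engine.  Only user-type and application scoping are modelled."""
import copy

# Well-known app id of Microsoft Rights Management Services (verify in tenant).
RMS_APP_ID = "00000012-0000-0000-c000-000000000000"
ALL = "All"
OTHER_EXTERNAL = "otherExternalUser"  # Graph guestOrExternalUserTypes value

# Graph-shaped clause that targets only "Other external user" guests.
OTHER_EXTERNAL_CLAUSE = {
    "guestOrExternalUserTypes": OTHER_EXTERNAL,
    "externalTenants": {"membershipKind": "all"},
}


def policy(name, controls, *, users=(ALL,), guest_types=None,
           apps=(ALL,), exclude_apps=(), exclude_guest_types=None):
    """Build a policy dict shaped like the Graph conditionalAccessPolicy resource."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": list(users),
                "includeGuestsOrExternalUsers": guest_types,
                "excludeGuestsOrExternalUsers": exclude_guest_types,
            },
            "applications": {
                "includeApplications": list(apps),
                "excludeApplications": list(exclude_apps),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


def _guest_match(clause, user_type):
    """True if a (possibly absent) guest clause names this user type."""
    return bool(clause) and user_type in clause["guestOrExternalUserTypes"].split(",")


def applies(pol, signin):
    """True if the sign-in falls inside the policy's user and app scope."""
    users = pol["conditions"]["users"]
    apps = pol["conditions"]["applications"]
    in_users = (ALL in users["includeUsers"]
                or _guest_match(users["includeGuestsOrExternalUsers"], signin["userType"]))
    if not in_users or _guest_match(users["excludeGuestsOrExternalUsers"], signin["userType"]):
        return False
    in_apps = ALL in apps["includeApplications"] or signin["appId"] in apps["includeApplications"]
    return in_apps and signin["appId"] not in apps["excludeApplications"]


def evaluate(policies, signin):
    """Return the sorted union of grant controls enforced on the sign-in."""
    controls = set()
    for p in policies:
        if p["state"] == "enabled" and applies(p, signin):
            controls.update(p["grantControls"]["builtInControls"])
    return sorted(controls)


def baseline():
    """Constructed stand-in for a tenant whose policies target all resources and all users."""
    return [
        policy("CA01 Require MFA for all users", ["mfa"]),
        policy("CA02 Require compliant device", ["compliantDevice"]),
        policy("CA03 Require approved client app", ["approvedApplication"]),
    ]


def app_exclusion_design(base):
    """Design A: carve RMS out of every policy, then duplicate each policy for
    RMS only (excluding other external users) so internal controls on RMS stay."""
    out = []
    for p in base:
        carved = copy.deepcopy(p)
        carved["conditions"]["applications"]["excludeApplications"].append(RMS_APP_ID)
        dup = copy.deepcopy(p)
        dup["displayName"] += " (RMS only, excl. other external users)"
        dup["conditions"]["applications"]["includeApplications"] = [RMS_APP_ID]
        dup["conditions"]["users"]["excludeGuestsOrExternalUsers"] = OTHER_EXTERNAL_CLAUSE
        out += [carved, dup]
    return out


def guest_exclusion_design(base):
    """Design B: exclude other external users from every policy and add one
    policy blocking them on everything except RMS."""
    out = []
    for p in base:
        q = copy.deepcopy(p)
        q["conditions"]["users"]["excludeGuestsOrExternalUsers"] = OTHER_EXTERNAL_CLAUSE
        out.append(q)
    out.append(policy("CA99 Block other external users outside RMS", ["block"],
                      users=(), guest_types=OTHER_EXTERNAL_CLAUSE, exclude_apps=(RMS_APP_ID,)))
    return out


# Constructed sign-ins; "sharepoint" stands in for any non-RMS resource.
SIGNINS = {
    "member -> SharePoint": {"userType": "member", "appId": "sharepoint"},
    "member -> RMS": {"userType": "member", "appId": RMS_APP_ID},
    "other external -> RMS": {"userType": OTHER_EXTERNAL, "appId": RMS_APP_ID},
    "other external -> SharePoint": {"userType": OTHER_EXTERNAL, "appId": "sharepoint"},
}


def compare():
    """Policy count and enforced controls per sign-in for each design."""
    base = baseline()
    designs = {"baseline": base, "app exclusion": app_exclusion_design(base),
               "guest exclusion": guest_exclusion_design(base)}
    return {name: {"policy_count": len(pols),
                   "results": {s: evaluate(pols, si) for s, si in SIGNINS.items()}}
            for name, pols in designs.items()}


if __name__ == "__main__":
    for name, report in compare().items():
        print(f"{name}: {report['policy_count']} policies")
        for scenario, controls in report["results"].items():
            print(f"  {scenario}: {controls or 'no controls'}")
```

Running it shows both points made in the thread at once: design A doubles the policy count (6 versus 3 here) but leaves the posture of other external users on non-RMS apps untouched, while design B needs only one extra policy (4 in total) yet changes what other external users experience on every other workload, which is the "could impact other workloads" concern. In both designs a member reaching RMS keeps the same controls as before and an other external user reaching RMS is no longer caught by the device-compliance policy; the real decision is whether the extra block policy is acceptable, which is exactly what a Report-only run would confirm.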