Martin_Sieber I thought so, but it seems Conditional Access (or something else) gets in the way in this scenario, blocking access to the old tenant. We did a migration of an email domain from the old tenant to the new one, and attempts to open old emails in a migrated user's account failed with the message:
AADSTS90072: User account 'user@oldemaildomain' from identity provider 'https://sts.windows.net/<new-tenant-guid>/' does not exist in tenant 'Old Tenant Name' and cannot access the application 'guid'(Microsoft Office) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
https://docs.microsoft.com/en-us/azure/information-protection/known-issues#aip-based-conditional-access-policies states "External users who receive content protected by https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common must have an Azure Active Directory (Azure AD) business-to-business (B2B) collaboration guest user account in order to view the content." and also "We recommend enabling AIP-based conditional access policies for your internal users only."
The AADSTS90072 message indicates "Microsoft Office", not AIP.
I think our security team, et al., might be okay if it were AIP, but not blocking external access to "Office" seems risky (https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-client-support-conditional-access?view=o365-worldwide is not clear on what "Office" actually means).
Thoughts?