Microsoft Security Community Blog

Why External Users Can’t Open Encrypted Attachments in Certain Conditions & How to Fix It Securely

samsul_ahamed
Apr 13, 2026

When a Conditional Access policy enforces MFA across all cloud apps and includes external users, external recipients can open an encrypted email but not its encrypted attachments. This post explains why that happens and how to fix it without weakening encryption.

This behavior applies only in environments where all of the following are true:

  • Microsoft Purview encryption is used for emails and attachments
  • A Conditional Access (CA) policy is configured to:
    • Require MFA
    • Apply to all cloud applications
    • Include guest or external users

The Situation: Email Opens, Attachment Doesn’t

When an email is encrypted using:

  • Microsoft Purview Sensitivity Labels, or
  • Information Rights Management (IRM)

Any attached Office document automatically inherits that encryption. The inheritance is intentional, enforced by the service, and cannot be disabled, so sensitive content stays consistently protected whether it travels in the message body or as an attachment.

So far, so good. But here's where things break for external recipients.

The Hidden Dependency: Identity & Conditional Access

Reading an encrypted email and opening an encrypted attachment are two different flows.

External users can usually read encrypted emails by authenticating through:

  • One-Time Passcode (OTP)
  • Microsoft personal accounts
  • Their own organization’s identity

However, encrypted attachments use Microsoft Rights Management Services (RMS) — and RMS expects an identity the sender’s tenant can evaluate.

If your organization has:

  • A global Conditional Access policy
  • Enforcing MFA for all users
  • Applied to all cloud apps

external users can be blocked even after they have successfully opened the email. The policy demands MFA, but an identity that does not exist in the sender's tenant, and whose MFA claims the sender's tenant does not trust, has no way to satisfy that requirement, so the RMS token request fails.

This commonly results in errors like:

“This account does not exist in the sender’s tenant…”

AADSTS90072: The external user account does not exist in our tenant and cannot access the Microsoft Office application. The account needs to be added as an external user in the tenant or use an alternative authentication method.

When It Works (and Why It Often Doesn’t)

External access to encrypted attachments works only when one of these conditions is met:

  1. The sender trusts the recipient’s tenant MFA via Cross‑Tenant Access (MFA trust)
  2. The recipient already exists as a guest account in the sender’s tenant
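Before changing any policy, it is worth confirming which of the two conditions above is failing and that the blocked sign-ins really are RMS requests. The script below is an added example, not part of the original post and not Microsoft-provided. It uses the Microsoft Graph PowerShell SDK, assumes an admin with AuditLog.Read.All, Directory.Read.All and Policy.Read.All signed in to the sender's tenant, and assumes that the failed external RMS sign-ins are recorded in that tenant's sign-in log. The recipient address is a constructed sample.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell
# modules and an admin with AuditLog.Read.All, Directory.Read.All and Policy.Read.All,
# connected to the sender's tenant.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Policy.Read.All" -NoWelcome

$rmsAppId = "00000012-0000-0000-c000-000000000000"   # Microsoft Rights Management Services

# Condition 1: does this tenant accept MFA claims from external tenants?
# The default applies unless a partner-specific setting overrides it.
$defaultInbound = (Get-MgPolicyCrossTenantAccessPolicyDefault).InboundTrust
"Default inbound MFA trust: $($defaultInbound.IsMfaAccepted)"

"Partner tenants whose MFA is trusted:"
Get-MgPolicyCrossTenantAccessPolicyPartner -All |
    Where-Object { $_.InboundTrust.IsMfaAccepted } |
    Select-Object TenantId, @{n = 'MfaTrusted'; e = { $_.InboundTrust.IsMfaAccepted }}

# Condition 2: is a given recipient already a guest object in this tenant?
# Filter on mail server-side, check UserType client-side.
function Test-RecipientIsGuest {
    param([Parameter(Mandatory)][string]$Mail)
    $safeMail = $Mail -replace "'", "''"          # escape single quotes for the OData filter
    $user = Get-MgUser -Filter "mail eq '$safeMail'" -Property Id, Mail, UserType |
        Where-Object UserType -eq 'Guest'
    return [bool]$user
}
"Recipient is an existing guest: $(Test-RecipientIsGuest -Mail 'alex@partner.example')"   # constructed sample

# Symptom: AADSTS90072 failures against RMS in the last 7 days.
# status/errorCode and createdDateTime are filtered server-side; the RMS resource
# is matched client-side so the query works whether RMS shows up as resource or app.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -All -Filter "status/errorCode eq 90072 and createdDateTime ge $since" |
    Where-Object { $_.ResourceId -eq $rmsAppId -or $_.AppId -eq $rmsAppId } |
    Select-Object CreatedDateTime, UserPrincipalName, UserType, ConditionalAccessStatus,
        @{n = 'FailedPolicies'; e = {
            ($_.AppliedConditionalAccessPolicies |
                Where-Object Result -eq 'failure' |
                ForEach-Object DisplayName) -join '; ' }} |
    Format-Table -AutoSize
```

If the last table lists your all-users MFA policy under FailedPolicies for guest or external sign-ins to RMS, while the default inbound MFA trust is false and the recipient is not a guest, you are in exactly the situation this post describes. If instead the recipient's tenant appears under the trusted partners, the cross-tenant route already exists and the policy split below is not needed for that partner.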

In real-world scenarios, these conditions often fail:

  • External recipients use consumer or non‑Entra identities
  • Recipient domains are not predictable
  • Guest onboarding does not scale
  • Cross‑tenant trust is intentionally restricted

In such cases, a Conditional Access policy designed for internal users ends up blocking RMS authentication for external users, even though the email itself was decrypted without trouble.

So what’s the alternative?

The Practical, Secure Alternative

When the two standard access conditions (cross-tenant trust or guest presence) cannot be met, you can refine Conditional Access evaluation without weakening encryption. The goal is not to remove MFA, but to ensure it is applied appropriately based on identity type and access path.

In this scenario:

  • MFA remains enforced for all internal users, including access to Microsoft Rights Management Services (RMS)
  • MFA remains enforced for external users across cloud applications other than RMS

The Key Idea

Let encryption stay strong, but stop blocking external RMS authentication.

This is achieved by:

  • Keeping the existing Conditional Access policy that enforces MFA for all internal users across all cloud applications, including RMS
  • Excluding guest and external users from that internal‑only policy
  • Deploying a separate Conditional Access policy scoped to guest and external users to:
    • Continue enforcing MFA for external users where supported
    • Explicitly exclude Microsoft Rights Management Services (RMS) from evaluation

RMS can be excluded from the external‑user policy by specifying the following application (client) ID:

RMS App ID: 00000012-0000-0000-c000-000000000000
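The two-policy split described above, as an added example that is not part of the original post and not Microsoft-provided code: it creates both policies with the Microsoft Graph PowerShell SDK, in report-only state, and assumes an admin with Policy.ReadWrite.ConditionalAccess and Policy.Read.All. The policy display names and the break-glass account object ID are placeholders; the RMS application ID is the one given above.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph PowerShell
# (Microsoft.Graph.Identity.SignIns) and Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome

$rmsAppId      = "00000012-0000-0000-c000-000000000000"   # Microsoft Rights Management Services
$breakGlassIds = @("<break-glass-account-object-id>")      # placeholder: always exclude emergency access accounts

# Every guest/external user type, from any external tenant. Reused by both policies:
# excluded from the internal policy, included in the external one.
$allExternalUsers = @{
    guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
    externalTenants = @{
        "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
        membershipKind = "all"
    }
}

# Policy 1: internal users, MFA on all cloud apps (RMS included), guests/external excluded.
$internalPolicy = @{
    displayName = "CA-Internal-RequireMFA-AllApps"          # placeholder name
    state       = "enabledForReportingButNotEnforced"      # report-only first, enable after validation
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers                 = @("All")
            excludeUsers                 = $breakGlassIds
            excludeGuestsOrExternalUsers = $allExternalUsers
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: guests/external users, MFA on all cloud apps except RMS.
$externalPolicy = @{
    displayName = "CA-External-RequireMFA-ExceptRMS"        # placeholder name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{ includeGuestsOrExternalUsers = $allExternalUsers }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($rmsAppId)              # the only difference from the internal policy
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $internalPolicy
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $externalPolicy

# Sanity check: RMS must be excluded only in the external policy, and the
# internal policy must exclude guests/external users.
foreach ($id in @($p1.Id, $p2.Id)) {
    Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id |
        Select-Object DisplayName, State,
            @{n = 'ExcludedApps';   e = { $_.Conditions.Applications.ExcludeApplications -join ',' }},
            @{n = 'ExcludesGuests'; e = { $null -ne $_.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes }}
}

# Once report-only results look right, enable the policies:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p2.Id -BodyParameter @{ state = "enabled" }
```

Leave both policies in report-only until the sign-in log shows external users passing RMS requests and internal users still being prompted for MFA everywhere, then enable them. If you are retrofitting an existing all-users policy rather than creating a new one, patch it with Update-MgIdentityConditionalAccessPolicy and supply the complete conditions object, not just the users block, so nothing already configured is dropped. Note what the RMS exclusion means for external recipients: their RMS request is no longer gated by the sender's MFA policy, so it is protected by whichever supported method authenticated them to the email (OTP, consumer account, or their home tenant), which is the trade-off the next section argues is acceptable.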

Why This Is Still Secure

This approach:

  • ✅ Keeps email and attachment encryption fully intact
  • ✅ Leaves the internal security posture unchanged
  • ✅ External users remain protected by MFA where applicable
  • ✅ Allows external users to authenticate using supported methods
  • ✅ Avoids over-trusting external tenants
  • ✅ Scales for large, unpredictable recipient sets

Final Takeaway

Encrypted attachment access is governed by identity recognition and policy design, not by email encryption alone.

By aligning Conditional Access with how encrypted content is evaluated, organizations can enable secure external collaboration while maintaining strong protection standards.
