Forum Discussion
Sensitivity Label Permissions
Hey Tiffanyb
Yes, this is expected behavior.
Why Outlook users skip the OTP prompt
When an external user has an Outlook.com or Microsoft account, Azure Rights Management authenticates them silently using their existing Microsoft identity. No OTP needed. Gmail and Yahoo don't have that trust relationship with Microsoft's identity platform, so OTP is the fallback.
Can you force OTP for Microsoft accounts?
No. You can't override the Microsoft account auth path for Outlook.com users. Their Microsoft account is the credential. AIP trusts that session.
What about MFA for external users?
MFA enforcement isn't controlled at the label level. It's a Conditional Access decision. If you need true MFA for external Microsoft account users, you'd either bring them in as Entra B2B guests and apply a CA policy, or ask them to open the protected message in Outlook on the web or mobile, which handles decryption in the service rather than against your AIP endpoint.
OTP is the ceiling for non-Microsoft external users on labeled email. There's no configuration today that forces authenticator app or SMS MFA before opening a labeled message for that audience.
One thing worth revisiting
"Authenticated Users" on Confidential and Highly Confidential means anyone with any Microsoft account or supported social identity. For those labels, consider whether named recipients or domain-scoped permissions better fit your risk posture.
Please mark as solution if you find this helpful. It helps others in the community find the solution quickly.
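The "named recipients or domain-scoped permissions" suggestion above can be checked and applied from Security & Compliance PowerShell. The script below is an added example, not code from the original thread or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, the signed-in account can manage labels, and that Get-Label exposes the grants through the EncryptionRightsDefinitions property using the AuthenticatedUsers keyword. The label names, domains (contoso.com, partner.example) and recipient address are hypothetical placeholders.

```powershell
# Added example (not from the original post). Assumptions: ExchangeOnlineManagement
# is installed, the account holds a compliance admin role, and label names, domains
# and the recipient address below are placeholders you replace with your own.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell endpoint

# 1. Audit: list encrypting labels whose rights include the catch-all
#    AuthenticatedUsers grant (assumed keyword and property name as returned by Get-Label).
$broadLabels = Get-Label | Where-Object {
    $_.EncryptionEnabled -and
    ("$($_.EncryptionRightsDefinitions)" -match 'AuthenticatedUsers')
}
$broadLabels | Select-Object DisplayName, EncryptionRightsDefinitions | Format-List

# 2. Tighten: replace the catch-all with domain-scoped and named grants.
#    Rights string syntax: "identity:RIGHT,RIGHT;identity2:RIGHT" where identity is
#    a user address, a domain, or the AuthenticatedUsers keyword.
$rights = @(
    # internal users: full usage rights
    'contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL',
    # one partner domain: read and reply only, no forwarding or extraction
    'partner.example:VIEW,VIEWRIGHTSDATA,REPLY',
    # a single named external recipient: read only
    'auditor@otherfirm.example:VIEW,VIEWRIGHTSDATA'
) -join ';'

# -WhatIf previews the change; remove it to apply.
Set-Label -Identity 'Highly Confidential' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -WhatIf

# 3. Verify the label no longer grants rights to AuthenticatedUsers.
$after = (Get-Label -Identity 'Highly Confidential').EncryptionRightsDefinitions
if ("$after" -match 'AuthenticatedUsers') {
    Write-Warning 'Highly Confidential still grants rights to any authenticated user.'
} else {
    Write-Output "Highly Confidential rights: $after"
}
```

Domain-scoped grants still authenticate the recipient the same way the post describes (silent Microsoft account sign-in for Outlook.com, OTP for Gmail and Yahoo); what changes is that an attacker holding any arbitrary Microsoft account can no longer satisfy the label's audience. Keep internal grants on the organization domain rather than AuthenticatedUsers for the same reason.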