Forum Discussion

Tiffanyb
Copper Contributor
Mar 18, 2026

Sensitivity Label Permissions

Hello,

I have set up sensitivity labels within my company. I have Public, Standard, Confidential and Highly Confidential. When testing with my external email (e.g. Gmail and Yahoo) I am prompted to enter the one-time passcode when opening an email from my test account. But then I tested with an external user who has an Outlook email and he was not prompted to enter the one-time passcode.

"Authenticated Users" is included in Standard, Confidential and Highly Confidential permission control when setting up the labels.

Is this the normal behavior for the one-time passcode only being prompted for Non-Microsoft emails? Can the one-time passcode be prompted for Microsoft (Outlook) domains? Also how can I have multi-factor authenticator apply to my labels for external clients/users?

Any help would be much appreciated.

Thank you!

3 Replies

  • Hi Tiffanyb,

    All Microsoft users are natively authenticated, thus they do not need to enter OTP as this step is skipped. However, for any Non-Microsoft accounts they need to explicitly input OTP to complete the authentication process.

    If you would like to force the Microsoft users to enter OTP then you must remove Authenticated Users and explicitly list each email address, or create a conditional access policy to enforce MFA so all users can use OTP based authentication.

    Alternatively you can configure advanced email encryption or have predefined permissions configured within the sensitivity label.

    https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#choose-permissions

    Please read the known issues before implementing this approach. 

    https://support.microsoft.com/en-au/office/known-issues-with-sensitivity-labels-in-office-b169d687-2bbd-4e21-a440-7da1b2743edc

    Regards, Prash

    If you find the answer useful, please do not forget to like and mark it as a solution

  • Hey Tiffanyb

    Yes, this is expected behavior.

    Why Outlook users skip the OTP prompt

    When an external user has an Outlook.com or Microsoft account, Azure Rights Management authenticates them silently using their existing Microsoft identity. No OTP needed. Gmail and Yahoo don't have that trust relationship with Microsoft's identity platform, so OTP is the fallback.

    Can you force OTP for Microsoft accounts?

    No. You can't override the Microsoft account auth path for Outlook.com users. Their Microsoft account is the credential. AIP trusts that session.

    What about MFA for external users?

    MFA enforcement isn't controlled at the label level. It's a Conditional Access decision. If you need true MFA for external Microsoft account users, you'd either bring them in as Entra B2B guests and apply a CA policy, or ask them to open the protected message in Outlook on the web or mobile, which handles decryption in the service rather than against your AIP endpoint.

    OTP is the ceiling for non-Microsoft external users on labeled email. There's no configuration today that forces authenticator app or SMS MFA before opening a labeled message for that audience.

    One thing worth revisiting

    "Authenticated Users" on Confidential and Highly Confidential means anyone with any Microsoft account or supported social identity. For those labels, consider whether named recipients or domain-scoped permissions better fit your risk posture.

    Please mark as solution if you find this helpful. It helps others in the community find the solution quickly.

  • Hello Tiffanyb,

    The following article explains the requirements and limitations for using authenticated users and I believe this answers your query:

    https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#requirements-and-limitations-for-add-any-authenticated-users 

    Hope this helps! 

    Regards, PI

    Please mark as solution, if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.
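
The Conditional Access route raised in the first two replies, as an added example (not written by any of the posters and not Microsoft's sample): a report-only policy that requires MFA from Entra B2B guests when they request a token for the Rights Management service. It assumes the Microsoft Graph PowerShell SDK is installed; the policy name is hypothetical, and the application ID is an assumption to confirm against the service principals in your own tenant before enabling the policy.

```powershell
# Added example. Assumes the Microsoft.Graph.Identity.SignIns module and an
# admin account allowed to create Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All',
                        'Application.Read.All'

# Assumption: well-known app ID of "Microsoft Rights Management Services".
# Verify it in your tenant before relying on it.
$rmsAppId = '00000012-0000-0000-c000-000000000000'

$policy = @{
    # Hypothetical display name, choose your own naming convention.
    displayName = 'EXAMPLE - MFA for B2B guests opening labeled content'

    # Report-only first: sign-in logs show who would have been challenged
    # without blocking anyone. Switch to 'enabled' after reviewing the logs.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        clientAppTypes = @('all')
        applications   = @{
            includeApplications = @($rmsAppId)
        }
        users = @{
            # Scope to B2B collaboration guests only, from any external tenant.
            # External recipients who are not guests in the directory are not
            # covered by this policy.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest'
                externalTenants = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
                    membershipKind = 'all'
                }
            }
        }
    }

    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Because the policy targets guests, it only takes effect for external recipients who have been invited into the directory, which matches the B2B guest approach described in the second reply.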