Forum Discussion
AADSTS50020: protected PDF issue for external users
I have recently (don't know when it started) observed an error from a protected PDF file (sensitivity label with user-defined permissions) while trying to open that PDF via the AIP viewer mobile app (Android/iOS) as an external user (who has permission to open/view).
No issue with protected Office file types.
External (not internal, not guest) users (currently testing with a gmail.com account and another O365 tenant user) are getting the attached error from the AIP viewer mobile app.
We do have AIP excluded in the conditional access policy, which has helped so far to avoid this problem for external users.
Has there been any recent change in behavior around user-defined protected PDFs? Since the user having the problem is external, I have no clue where to look for logs and start the investigation.
Error code: AADSTS50020
2 Replies
- mevaibhav831345 (Copper Contributor)
Here is the observation:
- Tenant1 user protects pdf#1 with an admin-defined, permission-based sensitivity label where 'authenticated user' should be able to view the file
- Outcome:
  - Windows device: If the user is a Microsoft or school account (other Entra ID tenant), then they can view that PDF via the AIP client (AIP viewer) from the device but non-Microsoft account - OK
  - Windows device: If the user is a non-Microsoft or school account (like gmail.com, outlook.com or xyz.com), then they can't view the protected PDF - NO OPTION to open protected PDF
  - Android device: both Microsoft (recipient Entra ID tenant) and non-Microsoft account (like gmail.com) external users (not guest) with the Android AIP viewer - UNABLE TO VIEW/OPEN protected PDF (keep getting the above error: AADSTS50020)
- mevaibhav831345 (Copper Contributor)
Here is the fact (poor product design):
- The MIP App viewer on mobile (Android/iOS) DOES NOT support protected PDFs for external (not guest) users, and since the MIP App viewer is going to be deprecated by the end of May 2026, there won't be any fix or improvement (as of July 2025)
- The Adobe Mobile App DOES NOT support protected PDFs for external (not guest) users (as of July 2025)
In summary, Microsoft wants you to invite the whole world as GUEST users if you need a consistent user experience with protected content, which is a great example of poor product design and shipping things without enough coverage.