Forum Discussion
External people can't open files with Sensitivity Label encryption.
Question: What are the best practices for ensuring external users can open files encrypted with Sensitivity Labels?
Hi all. I've been investigating proper setup of sensitivity labels in Purview, and the impact on user experience. The prerequisites are simple enough, creating and configuring the labels reasonably straightforward, and publishing them is a breeze. But using them appears to be a different matter!
Everything is fine for labels that don't apply encryption (control access) or when used internally. However, the problems come when labels do apply encryption and information is sent externally. The result is that we apply a label to a document, attach that document to an email, and send it externally - and the recipient says they can't open it and they get an error that their email address is not in our directory.
This is because due to the encryption, the external user needs to authenticate back to our tenant, and if they're not in our tenant they obviously can't do this so the files won't open.
So, back to the question above. What's the easiest / most secure / best way to add any user we might share encrypted content with to our tenant. As I see it we have the following options:
- Users have to request Admins add the user as a Guest in our tenant before they send the content. Let's face it, they'll not do this and/or get frustrated.
- Users share encrypted content directly from SharePoint / OneDrive, rather than attaching it to emails (as that would automatically add the external person as a Guest in the tenant). This will be fine in some circumstances, but won't always be appropriate (when you want to send them a point-in-time version of a doc). With good SharePoint setup, site Owners would also have to approve the share before it gets sent which could delay things.
- Admins add all possible domains that encrypted content might be shared with to Entra B2B Direct Connect (so the external recipient doesn't have to be in our tenant). This may not be practical as you often don't know who you'll need to share with and we work with hundreds of organisations. The bigger gotcha is that the external organisation would also have to configure Entra B2B Direct Connect.
- Admins default Entra B2B Direct Connect to 'Allow All'. This opens up a significant attack surface and also still requires any external organisation to configure Entra B2B Direct Connect as well.
I really want to make this work, but it needs to be as simple as possible for the end users sharing sensitive or confidential content. And all of the above options seem to have significant down-sides.
I'm really hoping someone who uses Sensitivity Labels on a day-to-day basis can provide some help or advice to share their experiences. Thanks, Oz.
20 Replies
- OzOscroft (Iron Contributor): JoanneCKlein - Having followed a lot of your posts on LinkedIn, I'd love to hear your perspective on all of this if you have the time please.
- Samuel Agyei (Copper Contributor): The current setup for Entra ID B2B cross-tenant access, covering both inbound and outbound configurations, aligns with best practices. However, instead of using "Allow all", I suggest specifying key applications such as Microsoft Teams, SharePoint, and Office 365. Most importantly, ensure your client can open encrypted documents by permitting the Microsoft Rights Management Service (RMS) under the inbound access settings.
- OzOscroft (Iron Contributor): Thanks Samuel Agyei. When you say the current setup aligns with best practice, do you mean that having to add users as Guests or set up B2B Direct Connect with individual tenants is the way to do it? I've seen mention of permitting RMS under the inbound access settings, does that mean having that as a default for B2B Direct Connect or do you have to set up each external tenant separately and allow it for each one? And can you point me at instructions for how to do this please as I've searched and failed!
- Samuel Agyei (Copper Contributor): What I meant was to set up B2B collaboration with individual tenants and enable the Microsoft Rights Management Service (RMS) app. You don't need to manually add users as guests; that quickly becomes an administrative burden. The default cross-tenant access settings apply to all external organisations that don't have customised, organisation-specific settings. If you've configured organisation-specific settings, you'll need to allow inbound access for each of those organisations explicitly. You need to do this under B2B collaboration:
 https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-settings-b2b-collaboration
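The suggestion above (an application allow-list on the default inbound B2B collaboration settings, with the RMS app included, instead of "Allow all") can be applied from PowerShell rather than the portal. The following is an added example, not code from the thread or from Microsoft, written against the Microsoft Graph `crossTenantAccessPolicy/default` endpoint. The first-party application IDs are the published ones for those services but are marked as an assumption to verify in your own tenant, and the script only touches the default inbound B2B collaboration settings, not B2B Direct Connect and not any partner-specific configuration.

```powershell
# Added example: restrict the DEFAULT inbound B2B collaboration settings to
# an allow-list of applications (including Microsoft Rights Management
# Services) instead of "Allow all". Requires the Microsoft.Graph PowerShell
# SDK and the Policy.ReadWrite.CrossTenantAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$uri = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default"

# Read what is in force today before changing anything.
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
"Current inbound application access: " + $current.b2bCollaborationInbound.applications.accessType

# First-party application IDs. Assumption: these are the well-known IDs for
# the services named, but confirm them in your tenant, e.g.
#   Get-MgServicePrincipal -Filter "appId eq '00000012-0000-0000-c000-000000000000'"
$apps = @{
    "Microsoft Rights Management Services" = "00000012-0000-0000-c000-000000000000"
    "Office 365 SharePoint Online"         = "00000003-0000-0ff1-ce00-000000000000"
    "Office 365 Exchange Online"           = "00000002-0000-0ff1-ce00-000000000000"
    "Microsoft Teams"                      = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"
}

# One crossTenantAccessPolicyTarget per application.
$appTargets = foreach ($id in $apps.Values) {
    @{ target = $id; targetType = "application" }
}

# accessType "allowed" with explicit targets is an allow-list;
# "blocked" with targets would be a deny-list, which is not what we want.
$body = @{
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @($appTargets)
        }
    }
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($body | ConvertTo-Json -Depth 6)

# Re-read and confirm that only the listed applications are allowed inbound.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
$after.b2bCollaborationInbound.applications.targets |
    ForEach-Object { "{0}: {1}" -f $_.targetType, $_.target }
```

As the reply notes, the default settings only apply to tenants that have no organisation-specific entry; a partner tenant with its own settings is configured under `/policies/crossTenantAccessPolicy/partners/{tenantId}` and needs the same allow-list there.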
- BTW, always use OWA for testing to avoid any caching issues that Outlook classic might have. 
- Which email domain do the external users come from? Is it another Entra ID commercial or consumer domain? If not, then the identity presented by the external user cannot be authenticated... unless they have a guest account.
- This might help:
  - https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#requirements-and-limitations-for-add-any-authenticated-users
  - https://alberthoitingh.com/2021/07/09/sensitivity-labels-authenticated-users/
- OzOscroft (Iron Contributor): The external users are coming from other Entra ID commercial domains (I know this as we manage them).
- Well, a label that allows access to all authenticated users should work perfectly well with other Microsoft 365 tenants. I tested this with two different tenants by creating labels in both tenants with this access and sending email and email with protected attachments from one side to the other and vice versa. Everything worked. Here's an example of an email with a protected attachment (label is partner-accessible content) being read with OWA on the target tenant. The email has been protected as expected because of the presence of the protected attachment, and both the message and attachment content are visible using the Viewer right.
- Time to ask Microsoft support to help?
- OzOscroft (Iron Contributor): Thanks Tony, so much to consider in this space and very helpful having people like you who kindly share their knowledge! We've applied a label which controls access using the 'Any authenticated users' option to a document, attached that to an email, and sent to a number of external users. We've found that if they already exist as a Guest in our tenant (or their tenant is set up via B2B Direct Connect) they can open the document, but if they don't, they can't - they get the error that their account doesn't exist in our tenant. Same experience using labels where you pick users when assigning the label. I think you're saying they shouldn't need to be a Guest or have B2B set up for this to all work, but it doesn't. Could this be that we haven't got something configured correctly somewhere else please?
- Thinking about this again.
- The label encrypts content using the special any authenticated user group.
- The label is applied to documents that are attached to emails (which means that the messages are also protected by the label).
- The messages are sent to external users in other Microsoft 365 tenants.
- Users with guest accounts in your tenant can open and access the message and attachments. Users without guest accounts cannot.
- https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#requirements-and-limitations-for-add-any-authenticated-users emphasizes that the application being used to open the encrypted items "must be able to support the authentication being used". Up to now, I assumed that the applications are OWA or Outlook (any recent build of classic, new, or mobile) because these definitely support the necessary authentication. Is this the case?
- If it is, send a test encrypted message to Michelle.Best AT O365Maestro.onmicrosoft.com to see if it arrives there successfully. This is a brand-new account in a test Microsoft 365 tenant configured for sensitivity labels where I know that the clients can successfully read and send encrypted email and documents.
- Just for luck, I asked Copilot about the issue. Here's what the AI says:
- In Microsoft Purview (formerly part of Microsoft Information Protection), the "All authenticated users" access right for sensitivity labels refers to granting access to any user who has successfully signed in to a Microsoft 365 tenant, not just users within your organization.
- Here's what it means in practice:
- ✅ Includes: All users with a valid Microsoft 365 account (Azure AD authenticated), including external users if they are invited and authenticated.
- ❌ Does not include: Anonymous or guest users who haven't signed in.
- Implications for Sensitivity Labels: If a sensitivity label is configured to allow access to "All authenticated users," then:
- Anyone who can authenticate with Microsoft 365 (including external collaborators) can access the content protected by that label.
- It's not restricted to your organization unless you explicitly scope it to internal users.
- This setting is often used for broad sharing scenarios, like documents meant for partners or cross-tenant collaboration.
- OzOscroft (Iron Contributor): That's certainly how we want it to work, but it does add another question. One of the documented benefits of forcing authentication is that you have an audit log of who has opened a document. But if the external recipients aren't authenticating back to your tenant, how / where would this audit log be available? And the other question is obviously "what is stopping external people opening docs we send out?" ... and why does almost every other organisation seemingly have the same issue? Really can't face 17 hours on calls and a gazillion emails with Microsoft Support to not solve the issue.
- Nilson_ (Copper Contributor): Encrypted Sensitivity Labels often block external recipients because they must authenticate to your tenant to decrypt the file. The most practical approach is to have users share sensitive documents through SharePoint or OneDrive links instead of email attachments, as this automatically provisions a guest account for the recipient. For frequent partners, you can pre-create guest accounts in bulk, and for trusted organizations using Entra ID, consider enabling B2B Direct Connect, though it's not realistic for everyone. Avoid enabling "Allow All" in B2B Direct Connect for security reasons, and train staff to use non-encrypted or partner-friendly labels when external sharing is necessary. This combination keeps sharing simple for users while maintaining security.
- OzOscroft (Iron Contributor): Thanks Nilson_, really reassuring to know my understanding wasn't way off the mark. It sounds like the options I listed were correct, and that sharing links are ideal wherever possible. We can also set up B2B Direct Connect with orgs we want to regularly share encrypted content with. The confusing thing is that I think TonyRedmond is saying that the external users should NOT need to be a Guest or for us to have B2B Direct Connect set up with their tenant. #StillSlightlyConfused
- Authentication is with the rights management service, not your tenant. This happens to check if the user seeking access matches any of the access rights granted by the label and to secure a use license to be able to decrypt the content. The solution is therefore to add an access right in labels that you want to protect files circulated externally to grant limited access to external users. Sensitivity labels support a special group called "All authenticated users" that will allow anyone who has an Entra ID account to access content, or you can add access for specific domains or user names (like microsoft.com or tony@contoso.com) to allow whole domains or certain external users to access the content. Whatever you do, don't grant broad access rights to external recipients unless you're happy that those recipients should have a high degree of control over sensitive information. Limit the access rights to view (and maybe edit in some circumstances) and you should be OK. - All explained in chapter 20 of the Office 365 for IT Pros eBook...
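The rights definition described in the reply above (the "All authenticated users" group plus named domains, with external rights limited to view and selectively edit) can be set on a label from Security & Compliance PowerShell. This is an added example and not code from the thread, the eBook, or Microsoft: the label name and partner domain are placeholders, the `AuthenticatedUsers` identity and the usage-right names follow the documented `EncryptionRightsDefinitions` syntax, and the parameter set is the documented one for `Set-Label`, so confirm it against the ExchangeOnlineManagement module version you run.

```powershell
# Added example: configure a label's encryption rights so that any Entra ID
# account can read the content but only one named partner domain can edit it.
# Requires the ExchangeOnlineManagement module and a Compliance admin role.
Connect-IPPSSession

$labelName     = "Confidential - Partner"   # assumption: an existing published label
$partnerDomain = "partner.example"          # assumption: placeholder partner domain

# EncryptionRightsDefinitions is "identity:RIGHT,RIGHT;identity:RIGHT,...".
# "AuthenticatedUsers" is the special any-authenticated-user identity.
# Keep external rights minimal: VIEW plus VIEWRIGHTSDATA is read-only;
# DOCEDIT and EDIT are granted only to the named partner domain.
$rights = @(
    "AuthenticatedUsers:VIEW,VIEWRIGHTSDATA",
    "${partnerDomain}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT"
) -join ";"

Set-Label -Identity $labelName `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never

# Verify: this string is what the rights management service will enforce
# when an external recipient requests a use license for the content.
Get-Label -Identity $labelName -IncludeDetailedLabelActions |
    Select-Object DisplayName, EncryptionEnabled, EncryptionRightsDefinitions
```

Note that `Set-Label` replaces the whole rights definition rather than merging it, so read the current value with `Get-Label` first and include every internal grant (for example your own staff's `OWNER` or `CO-AUTHOR` rights) in the new string, or internal users lose access to content already protected by the label.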