Forum Discussion
External people can't open files with Sensitivity Label encryption.
Which email domain do the external users come from? Is it another Entra ID commercial or consumer domain? If not, then the identity presented by the external user cannot be authenticated… unless they have a guest account.
This might help:
https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#requirements-and-limitations-for-add-any-authenticated-users
https://alberthoitingh.com/2021/07/09/sensitivity-labels-authenticated-users/#:~:text=The%20%22Authenticated%20Users%22%20setting%20in%20sensitivity%20labels,*%20Microsoft%20or%20RMS%20for%20individuals%20account
The external users are coming from other Entra ID commercial domains (I know this as we manage them).
Well, a label that allows access to all authenticated users should work perfectly well with other Microsoft 365 tenants. I tested this with two different tenants by creating labels in both tenants with this access and sending email and email with protected attachments from one side to the other and vice versa. Everything worked. Here's an example of an email with a protected attachment (label is partner-accessible content) being read with OWA on the target tenant. The email has been protected as expected because of the presence of the protected attachment, and both the message and attachment content are visible using the Viewer right.
Time to ask Microsoft support to help?