Forum Discussion

Iron Contributor

Oct 08, 2025

External people can't open files with Sensitivity Label encryption.

Question: What are the best practices for ensuring external users can open files encrypted with Sensitivity Labels? Hi all. I've been investigating proper setup of sensitivity labels in Purview, a...

Authentication

Azure AD

Azure Information Protection

MVP

Oct 09, 2025

Just for luck, I asked Copilot about the issue. Here's what the AI says:

In Microsoft Purview (formerly part of Microsoft Information Protection), the "All authenticated users" access right for sensitivity labels refers to granting access to any user who has successfully signed in to a Microsoft 365 tenant—not just users within your organization.

Here's what it means in practice:

✅ Includes: All users with a valid Microsoft 365 account (Azure AD authenticated), including external users if they are invited and authenticated.
❌ Does not include: Anonymous or guest users who haven't signed in.

Implications for Sensitivity Labels:

If a sensitivity label is configured to allow access to "All authenticated users," then:

Anyone who can authenticate with Microsoft 365 (including external collaborators) can access the content protected by that label.
It's not restricted to your organization unless you explicitly scope it to internal users.
This setting is often used for broad sharing scenarios, like documents meant for partners or cross-tenant collaboration.

OzOscroft

Iron Contributor

Oct 10, 2025

That's certainly how we want it to work, but does add another question. One of the documented benefits of forcing authentication is that you have an audit log of who has opened a document. But if the external recipients aren't authenticating back to your tenant, how / where would this audit log be available?

And the other question is obviously "what is stopping external people opening docs we send out?" ... and why does almost every other organisation seemingly have the same issue? Really can't face 17 hours on calls and a gazillion emails with Microsoft Support to not solve the issue.

TonyRedmond
MVP
Oct 10, 2025
I really don't know what to say. I cannot see your tenant settings so don't know what might be happening. Microsoft support can check things out, which is a good reason to get them involved.

As another test, I sent a protected email to a new contact in Microsoft. I have many guests from Microsoft in my tenant, but this wasn't one. He was able to open and read the email, and was perplexed because he couldn't reply to it due to access rights kicking in...