Forum Discussion
External people can't open files with Sensitivity Label encryption.
Question: What are the best practices for ensuring external users can open files encrypted with Sensitivity Labels?
Hi all. I've been investigating proper setup of sensitivity labels in Purview, and the impact on user experience. The prerequisites are simple enough, creating and configuring the labels reasonably straightforward, and publishing them is a breeze. But using them appears to be a different matter!
Everything is fine for labels that don't apply encryption (control access) or when used internally. However, the problems come when labels do apply encryption and information is sent externally. The result is that we apply a label to a document, attach that document to an email, and send it externally - and the recipient says they can't open it and they get an error that their email address is not in our directory.
This is because due to the encryption, the external user needs to authenticate back to our tenant, and if they're not in our tenant they obviously can't do this so the files won't open.
So, back to the question above. What's the easiest / most secure / best way to add any user we might share encrypted content with to our tenant? As I see it we have the following options:
- Users have to request Admins add the user as a Guest in our tenant before they send the content. Let's face it, they'll not do this and/or get frustrated.
- Users share encrypted content directly from SharePoint / OneDrive, rather than attaching it to emails (as that would automatically add the external person as a Guest in the tenant). This will be fine in some circumstances, but won't always be appropriate (when you want to send them a point-in-time version of a doc). With good SharePoint setup, site Owners would also have to approve the share before it gets sent which could delay things.
- Admins add all possible domains that encrypted content might be shared with to Entra B2B Direct Connect (so the external recipient doesn't have to be in our tenant). This may not be practical as you often don't know who you'll need to share with and we work with hundreds of organisations. The bigger gotcha is that the external organisation would also have to configure Entra B2B Direct Connect.
- Admins default Entra B2B Direct Connect to 'Allow All'. This opens up a significant attack surface and also still requires any external organisation to configure Entra B2B Direct Connect as well.
I really want to make this work, but it needs to be as simple as possible for the end users sharing sensitive or confidential content. And all of the above options seem to have significant down-sides.
I'm really hoping someone who uses Sensitivity Labels on a day-to-day basis can provide some help or advice to share their experiences. Thanks, Oz.
7 Replies
BTW, always use OWA for testing to avoid any caching issues that Outlook classic might have.
Which email domain do the external users come from? Is it another Entra ID commercial or consumer domain? If not, then the identity presented by the external user cannot be authenticated… unless they have a guest account.
This might help:
https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#requirements-and-limitations-for-add-any-authenticated-users
https://alberthoitingh.com/2021/07/09/sensitivity-labels-authenticated-users/#:~:text=The%20%22Authenticated%20Users%22%20setting%20in%20sensitivity%20labels,*%20Microsoft%20or%20RMS%20for%20individuals%20account
- OzOscroft (Iron Contributor)
The external users are coming from other Entra ID commercial domains (I know this as we manage them).
Well, a label that allows access to all authenticated users should work perfectly well with other Microsoft 365 tenants. I tested this with two different tenants by creating labels in both tenants with this access and sending email and email with protected attachments from one side to the other and vice versa. Everything worked. Here's an example of an email with a protected attachment (label is partner-accessible content) being read with OWA on the target tenant. The email has been protected as expected because of the presence of the protected attachment, and both the message and attachment content are visible using the Viewer right.
Time to ask Microsoft support to help?
- OzOscroft (Iron Contributor)
Thanks Tony, so much to consider in this space and very helpful having people like you who kindly share their knowledge!
We've applied a label which controls access using the 'Any authenticated users' option to a document, attached that to an email, and sent to a number of external users. We've found that if they already exist as a Guest in our tenant (or their tenant is set up via B2B Direct Connect) they can open the document, but if they don't, they can't - they get the error that their account doesn't exist in our tenant. Same experience using labels where you pick users when assigning the label.
I think you're saying they shouldn't need to be a Guest or have B2B setup for this to all work, but it doesn't. Could this be that we haven't got something configured correctly somewhere else please?
- Nilson_ (Occasional Reader)
Encrypted Sensitivity Labels often block external recipients because they must authenticate to your tenant to decrypt the file. The most practical approach is to have users share sensitive documents through SharePoint or OneDrive links instead of email attachments, as this automatically provisions a guest account for the recipient. For frequent partners, you can pre-create guest accounts in bulk, and for trusted organizations using Entra ID, consider enabling B2B Direct Connect—though it’s not realistic for everyone. Avoid enabling “Allow All” in B2B Direct Connect for security reasons, and train staff to use non-encrypted or partner-friendly labels when external sharing is necessary. This combination keeps sharing simple for users while maintaining security.
Authentication is with the rights management service, not your tenant. This happens to check if the user seeking access matches any of the access rights granted by the label and to secure a use license to be able to decrypt the content. The solution is therefore to add an access right in labels that you want to protect files circulated externally to grant limited access to external users. Sensitivity labels support a special group called "All authenticated users" that will allow anyone who has an Entra ID account to access content, or you can add access for specific domains or user names (like microsoft.com or tony@contoso.com) to allow whole domains or certain external users to access the content. Whatever you do, don't grant broad access rights to external recipients unless you're happy that those recipients should have a high degree of control over sensitive information. Limit the access rights to view (and maybe edit in some circumstances) and you should be OK.
All explained in chapter 20 of the Office 365 for IT Pros eBook...
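The label configuration described in the reply above, as an added example that is not from the thread or from Microsoft: it defines the encryption rights in Security & Compliance PowerShell, placing a broad grant beside the limited view-only grant the reply recommends. The label name, partner domain and internal domain are placeholders; the `AuthenticatedUsers` identity token and the rights-string format are taken from the `Set-Label` documentation and should be checked against the current docs before use.

```powershell
# Added example (not the thread's own configuration). Creates a sensitivity
# label whose encryption lets external recipients authenticate to the rights
# management service with any Entra ID account and get view-only access, so
# they do not first need a guest account in the sharing tenant.
# Requires the ExchangeOnlineManagement module.
Connect-IPPSSession

$labelName  = 'Confidential-External'        # placeholder label name
$partnerDom = 'partner.example'              # placeholder partner domain
$homeDom    = 'contoso.onmicrosoft.com'      # placeholder internal domain

# Rights strings use the documented "identity:RIGHT,RIGHT;identity:..." form.
# Identities may be UPNs, domains, or the AuthenticatedUsers token, which is
# the "Add any authenticated users" option in the Purview portal.

# Weak: every Entra ID user anywhere gets owner-level control of the content.
$weakRights = 'AuthenticatedUsers:OWNER'

# Hardened: anyone authenticated may only view; one named partner domain may
# also edit; internal users keep full control.
$rights = @(
    'AuthenticatedUsers:VIEW,VIEWRIGHTSDATA',
    "${partnerDom}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT",
    "${homeDom}:OWNER"
) -join ';'

New-Label -Name $labelName -DisplayName 'Confidential - External' `
    -Tooltip 'Encrypted; external recipients can view with any Entra ID account.' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# Check before publishing: confirm the stored rights are the limited set,
# not the broad $weakRights string shown above for contrast.
Get-Label -Identity $labelName | Format-List Name, Encryption*
```

Publish the label afterwards with a label policy; the rights themselves travel with the protected file, so an existing label can be tightened with `Set-Label -EncryptionRightsDefinitions` but files already protected under the old rights are unaffected until re-labelled.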