Forum Discussion
GrahamP67
Oct 10, 2023Copper Contributor
Outlook Encrypted Email Issues
I have deployed M365DLP controls to block password protected atachments that cannot be scanned and am telling users to use Outlook Encryption instead to protect outgoing email attachments.
However, a number of external companies have reported not being able to open the encrypted messages and the screenshots provided show that they are trying to authenticate as a guest user in my Entra ID instance (rather than using their own IdP, SSO or an OTP).
What would cause that and how do I resolve?
Hi GrahamP67,
First all the error code AADSTS90072:
"...The external account that the user signs in with doesn't exist on the tenant that they signed into; so the user can't satisfy the MFA requirements for the tenant... The account must be added as an external user in the tenant first"
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-error-codes
Emails can only be opened in the Outlook Desktop App when the recipients are added as Azure guests to your tenant. This is by design. Please note that the behavior possibly is different in the Outlook Mobile App or in Outlook on the web.You might also need to exclude "Microsoft Azure Information Protection" cloud app from CA policies that enforce multifactor authentication on your tenant.
- MathieuVandenHautteSteel Contributor
Hi GrahamP67,
First all the error code AADSTS90072:
"...The external account that the user signs in with doesn't exist on the tenant that they signed into; so the user can't satisfy the MFA requirements for the tenant... The account must be added as an external user in the tenant first"
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-error-codes
Emails can only be opened in the Outlook Desktop App when the recipients are added as Azure guests to your tenant. This is by design. Please note that the behavior possibly is different in the Outlook Mobile App or in Outlook on the web.You might also need to exclude "Microsoft Azure Information Protection" cloud app from CA policies that enforce multifactor authentication on your tenant.
- GrahamP67Copper ContributorThanks, this is helpful.
I dont want them to have guest accounts, so I guess I need to work out what is driving the MFA requirement - will that be on my side?- LuisLopez1981Copper Contributor
Did you ever figured out what was driving the MFA requirement? I'm facing a similar issue for a client that is sending encrypted emails to outside parties and they are unable to open the encrypted email, prompting to log in.
We do have conditional access policies in place and I'm thinking one of these policies is the cause.