Forum Discussion
External people can't open files with Sensitivity Label encryption.
Which email domain do the external users come from? Is it another Entra ID commercial or consumer domain? If not, then the identity presented by the external user cannot be authenticated… unless they have a guest account.
This might help:
https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#requirements-and-limitations-for-add-any-authenticated-users
https://alberthoitingh.com/2021/07/09/sensitivity-labels-authenticated-users/#:~:text=The%20%22Authenticated%20Users%22%20setting%20in%20sensitivity%20labels,*%20Microsoft%20or%20RMS%20for%20individuals%20account
The external users are coming from other Entra ID commercial domains (I know this as we manage them).
Well, a label that allows access to all authenticated users should work perfectly well with other Microsoft 365 tenants. I tested this with two different tenants by creating labels in both tenants with this access and sending email and email with protected attachments from one side to the other and vice versa. Everything worked. Here's an example of an email with a protected attachment (label is partner-accessible content) being read with OWA on the target tenant. The email has been protected as expected because of the presence of the protected attachment, and both the message and attachment content are visible using the Viewer right.
Time to ask Microsoft support to help?
That was my original expectation of how it should work too, but all the reading I've done since has suggested that the recipient either needs to be a Guest in your tenant, or a B2B trust relationship needs to be setup between the tenants for it to work. Could you just confirm there are no trust relationships between the two tenants you tested on, and that the recipient isn't a Guest in the host tenant please?
I heard back from the person that I sent a protected email to in a completely disconnected tenant and they were able to read the content.