External people can't open files with Sensitivity Label encryption.
Thanks Tony, so much to consider in this space and very helpful having people like you who kindly share their knowledge!
We've applied a label which controls access using the 'Any authenticated users' option to a document, attached that to an email, and sent to a number of external users. We've found that if they already exist as a Guest in our tenant (or their tenant is set up via B2B Direct Connect) they can open the document, but if they don't, they can't - they get the error that their account doesn't exist in our tenant. Same experience using labels where you pick users when assigning the label.
I think you're saying they shouldn't need to be a Guest or have B2B set up for this to all work, but it doesn't. Could this be that we haven't got something configured correctly somewhere else please?
Just for luck, I asked Copilot about the issue. Here's what the AI says:
In Microsoft Purview (formerly part of Microsoft Information Protection), the "All authenticated users" access right for sensitivity labels refers to granting access to any user who has successfully signed in to a Microsoft 365 tenant—not just users within your organization.
Here's what it means in practice:
- ✅ Includes: All users with a valid Microsoft 365 account (Azure AD authenticated), including external users if they are invited and authenticated.
- ❌ Does not include: Anonymous or guest users who haven't signed in.
Implications for Sensitivity Labels:
If a sensitivity label is configured to allow access to "All authenticated users," then:
- Anyone who can authenticate with Microsoft 365 (including external collaborators) can access the content protected by that label.
- It's not restricted to your organization unless you explicitly scope it to internal users.
- This setting is often used for broad sharing scenarios, like documents meant for partners or cross-tenant collaboration.
- OzOscroft, Oct 10, 2025, Iron Contributor
That's certainly how we want it to work, but does add another question. One of the documented benefits of forcing authentication is that you have an audit log of who has opened a document. But if the external recipients aren't authenticating back to your tenant, how / where would this audit log be available?
And the other question is obviously "what is stopping external people opening docs we send out?" ... and why does almost every other organisation seemingly have the same issue? Really can't face 17 hours on calls and a gazillion emails with Microsoft Support to not solve the issue.
- TonyRedmond, Oct 10, 2025, MVP
I really don't know what to say. I cannot see your tenant settings so don't know what might be happening. Microsoft support can check things out, which is a good reason to get them involved.
As another test, I sent a protected email to a new contact in Microsoft. I have many guests from Microsoft in my tenant, but this wasn't one. He was able to open and read the email, and was perplexed because he couldn't reply to it due to access rights kicking in...