Forum Discussion
External people can't open files with Sensitivity Label encryption.
Thanks Tony, so much to consider in this space and very helpful having people like you who kindly share their knowledge!
We've applied a label which controls access using the 'Any authenticated users' option to a document, attached that to an email, and sent it to a number of external users. We've found that if they already exist as a Guest in our tenant (or their tenant is set up via B2B Direct Connect) they can open the document, but if they don't, they can't - they get the error that their account doesn't exist in our tenant. Same experience using labels where you pick users when assigning the label.
I think you're saying they shouldn't need to be a Guest or have B2B set up for this to all work, but it doesn't. Could this be that we haven't got something configured correctly somewhere else please?
Thinking about this again.
- The label encrypts content using the special any authenticated user group.
- The label is applied to documents that are attached to emails (which means that the messages are also protected by the label).
- The messages are sent to external users in other Microsoft 365 tenants.
- Users with guest accounts in your tenant can open and access the message and attachments. Users without guest accounts cannot.
- https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#requirements-and-limitations-for-add-any-authenticated-users emphasizes that the application being used to open the encrypted items "must be able to support the authentication being used". Up to now, I assumed that the applications are OWA or Outlook (any recent build of classic, new, or mobile) because these definitely support the necessary authentication. Is this the case?
- If it is, send a test encrypted message to Michelle.Best AT O365Maestro.onmicrosoft.com to see if it arrives there successfully. This is a brand-new account in a test Microsoft 365 tenant configured for sensitivity labels where I know that the clients can successfully read and send encrypted email and documents.