Hello all

 We have two AD forests .com and .us. In the .com Ad forest we have a connector in azure ad connectr that pulls user accounts from the .us forest into the metaverse of the azure ad connect server that is part of the .com AD forest. We have azure ad connect rules that transform these user objects into contacts, and then sync these contacts to exchange online in the .com Azure ad tenant. 

We have the same configuration setup in the .us AD forest. We do this to create a command gal in the two environments.  When a user that is in the commercial .com exchange online environment sends an encrypted email to a user in the gcc high environment, the email is being sent to the recipients external address which is email address removed for privacy reasons . The recipient  in the gcc high environment receives the email and when they click on the link to receive the otp, they get the otp code, but when they paste in the otp code they get the below error message . When a user in the gcc high environment sends an encrypted email to a user in commercial . the user can view the encrypted email, no issues.  It appears gcc high wants the recipient to receive the otp with the same ID that the email was sent to.