SOLVED

Outlook Encrypted Email Issues


I have deployed M365 DLP controls to block password protected attachments that cannot be scanned and am telling users to use Outlook Encryption instead to protect outgoing email attachments.

However, a number of external companies have reported not being able to open the encrypted messages and the screenshots provided show that they are trying to authenticate as a guest user in my Entra ID instance (rather than using their own IdP, SSO or an OTP).

 

What would cause that and how do I resolve?

 


7 Replies
best response confirmed by GrahamP67 (Copper Contributor)
Solution

Hi GrahamP67,

First of all, the error code AADSTS90072:
"...The external account that the user signs in with doesn't exist on the tenant that they signed into; so the user can't satisfy the MFA requirements for the tenant... The account must be added as an external user in the tenant first"
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-error-codes

Emails can only be opened in the Outlook Desktop App when the recipients are added as Azure guests to your tenant. This is by design. Please note that the behavior possibly is different in the Outlook Mobile App or in Outlook on the web.

 

You might also need to exclude "Microsoft Azure Information Protection" cloud app from CA policies that enforce multifactor authentication on your tenant.

Thanks, this is helpful.
I don't want them to have guest accounts, so I guess I need to work out what is driving the MFA requirement - will that be on my side?

Hi GrahamP67,

Since you are sending the emails, it has to be done at your end.

@GrahamP67 

 

Did you ever figure out what was driving the MFA requirement? I'm facing a similar issue for a client that is sending encrypted emails to outside parties and they are unable to open the encrypted email, prompting to log in.

We do have conditional access policies in place and I'm thinking one of these policies is the cause.

@GrahamP67 

 

Yes, external federation is required 

@LuisLopez1981 

 

A couple of things can happen here when conditional access policies enforce MFA for all cloud apps. First, the external recipient does not have an Entra ID account. They can't sign in and can't satisfy the MFA challenge, so their attempt to sign in is rejected.

 

Second, the recipient has an Entra ID account and can sign in. However, when Outlook desktop attempts to secure a use license to decrypt the email, the client request to the Microsoft Rights Management Services app on the originating tenant (not the user's tenant) cannot satisfy an MFA challenge and ends up with access denied. In this instance, Outlook reverts to displaying the protected wrapper for the message and the recipient can go to the OME portal to read the content.

 

The workaround is to exclude the Microsoft Rights Management Service app from the CA policy that imposes MFA for cloud apps...

Thank you! This worked.
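
As an added example (not from the thread participants or from Microsoft): a Python check over an exported list of conditional access policies that flags any enforced policy requiring MFA from external users for the Rights Management app without excluding it, which is the condition the replies above identify. The JSON field names follow the Microsoft Graph conditionalAccessPolicy resource; the app ID constant is an assumption to confirm in your tenant, and the helper names and sample policies are constructed.

```python
import json

# Assumption: well-known app ID of "Microsoft Rights Management Services";
# confirm it against the enterprise applications in your own tenant.
RMS_APP_ID = "00000012-0000-0000-c000-000000000000"

def _ids(values):
    return [str(v).lower() for v in values or []]

def blocks_external_decryption(policy, rms_app_id=RMS_APP_ID):
    """True if an enforced policy demands MFA from external users for the RMS app."""
    rms = rms_app_id.lower()
    if policy.get("state") != "enabled":          # skips disabled and report-only
        return False
    if "mfa" not in _ids((policy.get("grantControls") or {}).get("builtInControls")):
        return False
    cond = policy.get("conditions") or {}
    apps, users = cond.get("applications") or {}, cond.get("users") or {}
    if rms in _ids(apps.get("excludeApplications")):
        return False                              # the exclusion from the thread
    included_apps = _ids(apps.get("includeApplications"))
    if "all" not in included_apps and rms not in included_apps:
        return False
    if "guestsorexternalusers" in _ids(users.get("excludeUsers")):
        return False                              # externals are out of scope
    included_users = _ids(users.get("includeUsers"))
    return "all" in included_users or "guestsorexternalusers" in included_users

def audit(export_json):
    return [p["displayName"] for p in json.loads(export_json).get("value", [])
            if blocks_external_decryption(p)]

def _policy(name, state="enabled", apps=("All",), no_apps=(), no_users=()):
    # Builds a constructed policy in the Graph conditionalAccessPolicy shape.
    return {"displayName": name, "state": state,
            "grantControls": {"builtInControls": ["mfa"]},
            "conditions": {"applications": {"includeApplications": list(apps),
                                            "excludeApplications": list(no_apps)},
                           "users": {"includeUsers": ["All"],
                                     "excludeUsers": list(no_users)}}}

# Constructed sample export, not taken from any real tenant.
SAMPLE_EXPORT = json.dumps({"value": [
    _policy("MFA for all cloud apps"),
    _policy("MFA for all apps except RMS", no_apps=[RMS_APP_ID]),
    _policy("MFA for one other app", apps=["11111111-1111-1111-1111-111111111111"]),
    _policy("MFA report-only", state="enabledForReportingButNotEnforced"),
    _policy("MFA for members only", no_users=["GuestsOrExternalUsers"]),
]})
```

Calling `audit(SAMPLE_EXPORT)` returns only the first policy's name. The check reads only `includeUsers` and `excludeUsers`; policies scoped through groups, roles or the newer guest/external user conditions need a manual look.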