How to send encrypted documents outside organization without adding guest user accounts in tenant

Brass Contributor


we have a problem and would like to know the thoughts on how to address it.

We want to send encrypted documents to any outside users/organizations (that are not part of our tenant and have not been added as a guest user)
if I use "Let user assign permissions" in the label then the label disappears in the Ms Office (word, excel etc...) so I cant use this option

If i use "Assign permissions now" and select "all authenticated users" then the label comes back, I can apply the label but since the user is outside my organization and not even registered as a guest user in the tenant then they cannot open the file. Practically there are over 5000 users in our organization and we cannot simply add all outside organizations into new M365 groups to have them added in our tenant.

how can we address this issue?? I am running out of thoughts here.

any help is appreciated.


3 Replies

@FahadAhmed I have the same challenge. My approach is to use DLP. If the document has the sensitivity label highly confidential then remove the label and create a secure email instead. But I am still working on this to complete. Anyone a good suggestion?

HI FahadAhmed, in your tenant, are you using conditional access policy that requires MFA even for Guest users? If yes, exclude "Microsoft Azure Information Protection" cloud app from it.
best response confirmed by FahadAhmed (Brass Contributor)

Hi, @FahadAhmed,


Concur with the conditional access recommendations.


Also, when you say the "user defined" label disappears, are you referring to office on the web or the desktop application?


It is known at this time that user-defined labels are not fully supported in office on the web but this feature is in public preview and is set to hit general availability in September 2023. Here's the roadmap item:


Microsoft 365 Roadmap | Microsoft 365