Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Sharing Protected documents to external user

Copper Contributor

Hi all,


I have a scenario where I have setup 3 labels:  Public; Internal; Confidential.


My question is how to share a document that has been labelled "Confidential" to external users who are not in my tenant?

The document can be on SharePoint sites or OneDrive.


Any help/guide would be greatly appreciated.




3 Replies
Hello @Vinay,

Thank you for the post as this something many companies have questions about. My name is Mike and I hope to help you better understand this situation, but to do so I will need a little more information from you.

For your labels, when you configured Confidential, what encryption settings did you set the label to? The encryption settings you configured will be crucial to whether or not the recipient can access the file, and if they can, what level of access they will have.

The sharing process would best be done by sharing it as a link through OneDrive or SharePoint, depending on where it is stored. If you are not familiar with this process, this link should help:

If you'd like to send your configurations as a direct message, you can, and I will reply to this thread.

Hi @Vinay 


You want to share labeled and/or protected content with external partner. You have O365 and MPIP license and all requirements are meet for functional Sensitivity Labeling solution.


  • For emails, Azure B2B is not required for external collaboration where OME portal is independent from B2B accounts. Azure B2B is only helpful when external users needs to classify content with your labels. Azure B2B is recommended approach for most other collaboration workloads such as Teams, SPO, ... since sharing via SPO / Teams requires two permissions sets, the MIP and SPO/Teams permissions (via B2B account).
  • External partners do not require Microsoft Cloud (O365 / Azure), where for email scenario consumer identities and OTP would work but AAD identity is required for Word/Excel/PowerPoint.
  • The limitation for external collaboration is encryption or custom permissions. Hence, the recommended approach for external collaboration is Azure B2B.

If you agreed with your partner for MIP consumption with creating a label or sublabel with encryption which include external accounts via groups, then your partner require the use of Azure AD and provide group names (be aware of conditional access policy). Alternatively, you can use individual accounts via internal distribution list (or individual accounts instead of groups) which would not require external partner to have Azure AD.



Thank you and kind regards

Thanks for the guide