External Sharing with Sensitivity Labels

New Contributor


Can someone confirm that the only way to share a document externally that has a sensitivity label applied, is to invite the recipient as a guest into our AD Tenant? 


Say I have a partner company, and I wish only all of my users, and all of theirs to have access to particular documents.  Do I have to add them in as a cross tenant organization, and then create guest accounts for all of their users? This would seem a little unwieldly 


Additionally if I wish as an end user to apply a confidential label with just the email address of a 3rd party company having access (they that configure at the time).  Would that 3rd party user then also have to already have a guest account in our tenant? 


Seemingly without a guest account, in both scenarios, they just receive an error that no Azure AD account exists for them in our tenant

3 Replies
No. Only if the external permissions aren’t set in the label.



Hi Christian,
Thanks for the reply.
This was my understanding. However if I configure either a direct mail account or a domain within the label. Send that document to the external party. They receive the message that there is no account for them in our Azure AD

I imagine you have some conditional access policies set up. And I think this could be a case of the Microsoft Azure Information Protection app not being allowed/selected for them. Try adding that as an approved app for the external users OR you can use the Cross-tenant access settings under External Identities in Azure AD and check the box where you trust their MFA claims. Behind the scenes I reckon the external user's clients are trying to satisfy MFA and if the above isn't configured it will not work.

Hope that helps, not necessarily what's causing the issue here but give it a try.