SOLVED

External user permission error


Hi, in my environment I am not able to use gmail-addresses or hotmail-addresses for custom permissions. Is this a setting in Azure? Where do I change it so people are able to use these addresses?

Thanks.

3 Replies
You should add Consumer addresses (Gmail, Hotmail, etc) to Azure AD as Guest/external first, and then add those accounts to your custom templates:
https://docs.microsoft.com/en-us/information-protection/get-started/faqs-rms#can-i-add-external-user...

What is your environment though, we are not fortune tellers here :) If you are using Office 365, you can enable the OME service to directly send messages to Gmail, Yahoo, Outlook.com accounts: https://support.office.com/en-us/article/office-365-message-encryption-ome-f87cb016-7876-4317-ae3c-9...

best response confirmed by Vasil Michev (MVP)
Solution

This seems to be the same question that I answered on the Docs site? (https://docs.microsoft.com/en-us/information-protection/rms-client/client-classify-protect#comments) You can't currently use these types of addresses with custom permissions because these email addresses are not supported by Azure Information Protection. There isn't a setting that you enable for this in Azure - there are backend changes that need to be completed on the engineering side before this will work.

As the other replies indicate, these types of addresses are supported when you use the new capabilities from Office 365 Message Encryption - so you can use them with email because Exchange Online is doing the authentication. If you use these types of addresses with labels or protection templates, they will work with email (going through Exchange Online) but won't work if you protect a document outside email. For permissions to work with documents, the email address must be from a verified domain in Azure. You'll find more detailed information here: https://docs.microsoft.com/en-us/information-protection/plan-design/prepare#azure-information-protec...

It's understandably a very popular request to be able to use personal email addresses for documents as well as for emails. As soon as the extra work is done, I'm sure it will be widely announced - and I'll update the docs to match!