External people can't open files with Sensitivity Label encryption.
Question: What are the best practices for ensuring external users can open files encrypted with Sensitivity Labels? Hi all. I've been investigating proper setup of sensitivity labels in Purview, and the impact on user experience. The prerequisites are simple enough, creating and configuring the labels reasonably straightforward, and publishing them is a breeze. But using them appears to be a different matter! Everything is fine for labels that don't apply encryption (control access) or when used internally. However, the problems come when labels do apply encryption and information is sent externally. The result is that we apply a label to a document, attach that document to an email, and send it externally - and the recipient says they can't open it and they get an error that their email address is not in our directory. This is because due to the encryption, the external user needs to authenticate back to our tenant, and if they're not in our tenant they obviously can't do this so the files won't open. So, back to the question above. What's the easiest / most secure / best way to add any user we might share encrypted content with to our tenant. As I see it we have the following options: Users have to request Admins add the user as a Guest in our tenant before they send the content. Let's face it, they'll not do this and/or get frustrated. Users share encrypted content directly from SharePoint / OneDrive, rather than attaching it to emails (as that would automatically add the external person as a Guest in the tenant). This will be fine in some circumstances, but won't always be appropriate (when you want to send them a point-in-time version of a doc). With good SharePoint setup, site Owners would also have to approve the share before it gets sent which could delay things. Admins add all possible domains that encrypted content might be shared with to Entra B2B Direct Connect (so the external recipient doesn't have to be our tenant). This may not be practical as you often don't know who you'll need to share with and we work with hundreds of organisations. The bigger gotcha is that the external organisation would also have to configure Entra B2B Direct Connect. Admins default Entra B2B Direct Connect to 'Allow All'. This opens up a significant attack surface and also still requires any external organisation to configure Entra B2B Direct Connect as well. I really want to make this work, but it need to be as simple as possible for the end users sharing sensitive or confidential content. And all of the above options seem to have significant down-sides. I'm really hoping someone who uses Sensitivity Labels on a day-to-day basis can provide some help or advice to share their experiences. Thanks, Oz.Creating a Comprehensive Inactive Guest Account Report
Many examples of how to report inactive Entra ID guest accounts with PowerShell are available on the internet, but they're all flawed because they make decisions based on the last sign in. That's a shortsighted method because it doesn't take guest activity into account. This article explains how to combine audit data with sign-in data to create an enhanced view of guest account activity so that intelligent decisions can be made to keep or retain the accounts. https://practical365.com/inactive-guest-account-report/Entra Agents are Promising but Could do More
Microsoft's Alex Simons came to the TEC 2025 conference to talk about the future of Entra ID, a lot of which hangs on the use of AI in components like the Entra agents that are now in preview. The idea of using agents to relieve hard-pressed human administrators is great, but only if those agents do more than a skilled human administrator can do, and that's not the case so far. https://practical365.com/entra-agents-could-do-more/What’s the Best Way to Manage Guest Accounts?
Guest account management should be a part of every Microsoft 365 tenant administrator’s checklist, unless the tenant has no guests. That’s possible but given the way that workloads like Teams and SharePoint Online create new guest accounts, the average tenant is likely to have quite a few guests. The question is how to manage guests – with Microsoft’s tools or using tenant-designed PowerShell scripts? https://office365itpros.com/2025/09/18/guest-account-management/
Guest accounts and groupchats
Hello everyone, I recently received a support request regarding adding a person with a guest account to a group chat. Unfortunately, Teams refused to add that account. Copilot explained that this is due to the restrictions guest accounts have when it comes to communicating within the tenant they are invited to. Apparently—and this is what I’d love for you to verify—guests are only able to communicate within channels (e.g., threads in a channel) and in 1:1 chats. After we deleted the guest account, we were able to add that person to the group chat. Are the following informations correct? Guest user in tenant: Added as a guest in your tenant’s Azure Active Directory Access: Teams channels, files, meetings Restriction: No regular group chats outside of Teams channels External user (federation): Remains in their own tenant, connected to yours through federation Access: Chats and calls like regular Teams users Advantage: Can be added to regular group chats Thank you for your help. Best Hisham
SPF, DKIM and DMARC bypassed for guest users
I manage a small non-profit using Microsoft 365 Business Basic. Most of the people on our board of directors are added as unlicensed guest users so that they can participate in Teams chats and meetings and to access our Sharepoint without using up a license. The problem: any email sent from an internal licensed user (or shared mailbox) to one of these guest users completely bypasses our domain's SPF, DKIM and DMARC configuration, resulting in bounced emails (particularly for recipients using gmail). Mail sent from an internal licensed user to any external address NOT registered as a guest user correctly passes SPF, DKIM and DMARC checks. I gather that this is because guest users are viewed as "internal" despite having external email addresses, but it seems like a serious limitation if I cannot reliably send email to anyone who is a guest user. Is there any extra configuration I can do to enable SPF, DKIM and DMARC for email to guest users?
Microsoft 365 Windows 11 external user or guest user sign in
Consider the following situation: CompanyA has a Microsoft 365 tenant with licensed users. CompanyA has a business relationship with CompanyB which also has a Microsoft 365 tenant. All of CompanyB's Windows 11 Pro computers are Entra ID joined and Intune enrolled. All of CompanyB's users have Microsoft 365 Business Premium licenses. An employee of CompanyA is stationed at CompanyB's office and needs to use one of CompanyB's computers as his primary computer. How would a technician have to configure things so that CompanyA user can sign into CompanyB's Windows 11 Pro computer and work like normal? I've done some reading online but most of the articles focus on access to cloud resources, whether that be Microsoft Teams or Entra Enterprise Apps or similar resources. I haven't found an article touching on Windows 11 sign in. Matthew
Guest Access for iOS??
We rolled out Microsoft Teams and Planner for a project at our organization. We have guest access turned on and enabled across Teams and Planner and everything seems to be working well. However, we noticed that our guest users do not seem to be able to access Planner thru the iOS app on their phone. It just says "Can't open link - You either don't have access to this item or it has been deleted" Is this a settings issue or something that isn't available on the iOS app yet?
Can't invite deleted Guest User "We ran into an issue. Please try again later."
Good morning Microsoft community We have to delete an Guest-User from our AD and reinvite the Guest-User into a team - the reason is a workaround for a PowerBI problem. I have a short, but for me an unsolveable question: I deleted the Guest-User and permanently deleted him inside of the "deleted users". After more than 24h i tried to reinvite him into a team. What now happens, is that he still get listed in the memberdropdown menu and if i click on him, the following message appears. As information: I cant just type his mailadress inside the invitation-box, without picking his saved mailadress from the dropdown-list - otherwise it doesn't recognize a new guest-user. I hope someone can help me. Thank you very much! Kind regards B_Gen
