Secure external attachments with Purview encryption
If you are using Microsoft Purview to secure email attachments, it’s important to understand how Conditional Access (CA) policies and Guest account settings influence the experience for external recipients. Scenario 1: Guest Accounts Enabled ✅ Smooth Experience Each recipient is provisioned with a guest account, allowing them to access the file seamlessly. 📝 Note This can result in a significant increase in guest users, potentially in hundreds or thousands, which may create additional administrative workload and management challenges. Scenario 2: No Guest Accounts 🚫 Limited Access External users can only view attachments via the web interface. Attempts to download then open the files in Office apps typically fail due to repeated credential prompts. 🔍 Why? Conditional Access policies may block access to Microsoft Rights Management Services because it is included under All resources. This typically occurs when access controls such as Multi-Factor Authentication (MFA) or device compliance are enforced, as these require users or guests to authenticate. To have a better experience without enabling guest accounts, consider adjusting your CA policy with one of the below approaches: Recommended Approach Exclude Microsoft Rights Management Services from CA policies targeting All resources. Alternative Approach Exclude Guest or External Users → Other external users from CA policies targeting All users. Things to consider These access blocks won’t appear in sign-in logs— as this type of external users leave no trace. Manual CA policy review is essential. Using What if feature with the following conditions can help to identify which policies need to be modified. These approaches only apply to email attachments. For SharePoint Online hosted files, guest accounts remain the only viable option. Always consult your Identity/Security team before making changes to ensure no unintended impact on other workloads. References For detailed guidance on how guest accounts interact with encrypted documents, refer to Microsoft’s official documentation: 🔗 Microsoft Entra configuration for content encrypted by Microsoft Purview Information Protection | Microsoft LearnPurview Webinars
REGISTER FOR ALL WEBINARS HERE Upcoming Microsoft Purview Webinars JULY 15 (8:00 AM) Microsoft Purview | How to Improve Copilot Responses Using Microsoft Purview Data Lifecycle Management Join our non-technical webinar and hear the unique, real life case study of how a large global energy company successfully implemented Microsoft automated retention and deletion across the entire M365 landscape. You will learn how the company used Microsoft Purview Data Lifecyle Management to achieve a step up in information governance and retention management across a complex matrix organization. Paving the way for the safe introduction of Gen AI tools such as Microsoft Copilot. 2025 Past Recordings JUNE 10 Unlock the Power of Data Security Investigations with Microsoft Purview MAY 8 Data Security - Insider Threats: Are They Real? MAY 7 Data Security - What's New in DLP? MAY 6 What's New in MIP? APR 22 eDiscovery New User Experience and Retirement of Classic MAR 19 Unlocking the Power of Microsoft Purview for ChatGPT Enterprise MAR 18 Inheriting Sensitivity Labels from Shared Files to Teams Meetings MAR 12 Microsoft Purview AMA - Data Security, Compliance, and Governance JAN 8 Microsoft Purview AMA | Blog Post 📺 Subscribe to our Microsoft Security Community YouTube channel for ALL Microsoft Security webinar recordings, and more!
