Using Email Encryption: Remote tenants not able to authenticate / open encrypted messages


We are using automation plus a flow rule to force encrypted emails via flow rules that apply Office 365 Message Encryption and Rights Protection with the "Encrypt Only" policy.

 

However, when we send to people who are on remote tenants, we run into an unusual problem.  Some tenants "just work", while other tenants hard fail with a notice that says the following:

 

Selected user account does not exist in tenant 'Tenant Name' and cannot access the application 'UUID Here' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

 

Unfortunately, there's no option to bypass this for those recipients and no way to force one-time password authentication options where they have to request an OTP and then use that. It enforces the use of MS365 Tenant auth rather than OTP, which is unusual and problematic because, while *certain* remote tenants "just work", others do not.

 

I'm confused as to where to look next. Is there a way to force OTP-only in the outgoing encryption for a message with transport rules on the Outlook 365 admin panel? Alternatively, is there a way to automatically permit external tenant accounts/recipients to just work? Please feel free to ask any questions necessary to solve this on our end; it's a core component of one of our information sending systems to partners and it's not working as intended.
