How to give access to IRM protected file to user from another organization?

Vitalii Liashuk 150 Reputation points
2023-05-02T10:47:20.26+00:00

Hi,

I created the file and protected it with IRM. I gave access to a user from another organization. I don't have any relationship with his/her organization.

After that, I sent this file to the user and he/she downloaded it. Then he/she tried to open it, but Microsoft redirected him/her to my company login page and tried to authenticate to my organization. Why does Microsoft try to authenticate another user to my organization?


Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.

Accepted answer
  1. Sreeju Nair 12,176 Reputation points
    2023-05-02T11:40:22.2666667+00:00

    You need to check your portal settings. For example, if you enabled conditional access policies, and you enabled a policy that requires MFA authentication for all cloud access, and the other user does not have MFA enabled, they will receive this error.

    Look under Assignments > Users and groups > Include for All guest and external users.

    Refer to the following blog posts and see whether they help you.

    https://pupuweb.com/solved-fix-caa200004-aadsts90072-outlook/

    https://www.cloudsecuritea.com/2020/01/caa20004-aadsts90072-user-account-from-identity-provider-does-not-exist-in-tenant/

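The check suggested in the answer above can be run over an export of the tenant's conditional access policies. This is an added example, not part of the original answer or of any Microsoft tooling; it assumes the policies were exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape (`GET /identity/conditionalAccess/policies`), and the function names and sample policies are constructed for illustration.

```python
import json

# Constructed sample in the shape of a Microsoft Graph conditional access
# policy export. Policy names are made up for this example.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Require MFA for everyone", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Require MFA for guests (report-only)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": []},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Require MFA for staff, guests excluded", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["GuestsOrExternalUsers"]},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Compliant device for guests", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["None"], "excludeUsers": [],
                            "includeGuestsOrExternalUsers": {"guestOrExternalUserTypes": "b2bCollaborationGuest"}},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
]}
""")

def targets_guests(users):
    """True if the policy's user assignment covers guest/external users."""
    include = users.get("includeUsers") or []
    exclude = users.get("excludeUsers") or []
    if "GuestsOrExternalUsers" in exclude or users.get("excludeGuestsOrExternalUsers"):
        return False  # simplification: any guest exclusion counts as out of scope
    return ("All" in include or "GuestsOrExternalUsers" in include
            or bool(users.get("includeGuestsOrExternalUsers")))

def mfa_policies_hitting_guests(export, app_id=None):
    """Names of enforced policies that require MFA from guests for app_id (or any app)."""
    hits = []
    for p in export.get("value", []):
        cond = p.get("conditions") or {}
        apps = (cond.get("applications") or {}).get("includeApplications") or []
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        in_app_scope = "All" in apps or app_id is None or app_id in apps
        if (p.get("state") == "enabled" and "mfa" in controls
                and in_app_scope and targets_guests(cond.get("users") or {})):
            hits.append(p["displayName"])
    return hits

if __name__ == "__main__":
    print(mfa_policies_hitting_guests(SAMPLE_EXPORT))
```

Report-only policies are skipped because they do not block sign-in; pass `app_id` to narrow the result to policies scoped to one cloud app.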

1 additional answer

  1. Sreeju Nair 12,176 Reputation points
    2023-05-02T11:05:03.1833333+00:00

    By default, the Azure Rights Management service uses an Azure Active Directory account and an associated email address for user authentication, which makes business-to-business collaboration seamless for administrators. So if the other organization is in Azure Active Directory, there shouldn't be a problem. Refer to the following FAQ sections.

    https://learn.microsoft.com/en-us/azure/information-protection/faqs-rms#when-i-share-a-protected-document-with-somebody-outside-my-company-how-does-that-user-get-authenticated

    https://learn.microsoft.com/en-us/azure/information-protection/faqs-rms#can-i-prevent-users-from-sharing-protected-documents-with-specific-organizations

    If the user's organization doesn't have managed accounts in Azure, users can sign up for RMS for individuals, which creates an unmanaged Azure tenant and directory for the organization with an account for the user, so that this user (and subsequent users) can then be authenticated for the Azure Rights Management service.

    See more below.

    https://learn.microsoft.com/en-us/azure/information-protection/rms-for-individuals

    Hope this helps.
