You have to share some details on how your CA policies are configured. Generally speaking, you should be able to work around the issue by adding an exception, either for the RMS service or for any external users. It's up to you to decide which method works best, and you can find detailed instructions in this article: https://office365itpros.com/2024/02/12/conditional-access-mfa-email/
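As an added example (not from the answer above, the linked article, or Microsoft), the following Microsoft Graph PowerShell script reports every enabled Conditional Access policy that requires MFA for all cloud apps without excluding the Azure Rights Management service, and adds that exclusion only when run with `-Apply`. It assumes the Microsoft.Graph SDK is installed and that `00000012-0000-0000-c000-000000000000` is the well-known "Microsoft Rights Management Services" application ID, which the script verifies against the tenant before changing anything.

```powershell
# Added example: find MFA CA policies that cover all cloud apps but do not exclude
# the Azure Rights Management service, and optionally add that exclusion.
# Assumes the Microsoft.Graph PowerShell SDK; the app ID is the well-known RMS app.
param([switch]$Apply)

$RmsAppId = '00000012-0000-0000-c000-000000000000'

Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All' -NoWelcome

# Confirm the RMS service principal exists in this tenant before touching any policy
$rmsSp = Get-MgServicePrincipal -Filter "appId eq '$RmsAppId'"
if (-not $rmsSp) { throw "RMS service principal not found; verify the app ID for your cloud." }

$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    $apps        = $p.Conditions.Applications
    $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
    $allApps     = $apps.IncludeApplications -contains 'All'
    $rmsExcluded = $apps.ExcludeApplications -contains $RmsAppId

    if ($p.State -eq 'enabled' -and $requiresMfa -and $allApps -and -not $rmsExcluded) {
        Write-Host "Policy '$($p.DisplayName)' requires MFA for all apps and does not exclude RMS."
        if ($Apply) {
            # Keep any existing exclusions and append the RMS app
            $exclude = @($apps.ExcludeApplications) + $RmsAppId
            $body = @{
                conditions = @{
                    applications = @{
                        includeApplications = $apps.IncludeApplications
                        excludeApplications = $exclude
                    }
                }
            }
            Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter $body
            Write-Host "  Added RMS exclusion to '$($p.DisplayName)'."
        }
    }
}
```

Run it without `-Apply` first; in that mode it only reports. Review each changed policy in the Entra admin center afterwards, since the update replaces the applications condition as a whole.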
Encrypted email attachment is not accessible to recipient after global Conditional Access MFA policy enabled
Hello,
We have been troubleshooting this for a while now. We created a policy in our Exchange admin center to be able to send encrypted email with specific syntax in the subject line. This has been working for years. For compliance reasons we needed to implement multiple Conditional Access policies in our Azure tenant. Now, when an end user creates an email with an attachment and the specific syntax to encrypt it, the recipient tries to open the attachment, a Microsoft MFA prompt comes up asking them to log in using their account, and then they receive this error:
AADSTS90072: User account 'xyz' from identity provider 'https://sts.windows.net/4bfbe7-1f35-4adb-9afa-22cf6d34a9f8/' does not exist in tenant 'ABC.' and cannot access the application 'd359d6-52b3-4102-aeff-aad2292ab01c'(Microsoft Office) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
We don't want to have to give external domains access to our tenant, but we want them to be able to open the email attachment. Any thoughts on where this configuration change needs to be made to allow this?