Encrypted email attachment is not accessible to recipient after Global Conditional MFA policy enabled

Bob Fry (M365 Admin) 0 Reputation points
2024-08-16T14:03:43.4466667+00:00

Hello,

We have been troubleshooting this for a while now. We created a policy in our Exchange admin center to be able to send encrypted email with specific syntax in the subject line. This has been working for years. For compliance reasons we needed to implement multiple conditional access policies in our Azure tenant. Now, when an end user creates an email with an attachment using the specific syntax to encrypt, the recipient tries to open the attachment, a Microsoft MFA prompt comes up asking them to log in with their account, and then they receive this error.

AADSTS90072: User account 'xyz' from identity provider 'https://sts.windows.net/4bfbe7-1f35-4adb-9afa-22cf6d34a9f8/' does not exist in tenant 'ABC.' and cannot access the application 'd359d6-52b3-4102-aeff-aad2292ab01c'(Microsoft Office) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account

We don't want to have to give external domain access to our tenant but want them to be able to open the email attachment. Any thoughts on where this configuration change needs to be made?

  1. Vasil Michev 103.4K Reputation points MVP
    2024-08-17T14:10:06.14+00:00

    You have to share some details on how your CA policies are configured. Generally speaking, you should be able to work around the issue by adding an exception, either for the RMS service, or for any external users. It's up to you to decide which method works best, and you can find detailed instructions in this article: https://office365itpros.com/2024/02/12/conditional-access-mfa-email/

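As an added example (not from the question or the answer above), here is the first of the two options the answer mentions, an application exclusion for the Rights Management service, applied to an existing Conditional Access policy with the Microsoft Graph PowerShell SDK. The policy display name is a placeholder you would replace with your own; the app id used is the well-known first-party "Microsoft Rights Management Services" application.

```powershell
# Added example, not the poster's or Microsoft's own script.
# Requires the Microsoft.Graph PowerShell module and an admin able to consent to
# Policy.Read.All and Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# PLACEHOLDER: display name of the MFA policy that now blocks external recipients.
$policyName = "Global MFA policy"
# Well-known first-party app id for Microsoft Rights Management Services.
$rmsAppId = "00000012-0000-0000-c000-000000000000"

$policy = @(Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'")[0]
if (-not $policy) { throw "Conditional Access policy '$policyName' not found" }

# Keep existing exclusions and add the RMS app once; PATCH replaces the whole
# 'applications' object, so the include list is sent back unchanged as well.
$excludedApps = @($policy.Conditions.Applications.ExcludeApplications) + $rmsAppId |
    Where-Object { $_ } | Select-Object -Unique

$params = @{
    conditions = @{
        applications = @{
            includeApplications = @($policy.Conditions.Applications.IncludeApplications)
            excludeApplications = @($excludedApps)
        }
    }
}

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $params

# Check: the RMS app id should now be listed under excluded applications, so the
# recipient's decryption sign-in no longer hits this policy while other apps still do.
$updated = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
if ($updated.Conditions.Applications.ExcludeApplications -notcontains $rmsAppId) {
    throw "Exclusion was not applied"
}
```

Scoping the exclusion to the single RMS app keeps MFA enforced for everything else, whereas the alternative of excluding all external users widens the gap to every app the policy covers; test either change against a report-only copy of the policy first.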
