Failed to decrypt onedrive link email for external guest users

Question

Failed to decrypt onedrive link email for external guest users

Godmaster 1

Hello,

Hello, I have a problem with all my sensitive label and share document link from onedrive.
I have done all test and its a nightmare !

the process is this :

i send an email to an external user with a sensitive label for the email and an attachment of a docx store in my onedrive, the docx is also tag with the same label.
then the user received the email who is encrypted in my gmail account ( external user )
I can read the email with the One time password i received => no problem to read the email.
Finaly when i want to open the attach link file :
"The document is protected by a rights management service, such as *Azure Information Protection"

I have also made these* https://erik365.blog/2021/05/24/enable-azure-b2b-integration-with-onedrive-and-sharepoint-online/ without good results.

Ganesh Gurram 7,295 Reputation points Microsoft External Staff Moderator

2024-12-26T12:21:18.7933333+00:00
Hi @Godmaster

Thanks for the question and using MS Q&A platform.

When sending an email with a sensitive label and an attachment to an external user, there are several factors that could prevent the external user from accessing the document. Here are some potential reasons and solutions:

Conditional Access Policies - If your organization has an external-facing conditional access (CA) policy that blocks access to the Azure Information Protection (AIP) endpoint, the external user may not be able to open the document. You may need to adjust the policy to allow access.

Sensitivity Label Restrictions - The sensitivity label applied to the document might have restrictions that limit access to internal users only. Check the label settings to ensure that external users are allowed access.

Guest Accounts - For external users to open encrypted documents, they may need to be added as guest users in your Microsoft Entra tenant. This can be done manually or through integration with SharePoint and OneDrive.

Multi-Factor Authentication (MFA) - If MFA is enforced, the external user might need to authenticate through a supported application like Outlook on the web or mobile apps to access the document.

Rights Management Service - Ensure that the external user is using an account that is compatible with the rights management service, such as a Microsoft account, to open the document.

Reviewing these aspects should help you troubleshoot the issue with the encrypted document link.

References:

External recipient can't open encrypted email that uses Microsoft Purview Message Encryption

Microsoft Entra configuration for encrypted content

Resolve Microsoft Purview Message Encryption issues

Hope this helps. Do let us know if you have any further queries.
Godmaster 1 Reputation point

2024-12-26T23:29:44.27+00:00

When i use a sensitive label for the email with onedrive link word document ( without label ) => it works with OPT password.

When i use a sensitive label for the email with onedrive link with the same label of the the email. => AIP error.

its really a problem with onedrive/ sharepoint document with sensitive label encryption and OTP.

It wont let me use a microsoft account only OTP or "sign in with google "
Godmaster 1 Reputation point

2024-12-27T09:38:07.9866667+00:00

I have tried to add gmail account as guest user in Microsoft Intra ID, the results is the same...
AIP error.
Godmaster 1 Reputation point

2024-12-27T09:40:40.0533333+00:00

I"ve tried adding the gmail account as guest user in Microsoft intra ID, same AIP error...
Ganesh Gurram 7,295 Reputation points Microsoft External Staff Moderator

2024-12-28T04:40:11.2633333+00:00

@Godmaster - If you have a support plan could you please file a support ticket for deeper investigation and do share the SR# with us?
Ganesh Gurram 7,295 Reputation points Microsoft External Staff Moderator

2024-12-30T01:02:17.6466667+00:00

@Godmaster - Did you get a chance a raise a support ticket? If yes, please do share the #SR with us.

Thank you.

1 answer

Your answer

Ganesh Gurram 7,295 Reputation points Microsoft External Staff Moderator

2024-12-26T12:21:18.7933333+00:00

Hi @Godmaster

Thanks for the question and using MS Q&A platform.

When sending an email with a sensitive label and an attachment to an external user, there are several factors that could prevent the external user from accessing the document. Here are some potential reasons and solutions:

Conditional Access Policies - If your organization has an external-facing conditional access (CA) policy that blocks access to the Azure Information Protection (AIP) endpoint, the external user may not be able to open the document. You may need to adjust the policy to allow access.

Sensitivity Label Restrictions - The sensitivity label applied to the document might have restrictions that limit access to internal users only. Check the label settings to ensure that external users are allowed access.

Guest Accounts - For external users to open encrypted documents, they may need to be added as guest users in your Microsoft Entra tenant. This can be done manually or through integration with SharePoint and OneDrive.

Multi-Factor Authentication (MFA) - If MFA is enforced, the external user might need to authenticate through a supported application like Outlook on the web or mobile apps to access the document.

Rights Management Service - Ensure that the external user is using an account that is compatible with the rights management service, such as a Microsoft account, to open the document.

Reviewing these aspects should help you troubleshoot the issue with the encrypted document link.

References:

External recipient can't open encrypted email that uses Microsoft Purview Message Encryption

Microsoft Entra configuration for encrypted content

Resolve Microsoft Purview Message Encryption issues

Hope this helps. Do let us know if you have any further queries.
Godmaster 1 Reputation point

2024-12-26T23:29:44.27+00:00

When i use a sensitive label for the email with onedrive link word document ( without label ) => it works with OPT password.

When i use a sensitive label for the email with onedrive link with the same label of the the email. => AIP error.

its really a problem with onedrive/ sharepoint document with sensitive label encryption and OTP.

It wont let me use a microsoft account only OTP or "sign in with google "
Godmaster 1 Reputation point

2024-12-27T09:38:07.9866667+00:00

I have tried to add gmail account as guest user in Microsoft Intra ID, the results is the same...
AIP error.
Godmaster 1 Reputation point

2024-12-27T09:40:40.0533333+00:00

I"ve tried adding the gmail account as guest user in Microsoft intra ID, same AIP error...
Ganesh Gurram 7,295 Reputation points Microsoft External Staff Moderator

2024-12-28T04:40:11.2633333+00:00

@Godmaster - If you have a support plan could you please file a support ticket for deeper investigation and do share the SR# with us?
Ganesh Gurram 7,295 Reputation points Microsoft External Staff Moderator

2024-12-30T01:02:17.6466667+00:00

@Godmaster - Did you get a chance a raise a support ticket? If yes, please do share the #SR with us.

Thank you.

Answer 1

@Godmaster - Thanks for the update.

When you apply a sensitive label to an email, it primarily encrypts the email content itself. The OTP (One-Time Password) you receive is for accessing the email content. When you apply a label to a OneDrive document, AIP encrypts the document content. This requires specific permissions or applications to open, which external users might not have by default.

Even though you're sharing a OneDrive link, the document itself is encrypted. External users need specific permissions (like being a guest user in your organization's tenant) to access encrypted content. OTP is primarily for email access. It's not designed for directly accessing encrypted documents shared via OneDrive links.

Add External Users as Guests - Add the external users as guest users in your Microsoft Entra tenant. This provides them with the necessary permissions to access encrypted documents shared within your organization.

Leverage Azure B2B Collaboration - If your organization uses Azure B2B collaboration, external users can use their existing work or school accounts to access the documents. However, they'll need compatible applications (like Microsoft Office or Adobe Acrobat with the AIP plugin) to open the encrypted files.

Review Label Permissions - Double-check the permissions and restrictions of the sensitive label applied to the document. Ensure it allows external users with the appropriate access level to open the encrypted content.

If you've tried the above solutions and are still facing issues, reach out to your IT administrator. They can investigate potential configuration problems within your organization's environment.

Hope this helps you find a suitable solution.

Share via

Failed to decrypt onedrive link email for external guest users

1 answer

Your answer