Hi @James Kenneally
If you're having issues sharing sensitive data with external guest accounts, even after enabling external sharing, the problem likely stems from either Microsoft Purview Information Protection policies or Microsoft Entra B2B collaboration settings.
Here are the key areas to check:
- Sensitivity labels and DLP policies: Review the sensitivity labels applied through Microsoft Purview. Make sure they permit sharing with guests. Also, check for any DLP policies that might be blocking sharing or email delivery when sensitive data is involved.
- OneDrive and Microsoft 365 external sharing settings: Go to the OneDrive admin center and ensure external sharing is enabled for guests. Confirm that the sharing link type allows access to specific people or guests, not just internal users.
- Microsoft Entra ID (formerly Azure AD) external collaboration policies: In the Microsoft Entra admin portal, check the external identities configuration. Ensure guests are not blocked by restrictions like conditional access policies, required MFA, or blocked domains.
- Email encryption and delivery behavior: When sending encrypted content, guests may need to authenticate with a Microsoft account or another identity provider. If the guest user doesn't meet the expected authentication model, access will fail. You can temporarily test this by sending the same file without encryption to rule out the cause.
If none of these options work, then yes, creating users directly in your tenant might be necessary if your organization requires full control over access, compliance, and auditing for external collaboration.
I hope this information helps. Please do let us know if you have any further queries.
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
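The four checks in the answer above can be pulled from the tenant in one pass instead of clicking through three admin portals. The script below is an added example, not part of the answer or of any Microsoft documentation. It assumes the tenant name `contoso` and the guest address `guest@example.com` (both placeholders), that the `Microsoft.Online.SharePoint.PowerShell`, `ExchangeOnlineManagement` and `Microsoft.Graph` modules are installed, and that the account running it has SharePoint admin, Compliance admin and at least Global Reader rights. It only reads configuration; it changes nothing.

```powershell
# Added diagnostic script (not from the answer above). Placeholders, replace before use:
$TenantName = 'contoso'            # assumption: your tenant name
$GuestMail  = 'guest@example.com'  # assumption: the external address that cannot open the file

# 1. OneDrive / SharePoint external sharing (tenant level, then the specific site can be stricter)
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
$spo = Get-SPOTenant
$spo | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    SharingDomainRestrictionMode, SharingAllowedDomainList, SharingBlockedDomainList,
    RequireAcceptingAccountMatchInvitedAccount | Format-List
if ($spo.SharingCapability -eq 'Disabled' -or $spo.OneDriveSharingCapability -eq 'Disabled') {
    Write-Warning 'External sharing is disabled at tenant or OneDrive level; no guest will get access.'
}
if ($spo.SharingDomainRestrictionMode -ne 'None') {
    Write-Warning "Domain restrictions are active ($($spo.SharingDomainRestrictionMode)); check the guest's domain against the list above."
}
# A single OneDrive or site can override the tenant setting downwards, e.g.:
# Get-SPOSite -Identity "https://$TenantName-my.sharepoint.com/personal/<user>" | Select-Object SharingCapability

# 2. Sensitivity labels and DLP rules that block access
Connect-IPPSSession
Get-Label | Select-Object DisplayName, ContentType | Format-Table -AutoSize
# Rules with a block action and whom they block (All, PerUser, PerAnonymousUser)
Get-DlpComplianceRule | Where-Object { $_.BlockAccess -and -not $_.Disabled } |
    Select-Object Name, ParentPolicyName, BlockAccessScope | Format-Table -AutoSize
# Policies in Enable mode actually enforce; TestWith*/Disable modes only report
Get-DlpCompliancePolicy | Select-Object Name, Mode, Workload | Format-Table -AutoSize

# 3. Entra ID: guest account state, invitation policy, Conditional Access aimed at guests
Connect-MgGraph -Scopes 'User.Read.All', 'Policy.Read.All' -NoWelcome
$guest = Get-MgUser -Filter "mail eq '$GuestMail' and userType eq 'Guest'" `
    -Property Id, UserPrincipalName, ExternalUserState, AccountEnabled, CreatedDateTime
if (-not $guest) {
    Write-Warning "No guest object for $GuestMail; the invitation was never created or the domain was rejected."
} else {
    $guest | Select-Object UserPrincipalName, ExternalUserState, AccountEnabled, CreatedDateTime | Format-List
    if ($guest.ExternalUserState -eq 'PendingAcceptance') {
        Write-Warning 'Guest has not redeemed the invitation yet; content will not open until they do.'
    }
}
Get-MgPolicyAuthorizationPolicy | Select-Object AllowInvitesFrom, GuestUserRoleId | Format-List
Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and (
        $_.Conditions.Users.IncludeUsers -contains 'GuestsOrExternalUsers' -or
        $_.Conditions.Users.IncludeGuestsOrExternalUsers
    )
} | Select-Object DisplayName, @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join ',' } } |
    Format-Table -AutoSize

# 4. Encrypted mail: can a non-Microsoft recipient authenticate at all?
Connect-ExchangeOnline -ShowBanner:$false
# OTPEnabled = one-time passcode, SocialIdSignIn = Google/Yahoo etc. If both are $false,
# only Microsoft-account or federated recipients can open protected mail.
Get-OMEConfiguration | Select-Object Identity, OTPEnabled, SocialIdSignIn | Format-Table -AutoSize
Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled | Format-List
```

Read the output top to bottom in the same order as the answer's bullets: a `Disabled` sharing capability or an active domain restriction explains everything downstream, a DLP rule with `BlockAccessScope` of `All` or `PerAnonymousUser` explains a file that internal users can open but guests cannot, `PendingAcceptance` explains a guest who was invited but never signed in, and `OTPEnabled`/`SocialIdSignIn` both `$false` explains encrypted mail that a Gmail recipient cannot open even though the unencrypted test copy arrives fine.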