AIP: Contact your IT admin to sign up

shini 41 Reputation points
2022-03-02T12:27:25.587+00:00

Good day!

To open the AIP-protected document, if you don't have a domain in Office 365, you have to sign up on AIP and configure OTP.

But after verifying the TXT record as domain admin, why are we getting the below message?

"Contact your IT admin to sign up
There's no existing account for this email address. Ask your IT administrator to create an account for you. And then come back to try this product and finish signing up."

Note: we are not able to invite the user, i.e. info@keyman .com, as the domain is already verified, and we get the error message "user is from the verified domain of this tenant". Second, if you create a new user, there will be two identities (not an option).

How can the IT admin consent for all the users? Or will all the users need to sign up?
And if only the TXT is verified, what's the solution?

Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.

Accepted answer
  1. Abdulrehman Altaf 226 Reputation points
    2022-08-31T14:43:07.677+00:00

    EXTERNAL PROTECTED DOCUMENT DELIVERY

    Document delivery to external users and the end-user experience are different from email; below are the detailed steps to understand the scenario.
    1. User creates a Word document and selects a label.
    2. User selects the read-only option and provides the external user's email/domain.
    3. User confirms from the tooltip that the document is protected with AIP.
    4. User attaches the document to the email / other channel and sends it to the external end user.
    5. External user receives the email and downloads the attachment.
    6. External user opens the document with Word.
    7. External user will be prompted to enter their credentials.
       Note: If the external user has a Microsoft Azure identity, he will automatically be able to see the document, as he is already signed in to the Office application.
    8. User will be shown the "We couldn't find an account with that email address or phone number" error, as he is not part of the Azure AD tenant.
    9. Users need to register for RMS for individuals.
       User needs to navigate to the below URL to start the RMS for individuals registration. Then the user enters the organizational email.
       https://aka.ms/rms-signup
    10. User needs to provide an option and input his mobile number for confirmation.
    11. User will receive an OTP in his organization email and he needs to enter it to sign up.
    12. User needs to select yes if he is using the same email.
    13. User needs to input his information and select a password for the new Microsoft account.
        Note: If this is the first user registering for this, an Azure AD orphan tenant will be created in the background based on the selection of the country.
    14. He shall again receive a confirmation code in his email for filling in the form.
    15. Once done, Microsoft will create the account and the status will be as shown.
    16. Once completed, you will see the Azure Information Protection client to download.
        Note: This is required if the user needs to read only and doesn't have Microsoft Office applications.
    17. The user will open the Word document again and input his company email again along with the newly created password.
    18. The document will now be opened and the labels are applied based on the policy applied.

    1 person found this answer helpful.

1 additional answer

  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-03-03T06:21:58.407+00:00

    @shini

    Thank you for reaching out to us. If I understand your question, you are looking for the "process to share encrypted documents with external users".

    This article has the steps/screenshots on secure external collaboration: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/secure-external-collaboration-using-sensitivity-labels/ba-p/1680498

    Following are the options we have for distribution of encrypted documents with external counterparties:

    One option is to create these guest accounts yourself. You can specify any email address that these users already use. For example, their Gmail address.
    The advantage of this option is that you can restrict access and rights to specific users by specifying their email address in the encryption settings. The downside is the administration overhead for the account creation and coordination with the label configuration.

    Another option is to use SharePoint and OneDrive integration with Azure AD B2B so that guest accounts are automatically created when your users share links.
    The advantage of this option is minimum administrative overhead because the accounts are created automatically, and simpler label configuration. For this scenario, you must select the encryption option Add any authenticated user because you won't know the email addresses in advance. The downside is that this setting doesn't let you restrict access and usage rights to specific users.

    https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide#:~:text=Sharing%20encrypted%20documents%20with%20external%20users

    https://learn.microsoft.com/en-us/azure/information-protection/prepare#:~:text=Assigning%20usage%20rights%20and%20access%20controls%20to%20external%20users

    https://learn.microsoft.com/en-us/azure/information-protection/secure-collaboration-documents#:~:text=and%20external%20users.-,Example%20configuration%20for%20a%20label%20to%20apply%20protection%20to%20support%20internal%20and%20external%20collaboration,-This%20example%20walks

    Let me know if the above information helps or you have any questions.
