Symptoms
External users who are mail contacts in a Microsoft 365 group report that they have no access, or only intermittent access, to encrypted content.
Cause
This known issue affects mail contacts in groups that have usage rights to content that's encrypted by Microsoft Purview Information Protection.
Note: Encryption is commonly applied by using sensitivity labels that are created and published from the Microsoft Purview portal.
Workaround
Use the following steps to work around the issue:
Identify all group members that are mail contacts:
Run the following PowerShell cmdlets to connect to Microsoft Graph PowerShell:
    Install-Module Microsoft.Graph.Groups -Scope CurrentUser -Force
    Connect-MgGraph -Scopes "Group.Read.All", "GroupMember.Read.All"
Run the following PowerShell commands to verify the object type for each group member:
    # Specify the DisplayName of the group.
    $groupDisplayName = "<group DisplayName>"

    # Get the group ID.
    $groupId = (Get-MgGroup -Filter "displayName eq '$groupDisplayName'").Id

    # List group members including their Id, DisplayName, and ObjectType.
    Get-MgGroupMember -GroupId $groupId -All |
        Select-Object -Property Id,
            @{Name='DisplayName';Expression={$_.AdditionalProperties.'displayName'}},
            @{Name='ObjectType';Expression={$_.AdditionalProperties.'@odata.type'}} |
        FL
The following command output lists the group members, showing whether they're mail contacts or users:
    Id          : c0a70f60-9927-4841-9e10-ef58455422e1
    DisplayName : Erwin Mendosa
    ObjectType  : #microsoft.graph.user

    Id          : 34b63b74-66f7-4be1-ab7f-b7f7d003e0c6
    DisplayName : Qamar Mounir
    ObjectType  : #microsoft.graph.orgContact
For each external user that's identified as a mail contact in the affected group, select one of the following options:
Convert to a guest: Add the external user to the group as a guest.
Grant direct permissions: Directly grant the external user permissions on the encrypted content rather than through group membership.
Remove the mail contacts from the group.
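To narrow the member listing from the first step down to only the accounts that need one of these options, the following added example (not part of the original article) returns just the members whose object type is #microsoft.graph.orgContact. It assumes Connect-MgGraph has already been run with the scopes shown earlier; the function name Get-GroupMailContact and the Mail column are illustrative choices, and it also handles the case where more than one group shares the same DisplayName.

```powershell
# Added example: list only the mail contacts (orgContact objects) in a group.
# Assumes an existing Connect-MgGraph session with Group.Read.All and GroupMember.Read.All.
function Get-GroupMailContact {
    param(
        [Parameter(Mandatory)]
        [string]$GroupDisplayName
    )

    # Double any single quote so the OData filter string stays valid.
    $escaped = $GroupDisplayName.Replace("'", "''")

    # displayName is not unique, so the filter can return several groups.
    $groups = @(Get-MgGroup -Filter "displayName eq '$escaped'" -All)
    if ($groups.Count -eq 0) {
        throw "No group found with DisplayName '$GroupDisplayName'."
    }

    foreach ($group in $groups) {
        Get-MgGroupMember -GroupId $group.Id -All |
            Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.orgContact' } |
            ForEach-Object {
                [pscustomobject]@{
                    GroupId     = $group.Id
                    GroupName   = $group.DisplayName
                    ContactId   = $_.Id
                    DisplayName = $_.AdditionalProperties.'displayName'
                    # Mail can be empty if Graph returns only limited details for the member.
                    Mail        = $_.AdditionalProperties.'mail'
                }
            }
    }
}

# Placeholder value: replace with the DisplayName of the affected group.
$contacts = @(Get-GroupMailContact -GroupDisplayName '<group DisplayName>')

if ($contacts.Count -eq 0) {
    Write-Output 'No mail contacts found in the group.'
} else {
    # Each row is an external user to convert to a guest, grant direct
    # permissions, or remove from the group.
    $contacts | Format-Table -AutoSize
}
```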