Mail contacts in groups have intermittent access to encrypted content
Note
Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement.
Symptoms
Consider the following scenario:
- You're working with some content that's encrypted by the Azure Information Protection service.
- Usage rights are assigned to a group that contains mail contacts.
In this scenario, the mail contacts lose access to the encrypted content or have only intermittent access to the content.
Note: A typical way to apply this encryption is to use sensitivity labels that are created and published from the Microsoft Purview compliance portal.
Cause
This issue occurs because of a known issue that affects mail contacts in groups that are assigned usage rights.
In this case, the mail contacts are users outside your organization who have an Azure Active Directory (Azure AD) object type of Contact instead of User. In the Exchange admin center, these contacts display a Contact Type of MailContact.
To verify the object type for group members, run the following Get-AzureADGroupMember cmdlet:
Get-AzureADGroupMember -ObjectId <ObjectID>| fl
Note: In this cmdlet, replace <ObjectID> with the affected group ID. To obtain the group ID, open the group from the Azure portal. In the output, check whether the ObjectType attribute displays User or Contact for each group member.
Workaround
Add users who are outside your organization as guest users instead of as mail contacts in the existing group that you have granted usage rights and access to. Alternatively, specify the affected mail contacts directly instead of using the existing group.