Mail contacts in groups have intermittent access to encrypted content

Symptoms

Consider the following scenario:

  • You're working with some content that's encrypted by the Azure Information Protection service.
  • Usage rights are assigned to a group that contains mail contacts.

In this scenario, the mail contacts lose access to the encrypted content or have only intermittent access to the content.

Note: A typical way to apply this encryption is to use sensitivity labels that are created and published from the Microsoft Purview compliance portal.

Cause

This is a known issue that affects mail contacts in groups that are assigned usage rights.

In this case, the mail contacts are users outside your organization who have a Microsoft Entra object type of Contact instead of User. In the Exchange admin center, these contacts display a Contact Type of MailContact.

To verify the object type for group members, run the following Get-AzureADGroupMember cmdlet:

Get-AzureADGroupMember -ObjectId <ObjectID> | fl

Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to the Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.

Note: In this cmdlet, replace <ObjectID> with the affected group ID. To obtain the group ID, open the group from the Azure portal. In the output, check whether the ObjectType attribute displays User or Contact for each group member.
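Because the article recommends moving to Microsoft Graph PowerShell, the following added example (not part of the original article) performs the same member check with the Microsoft Graph PowerShell SDK instead of the deprecated Azure AD module. It assumes the Microsoft.Graph module is installed, that you can sign in with the GroupMember.Read.All scope, and that <GroupId> is replaced with the affected group's object ID. Group members come back as generic directory objects, so the member type is read from the @odata.type value in AdditionalProperties; #microsoft.graph.orgContact corresponds to the Contact object type that the article describes.

```powershell
# Added example, not from the original article. Lists the members of the group
# that holds the usage rights and flags members that are mail contacts
# (Microsoft Entra object type Contact) rather than users.
Connect-MgGraph -Scopes "GroupMember.Read.All"

$groupId = "<GroupId>"   # placeholder: replace with the affected group's object ID

# -All pages through groups with more than 100 members.
$members = Get-MgGroupMember -GroupId $groupId -All

$report = foreach ($m in $members) {
    $odataType = $m.AdditionalProperties['@odata.type']
    [pscustomobject]@{
        Id          = $m.Id
        DisplayName = $m.AdditionalProperties['displayName']
        Mail        = $m.AdditionalProperties['mail']
        ObjectType  = switch ($odataType) {
            '#microsoft.graph.user'       { 'User' }
            '#microsoft.graph.orgContact' { 'Contact' }
            '#microsoft.graph.group'      { 'Group' }
            default                       { $odataType }
        }
    }
}

$report | Format-Table -AutoSize

# Members of type Contact are the ones affected by the known issue.
$contacts = @($report | Where-Object { $_.ObjectType -eq 'Contact' })
if ($contacts.Count -gt 0) {
    Write-Warning ("{0} mail contact(s) found in group {1}; these members may lose access to encrypted content." -f $contacts.Count, $groupId)
} else {
    Write-Output "No mail contacts found in group $groupId."
}
```

Run the script in a session where the Microsoft.Graph module is available; any member reported as Contact is a candidate for the workaround in the next section (re-add as a guest user, or grant usage rights to the contact directly).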

Workaround

Add users who are outside your organization as guest users instead of as mail contacts in the existing group that you have granted usage rights and access to. Alternatively, specify the affected mail contacts directly instead of using the existing group.