Forum Discussion
GrahamP67
Oct 10, 2023 Copper Contributor
Outlook Encrypted Email Issues
I have deployed M365 DLP controls to block password protected attachments that cannot be scanned and am telling users to use Outlook Encryption instead to protect outgoing email attachments. However,...
MathieuVandenHautte
Oct 10, 2023 Steel Contributor
Hi GrahamP67,
First of all, the error code AADSTS90072:
"...The external account that the user signs in with doesn't exist on the tenant that they signed into; so the user can't satisfy the MFA requirements for the tenant... The account must be added as an external user in the tenant first"
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-error-codes
Emails can only be opened in the Outlook Desktop App when the recipients are added as Azure guests to your tenant. This is by design. Please note that the behavior possibly is different in the Outlook Mobile App or in Outlook on the web.
You might also need to exclude "Microsoft Azure Information Protection" cloud app from CA policies that enforce multifactor authentication on your tenant.
GrahamP67
Oct 10, 2023 Copper Contributor
Thanks, this is helpful.
I don't want them to have guest accounts, so I guess I need to work out what is driving the MFA requirement - will that be on my side?
- LuisLopez1981 Feb 02, 2024 Copper Contributor
Did you ever figure out what was driving the MFA requirement? I'm facing a similar issue for a client that is sending encrypted emails to outside parties and they are unable to open the encrypted email, prompting to log in.
We do have conditional access policies in place and I'm thinking one of these policies is the cause.
- TonyRedmond Feb 07, 2024 MVP
A couple of things can happen here when conditional access policies enforce MFA for all cloud apps. First, the external recipient does not have an Entra ID account. They can't sign in and can't satisfy the MFA challenge, so their attempt to sign in is rejected.
Second, the recipient has an Entra ID account and can sign in. However, when Outlook desktop attempts to secure a use license to decrypt the email, the client request to the Microsoft Rights Management Services app on the originating tenant (not the user's tenant) cannot satisfy an MFA challenge and ends up with access denied. In this instance, Outlook reverts to displaying the protected wrapper for the message and the recipient can go to the OME portal to read the content.
The workaround is to exclude the Microsoft Rights Management Service app from the CA policy that imposes MFA for cloud apps...
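The following script is an added example, not code posted in this thread, that audits a tenant for the condition Tony describes: an enabled Conditional Access policy that requires MFA for all cloud apps without excluding the Rights Management Services app. It assumes the Microsoft Graph PowerShell SDK is installed, that the account running it has consented to the Policy.Read.All, Application.Read.All and (for remediation) Policy.ReadWrite.ConditionalAccess scopes, and that the first-party service principal is registered in the tenant under the display name "Microsoft Rights Management Services" (the name is looked up rather than hard-coded, so the script fails loudly if the assumption is wrong). The `Find-RmsMfaConflict` and `Add-RmsExclusion` function names are this example's own.

```powershell
# Added example (not from the thread). Audits Conditional Access policies for the
# "MFA for all cloud apps, RMS app not excluded" pattern that breaks external
# recipients opening OME-protected mail in Outlook desktop, and optionally applies
# the exclusion that the reply above describes as the workaround.
# Assumes: Microsoft.Graph PowerShell SDK; Policy.Read.All + Application.Read.All
# consent (plus Policy.ReadWrite.ConditionalAccess when -Remediate is used).

Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All", "Policy.ReadWrite.ConditionalAccess"

function Get-RmsAppId {
    # Resolve the first-party app by display name instead of hard-coding its GUID.
    # Display name assumed to match what the Entra portal shows for the RMS cloud app.
    $sp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Rights Management Services'"
    if (-not $sp) { throw "Rights Management Services service principal not found in this tenant" }
    return $sp.AppId
}

function Find-RmsMfaConflict {
    param([string]$RmsAppId)

    # Only enabled policies enforce anything; report-only policies are skipped here.
    $policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' }

    foreach ($p in $policies) {
        $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
        $allApps     = $p.Conditions.Applications.IncludeApplications -contains 'All'
        $excludesRms = $p.Conditions.Applications.ExcludeApplications -contains $RmsAppId

        if ($requiresMfa -and $allApps -and -not $excludesRms) {
            [pscustomobject]@{
                PolicyId    = $p.Id
                DisplayName = $p.DisplayName
                Finding     = 'Requires MFA for all cloud apps; RMS app not excluded'
            }
        }
    }
}

function Add-RmsExclusion {
    param([string]$PolicyId, [string]$RmsAppId)

    # Re-send the whole applications object: include/exclude lists are replaced as a unit,
    # so the existing entries are carried over rather than dropped.
    $p    = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $apps = $p.Conditions.Applications
    $exclude = @($apps.ExcludeApplications) + $RmsAppId

    $body = @{
        conditions = @{
            applications = @{
                includeApplications = @($apps.IncludeApplications)
                excludeApplications = $exclude
                includeUserActions  = @($apps.IncludeUserActions)
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter $body
}

# Usage: audit first, then remediate only the policies you have reviewed.
$rmsAppId  = Get-RmsAppId
$conflicts = Find-RmsMfaConflict -RmsAppId $rmsAppId
$conflicts | Format-Table -AutoSize

# Uncomment to apply the exclusion to every flagged policy:
# foreach ($c in $conflicts) { Add-RmsExclusion -PolicyId $c.PolicyId -RmsAppId $rmsAppId }
```

Excluding the RMS app only removes the MFA prompt for the use-license request; users still authenticate to the originating tenant, so the change is narrow. Keeping the audit separate from the remediation step makes it easy to confirm which policy is actually the cause before editing it, and the same audit can be rerun after the change to verify the exclusion landed.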
- LuisLopez1981 Feb 08, 2024 Copper Contributor
Thank you! this worked.
- MathieuVandenHautte Oct 10, 2023 Steel Contributor
Hi GrahamP67,
Since you are sending the emails, it has to be done at your end.