Encrypted e-mail error AADSTS90072

I was sent an encrypted e-mail.  The sender is also using Office 365.
If I go into portal.office.com and look at Outlook online, I can read this e-mail FINE.  It's me, logged into my Office 365, reading my e-mail without incident.

Now when I try to open it in my Outlook client, it hassles me to verify my username and password, does not prompt me for my MFA code, then fails to sign in with error AADSTS90072.

What am I doing wrong?

I get this AADSTS90072 error that my e-mail doesn't exist in the sender's tenant.  Of course my e-mail doesn't exist in their tenant.  It exists in my tenant.  They sent the e-mail to *** Email address is removed for privacy *** ...


Hi Jason Brown,

Based on the error messages, there might be a conditional access policy in the sender tenant that was created before enabling Azure Information Protection. That policy might enable MFA for guest accounts, requiring all guests and external users to authenticate with MFA for all cloud apps.

And since Azure Information Protection-protected mails cannot be opened unless the user is added as a guest on the sending tenant, when the account that you sign in with doesn't exist on the tenant that you signed into, you can't satisfy the MFA requirements for that tenant.

If that is the case, please contact the sender and ask their administrator to exclude the Microsoft Azure Information Protection cloud app from these policies. Also ask them to add you as a guest account in their tenant, then sign out and sign in with a different Azure AD user account to check the result.

For your reference: Azure AD Authentication and authorization error codes.

Best regards,

Jennifer

---------------------
* Beware of scammers posting fake support numbers here.

* Kindly Mark and Vote this reply if it helps please, as it will be beneficial to more Community members reading here.

2 people found this reply helpful

Hi Jason Brown,
Feel free to let me know if you need further suggestions.


Regards,

Jennifer

Is the O365 secure mail feature not meant to pass e-mail from an e-mail address on one tenant to an e-mail address on another tenant?

If it is truly working as intended, I'll pass that along.  
My people are just super confused about why the client cannot use the send-secure feature to send mail from their e-mail addresses to our e-mail addresses, and since they can view those e-mails in OWA, it 'feels' like it's 'kinda' working.

Hi Jason Brown,

Using AIP with Exchange Online provides the additional benefit of sending protected emails to any internal or external users. These emails should be encrypted at rest and in transit, and be read only by the original recipients. 

And when sending encrypted emails to external users with AIP, it requires Office 365 Message Encryption capabilities. If the recipients cannot open the protected email in their native email client, let's say the Outlook desktop client, they can use a one-time passcode to read the sensitive information in a browser. Therefore, users will still be able to view encrypted messages in OWA.

However, if you also want to read encrypted messages in the Outlook desktop client, you need to contact the sender and ask their administrator to add your external user accounts as guest users in their tenant, or to exclude the Microsoft Azure Information Protection cloud app as I suggested in my previous reply.

For your reference: What is Azure Information Protection?

Best regards,

Jennifer

Hi Jason Brown,

Do you have any other concerns?

Regards,

Jennifer

Jason - I'm seeing the exact same behavior in my tenant.  OWA and Outlook mobile work fine for reading messages protected with OME.  Outlook desktop client asks for credentials and I get the same error. This does not feel like behavior that is supposed to happen.   OME should bring the user to a browser if it can't read the OME 'Encrypt Only' template properly in Outlook.  

Could someone from MS or with prior experience please provide detail on HOW to exclude AIP from the appropriate conditional access policy in order for this to work correctly?  

Ideally with a least access necessary implementation...

I think I understand what the issue is but then I wonder: why AIP/OME would NOT add the user as a guest in the directory much like sending a onedrive link to an external user would?

To exclude AIP from your existing Require-MFA Conditional Access policy:

If you want to still require it for internal users (good idea), make another policy just for AIP, and exclude guests and external users:

8 people found this reply helpful
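The two-policy layout described in the reply above, which is also the exclusion Jennifer suggests earlier in the thread, expressed with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original thread or from Microsoft. It assumes you hold a Conditional Access administrator role in the SENDING tenant, that the Microsoft.Graph module is installed, that the AIP cloud app's service principal is named "Microsoft Azure Information Protection" (it is resolved by display name rather than hard-coding an application ID), and a placeholder break-glass account object ID that you replace with your own. Both policies are created in report-only mode so they can be reviewed before enforcement.

```powershell
# Added example (not from the original thread): two Conditional Access policies
# so that OME/AIP-protected mail opens in Outlook desktop for recipients from
# other tenants, while MFA stays enforced for this tenant's own members.
#
# Assumptions (see lead-in): Conditional Access admin in the sending tenant,
# Microsoft.Graph module installed, AIP service principal named
# "Microsoft Azure Information Protection", and a placeholder break-glass
# account object ID below that you must replace.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: object ID of your emergency-access account. Replace before running.
$breakGlassId = "<break-glass-account-object-id>"

# 1. Resolve the AIP cloud app's appId by display name instead of hard-coding a GUID.
$aip = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Azure Information Protection'"
if (-not $aip) {
    throw "AIP service principal not found; check the display name under Enterprise applications."
}
$aipAppId = $aip.AppId

# 2. Baseline: MFA for all users on all cloud apps, with the AIP app excluded.
#    External recipients are then no longer asked to satisfy MFA in a tenant
#    where they have no account, which is what produces AADSTS90072 in the thread.
$baseline = @{
    displayName = "CA01 - Require MFA for all cloud apps (excl. AIP)"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($aipAppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# 3. Companion policy: MFA on the AIP app for members only.
#    "GuestsOrExternalUsers" is the built-in selector for all guest and external
#    users, so internal users remain covered and external recipients are not.
$aipOnly = @{
    displayName = "CA02 - Require MFA for AIP (members only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers = @("All")
            excludeUsers = @("GuestsOrExternalUsers", $breakGlassId)
        }
        applications = @{
            includeApplications = @($aipAppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $baseline
New-MgIdentityConditionalAccessPolicy -BodyParameter $aipOnly

# 4. Verification: sign-ins that still fail with AADSTS90072 appear in this
#    tenant's sign-in log with errorCode 90072. Review the last 7 days.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "status/errorCode eq 90072 and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
        @{ n = 'Policies'; e = { $_.AppliedConditionalAccessPolicies.DisplayName -join '; ' } }
```

Leave both policies in report-only mode until the sign-in log shows no member sign-ins to AIP that would have been blocked, then switch `state` to `enabled`. The net effect is least-privilege in the sense the thread asks for: members still need MFA everywhere, including for AIP, and the only thing relaxed is the MFA demand placed on external recipients who cannot satisfy it in a tenant where they have no account.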

Question info: last updated September 8, 2021; 3,196 views.