Fix Issues with opening encrypted content from external organizations using Conditional Access
If an external organization sends you an encrypted email or file but also restricts remote access, for example by requiring multi-factor authentication for guest users, then the recipient cannot open the file or email. The recipient receives an error notification in the Outlook Desktop App that contains the codes CAA20004 and AADSTS90072 and the text “The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account”.
This problem also occurs if there are conditional access rules blocking remote/guest users from accessing AIP.
This is a super frustrating issue because the recipient cannot do anything about the problem; fixing it requires the sender to loosen restrictions on MFA or AIP.
It should not be possible to restrict access to AIP for guest users or external organizations. This defeats the whole purpose of AIP and of securing external communications and files.
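As an added example (not part of the original post), the following check reviews a tenant's Conditional Access policies, in the JSON shape returned by the Microsoft Graph conditionalAccess/policies endpoint, and flags enabled policies that would produce the behaviour described above: a policy that applies to guests or external users, covers the Rights Management service (either by targeting "All" cloud apps without excluding it, or by including it explicitly), and grants only "mfa" or "block". The policies are constructed sample data; the app ID constant is the well-known first-party ID for Microsoft Rights Management Services and should be verified against the enterprise applications list of your own tenant. The remediation the post implies, excluding that one app from the guest MFA/block policy, is shown as the second sample policy.

```python
"""Flag Conditional Access policies that stop guests from opening AIP/RMS-protected content.

Policies are dicts in the Microsoft Graph conditionalAccessPolicy shape.
The sample data below is constructed for this example.
"""

# Well-known first-party app ID for Microsoft Rights Management Services.
# Assumption: this is how the RMS/AIP service appears in your tenant; verify it.
RMS_APP_ID = "00000012-0000-0000-c000-000000000000"

# includeUsers values that pull guest/external users into scope.
GUEST_SCOPE = {"GuestsOrExternalUsers", "All"}
# Grant controls that make a guest's open attempt fail with CAA20004/AADSTS90072.
BREAKING_CONTROLS = {"mfa", "block"}


def policy_affects_guests(policy: dict) -> bool:
    """True when guests/external users are in scope and not explicitly excluded."""
    users = policy["conditions"]["users"]
    included = set(users.get("includeUsers", []))
    excluded = set(users.get("excludeUsers", []))
    return bool(included & GUEST_SCOPE) and "GuestsOrExternalUsers" not in excluded


def policy_covers_rms(policy: dict) -> bool:
    """True when the Rights Management app is in scope (via 'All' or explicitly)."""
    apps = policy["conditions"]["applications"]
    included = set(apps.get("includeApplications", []))
    excluded = set(apps.get("excludeApplications", []))
    return ("All" in included or RMS_APP_ID in included) and RMS_APP_ID not in excluded


def find_aip_breaking_policies(policies: list) -> list:
    """Return (displayName, sorted controls) for every enabled policy that would block guests from RMS."""
    hits = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # report-only or disabled policies do not enforce anything
        if not (policy_affects_guests(policy) and policy_covers_rms(policy)):
            continue
        controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
        breaking = controls & BREAKING_CONTROLS
        if breaking:
            hits.append((policy["displayName"], sorted(breaking)))
    return hits


# Constructed sample policies illustrating the three cases.
SAMPLE_POLICIES = [
    {   # Guest MFA over all apps: breaks external recipients opening protected content.
        "displayName": "Require MFA for guests",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Same policy with the Rights Management app excluded: guests can still open content.
        "displayName": "Require MFA for guests (RMS excluded)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": [RMS_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Explicit block of guests on the Rights Management app.
        "displayName": "Block guests from AIP",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"]},
            "applications": {"includeApplications": [RMS_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Disabled copy of the first policy: not enforced, so not reported.
        "displayName": "Require MFA for guests (disabled)",
        "state": "disabled",
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for name, controls in find_aip_breaking_policies(SAMPLE_POLICIES):
        print(f"{name}: guests cannot open RMS-protected content (controls: {', '.join(controls)})")
```

To run this against a live tenant, feed it the `value` array from `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` instead of `SAMPLE_POLICIES`. Excluding the Rights Management app from a guest policy is a deliberate trade-off: it keeps external recipients able to open protected content while MFA still applies to every other app.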