Label-Based Encryption Blocks Guest Access: Admin Checklist

When you apply a sensitivity label that includes encryption to a SharePoint document, guest users may lose access even if the site permissions allow sharing. This happens because the label’s encryption settings override the site-level sharing policy. In this article, you will learn why label-based encryption blocks guest access and how to identify and fix the problem using the SharePoint admin center and Microsoft Purview compliance portal.

Key Takeaways: Admin Checklist for Label Encryption and Guest Access

  • Microsoft Purview > Information Protection > Label policies: Review encryption settings for each label that blocks guest access.
  • SharePoint admin center > Active sites > Site permissions: Check if guest sharing is enabled at the site level.
  • Label encryption > Assign permissions now: Add guest users or groups to the label’s allow list to restore access.


Why Label-Based Encryption Overrides Site Sharing Permissions

SharePoint site permissions control whether external users can access the site. When you apply a sensitivity label with encryption to a document, the label’s permissions take priority over the site-level settings. This means a guest who has site access through a sharing link or direct invitation may still be blocked from opening the document if the label does not explicitly include that guest.

Encryption in sensitivity labels uses Azure Rights Management. The label defines who can view, edit, or copy the content. If the label’s encryption settings restrict access to only internal users or specific groups, any guest user who tries to open the document will see an access denied message. The guest is not listed in the label’s permissions, so the encryption layer rejects the request before SharePoint checks site permissions.

How Encryption Overlap Works

SharePoint checks permissions in this order: label encryption first, then site permissions. If the label blocks the user, SharePoint never evaluates site permissions. This behavior is by design to protect sensitive content. As an admin, you must coordinate label encryption settings with your guest sharing policies.

Checklist to Identify and Fix Guest Access Blocked by Label Encryption

Use the following steps to diagnose and resolve guest access issues caused by label-based encryption. Perform each step in order.

  1. Confirm the guest access error
    Ask the guest user to reproduce the error. The user should see a message similar to “You don’t have permission to open this document” or “Access denied.” Note the exact error text. If the guest can access other documents on the same site, the issue is likely label-specific.
  2. Identify which label is applied to the document
    Sign in to the SharePoint site with admin credentials. Navigate to the document library and open the document in the browser. In the document metadata or the information panel, check the Sensitivity column. If the column is not visible, add it through the library settings. Write down the label name.
  3. Open the label in Microsoft Purview compliance portal
    Go to Microsoft Purview compliance portal and select Information Protection > Labels. Find the label identified in step 2. Click the label to open its settings.
  4. Check encryption settings on the label
    In the label configuration, scroll to the Encryption section. If encryption is turned off, the label is not blocking guest access. If encryption is turned on, click Edit to view the permissions. Look for the option “Assign permissions now” or “Let users assign permissions.” If “Assign permissions now” is selected, review the user and group list for any guest users or external groups.
  5. Verify site-level guest sharing settings
    Open the SharePoint admin center at https://admin.microsoft.com/SharePoint. Go to Active sites and select the site where the document resides. Click Settings and scroll to the External sharing section. Ensure that the sharing setting is not set to “Only people in your organization.” For guest access to work, the site must allow sharing with new and existing guests.
  6. Add the guest user to the label’s encryption permissions
    If the label uses “Assign permissions now,” return to the label settings in Purview. Click Edit next to Encryption. Under Assign permissions now, click Assign permissions. Add the guest user’s email address or an external group that contains the guest. Set the desired permission level (for example, Viewer or Reviewer). Save the label settings and republish the label policy if required.
  7. Test guest access after the change
    Ask the guest user to access the document again. If the user still cannot open it, verify that the label policy has been applied to the site. Label policy propagation can take up to 24 hours. You can force a policy refresh by using the SharePoint Online Management Shell command Set-SPOSite -Identity -SensitivityLabel .


What to Check If Guest Access Remains Blocked

Guest user is not in the same Azure AD tenant

Label encryption works by evaluating Azure AD user objects. If the guest user was invited to the SharePoint site but does not have a corresponding Azure AD B2B guest object, the label cannot resolve the user. Go to Azure AD > Users > All users and verify the guest user appears. If not, re-invite the guest through SharePoint site sharing.
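The checks in steps 4 and 5 of the checklist (label encryption permissions and site-level sharing) together with the guest-object check just described, as one PowerShell script. This is an added example written for this article, not Microsoft's code and not part of the original text. It assumes the SharePoint Online Management Shell, the ExchangeOnlineManagement module (for Connect-IPPSSession and Get-Label) and Microsoft.Graph.Users are installed and that the account running it holds SharePoint admin and Compliance admin roles; the tenant, site, label and guest values are placeholders, and the string shape assumed for EncryptionRightsDefinitions ("identity:RIGHT,RIGHT;identity:RIGHT") is an assumption to confirm against your own label output.

```powershell
# Added example (not from the article or from Microsoft): scripted version of
# checklist steps 4-5 plus the Entra ID guest-object check. All values below
# are placeholders.
param(
    [string]$AdminUrl  = "https://contoso-admin.sharepoint.com",          # placeholder tenant
    [string]$SiteUrl   = "https://contoso.sharepoint.com/sites/Finance",  # placeholder site
    [string]$LabelName = "Confidential - Partners",                       # placeholder label
    [string]$GuestMail = "partner@fabrikam.example",                      # placeholder guest
    [switch]$Apply                                                        # actually change the label
)

Connect-SPOService -Url $AdminUrl
Connect-IPPSSession
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# Step 5: site-level external sharing. 'Disabled' is the portal's
# "Only people in your organization"; guests are stopped here before any label.
$site = Get-SPOSite -Identity $SiteUrl
switch ("$($site.SharingCapability)") {
    'Disabled' {
        $findings.Add("Site sharing is 'Only people in your organization'")
    }
    'ExistingExternalUserSharingOnly' {
        $findings.Add("Site allows existing guests only; the guest must already be in the directory")
    }
}

# Guest-object check: label encryption resolves directory user objects, so a
# guest who only ever received a link may have no object for the label to match.
$guest = Get-MgUser -Filter "mail eq '$GuestMail'" -Property Id,UserPrincipalName,UserType
if (-not $guest) {
    $findings.Add("No directory object for $GuestMail; re-invite through site sharing")
} elseif ($guest.UserType -ne 'Guest') {
    $findings.Add("$GuestMail resolved to a $($guest.UserType) account, not a B2B guest")
}

# Step 4: label encryption. Compare the label's fixed grantees (users or whole
# domains) with the guest's address and domain.
$label   = Get-Label -Identity $LabelName
$covered = $true
if (-not $label.EncryptionEnabled) {
    $findings.Add("Label '$LabelName' does not encrypt; this label is not the blocker")
} elseif ([string]::IsNullOrWhiteSpace($label.EncryptionRightsDefinitions)) {
    $findings.Add("Label '$LabelName' encrypts but has no fixed rights list; check its Encryption section in Purview")
} else {
    $grantees = ($label.EncryptionRightsDefinitions -split ';') |
        ForEach-Object { ($_ -split ':')[0].Trim().ToLowerInvariant() }
    $guestDomain = ($GuestMail -split '@')[1].ToLowerInvariant()
    $covered = ($grantees -contains $GuestMail.ToLowerInvariant()) -or ($grantees -contains $guestDomain)
    if (-not $covered) {
        $findings.Add("Label '$LabelName' encrypts but grants nothing to $GuestMail or $guestDomain")
    }
}

if ($findings.Count -eq 0) {
    "No blocking condition found by these checks; continue with the remaining items in the article."
} else {
    $findings | ForEach-Object { "[!] $_" }
}

# Step 6: add the guest as a viewer. VIEW,VIEWRIGHTSDATA is assumed to match the
# portal's Viewer preset; verify before relying on it. Without -Apply the
# script only prints the command it would run.
if ($label.EncryptionEnabled -and -not $covered) {
    $existing = "$($label.EncryptionRightsDefinitions)".Trim(';')
    $newDefs  = (@($existing, "${GuestMail}:VIEW,VIEWRIGHTSDATA") | Where-Object { $_ }) -join ';'
    $cmd = "Set-Label -Identity '$LabelName' -EncryptionRightsDefinitions '$newDefs'"
    if ($Apply) { Invoke-Expression $cmd } else { "Proposed fix (rerun with -Apply): $cmd" }
}
```

Run it once without -Apply to read the findings, then confirm the proposed Set-Label line against the label's Encryption page before applying it; republish the label policy afterwards if the portal asks for it, and allow the propagation window described in step 7.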

Label is published to a specific group that excludes the site

A label policy can be scoped to specific users or groups. If the site’s members are not included in the label policy, the label may not be applied correctly. Check the label policy in Purview > Information Protection > Label policies. Ensure the site’s owner group or all users group is included.

Document has a custom encryption that overrides the label

If a user manually applied custom encryption to a document (for example, through the Azure Information Protection client), that encryption may persist even after a label is applied. Use the Microsoft 365 admin center to check the document’s encryption status. If custom encryption exists, remove it by re-saving the document without custom permissions.

Sensitivity Label Encryption vs Site Guest Sharing: Quick Comparison

Item                        | Sensitivity Label Encryption                    | Site Guest Sharing
----------------------------|-------------------------------------------------|------------------------------------------
Scope                       | Applies to individual documents or emails       | Applies to the entire SharePoint site
Permission evaluation order | Evaluated first                                 | Evaluated only if the label permits access
Guest user inclusion        | Must be explicitly added to label permissions   | Controlled by site sharing settings
Configuration location      | Microsoft Purview compliance portal             | SharePoint admin center
Propagation time            | Up to 24 hours after a label policy update      | Instant for sharing link changes

Now you can identify whether label encryption is blocking guest access and apply the correct fix. Start by verifying the label’s encryption permissions in Microsoft Purview. If the label uses “Assign permissions now,” add the guest user or an external group to the allow list. For ongoing management, create a label policy that includes guest users by default when encryption is required. As an advanced tip, use Azure AD dynamic groups to automatically include guest users in label permissions based on their email domain.
