Label-Based Encryption Blocks Guest Access: Root Cause and Fix

When you share a SharePoint document with a guest user, they may see a blank page or an access denied error. This often happens when a sensitivity label applies encryption to the file. The label encrypts the document in a way that blocks external users. This article explains why label-based encryption blocks guest access and provides step-by-step fixes to resolve the issue.

Key Takeaways: Fixing Label-Based Encryption for Guest Access

  • Sensitivity label encryption settings: Labels with “Assign permissions now” encrypt files and block guests unless the label is configured to allow external users.
  • Microsoft Purview compliance portal > Labels: The label must be set to allow access to external users or use a custom permission template that includes guests.
  • SharePoint sharing policy: External sharing must be enabled at the tenant and site level for guest access to work.

Why Label-Based Encryption Blocks Guest Access

Sensitivity labels in Microsoft 365 protect content by applying encryption, marking, or both. When you apply a label that uses encryption, the label controls who can open and edit the document. By default, encryption restricts access to users inside your organization. Guest users are not part of your Azure AD tenant, so they cannot decrypt the file.

The root cause is the encryption configuration on the label. Labels can encrypt content using one of two methods:

Assign Permissions Now

This method lets you choose specific users or groups who can access the document. If you select only internal users or a group that excludes guests, the label blocks all external access. Even if you share the file through SharePoint, the encryption prevents the guest from opening it.

Let Users Assign Permissions

This method gives the document owner control over permissions. The owner can add guest users manually. However, SharePoint sharing does not automatically add guests to the encryption permissions. The guest still sees an access denied message until the owner updates the encryption list.

In both cases, the label encryption overrides SharePoint sharing permissions. The guest can see the file in the browser, but the encryption blocks the content from loading.

Steps to Fix Label-Based Encryption for Guest Access

You must change the label configuration or the document permissions to allow guest access. Choose one of the following methods based on your situation.

Method 1: Modify the Sensitivity Label to Allow External Users

This method requires global admin or compliance admin privileges. You change the label so that encryption permissions include guest users.

  1. Sign in to the Microsoft Purview compliance portal
    Go to https://compliance.microsoft.com and sign in with admin credentials.
  2. Open the label configuration
    Select Information protection from the left menu. Then click Labels. Find the label that blocks guest access and click it to open the settings.
  3. Edit the encryption settings
    Under Define protection settings, click Edit next to encryption. In the encryption settings, select Configure encryption settings.
  4. Change the user access list
    If the label uses Assign permissions now, click Assign permissions. Remove any groups that exclude guests and add a group that includes guest users. You can also select All authenticated users to allow any authenticated user, including guests.
  5. Save and publish the label
    Click Save and then Publish the label. Changes may take up to 24 hours to apply to existing documents. To force an update, reapply the label to the document.

Method 2: Reapply the Label with Guest Permissions

If you cannot change the label, you can reapply it to the specific document with custom permissions that include the guest.

  1. Open the document in SharePoint or OneDrive
    Navigate to the file location and open it in the browser.
  2. Apply a label that supports custom permissions
    If the current label uses Let users assign permissions, you can change the permissions. Click Edit on the label bar at the top of the document. Select a different label that allows guest access, or choose the same label and then click Assign permissions.
  3. Add the guest user to the encryption permissions
    In the permissions dialog, enter the guest email address and select the appropriate access level. Click Apply.
  4. Save the document
    Save the file to apply the new permissions. The guest can now open the file.

Method 3: Remove Encryption from the Label

If guest access is more important than encryption, you can remove encryption from the label entirely. This method is suitable for labels that do not require data protection.

  1. Edit the label in the Purview portal
    Follow steps 1 and 2 from Method 1 to open the label settings.
  2. Turn off encryption
    Under Define protection settings, uncheck Encrypt content. Click Save.
  3. Publish the label
    Click Publish to apply the change. Documents that already have the label will lose encryption, and guests can access them.

If Guest Access Still Fails After the Fix

SharePoint External Sharing Is Disabled

Even with the correct label, guest access requires SharePoint external sharing to be enabled. Check the tenant-level and site-level sharing settings.

In the SharePoint admin center, go to Policies > Sharing. Ensure the external sharing level is set to Anyone or New and existing guests. For the specific site, go to Active sites, select the site, and click Sharing. Set the external sharing level to match the tenant policy.

Guest User Does Not Have a Microsoft Account

Guests must have a Microsoft account or be invited as a B2B collaboration user in Azure AD. If the guest uses a non-Microsoft email address, they must verify their identity. Send the guest a new sharing invitation from SharePoint. If the guest still cannot access the file, check the guest user's status in Azure AD. The guest must accept the invitation and complete the verification process.

Document Is Encrypted with a Different Label

Multiple labels may apply to the same document. Check the document properties. If another label with encryption is applied, it may override the one you modified. Remove all labels and apply only the corrected label.

Label Encryption vs SharePoint Sharing: Key Differences

| Item | Label Encryption | SharePoint Sharing |
|---|---|---|
| Scope | Applies to the file content directly | Controls access to the file location |
| Guest access | Blocks guests unless configured | Allows guests if sharing is enabled |
| Permission management | Managed in the label or document info panel | Managed in SharePoint site settings |
| Override behavior | Encryption overrides SharePoint permissions | Does not override encryption |

Label encryption and SharePoint sharing work independently. Encryption always takes priority. To allow guest access, you must configure the label to include external users.

After you fix the label or document permissions, test the access by sending a sharing link to a guest email address. The guest should be able to open the document without errors. If the problem persists, review the label encryption settings and the SharePoint sharing policy for your tenant.
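A read-only review of both controls, as an added example that is not part of the original article: it reads the label's encryption settings from Security & Compliance PowerShell and the tenant and site sharing levels from the SharePoint Online Management Shell, then reports which layer stops the guest. The label name, URLs and guest address are placeholders, and the property names read from `Get-Label -IncludeDetailedLabelActions` are assumed to mirror the `Set-Label` parameters of the same name.

```powershell
# Added example: read-only audit of label encryption and SharePoint sharing.
# Placeholders (not from the article): replace with your own values.
$LabelName = 'Confidential - Partners'
$SiteUrl   = 'https://contoso.sharepoint.com/sites/deals'
$AdminUrl  = 'https://contoso-admin.sharepoint.com'
$Guest     = 'alex@fabrikam.example'          # constructed guest address

Connect-IPPSSession                            # ExchangeOnlineManagement module
Connect-SPOService -Url $AdminUrl              # SharePoint Online Management Shell

# --- Layer 1: label encryption ---
# Assumption: -IncludeDetailedLabelActions exposes the encryption settings as
# properties named like the Set-Label parameters.
$label  = Get-Label -Identity $LabelName -IncludeDetailedLabelActions
$rights = [string]$label.EncryptionRightsDefinitions
$domain = ($Guest -split '@')[1]

$labelFinding =
    if ("$($label.EncryptionEnabled)" -ne 'True') {
        'Label does not encrypt: encryption is not what blocks the guest.'
    } elseif ("$($label.EncryptionProtectionType)" -eq 'UserDefined') {
        'Let users assign permissions: the owner must add the guest on the document.'
    } elseif ($rights -match 'AuthenticatedUsers') {
        'All authenticated users: guests can decrypt, and so can any other authenticated account.'
    } elseif ($rights -match [regex]::Escape($Guest) -or
              $rights -match [regex]::Escape($domain)) {
        'Assign permissions now: the guest or their domain is on the rights list.'
    } else {
        'Assign permissions now: guest is NOT on the rights list, encryption blocks access.'
    }

# --- Layer 2: SharePoint external sharing (tenant and site) ---
# "New and existing guests" = ExternalUserSharingOnly, "Anyone" = ExternalUserAndGuestSharing
$guestCapable = 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing'
$tenantCap = "$((Get-SPOTenant).SharingCapability)"
$siteCap   = "$((Get-SPOSite -Identity $SiteUrl).SharingCapability)"

[pscustomobject]@{
    Label            = $LabelName
    LabelFinding     = $labelFinding
    TenantSharing    = $tenantCap
    TenantAllowsNew  = $tenantCap -in $guestCapable
    SiteSharing      = $siteCap
    SiteAllowsNew    = $siteCap -in $guestCapable
} | Format-List
```

The script changes nothing in the tenant. A finding of "All authenticated users" deserves a second look before you rely on it, because that entry admits any authenticated account that obtains the file, not only the guests you invited.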
