When you invite a guest user to a SharePoint site, they may receive a message that access is denied even though you set the correct sharing permissions. This problem often occurs because a Microsoft 365 sensitivity label applied to the site or its documents includes encryption that prevents external access. The label may restrict access to specific users or groups and block guests entirely. This article explains why label-based encryption overrides site permissions and what settings a site owner must verify to allow guest access.
Key Takeaways: What to Check When Label Encryption Blocks Guests
- Microsoft 365 compliance center > Sensitivity labels > Encryption settings: Controls whether guests can decrypt labeled content. Must be set to allow external users.
- SharePoint admin center > Active sites > Site sensitivity label: The label applied to a site can inherit encryption that blocks guests. Check the site’s current label assignment.
- Microsoft Purview Information Protection > Label policies > Published labels: Determines which labels users can apply. Ensure the label is published to the correct groups and includes guest-friendly encryption.
Why Label-Based Encryption Blocks Guest Access
Sensitivity labels in Microsoft 365 can enforce encryption on documents and sites. When a label is applied to a SharePoint site, the label’s encryption settings define who can read or edit content. If the label restricts access to users inside your organization only, any guest user who tries to access the site or a labeled document will be denied.
The root cause is that SharePoint permissions and sensitivity label encryption operate independently. SharePoint sharing settings may allow external sharing, but the label’s encryption acts as a separate layer. Even if a guest appears in the site’s member list, the encrypted content remains inaccessible to them. The label’s encryption rules are applied at the file level and override site-level permissions.
How Encryption Works in Sensitivity Labels
A sensitivity label uses Azure Rights Management to apply encryption. The label can assign specific users or groups as authorized viewers or editors. By default, many labels are configured with the setting “Assign permissions now” and the list includes only internal users. When you select “Let users assign permissions” instead, the label becomes more flexible but still may not allow guests unless explicitly configured.
Labels can also be applied automatically through auto-labeling policies. In that case, the encryption is added to documents without user intervention. If a guest attempts to open a file that has been auto-labeled with encryption that excludes external users, access is blocked.
Steps to Check and Fix Label Encryption for Guest Access
To restore guest access, you must review the sensitivity label applied to the site and its documents. Follow these steps to identify and adjust the encryption settings.
- Identify the sensitivity label on the SharePoint site
Go to the SharePoint admin center. Under Sites, select Active sites. Click the site name that has guest access issues. In the panel that opens, look for the Sensitivity label field. If a label is assigned, note the label name. If no label is assigned, the issue may come from labels applied directly to documents.
- Open the label in the Microsoft 365 compliance center
Go to the Microsoft 365 compliance center. Under Solutions, select Information protection. Click the Sensitivity labels tab. Find the label you noted in step 1 and click its name to open the label settings.
- Check the encryption configuration
In the label settings, scroll to the Encryption section. Click Edit. If encryption is turned off, the label does not block guests. If encryption is turned on, review the Assign permissions now option. Click Assign permissions now and then the Assign permissions link. Look at the Users and groups list. If the list contains only internal users or groups that exclude guests, guests cannot decrypt content.
- Add guests or change the encryption scope
To allow guests, you can add individual guest email addresses to the Users and groups list. Alternatively, change the encryption to Let users assign permissions. This option allows the person applying the label to choose who can access the file. You can also select the checkbox “Allow offline access” and set a custom expiration if needed. Save the label settings.
- Publish the updated label
After you change the label, click Publish labels. Select the policy that contains this label and choose Next. Ensure the label is published to the correct users. If you want the label to be available for manual application, include it in a label policy assigned to the site owners or editors. Complete the publishing wizard.
- Verify guest access after the change
Ask the guest to sign out and sign in again. Have the guest navigate to the SharePoint site and open a document that previously failed. If the label was the cause, the guest should now be able to access the content. If access is still denied, check if the document itself has a different label applied directly.
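The Users and groups check from the steps above, as an added PowerShell example that is not part of the original article: it evaluates a label's permission list for one guest address and flags entries whose membership has to be checked by hand. It assumes the list is available as a string in the `Identity:Rights;Identity:Rights` syntax that `Set-Label -EncryptionRightsDefinitions` accepts, and it also matches whole-domain entries, which goes beyond the individual addresses the steps mention. The function name `Test-GuestInLabelRights` is hypothetical and all sample values are constructed.

```powershell
# Added example: evaluate a label's "Assign permissions now" list for one guest.
# Assumed input format (Set-Label -EncryptionRightsDefinitions syntax):
#   Identity1:Rights1,Rights2;Identity2:Rights3
function Test-GuestInLabelRights {
    param(
        [Parameter(Mandatory)] [string] $GuestAddress,
        [string] $RightsDefinitions = '',
        [ValidateSet('Template', 'UserDefined')] [string] $ProtectionType = 'Template'
    )
    $result = [ordered]@{
        Guest = $GuestAddress; Verdict = 'NotListed'
        MatchedBy = $null; Rights = @(); CheckMembership = @()
    }
    if ($ProtectionType -eq 'UserDefined') {
        # "Let users assign permissions": the label carries no fixed list,
        # so access depends on what the person applying the label chose.
        $result.Verdict = 'DependsOnLabeler'
        return [pscustomobject]$result
    }
    $guest  = $GuestAddress.Trim().ToLowerInvariant()
    $domain = ($guest -split '@')[-1]

    foreach ($entry in ($RightsDefinitions -split ';' | Where-Object { $_.Trim() })) {
        $identity, $rights = $entry -split ':', 2
        $identity = $identity.Trim().ToLowerInvariant()

        if ($identity -eq $guest -or $identity -eq $domain) {
            # The guest is named directly or covered by a domain entry.
            $result.Verdict   = 'Listed'
            $result.MatchedBy = $identity
            $result.Rights    = @("$rights" -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
            return [pscustomobject]$result
        }
        if ($identity -like '*@*' -or $identity -notlike '*.*') {
            # Another address or a bare name may be a group. Membership
            # cannot be resolved offline, so flag it for a manual check.
            $result.CheckMembership += $identity
        }
    }
    return [pscustomobject]$result
}

# Constructed sample values, not taken from any tenant.
$internalOnly = 'finance@contoso.example:VIEW,EDIT;contoso.example:VIEW'
$withPartner  = "$internalOnly;partner.example:VIEW"
Test-GuestInLabelRights -GuestAddress 'alex@partner.example' -RightsDefinitions $internalOnly
Test-GuestInLabelRights -GuestAddress 'alex@partner.example' -RightsDefinitions $withPartner
```

A `NotListed` verdict with entries under `CheckMembership` means the guest could still be covered through a group, so confirm group membership before editing the label.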
If Guest Access Is Still Blocked After the Main Fix
Document-Level Labels Override Site Labels
A document may have a sensitivity label applied directly that differs from the site label. To check, open the document in SharePoint. Click the information icon in the top-right corner. Look for Sensitivity in the details pane. If a label is shown, note its name and repeat the steps above for that label. The document label takes precedence over the site label.
Auto-Labeling Policies Apply Encryption Automatically
If your organization uses auto-labeling policies, documents may be labeled and encrypted without any manual action. In the compliance center, go to Information protection > Auto-labeling. Review any policies that target SharePoint sites. If a policy applies a label with encryption that excludes guests, you must either modify the label or create an exception for guest-accessible sites.
Guest Access Requires a Microsoft 365 Guest Account
Even with correct label settings, a guest must have a valid Microsoft 365 guest account. The guest must accept the invitation and sign in with their Microsoft account or Azure AD B2B guest account. If the guest account is expired or blocked, access will fail. Check Azure AD > Users > Guest users to verify the account status.
Site Label vs Document Label: Encryption Effect on Guests
| Item | Site Label (Encryption Applied) | Document Label (Encryption Applied) |
|---|---|---|
| Scope | Affects all documents in the site unless they have their own label | Affects only that specific document |
| Guest access | Blocked if encryption excludes external users | Blocked if encryption excludes the guest |
| Override behavior | Document label overrides site label | Highest priority label applies |
| How to fix | Change label encryption or assign a different label to the site | Remove or change the document label |
As a site owner, you can now identify whether a sensitivity label is blocking guest access and adjust the encryption settings accordingly. Start by checking the label assigned to the site in the SharePoint admin center. Then modify the label’s encryption to include guest users or switch to a label that allows user-assigned permissions. For persistent issues, inspect document-level labels and auto-labeling policies. A practical next step is to create a test site with a guest account to validate that your label configuration works before rolling out changes broadly.