My company is just starting to utilize O365 email encryption for sensitive information, which I know a lot of people are already using.
One thing we've run into is when sending a sensitive email to a third-party vendor: a lot of them utilize shared mailboxes/distribution groups, so the encryption is not allowing the members of the external mailbox/group to open the encrypted email, as their accounts don't have permissions (the group email address does, instead of their individual accounts).
The only way I've come up with to solve this issue is setting the encrypted emails to not allow a "social" sign-on for decryption, and instead only offer "send a one-time passcode" as the authentication method, then the group/mailbox receives the code to view the email.
Curious how others have combated this issue if they've crossed it; this feature has been around a while and I am unable to find much on Google about it specifically.
For the moment, users are just re-sending the encrypted email to the external recipient that replies "We can't open this email", which solves the problem but creates more work and takes longer for everyone.
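The one-time-passcode-only setup described in the post above, written out as an added Exchange Online PowerShell example (not the poster's own script). It assumes the ExchangeOnlineManagement module is installed, the account running it holds an Exchange admin role, and the tenant still uses the built-in configuration named "OME Configuration"; the vendor address in the mail flow rule is a placeholder.

```powershell
# Added example, not from the thread: force one-time passcode (OTP) sign-in for
# Microsoft Purview Message Encryption so a shared mailbox or distribution group
# can retrieve the code from its own inbox instead of needing individual accounts.
# Assumes: ExchangeOnlineManagement module, Exchange admin role,
# default configuration name "OME Configuration".

Connect-ExchangeOnline

# Look at the two switches that control the recipient sign-in experience first.
Get-OMEConfiguration -Identity "OME Configuration" |
    Select-Object Identity, SocialIdSignIn, OTPEnabled

# Turn off Google/Yahoo/Microsoft-account sign-in and keep OTP on. With social
# sign-in off, a recipient reading from a group address is steered to the OTP
# flow, and the code lands in the group's mailbox.
Set-OMEConfiguration -Identity "OME Configuration" -SocialIdSignIn $false -OTPEnabled $true

# Optional: encrypt automatically for a known vendor group address so senders
# don't have to remember to apply the Encrypt option by hand.
# "vendor-group@vendor.example" is a placeholder.
New-TransportRule -Name "Encrypt mail to vendor group" `
    -SentTo "vendor-group@vendor.example" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Verify the change took effect.
Get-OMEConfiguration -Identity "OME Configuration" |
    Select-Object SocialIdSignIn, OTPEnabled
```

The trade-off to keep in view: the passcode is delivered to the shared address, so anyone with access to that mailbox can open the message. That is the intended outcome for a vendor group, but it also means the recipient-side mailbox permissions, not the sender's encryption, are now the access boundary.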
Usually in these kinds of situations I fall back to sharing a OneDrive / Teams (SharePoint) folder out to the external vendor. Anyone can say that they can't receive the encrypted email, and there could be legitimately good reasons for that, but if they don't know how to log in to 365 to access a shared folder, that's on them.
Makes sense, but wouldn't you have an issue with sharing to a group/shared mailbox?
Not a fan of "anyone with a link" personally; that's the only way I can think of that working smoothly.
If they absolutely refuse to allow you to share or email an individual vs. a distro group then I'd do it that way, but not using an "anyone with the link" share, depending on the sensitivity of the information. If it's something that isn't as sensitive, sure, but otherwise they'll need to set up credentials with that distro group and use it to log in to access the shared folder.
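The sharing posture the reply above argues for (external sharing to authenticated users only, no "Anyone with the link"), as an added SharePoint Online PowerShell example rather than anything posted in the thread. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin role; the tenant and site URLs are placeholders.

```powershell
# Added example, not from the thread: disable anonymous "Anyone" links while
# still allowing sharing with external users who sign in, so a vendor using a
# distribution-group address must hold credentials for it to reach the folder.
# Assumes: Microsoft.Online.SharePoint.PowerShell module, SharePoint admin role.
# URLs below are placeholders for a real tenant.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide ceiling: external users must authenticate; anonymous links are
# not offered anywhere. Individual sites can be stricter than this, never looser.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Default new links to "Specific people" so a user sharing in a hurry does not
# fall back to the broadest option out of habit.
Set-SPOTenant -DefaultSharingLinkType Direct

# Apply the same restriction explicitly on the vendor collaboration site.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/VendorExchange" `
    -SharingCapability ExternalUserSharingOnly

# Confirm the effective settings at both levels.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType
Get-SPOSite -Identity "https://contoso.sharepoint.com/sites/VendorExchange" |
    Select-Object Url, SharingCapability
```

With this in place, a share to the vendor's group address produces a guest invitation tied to that address; whoever at the vendor controls the mailbox redeems it and signs in, which is the "set up credentials with that distro group" step the reply describes.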