My company is just starting to utilize O365 email encryption for sensitive information, which I know a lot of people are already using.
One thing we've run into is when sending a sensitive email to a third-party vendor, a lot of them utilize shared mailboxes/distribution groups, so the encryption is not allowing the members of the external mailbox/group to open the encrypted email as their account doesn't have permissions (the group email address does, instead of their individual account).
The only way I've come up with to solve this issue is setting the encrypted emails to not allow a "social" sign-on for decryption, and instead only offer "send a one-time passcode" as the authentication method, then the group/mailbox receives the code to view the email.
Curious how others have combatted this issue if they've crossed it, this feature has been around a while and I am unable to find much on Google about it specifically.
For the moment, users are just re-sending the encrypted email to the external recipient that replies "We can't open this email", which solves the problem but creates more work and takes longer for everyone.