Protection, permissions and the "Add any authenticated users" option

-

Sharing is caring they say, and when we work with AIP, we must often consider how to configure labels to use for sharing internally and externally.


When you add protection to your label, you need to add permissions as a part of the configuration. You have two options: Select from the list or Enter details:


If you choose to enter details, you have a lot of freedom, and can specify whoever you want, or what domain you want. The other option: Select from the list let's you add a user or group (or several) from your organization (or every member of your Azure AD), or you can use the "Any authenticated users" option. That is the one we will look at today.

By selecting "Any authenticated users" option you say that any user who has an email account that is authenticated by Azure AD or a federated social provider, or who is authenticated with a Microsoft account or uses a one time passcode can access the content.


If you think about that for a moment you might see how this is similar to the "Encrypt/Encrypt-Only" option where the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). And yes, like the Encrypt option the "Any authenticated users" setting doesn't restrict who can access the content that the labels protects. The content will be encrypted but using this option you are provided with the possibility to restrict how the content can be used and accessed.
Restrict or give full access. It is up to you.


Another advantage with this one compared to the Encrypt option is that this is AIP and not OME. You will therefore also be able to track and revoke the content so there are definately use cases for it. Microsoft suggests a couple of scenarios for this here: More information about add any authenticated users

  • You don't mind who views the content, but you want to restrict how it is used. For example, you do not want the content to be edited, copied, or printed.
  • You don't need to restrict who accesses the content, but you want to be able to track who opens it and potentially, revoke it.
  • You have a requirement that the content must be encrypted at rest and in transit, but it doesn't require access controls.

Comments

Post a Comment

Popular posts from this blog

Do not Forward and the protection of attachments

-
Image
Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights.  Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely. Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say:  “When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it . For example, in the Outlook cli
Read more

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

-
Image
Do not Forward and Encrypt Only can be found in Outlook by default for all who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequenses of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.  As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:    EO and DNF in Outlook.  I've covered these in earlier blogposts , but lets just quickly go through them again here: " Encrypt/Encrypt-Only " option makes sure the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be au
Read more