Sharing encrypted documents with external users if they don't have an Azure AD account or use a supported app.

A lot of what we do during a workday is exchange information, either with people inside or outside of our organization. A question that is asked quite a bit is: how do we share encrypted information with people outside our tenant if they don't have an Azure AD account?

Sharing encrypted information hasn't always been as easy as one would think. There are scenarios where it simply won't work, and even though more and more people have an Azure AD account, we will still encounter people who don't.

So, let's look at how Microsoft has explained our possibilities: 

If external users do not have an account in Azure Active Directory:

You can create a guest account for them in your tenant. For their email address, you can specify any email address that they already use. For example, their Gmail address. This guest account can also be used to access a shared document in SharePoint or OneDrive when you have enabled sensitivity labels for Office files in SharePoint and OneDrive.

External users can also use a Microsoft account for encrypted documents when they use Microsoft 365 Apps (formerly Office 365 apps) on Windows, and now on Android (version 13029+). This capability is not yet supported for macOS or iOS.

What if you want to share encrypted data to someone with a Gmail address?

As you can see, a Microsoft account is specified, so what if you are using a Gmail account? Well, if a document is shared with you at your Gmail address, you can create a Microsoft account using that Gmail address as the email address (it must match the address specified when the data was shared). When you sign in with that account, you can read or edit the document according to the usage restrictions that were specified.

One thing that is good to know is that when a user with a Microsoft account opens a protected document, a corresponding Azure AD guest account is created automatically. However, since this doesn't happen instantly, it is recommended to create the guest account manually whenever you specify a personal email address as part of the encryption settings.

So, what is the best way to share encrypted data with external users?

Since we don't know if external users will be using a supported Office client app, we may want to create a guest account for the users and then share links from SharePoint Online and OneDrive. This way we ensure that we don't run into some of the problems we can encounter if we do it in other ways.
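As an added example (not part of the original post), this is how the "create the guest account first" step can be done in bulk with the Microsoft Graph PowerShell SDK, so the external addresses already exist as guests before they are referenced in label encryption settings or SharePoint sharing. The redirect URL and the recipient list are placeholders, and the lookup-by-mail filter is an assumption about how your guests were created.

```powershell
# Added example, not code from the original post.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph) is installed and an
# account with permission to invite guests. Recipient list and URL are placeholders.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

$redirectUrl = "https://contoso.sharepoint.com"   # placeholder: where the guest lands after redeeming
$externalRecipients = @("alice.example@gmail.com", "bob.example@outlook.com")  # constructed sample list

foreach ($email in $externalRecipients) {
    # A guest's UPN is rewritten (user_gmail.com#EXT#@tenant.onmicrosoft.com), so look the
    # user up by the mail attribute instead. Assumption: invitations set mail to the invited address.
    $existing = Get-MgUser -Filter "mail eq '$email'" -Property Id,Mail,UserType
    if ($existing) {
        Write-Host "An account already exists for $email (UserType: $($existing.UserType)); skipping."
        continue
    }

    # Send the B2B invitation. The invited address must be exactly the one you later
    # put in the sensitivity label / encryption settings, otherwise the match fails.
    $invite = New-MgInvitation -InvitedUserEmailAddress $email `
                               -InviteRedirectUrl $redirectUrl `
                               -SendInvitationMessage:$true

    Write-Host "Invited $email; guest object id: $($invite.InvitedUser.Id)"
}
```

Once the guests exist, share the document from SharePoint Online or OneDrive with those same addresses rather than sending the encrypted file directly, which avoids depending on the recipient having a supported Office client.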
