Sharing encrypted documents with external users if they don't have an Azure AD account or use a supported app.

-

A lot of what we do during a workday is exchange information, either with people inside, or outside of our organization. A question that is asked quite a bit is: How do we share encrypted information with people outside our tenant if they don't have an Azure AD account.

Sharing encrypted info hasn't always been as easy as one would think. There are scenarios where this won't work and even if more and more people have an Azure AD account, we will still encounter people who don't. 

 

So, let's look at how Microsoft has explained our possibilities: 

If external users do not have an account in Azure Active Directory:

You can create a guest account for them in your tenant. For their email address, you can specify any email address that they already use. For example, their Gmail address. This guest account can also be used to access a shared document in SharePoint or OneDrive when you have enabled sensitivity labels for Office files in SharePoint and OneDrive.

External users can also use a Microsoft account for encrypted documents when they use Microsoft 365 Apps (formerly Office 365 apps) on Windows, and now on Android (version 13029+). This capability is not yet supported for macOS or iOS.

What if you want to share encrypted data to someone with a Gmail address?

As you can see, a Microsoft account is specified, so what if you are using a Gmail account? Well, if a document is shared to you and your Gmail account, you can create a Microsoft Account with your Gmail account as email address (must match the one specified when sharing the data). When you sign in with this, you can read/edit the document based on the usage restrictions specified.

One thing that is good to know is that when a user with a Microsoft account opens a protected document, a corresponding Azure AD guest account will be created automatically. However, since this doesn't happen instantly, it is recommended to create the guest account manually when you specify a personal email account as part of the encryption settings. 

So, what is the best way to share encrypted data with external users? 

Since we don't know if external users will be using a supported Office client app, we may want to create a guest account for the users and then share links from SharePoint Online and OneDrive. This way we ensure that we don't run into some of the problems we can encounter if we do it in other ways.

Comments

Post a Comment

Popular posts from this blog

Do not Forward and the protection of attachments

-
Image
Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights.  Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely. Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say:  “When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it . For example, in the Outlook cli
Read more

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

-
Image
Do not Forward and Encrypt Only can be found in Outlook by default for all who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequenses of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.  As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:    EO and DNF in Outlook.  I've covered these in earlier blogposts , but lets just quickly go through them again here: " Encrypt/Encrypt-Only " option makes sure the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be au
Read more