Microsoft
MicrosoftHi dl348926
Thank you for your feedback. We agree that both approaches are viable, but it's difficult to determine which is objectively better since each organization has its own unique requirements and circumstances. However, given that the primary concern here relates to labels, I recommended excluding the associated app rather than "Other external user", as the latter could impact other workloads.
Thanks Tarek_Atef !
If you're just trying to "get this working" with little regard to how CA policies are enforced on other users when accessing RMS resources, then yes I probably agree with you.
But if I pose the question as "How can you allow "Other external users" to access RMS resources, without otherwise changing your CA posture", certainly for our organisation, I think the "Other external user" is the better way to go. To otherwise not change your CA posture you would need at least one new CA policy, and the guest exclusion would only require exactly one additional CA policy (I think).
Whereas the app exclusion would require multiple CA policies duplicating various policies/scenarios for the RMS app only.
At least that's how I see it in our organisation's environment, but I could be missing something...?
