Forum Discussion
Email to external (trusted) users without requiring them to verify their identity (with Google or a one-time passcode)
Dear Expert and Community,
I am starting with MS Purview - Data Loss Prevention. I have one point to clarify and would appreciate your advice / comments / contributions or any good practice you can share regarding the following:
- Firstly, we can send an email containing sensitive information to an external user, and it is encrypted or blocked (result: worked as expected). If the email is encrypted, the external receiver is required to verify their identity by signing in with a Google account or with a one-time passcode.
- Second: we plan to send email to external users (only trusted users / domains). Is it possible to not require these users to reverify their identity again and again? If yes, how do we do it? If not, why?
Much appreciated for any update and support.
Thanks,
3 Replies
I understand the user experience friction, but what you're describing (allowing sensitive encrypted content to be accessed without identity verification based on domain "trust") would be a critical architectural violation across major security frameworks. Here's why this cannot and should not be implemented:
- It breaks the Zero Trust principle of "Never trust, always verify"
- Breaks CIS Control 6.7 "Require MFA for all externally-exposed enterprise or third-party applications."
Then there's also the risk that you are opening your organisation up if the other party has had a Business Email Compromise (BEC).
An alternative is for you to add your trusted users as Guests to your account. In this way, they'll sign in via SSO and not have to rely on the one-time passcode.
So, short answer: Don't over-configure the label encryption for external users. Add these 'trusted users' as guests instead.

- DA_Atada16 (Copper Contributor)
milgo It would be great if you could share your comments / suggestions or good practice. Thanks.
- DA_Atada16 (Copper Contributor)
milgo Appreciated if you could share comments/suggestions. Thanks.
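The guest-onboarding route milgo suggests above (inviting trusted external users as guests so they authenticate through their own SSO rather than a one-time passcode) can be scripted with the Microsoft Graph PowerShell SDK. The block below is an added example, not code from this thread or from Microsoft; the list of trusted addresses, the partner domain and the redirect URL are constructed placeholders, and it assumes the Microsoft.Graph module is installed and the signed-in admin has been granted the User.Invite.All and User.Read.All permissions.

```powershell
# Added example (not from the thread): invite a fixed allow-list of trusted external
# addresses as B2B guests, skipping any address that is already a guest in the tenant,
# then list the guests from that partner domain so the allow-list can be reviewed.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

# Constructed placeholder list; replace with the real trusted partner addresses.
$TrustedExternalUsers = @(
    'alice@partner.example.com',
    'bob@partner.example.com'
)

# Constructed placeholder: the page the guest lands on after redeeming the invitation.
$RedirectUrl = 'https://myapps.microsoft.com'

Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All' -NoWelcome

foreach ($address in $TrustedExternalUsers) {
    # Look up an existing guest by mail so re-running the script is idempotent.
    # ConsistencyLevel eventual + CountVariable enables the advanced filter on userType.
    $existing = Get-MgUser -Filter "mail eq '$address' and userType eq 'Guest'" `
                           -Property Id, Mail, UserType `
                           -ConsistencyLevel eventual -CountVariable matchCount
    if ($existing) {
        Write-Host "Already a guest: $address ($($existing.Id))"
        continue
    }

    # Create the B2B invitation; the guest redeems it with their home-tenant identity.
    $invitation = New-MgInvitation -InvitedUserEmailAddress $address `
                                   -InviteRedirectUrl $RedirectUrl `
                                   -SendInvitationMessage

    Write-Host "Invited $address -> status: $($invitation.Status), object id: $($invitation.InvitedUser.Id)"
}

# Review step: list every guest from the partner domain (constructed placeholder domain).
Get-MgUser -Filter "userType eq 'Guest'" `
           -Property DisplayName, Mail, CreatedDateTime `
           -ConsistencyLevel eventual -CountVariable guestCount -All |
    Where-Object { $_.Mail -like '*@partner.example.com' } |
    Select-Object DisplayName, Mail, CreatedDateTime |
    Format-Table -AutoSize
```

Once the partner accepts the invitation they hold a guest object in your tenant and sign in with their home credentials, so the encrypted message is opened under a verified Entra identity instead of a Google sign-in or passcode prompt. The sensitivity label's encryption settings still have to grant that guest (or their domain) the rights you intend; the script only handles the identity side, and the final listing is there so the guest allow-list can be checked against the trusted-partner list on a regular basis.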