Forum Discussion
DA_Atada16
Feb 19, 2026 · Copper Contributor
Email to external (trusted user) not require verify user Identity (with Google or One-time passcode)
Dear Expert and Community, I am starting with MS Purview - Data Loss Prevention. I have one point to clarify and seek your advice / comment / contribute or sharing good practice regarding with be...
vicwingsing
Feb 28, 2026 · MVP
I understand the user experience friction, but what you're describing (allowing sensitive encrypted content to be accessed without identity verification based on domain "trust") would be a critical architectural violation across major security frameworks. Here's why this cannot and should not be implemented:
- It breaks the Zero Trust principle of "Never trust, always verify"
- Breaks CIS Control 6.7 "Require MFA for all externally-exposed enterprise or third-party applications."
Then there's also the risk that you are opening your organisation up to if the other party has had a Business Email Compromise (BEC).
An alternative is for you to add your trusted users as guests to your account. This way, they'll sign in via SSO and not have to rely on the one-time password.
So, short answer: don't over-configure the label encryption for external users. Add these 'trusted users' as guests instead.
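
The guest-invitation step suggested in the reply above could be scripted as follows with the Microsoft Graph PowerShell SDK; this is an added example, not part of the original thread or anyone's posted code. The addresses, display names and redirect URL are constructed placeholders, and it assumes the signed-in admin can consent to the `User.Invite.All` and `User.Read.All` scopes.

```powershell
# Added example: invite a vetted list of external contacts as B2B guests.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

# Constructed sample input: replace with contacts verified out of band.
$trustedUsers = @(
    [pscustomobject]@{ Email = 'alice@partner.example'; Name = 'Alice (Partner)' }
    [pscustomobject]@{ Email = 'bob@partner.example';   Name = 'Bob (Partner)' }
)

# Assumed landing page shown after the guest redeems the invitation.
$redirectUrl = 'https://myapplications.microsoft.com'

$results = foreach ($u in $trustedUsers) {
    # OData string literals escape a single quote by doubling it.
    $safeMail = $u.Email.Replace("'", "''")

    # Skip addresses that already have a guest object, so reruns are idempotent.
    $existing = Get-MgUser -Filter "mail eq '$safeMail' and userType eq 'Guest'"
    if ($existing) {
        [pscustomobject]@{ Email = $u.Email; GuestId = $existing[0].Id; Status = 'AlreadyGuest' }
        continue
    }

    try {
        $inv = New-MgInvitation -InvitedUserEmailAddress $u.Email `
            -InvitedUserDisplayName $u.Name `
            -InviteRedirectUrl $redirectUrl `
            -SendInvitationMessage:$true `
            -ErrorAction Stop
        [pscustomobject]@{ Email = $u.Email; GuestId = $inv.InvitedUser.Id; Status = $inv.Status }
    }
    catch {
        # Record the failure and continue with the remaining contacts.
        [pscustomobject]@{ Email = $u.Email; GuestId = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Review which invitations are pending, already present, or failed.
$results | Format-Table -AutoSize
```

Invited users appear with `userType` set to `Guest`, so tenant Conditional Access policies that target guest users (for example, requiring MFA) apply when they sign in.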