Forum Discussion
ThomasHuth
Sep 03, 2021 | Brass Contributor
AIP Question User "reuse"
Hello, I have a question about how this scenario is handled. User A was granted access to a document. After a while User A leaves the company and his account is deleted. After a while User B starts to...
pvanberlo
Sep 03, 2021 | MCT
Don't have any direct experience, but I would certainly expect Microsoft to use the Object (GU)ID for these things, or some other unique GUID associated with a user. Things like e-mail addresses, and a UPN, can of course change. Perhaps someone else has more direct experience with this.
ThomasHuth
Sep 03, 2021 | Brass Contributor
Thanks, something like that is what I expect.
From that documentation
https://docs.microsoft.com/en-us/azure/information-protection/how-does-it-work#cryptographic-controls-used-by-azure-rms-algorithms-and-key-lengths
this part:
What's happening in step 1: The authenticated user sends the document policy and the user’s certificates to the Azure Rights Management service. The service decrypts and evaluates the policy, and builds a list of rights (if any) the user has for the document. To identify the user, the Azure AD ProxyAddresses attribute is used for the user's account and groups to which the user is a member. For performance reasons, group membership is cached. If the user account has no values for the Azure AD ProxyAddresses attribute, the value in the Azure AD UserPrincipalName is used instead.
This talks about a user certificate.
I hope someone from Microsoft can clarify.
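Added illustration (not code from the quoted documentation or from Microsoft) of the identity lookup that step 1 describes: the service resolves a user to the addresses in the Azure AD ProxyAddresses attribute, falls back to the UserPrincipalName when that attribute is empty, adds group addresses, and matches those strings against the document policy. The policy layout, the `DirectoryUser` class and the helper names are assumptions made for the example; the sample accounts and addresses are constructed. The last helper shows the check an administrator would run on the scenario in the question: whether a newly created account carries an address that a deleted account used to hold, since the lookup modelled here is by address rather than by the immutable object id.

```python
"""Model of the Azure RMS identity lookup quoted above (step 1).

Constructed illustration, not Microsoft code.  The service identifies a user
by the ProxyAddresses attribute (falling back to UserPrincipalName) plus the
addresses of groups the user belongs to, and matches those against the
addresses named in the document policy.  Everything below the docstring is an
assumption about layout, not a description of the real service internals.
"""

from dataclasses import dataclass, field


@dataclass
class DirectoryUser:
    """Minimal stand-in for an Azure AD user object (assumed shape)."""
    object_id: str                                       # immutable GUID
    upn: str                                             # UserPrincipalName
    proxy_addresses: list = field(default_factory=list)  # e.g. "SMTP:a@x"
    groups: list = field(default_factory=list)           # group mail addresses


def normalise(address):
    """Strip the 'SMTP:' / 'smtp:' prefix used in ProxyAddresses, lower-case."""
    addr = address.split(":", 1)[1] if ":" in address else address
    return addr.strip().lower()


def rms_identities(user):
    """Identities used for the user: ProxyAddresses if present, otherwise the
    UPN, plus the addresses of groups the user is a member of."""
    own = [normalise(a) for a in user.proxy_addresses] or [normalise(user.upn)]
    return set(own) | {normalise(g) for g in user.groups}


def rights_for(policy, user):
    """Union of the rights the policy grants to any identity of the user.
    `policy` is assumed to map a lower-case address to a tuple of rights."""
    granted = set()
    for identity in rms_identities(user):
        granted |= set(policy.get(identity, ()))
    return granted


def reissued_identities(former_user, new_user):
    """Addresses of a deleted account that a newly created account now carries.

    Because the lookup above is by address string, not by object id, any
    overlap here is what an administrator would want to audit before an
    address is reissued to a different person."""
    return rms_identities(former_user) & rms_identities(new_user)


# Constructed sample data: one policy, the departed User A, and two variants
# of the later User B (fresh address vs. User A's old address reassigned).
POLICY = {
    "usera@contoso.example": ("VIEW", "EDIT"),
    "finance@contoso.example": ("VIEW",),
}
USER_A = DirectoryUser(
    object_id="00000000-0000-0000-0000-00000000000a",   # placeholder GUID
    upn="usera@contoso.example",
    proxy_addresses=["SMTP:usera@contoso.example"],
    groups=["finance@contoso.example"],
)
USER_B_FRESH = DirectoryUser(
    object_id="00000000-0000-0000-0000-00000000000b",   # placeholder GUID
    upn="userb@contoso.example",
    proxy_addresses=["SMTP:userb@contoso.example"],
)
USER_B_REUSED = DirectoryUser(
    object_id="00000000-0000-0000-0000-00000000000b",   # placeholder GUID
    upn="userb@contoso.example",
    proxy_addresses=["SMTP:userb@contoso.example", "smtp:usera@contoso.example"],
)
USER_NO_PROXY = DirectoryUser(
    object_id="00000000-0000-0000-0000-00000000000c",   # placeholder GUID
    upn="UserC@contoso.example",
)


if __name__ == "__main__":
    print("User A rights:        ", sorted(rights_for(POLICY, USER_A)))
    print("User B (fresh) rights:", sorted(rights_for(POLICY, USER_B_FRESH)))
    print("User B (reused) rights:", sorted(rights_for(POLICY, USER_B_REUSED)))
    print("Reissued addresses:   ", sorted(reissued_identities(USER_A, USER_B_REUSED)))
```

Running the module shows that the fresh User B receives nothing from the policy, while a User B that inherits User A's old proxy address matches the same policy entry; `reissued_identities` surfaces exactly that overlap so it can be reviewed before the address is reassigned.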