Forum Discussion
External Sharing with Sensitivity Labels
Hi Christian,
Thanks for the reply.
This was my understanding. However, if I configure either a direct mail account or a domain within the label and send that document to the external party, they receive the message that there is no account for them in our Azure AD.
- Nov 23, 2022
I imagine you have some conditional access policies set up, and I think this could be a case of the Microsoft Azure Information Protection app not being allowed/selected for them. Try excluding that app from CA or exclude the externals from the CA. When they are using an AAD tenant, you can configure the Cross-tenant access settings under External Identities in Azure AD, allowing the MAIP app (but only necessary when allowing some apps), and if not specified just check the box where you trust their MFA claims.
Been some edits now so I’ll just add this for assistance instead: https://microsoft.github.io/ComplianceCxE/resources/files/FAQ%20New%20features%20external%20collab%20using%20MIP.pdf
*edit Whiteb02 Did this get sorted?
- Whiteb02, Jan 18, 2023 (Copper Contributor)
Having mixed results with this at the moment.
Having turned on B2B collaboration with partner organizations, we now have some users that can successfully open the document once they provide the credentials from their own tenant (and without the need for us to create guest accounts).
We have other users from the same organization that receive the error “Sorry, another account from your organization is already signed in on this computer”. Also, a working user, from a personal device, receives the same error above.
Is it necessary for all account info in Credential Manager to be cleared out?
Finally, on an individual user level: if user A in my organization wants to specify the permissions themselves before sending a document externally to 1 or more people, is the only way for the recipient(s) to be able to open the document to be added as a guest within our tenant (as we'll likely have no B2B setup for whoever it has been sent to)?
Without a guest account, we again get the error above, and the recipient receives no notification inviting them to create a guest account (if required), so we'd have to pre-stage an account for them?
- Jan 18, 2023
It can be tricky as you’ve noticed. And the business requirement should be the baseline for how the label config is done. I think it’s better if I simply add some links as there’s too much info on the topic.
First, did you read the FAQ above?
Read this https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide#support-for-external-users-and-labeled-content
And this https://learn.microsoft.com/en-us/microsoft-365/compliance/encryption-azure-ad-configuration?view=o365-worldwide
Hope that helps.