Forum Discussion
External Sharing with Sensitivity Labels
It can be tricky as you’ve noticed. And the business requirement should be the baseline for how the label config is done. I think it’s better if I simply add some links as there’s too much info on the topic.
First, did you read the FAQ above?
Read this https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide#support-for-external-users-and-labeled-content
And this https://learn.microsoft.com/en-us/microsoft-365/compliance/encryption-azure-ad-configuration?view=o365-worldwide
Hope that helps.
Whiteb02 wrote a post on LinkedIn about this. Bear in mind guest accounts could be necessary sometimes, hence read the link https://learn.microsoft.com/en-us/microsoft-365/compliance/encryption-azure-ad-configuration?view=o365-worldwide#guest-accounts-for-external-users-to-open-encrypted-documents
---
External sharing of protected content. What gives?
To follow up from a question in #TechCommunity I thought I should provide my take on it.
For email content and attachments you can use #MicrosoftPurviewMessageEncryption (OME) with 'Encrypt only' and 'Do not Forward' templates. The options are available in the desktop and web client. You can also choose to exclude them from one of those clients if you'd like, using regedit/GPO or PowerShell for the web interface.
There are some configurations that can be made, such as whether the recipients should use one-time passcodes and/or social sign-in for authentication. You can use some design parts too, such as informational text and a company logo and color. Here you need to use PowerShell. For more advanced features you can include mail flow rules in #EXO with Message encryption or #DataLossPrevention (DLP) as well.
The nice thing about Message encryption is that it's very easy for end-users to understand. There are only two alternatives and both encrypt the content and the attachment. 'Do not Forward' is encryption too, just adding some more restrictions for the recipient.
As long as the recipient is using a Microsoft identity the process is really seamless and there is no need to use any portal or software to view the message. If using Gmail, for example, they will receive a wrapper in the message directing them to the Purview Message encryption portal (OME portal) where the above options will display for authentication.
The more advanced way of working with protection is #SensitivityLabels and I'm certain many of you are either using them or have seen them. They offer super granularity when it comes to permissions and configurations and can be used all over the #M365 suite, as opposed to Message encryption which is for email messages only.
This is the part where considerations and planning are introduced and must involve stakeholders/business representatives as it's about #classification and data knowledge. One cannot establish permission levels in sensitivity labels and publish them to users without analyzing the business requirements.
So what are the primary considerations for external sharing of protected content? From my perspective:
- The permissions granting access in the sensitivity labels.
- Any #ConditionalAccess policies that include the #MicrosoftAzureInformationProtection app and #MFA
When it comes to #B2B collaboration there are no extra configurations to be made from a fundamental point of view, but as soon as you're securing your environment and most likely are using "all apps/users" requiring MFA, you have to use Azure AD #CrossTenantAccessSettings trusting those external MFA claims. If you don't do that they will need a guest account in your tenant. And if that for some reason isn't applicable, you have to either exclude the app or the external users from the conditional access policy.
There's more to the topic but LinkedIn says I've reached the character limit.
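The PowerShell behind the steps the post describes (OME portal authentication and branding, hiding a template from Outlook on the web, a mail flow rule that forces the 'Encrypt' template for external recipients, and trusting a partner tenant's MFA claims in cross-tenant access settings), as an added example that is not part of the forum reply or the LinkedIn post. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed; the admin UPN, the logo path, the branding strings, the keyword used by the mail flow rule and the partner tenant ID are placeholders to replace with your own values. The Conditional Access policy itself is configured in the Entra portal and is not shown.

```powershell
# Added example, not the post author's code. Placeholders: admin UPN, logo path,
# branding strings, rule keyword and the partner tenant ID.

# --- 1. Message encryption portal: authentication and branding --------------
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# Inspect the current OME configuration before changing anything.
Get-OMEConfiguration -Identity "OME Configuration" |
    Format-List OTPEnabled, SocialIdSignIn, BackgroundColor, IntroductionText

# Let recipients without a Microsoft 365 identity (e.g. Gmail) use a one-time
# passcode or social sign-in in the OME portal, and brand the wrapper/portal.
Set-OMEConfiguration -Identity "OME Configuration" `
    -OTPEnabled $true `
    -SocialIdSignIn $true `
    -BackgroundColor "#0078D4" `
    -IntroductionText "has sent you a protected message" `
    -EmailText "Open this message with your work account or a one-time passcode." `
    -PortalText "Contoso protected message portal" `
    -DisclaimerText "This message is intended only for the named recipient."

# Optional company logo (PNG/JPG, must stay under 40 KB); path is a placeholder.
$logo = [System.IO.File]::ReadAllBytes("C:\branding\contoso-logo.png")
Set-OMEConfiguration -Identity "OME Configuration" -Image $logo

# --- 2. Which of the two templates Outlook on the web offers ---------------
# SimplifiedClientAccessEnabled shows the Encrypt button in Outlook on the web;
# the two *Disabled switches hide 'Encrypt only' or 'Do not Forward' from it.
# (Hiding them in the desktop client is done with GPO/registry, not here.)
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true `
    -SimplifiedClientAccessEncryptOnlyDisabled $false `
    -SimplifiedClientAccessDoNotForwardDisabled $false

# --- 3. Mail flow rule: force the 'Encrypt' template on external mail -------
# Keyword match is deliberately simple; use DLP sensitive info types for
# content-based detection beyond a fixed word.
New-TransportRule -Name "Encrypt external mail marked Confidential" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential" `
    -ApplyRightsProtectionTemplate "Encrypt"

Disconnect-ExchangeOnline -Confirm:$false

# --- 4. Cross-tenant access: trust the partner tenant's MFA claims ----------
# Without this, a Conditional Access policy requiring MFA for all users/apps
# makes B2B users from that tenant satisfy MFA again in yours (or need a guest
# account) before protected content will open.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$partnerTenantId = "00000000-0000-0000-0000-000000000000"   # placeholder

# Only MFA is trusted here; device claims stay untrusted unless you also
# trust the partner's Intune compliance / hybrid join state.
$inboundTrust = @{
    IsMfaAccepted                       = $true
    IsCompliantDeviceAccepted           = $false
    IsHybridAzureADJoinedDeviceAccepted = $false
}

# New-* fails if a partner object already exists, so update in that case.
$existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
    -ErrorAction SilentlyContinue
if ($existing) {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
        -InboundTrust $inboundTrust
} else {
    New-MgPolicyCrossTenantAccessPolicyPartner `
        -TenantId $partnerTenantId `
        -InboundTrust $inboundTrust
}

# Verify: IsMfaAccepted should now read True for the partner tenant.
(Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId).InboundTrust

Disconnect-MgGraph
```

Run it against a test tenant first: the Exchange part needs an Exchange administrator role, and the Graph part needs admin consent for the Policy.ReadWrite.CrossTenantAccess scope. Trusting the partner's MFA claim only helps users who actually authenticate in the partner tenant; recipients who have no Microsoft identity still go through the OME portal with a one-time passcode or social sign-in, which is why step 1 and step 4 are both needed.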