Forum Discussion
Authenticated user very easy to steal
Hello,
I am testing Azure Information Protection and it seems like an easy-to-use product.
My only question is: is it safe enough?
I tried to send an email to my Gmail account with full rights, but with the authenticated users permission.
I then took the link I got in my mail, adjusted the link with another email, and had no trouble signing in with the other mail. Is that supposed to be like that?
That makes me question the rest of the security of the product.
- Carol Bailey (Microsoft)
When you say "authenticated users permission", are you referring to the "Add any authenticated user" option in the Azure portal? If yes, did you read up about this option? More information is here, and it includes:
This setting doesn't restrict who can access the content that the label protects, while still encrypting the content and providing you with options to restrict how the content can be used (permissions), and accessed (expiry and offline access).
...
Some typical scenarios for the any authenticated users setting:
- You don't mind who views the content, but you want to restrict how it is used. For example, you do not want the content to be edited, copied, or printed.
- You don't need to restrict who accesses the content, but you want to be able to track who opens it and potentially, revoke it.
- You have a requirement that the content must be encrypted at rest and in transit, but it doesn't require access controls.
So if you want to restrict the email to specific Gmail users, you must use a different configuration. For example, specify the Gmail accounts in the label configuration (the admin controls the user access) or use the User-defined option of Do Not Forward (the user controls the user access). For different configurations that are possible, you might find it useful to look over the examples at the end of the documentation I quoted.
- Tor Marius Lillestøl (Copper Contributor)
Hello,
And thank you! Yes, you have understood me correctly.
This explains what I didn't get.
But is there a way to ensure only the external email account you send to can open the document?
Will the Do Not Forward button solve that?
Regards,
Tor Marius
- Carol Bailey (Microsoft)
Yes, you can use the Do Not Forward option - which means that end users rather than admins control who can open the email. You can implement the Do Not Forward option in many ways, which does include the Do Not Forward button as an Azure Information Protection policy setting. But you can also implement it with a label that is displayed only in Outlook, with the user-defined permissions configuration (see the first example in the link I provided). When you use this configuration rather than the Do Not Forward button, it has the benefit that the email is classified as well as protected.
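Added example, not from the thread and not Microsoft's own code: the contrast Carol's first answer draws between the "any authenticated user" setting (encrypts and limits usage rights, but does not limit who can open the content, which is what the original poster observed) and a protection template scoped to a named external account, expressed with the AIPService PowerShell module. The Do Not Forward option from the last answer is applied per message by the sender in Outlook, so it has no template equivalent here. Assumptions not stated on the page: that `AuthenticatedUsers` is the identity value the module accepts for the portal's "Add any authenticated user" option, that template objects returned by `Get-AipServiceTemplate` expose `Status`, `Names`, `TemplateId` and a `RightsDefinitions` collection with `Identity` and `Rights` properties, and `recipient@gmail.com` is a placeholder address.

```powershell
# Added example (not from the thread or from Microsoft). Requires the AIPService
# module and an administrator sign-in to the tenant.
Import-Module AIPService
Connect-AipService   # interactive sign-in as a tenant administrator

# --- Weak setting: any account that can authenticate may open the content.
# Usage rights still apply (view only here), but the reader is not restricted.
# Assumption: 'AuthenticatedUsers' is the module's identity value for the
# portal's "Add any authenticated user" option.
$anyUser = New-AipServiceRightsDefinition -EmailAddress 'AuthenticatedUsers' `
            -Rights 'VIEW', 'VIEWRIGHTSDATA'

# --- Corrected setting: only the named external account can open the content.
# 'recipient@gmail.com' is a placeholder; substitute the real external account.
$namedUser = New-AipServiceRightsDefinition -EmailAddress 'recipient@gmail.com' `
              -Rights 'VIEW', 'VIEWRIGHTSDATA'

# Publish a template that carries only the scoped definition. The 1033 key is
# the locale ID for English (United States).
Add-AipServiceTemplate `
    -Names @{1033 = 'External - named recipient only'} `
    -Descriptions @{1033 = 'Encrypts and restricts access to one named external account.'} `
    -RightsDefinitions $namedUser `
    -LicenseValidityDuration 7 `
    -Status Published

# --- Check: list every published template that grants rights to all
# authenticated users, so open-to-anyone configurations are visible to the
# admin before they are attached to a label.
# Assumption: each rights definition exposes Identity and Rights properties.
function Find-OpenTemplates {
    Get-AipServiceTemplate |
      Where-Object { $_.Status -eq 'Published' } |
      ForEach-Object {
        $tpl = $_
        $tpl.RightsDefinitions |
          Where-Object { $_.Identity -eq 'AuthenticatedUsers' } |
          ForEach-Object {
            [pscustomobject]@{
              TemplateId = $tpl.TemplateId
              Names      = $tpl.Names
              Rights     = ($_.Rights -join ',')
            }
          }
      }
}

Find-OpenTemplates | Format-Table -AutoSize
```

The `$anyUser` definition is built only to make the difference concrete; it is deliberately not attached to the published template. Run `Find-OpenTemplates` after any label change to confirm that no template meant for a specific recipient has picked up the open identity.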