Should I expect AWS to respect Azure Information Protection (AIP) protected e-mails?




When selecting "do not forward" in an Outlook e-mail, and sharing your screen in MS Teams while displaying that e-mail, the screen for the remote viewers is all black. However, when we share that same e-mail from an AWS session, the screen is not blacked out and the viewers can see the content. Has anyone ever come across this and found any resolution? We'll be opening a case as well.


Joe Cistaro

5 Replies

@Joe Cistaro Can you describe what an AWS session is? Are you referring to the Amazon Chime application?


The screen blocking is a function of the screen sharing application versus a function of the email. So while Teams may respect the information protection of emails, it sounds like you may be using an Amazon product for your screen sharing which may not.

@msExchangeDude Teams knows nothing about Office 365 Message Encryption, so it wouldn't apply any protection to messages with DNF set when displayed in a screen sharing session. All of which goes to prove that it's important people understand that encryption is not a perfect way to stop message content leaking. For instance, people can still take a screen photo of a message and send it to someone else with WhatsApp. 


I have no idea what Amazon Chime might be doing with the display, but I suggest that this is their problem, not Microsoft's.

@Tony Redmond and @msExchangeDude thanks for the replies. AWS=Amazon Workspace which is a Windows 10 desktop that lives in the Amazon cloud, domain connected and for all intents and purposes, the same setup as my laptop but virtual.


@Tony Redmond Teams has some awareness I feel when Do Not Forward is selected for an Outlook mail, i.e. when I try and share my screen with a message protected by Office Message Encryption in MS Teams from my Windows 10 physical laptop, the remote users see a black screen. When I perform that same exact action from my AWS Windows 10 virtual desktop, Teams displays the e-mail during the screen sharing session.

We are aware that where there is a will there is a way, and bad actors can exfiltrate our data in other ways than forwarding a message or screen sharing.


I was curious to know if others can reproduce this and help me to understand where I should be taking this concern.  i.e. is MS responsible to ensure that their O/S (whether on a VM or physical machine) operates consistently or is the responsibility with Amazon in some way?

Per your description of the issue, I would point to the display driver in use on the virtual machine and how the desktop is rendered, as this may be a dependency for Teams' ability to black out certain windows.

Teams doesn't know anything about the DNF-protected message because Outlook has already fetched a use license to decrypt and display the content before Teams gets a chance to show the message in the meeting window. As far as Teams is concerned, it's just displaying an Outlook message. I tried to replicate this issue in my tenant and couldn't using a physical Windows 10 workstation connected to an E3 or an E5 account.