encryption
26 Topics

Compliance licenses at tenant level
Hi,

We are a small organization of about 200 employees, and we have the following requirements.
- DLP policies configuration at Exchange, OneDrive, SharePoint
- BYOD security
- Users should not be able to send files outside the org
- And so on as we evaluate

We already have M365 Business Premium. However, after researching we figured out that M365 Business Premium alone will not solve our requirements. Maybe a compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses, as this will be expensive for us and there is no requirement at all for our users. The question is: is there a way to solve the above scenario?
50 Views, 0 likes, 2 Comments

Using Email Encryption: Remote tenants not able to authenticate / open encrypted messages
We are using automation plus a flow rule to force encrypted emails via flow rules that apply Office 365 Message Encryption and Rights Protection with the "Encrypt Only" policy. However, when we send to people who are on remote tenants, we run into an unusual problem. Some tenants "just work", while other tenants hard fail with a notice that says the following:

Selected user account does not exist in tenant 'Tenant Name' and cannot access the application 'UUID Here' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

Unfortunately, there's no option to bypass this for those recipients and no way to force one-time password authentication options where they have to request an OTP and then use that. It enforces the use of MS365 Tenant auth rather than OTP, which is unusual and problematic because while *certain* remote tenants "just work", others do not. I'm confused as to where to look next. Is there a way to force OTP-only in the outgoing encryption for a message with transport rules on the Outlook 365 admin panel? Alternatively, is there a way to automatically permit external tenant accounts/recipients to just work? Please feel free to ask any questions necessary to solve this on our end; it's a core component of one of our information sending systems to partners and it's not working as intended.
1K Views, 0 likes, 1 Comment

Email Encryption Issues
We have an Outlook rule in place so that any email that includes “Secure:” in the subject line will be sent out encrypted. The issue that has been escalated recently is that if the email has “Secure:” in the subject line, plus an attachment that is not encrypted such as a PDF or Excel file, the recipient receives the email but cannot open the file. They get an error message that says your Outlook account does not have permission to open this file, please contact [senders’ email]. We have O365 E1 licensing. One user has E3 and does not experience this issue.
448 Views, 0 likes, 2 Comments

Outlook desktop client is encrypting emails despite the sensitivity label setting
We have 3 different sensitivity labels set up: General, Internal and Confidential. The General label does not encrypt content; Internal and Confidential do. The default label for emails is Confidential. When someone uses the Outlook Desktop client (release 2407) and switches from Confidential to General, the email is still encrypted. This doesn't happen with the Outlook web client. If they switch from Confidential to Internal and then to General, the email is not encrypted. Has anyone else seen this behavior?
910 Views, 0 likes, 6 Comments

How to Handle an Unwanted Sensitivity Label
Sometimes sensitivity labels defined for use within a Microsoft 365 tenant turn out to be unnecessary. The question then is what to do with these unwanted sensitivity labels. The answer is to pause for thought, gather information, and then make an informed decision, all of which we discuss here.
https://practical365.com/how-to-handle-an-unwanted-sensitivity-label/
189 Views, 0 likes, 0 Comments

General Availability: Purview Customer Key Using Managed HSM
We are excited to announce the general availability of Purview Customer Key using Managed HSM. This new feature enhances your data security by allowing you to manage and control your own encryption keys using Azure Managed HSM. This release is the result of the efforts of the Microsoft 365 Data-At-Rest Encryption Engineering team.

With Customer Key using Managed HSM, you can:
- Achieve higher security: Managed HSM provides dedicated, FIPS 140-2 Level 3 validated hardware for key protection, offering enhanced security over standard Azure Key Vaults.
- Ensure compliance: Meet stringent regulatory and compliance requirements with the advanced security features of Managed HSM.
- Maintain control: Enjoy full control over your encryption keys, including key lifecycle management, within a highly secure, tamper-resistant environment.
- Enhance performance: Benefit from the high availability and scalability of Managed HSM for critical workloads.

Purview Customer Key now supports three different options for key storage: Standard Azure Key Vault, Premium Azure Key Vault and Managed HSM. For more details about the differences between these options, see How to choose the right key management solution. Start leveraging the enhanced security and compliance benefits of Customer Key using Managed HSM today. For more information, visit Set Up Customer Key or learn more about Azure Key Vault and Managed HSM.

With Gratitude,
M365 Data-at-Rest Encryption
497 Views, 3 likes, 0 Comments

How to protect data and secure devices with Intune [App Protection Policy] 📱🔒
Protecting an organization's data on mobile devices is crucial for companies. In this video, I'll talk about Microsoft Intune and how you can leverage the capabilities of App Protection Policy to secure your company data on mobile devices. Some scenarios covered include allowing copy/paste between trusted apps, avoiding screenshots and screen recording of organization data, sharing files only between managed apps, adding a PIN to access, and encrypting data. #DataProtection #MobileSecurity #MicrosoftIntune
383 Views, 0 likes, 0 Comments

Outlook Encrypted Email Issues
I have deployed M365 DLP controls to block password-protected attachments that cannot be scanned and am telling users to use Outlook Encryption instead to protect outgoing email attachments. However, a number of external companies have reported not being able to open the encrypted messages, and the screenshots provided show that they are trying to authenticate as a guest user in my Entra ID instance (rather than using their own IdP, SSO or an OTP). What would cause that and how do I resolve?
Solved, 3.2K Views, 0 likes, 7 Comments

Where and how are the Outlook Message Encryption templates managed?
We have Microsoft 365 Business Premium licenses. Within Outlook, when you create a new email and go to the Options tab, there is an Encrypt button with the following options: Encrypt-Only, Do Not Forward, Confidential - All Employees, and Highly Confidential - All Employees. I want to see if I can create some specific ones for certain use cases but I'll be damned if I can find where these are set. I would also like to find out the specific restrictions each of these puts in place. I can distinctly remember messing around with message encryption templates a year (or more) ago but fast forward to today and everything seems to be retired or replaced or moved and I can't for the life of me locate where these email encryption templates are located. The MS docs are all over the place and searching for things in the Azure portal pulls up nothing (or old docs that aren't current anymore). I know labels are now a big thing and maybe I missed migrating these encryption templates to labels? (In my searches I've seen ARM then Azure Information Protection which seems to be replaced by Rights Management Service and then talk about labels...)
4.5K Views, 0 likes, 2 Comments

E-mail encryption OME Support Req OTP Read E-mail internal Org Microsoft365 ?
Hi everyone,

Now I have a problem. If I have encrypted and sent an e-mail to a destination that is Hosting Mail, Gmail, Hotmail, when the recipient opens and reads the e-mail, they must request an OTP. It can work. But if I send it to employees in the organization, and external org Microsoft 365 users, there is no OTP request required to read the email. I need it to work like if I sent it outside, but every time I read that email I need to request an OTP. Can it be done? Request additional methods.

Thank you
878 Views, 0 likes, 2 Comments