Forum Discussion

sumo83
Iron Contributor
Oct 04, 2024

Encryption of documents via Sensitivity label and external parties

Hi all,

I am wondering whether I can get some better picture of what would be the impact of sharing encrypted documents to external parties.


My scenario:
I am using MS Purview to create sensitivity labels. I have two labels that apply encryption, with access set to "any authenticated users" and the permission set to "co-author". Now, I've sent this document via email to my personal Gmail account. I do not have Google Workspace, so I can't properly check whether there is any difference.


My experience was that I could not open that document using Google Docs, for example.

If I apply the label to the email, it works fine, as it takes me through the one-time code and I can open it. However, for documents it does not go through any OTP or similar check (which is a known limitation from what I've found in the MS documentation).


I am wondering what the best practice is, or how you people deal with these scenarios?

  • IvanWilson
    Iron Contributor
    In my testing, Gmail doesn't support documents encrypted with sensitivity labels.

    Encrypted emails are handled differently. The encrypted email is sent in a "wrapper" email. If the recipient's email client supports the encrypted format, the client decrypts the email.

    If the client doesn't support the encrypted format (e.g. GMail), then the end user sees the wrapper message, which redirects the recipient to a Microsoft site where they can go through the one-time-password check and view the email plus attachments.

    So, you may need to send attachments as encrypted emails to ensure that non-supported recipients can easily view attachments.
    • sumo83
      Iron Contributor
      ...that is exactly what I've found out as well. For an encrypted attachment, I need to make sure the email itself is encrypted as well to force the authentication through OTP and have it all opened in the online "Microsoft 365 Message Encryption Viewer". The encrypted attachment can then be opened there.
