SOLVED

Authenticated user very easy to steal

%3CLINGO-SUB%20id%3D%22lingo-sub-268223%22%20slang%3D%22en-US%22%3EAuthenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-268223%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20testing%20Azure%20information%20protection%20and%20it%20seems%20like%20an%20easy%20to%20use%20product.%3CBR%20%2F%3EMy%20only%20question%20is%20it%20safe%20enough%3F%3CBR%20%2F%3Ei%20tried%20to%20send%20an%20email%20to%20my%20gmail%20account%20with%20full%20rights%2C%20but%20with%20the%20authenticatedusers%20permission.%3C%2FP%3E%3CP%3Ei%20than%20took%20the%20link%20i%20got%20in%20my%20mail%20and%20adjusted%20the%20link%20with%20another%20email%20and%20it%20was%20no%20trouble%20so%20sign%20in%20wit%20the%20other%20mail.%20is%20that%20supposed%20to%20be%20like%20that%3F%3C%2FP%3E%3CP%3Ethat%20make%20me%20question%20the%20rest%20of%20the%20security%20of%20the%20product.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-268223%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EInformation%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-281166%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-281166%22%20slang%3D%22en-US%22%3E%3CP%3Ethat%20works.%20thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-281138%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-281138%22%20slang%3D%22en-US%22%3EMy%20guess%20would%20be%20that%20it%20needs%20to%20have%20some%20sort%20of%20protection%20if%20it%E2%80%99s%20not%20to%20inherit%20the%20protection%20from%20the%20%E2%80%9CDo%20not%20forward%E2%80%9D%20label.%20In%20theory%20you%20could%20probably%20make%20a%20label%20with%20protection%20that%20covers%20%E2%80%9Cany%20authenticated%20users%E2%80%9D%20with%20%E2%80%9Cco-owner%E2%80%9D%20permissions%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-281133%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-281133%22%20slang%3D%22en-US%22%3E%3CP%3Ei%20tryed%20to%20label%20it%20wit%20a%20label%20that%20doesnt%20have%20any%20protection%2C%20but%20that%20didnt%20work.%20must%20the%20label%20have%20a%20protection%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-281115%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-281115%22%20slang%3D%22en-US%22%3EIf%20you%20label%2Fprotect%20the%20document%20before%20you%20attach%20it%20(with%20a%20label%2Fprotection%20that%20enables%20the%20end%20user%20to%20do%20what%20you%20want%20them%20to)%2C%20it%20shouldn%E2%80%99t%20inherit%20the%20mails%20protection%20as%20far%20as%20I%20know.%3CBR%20%2F%3EIt%E2%80%99s%20intended%20that%20a%20protection%20label%20attached%20to%20an%20email%20(e.g.%20do%20not%20forward)%2C%20also%20protects%20any%20attachments.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-281057%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-281057%22%20slang%3D%22en-US%22%3E%3CP%3EHelo%2C%20again%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20am%20trying%20to%20send%20a%20mail%20with%20an%20attacment%20and%20only%20want%20the%20email%20to%20be%20cryptated%2C%20not%20the%20attachement.%3C%2FP%3E%3CP%3Ehow%20can%20i%20proceed%20to%20do%20that%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhen%20i%20use%20the%20do%20not%20forward%20button%2C%20the%20receiver%20can%20not%20download%20and%20edit%20the%20document.%3C%2FP%3E%3CP%3Ethat%20happens%20even%20if%20i%20have%20set%20a%20label%20with%20no%20restrictions%20on%20the%20dokument.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eappreciate%20anny%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-271881%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-271881%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20again.%20works%20like%20a%20dream!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-271523%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-271523%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20you%20can%20use%20the%20Do%20Not%20Forward%20option%20-%20which%20means%20that%20end%20users%20rather%20than%20admins%20control%20who%20can%20open%20the%20email.%26nbsp%3B%20You%20can%20implement%20the%20Do%20Not%20Forward%20option%20in%20many%20ways%2C%20which%20does%20include%20the%20Do%20Not%20Forward%20button%20as%20an%20Azure%20Information%20Protection%20policy%20setting.%26nbsp%3B%20But%20you%20can%20also%20implement%20it%20with%20a%20label%20that%20is%20displayed%20only%20in%20Outlook%2C%20with%20the%20user-defined%20permissions%20configuration%20(see%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fconfigure-policy-protection%23example-1-label-that-applies-do-not-forward-to-send-a-protected-email-to-a-gmail-account%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Efirst%20example%3C%2FA%3E%20in%20the%20link%20I%20provided).%26nbsp%3B%20When%20you%20use%20this%20configuration%20rather%20than%20the%20Do%20Not%20Forward%20button%2C%20it%20has%20the%20benefit%20that%20the%20email%20is%20classified%20as%20well%20as%20protected.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-271394%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-271394%22%20slang%3D%22en-US%22%3E%3CP%3EHelo%2C%3C%2FP%3E%3CP%3EAnd%20thank%20you!%20Yes%20you%20have%20understood%20me%20correct.%3C%2FP%3E%3CP%3EThis%20explains%20what%20i%20didnt%20get.%3C%2FP%3E%3CP%3EBut%20is%20there%20a%20way%20to%20ensure%20only%20the%20external%20emailaccount%20you%20send%20to%20can%20open%20the%20dokument%3F%3C%2FP%3E%3CP%3Ewill%20do%20not%20forward%20button%20solv%20that%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eregards%3C%2FP%3E%3CP%3ETor%20Marius%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-271196%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticated%20user%20very%20easy%20to%20steal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-271196%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20you%20say%20%22%3CSPAN%3Eauthenticatedusers%20permission%3C%2FSPAN%3E%22%2C%20are%20you%20referring%20to%20the%20option%20%22Add%20any%20authenticated%20user%22%20option%20in%20the%20Azure%20portal%3F%26nbsp%3B%20If%20yes%2C%20did%20you%20read%20up%20about%20this%20option%2C%20more%20information%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fconfigure-policy-protection%23more-information-about-add-any-authenticated-users%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E%20and%20includes%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EThis%20setting%20%3CSTRONG%3Edoesn't%20restrict%20who%20can%20access%20the%20content%3C%2FSTRONG%3E%20that%20the%20label%20protects%2C%20while%20still%20encrypting%20the%20content%20and%20providing%20you%20with%20options%20to%20restrict%20how%20the%20content%20can%20be%20used%20(permissions)%2C%20and%20accessed%20(expiry%20and%20offline%20access).%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E...%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CFONT%3ESome%20typical%20scenarios%20for%20the%20any%20authenticated%20users%20setting%3A%20%3C%2FFONT%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CEM%3E%3CFONT%3EYou%20don't%20mind%20who%20views%20the%20content%2C%20but%20you%20want%20to%20restrict%20how%20it%20is%20used.%20For%20example%2C%20you%20do%20not%20want%20the%20content%20to%20be%20edited%2C%20copied%2C%20or%20printed.%20%3C%2FFONT%3E%3C%2FEM%3E%3C%2FLI%3E%0A%3CLI%3E%3CEM%3E%3CFONT%3EYou%20don't%20need%20to%20restrict%20who%20accesses%20the%20content%2C%20but%20you%20want%20to%20be%20able%20to%20track%20who%20opens%20it%20and%20potentially%2C%20revoke%20it.%20%3C%2FFONT%3E%3C%2FEM%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%3E%3CEM%3EYou%20have%20a%20requirement%20that%20the%20content%20must%20be%20encrypted%20at%20rest%20and%20in%20transit%2C%20but%20it%20doesn't%20require%20access%20controls.%3C%2FEM%3E%20%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ESo%20if%20you%20want%20to%20restrict%20the%20email%20to%20specific%20Gmail%20users%2C%20you%20must%20use%20a%20different%20configuration.%20For%20example%2C%20specify%20the%20Gmail%20accounts%20in%20the%20label%20configuration%20(the%20admin%20controls%20the%20user%20access)%20or%20use%20the%20User-defined%20option%20of%20Do%20Not%20Forward%20(the%20user%20controls%20the%20user%20access).%20For%20different%20configurations%20that%20are%20possible%2C%20you%20might%20find%20it%20useful%20to%20look%20over%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fconfigure-policy-protection%23example-configurations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eexamples%3C%2FA%3E%20at%20the%20end%20of%20the%20documentation%20I%20quoted.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello,

 

I am testing Azure information protection and it seems like an easy to use product.
My only question is it safe enough?
i tried to send an email to my gmail account with full rights, but with the authenticatedusers permission.

i than took the link i got in my mail and adjusted the link with another email and it was no trouble so sign in wit the other mail. is that supposed to be like that?

that make me question the rest of the security of the product.

 

 

9 Replies
Best Response confirmed by Tor Marius Lillestøl (Occasional Contributor)
Solution

When you say "authenticatedusers permission", are you referring to the option "Add any authenticated user" option in the Azure portal?  If yes, did you read up about this option, more information here and includes:

 

This setting doesn't restrict who can access the content that the label protects, while still encrypting the content and providing you with options to restrict how the content can be used (permissions), and accessed (expiry and offline access).

...

Some typical scenarios for the any authenticated users setting:

  • You don't mind who views the content, but you want to restrict how it is used. For example, you do not want the content to be edited, copied, or printed.
  • You don't need to restrict who accesses the content, but you want to be able to track who opens it and potentially, revoke it.
  • You have a requirement that the content must be encrypted at rest and in transit, but it doesn't require access controls.

So if you want to restrict the email to specific Gmail users, you must use a different configuration. For example, specify the Gmail accounts in the label configuration (the admin controls the user access) or use the User-defined option of Do Not Forward (the user controls the user access). For different configurations that are possible, you might find it useful to look over the examples at the end of the documentation I quoted.

Helo,

And thank you! Yes you have understood me correct.

This explains what i didnt get.

But is there a way to ensure only the external emailaccount you send to can open the dokument?

will do not forward button solv that?

 

regards

Tor Marius

Yes, you can use the Do Not Forward option - which means that end users rather than admins control who can open the email.  You can implement the Do Not Forward option in many ways, which does include the Do Not Forward button as an Azure Information Protection policy setting.  But you can also implement it with a label that is displayed only in Outlook, with the user-defined permissions configuration (see the first example in the link I provided).  When you use this configuration rather than the Do Not Forward button, it has the benefit that the email is classified as well as protected.

Thank you again. works like a dream!

Helo, again :)

 

i am trying to send a mail with an attacment and only want the email to be cryptated, not the attachement.

how can i proceed to do that?

 

when i use the do not forward button, the receiver can not download and edit the document.

that happens even if i have set a label with no restrictions on the dokument.

 

 

appreciate anny help.

 

If you label/protect the document before you attach it (with a label/protection that enables the end user to do what you want them to), it shouldn’t inherit the mails protection as far as I know.
It’s intended that a protection label attached to an email (e.g. do not forward), also protects any attachments.

i tryed to label it wit a label that doesnt have any protection, but that didnt work. must the label have a protection?

My guess would be that it needs to have some sort of protection if it’s not to inherit the protection from the “Do not forward” label. In theory you could probably make a label with protection that covers “any authenticated users” with “co-owner” permissions

that works. thank you.