cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AIP Question User "reuse"

Thomas Huth
Brass Contributor

‎Sep 03 2021 03:00 AM

‎Sep 03 2021 03:00 AM

AIP Question User "reuse"

Hello, 

I have I question how this scenario is handled.

User A was granted access to a document. After a while User A leaves the company and his account is deleted.
After a while User B start to work in the company, in a different role. But he has the identical name (from User A) and so he gets the identical Azure AD ProxyAddresses attribute and Azure AD UserPrincipalName.

What will happen when User B tries to open (read) the document.

Can he read the document because he has the “identical” attributes, or does AIP recognize (hopefully) that he is a different user?

If AIP recognize these accidental doubles and prohibited unwanted access, what are the technical details? User Object ID or something else?

Or do we need to deal with this problem on an organization level?

598 Views
0 Likes
2 Replies
Reply
2 Replies
pvanberlo

‎Sep 03 2021 03:52 AM

‎Sep 03 2021 03:52 AM

Re: AIP Question User "reuse"

Don't have any direct experience, but I would certainly expect Microsoft to use the Object (GU)ID for these things, or some other unique GUID associated with a user. Things like e-mail addresses, and a UPN, can of course change. Perhaps someone else has more direct experience with this.
0 Likes
Reply
Thomas Huth

‎Sep 03 2021 03:58 AM

‎Sep 03 2021 03:58 AM

Re: AIP Question User "reuse"

Thanks, something like that is what I expect.
From that documentation
https://docs.microsoft.com/en-us/azure/information-protection/how-does-it-work#cryptographic-control...
this part:

What's happening in step 1: The authenticated user sends the document policy and the user’s certificates to the Azure Rights Management service. The service decrypts and evaluates the policy, and builds a list of rights (if any) the user has for the document. To identify the user, the Azure AD ProxyAddresses attribute is used for the user's account and groups to which the user is a member. For performance reasons, group membership is cached. If the user account has no values for the Azure AD ProxyAddresses attribute, the value in the Azure AD UserPrincipalName is used instead.

This talks about a user certificate.
I hope someone from Microsoft can clarify.
0 Likes
Reply