AIP Question User "reuse"


Hello, 

I have a question about how this scenario is handled.

User A was granted access to a document. After a while User A leaves the company and his account is deleted.
After a while User B starts to work in the company, in a different role. But he has the identical name as User A, and so he gets the identical Azure AD ProxyAddresses attribute and Azure AD UserPrincipalName.

What will happen when User B tries to open (read) the document?

Can he read the document because he has the “identical” attributes, or does AIP recognize (hopefully) that he is a different user?

If AIP recognizes these accidental doubles and prohibits unwanted access, what are the technical details? User Object ID or something else?

Or do we need to deal with this problem on an organization level?

Don't have any direct experience, but I would certainly expect Microsoft to use the Object (GU)ID for these things, or some other unique GUID associated with a user. Things like e-mail addresses, and a UPN, can of course change. Perhaps someone else has more direct experience with this.
Thanks, something like that is what I expect.
From that documentation
https://docs.microsoft.com/en-us/azure/information-protection/how-does-it-work#cryptographic-control...
this part:

What's happening in step 1: The authenticated user sends the document policy and the user’s certificates to the Azure Rights Management service. The service decrypts and evaluates the policy, and builds a list of rights (if any) the user has for the document. To identify the user, the Azure AD ProxyAddresses attribute is used for the user's account and groups to which the user is a member. For performance reasons, group membership is cached. If the user account has no values for the Azure AD ProxyAddresses attribute, the value in the Azure AD UserPrincipalName is used instead.

This talks about a user certificate.
I hope someone from Microsoft can clarify.