Secure external collaboration using sensitivity labels
Published Sep 19 2020 07:08 AM
Microsoft

In this article we are going to clarify a topic which has been causing a lot of confusion and questions among our customers: “How do we securely share emails and documents with someone outside of our organization using sensitivity labels?”

 

Disclaimer: Considering the diversity of operating systems and productivity applications in use these days, and the vast number of possible combinations of identities and software, we will not be able to cover every scenario in this article; we will focus on the most common ones instead.

We assume that the reader has some basic knowledge about sensitivity labels: their purpose and how to create, apply, and manage them. If you are new to this field, a good place to start is here. We also highly recommend spending a fair amount of time reviewing the documentation on the Azure Rights Management Service (RMS), which is a critical component of all our Information Protection solutions and is responsible for encryption and access control management.

 

Before we jump into it, let’s set the stage by clarifying a few things first. Everything we are going to cover in this article is applicable both to the client-based solution, a.k.a. Azure Information Protection (AIP), and to the modern built-in labeling capability in Office 365 applications, which is part of the broader Microsoft Information Protection (MIP) framework. Both solutions use the same unified sensitivity labels.

 

Note: If for some reason you have not migrated your existing sensitivity labels to Unified Labeling yet, it is about time to do so, as the AIP classic client and label management in the Azure portal will be deprecated on March 31, 2021. Please find more info in the deprecation notice here.

 

We are also going to focus on Microsoft Office and Adobe PDF, as these are the most widely used file types and have full classification and protection support.

 

Alright, let’s say you need to implement a solution that will allow your users to securely share emails and documents with people outside of your organization (consumers, partners, auditors, etc.). In other words, share them with someone whose identity and device are out of your control.

 

When you create a sensitivity label, you can either determine which users get which permissions to content that has the label applied, or you can allow your users to make this decision when they apply the label (also commonly known as user-defined permissions or UDPs).

 

Figure 1: Creating a new sensitivity label in the Microsoft 365 Compliance center.

When it comes to the predefined permissions (Assign permissions now), we have four options as shown below.

 

Figure 2: Assign permissions dialog.

“Add all users and groups in your organization” is pretty much self-explanatory: all existing and future users and groups from your Azure Active Directory (AAD) tenant will be able to access and consume the protected content (emails and documents). This is a great option for secure internal collaboration, so we are not going to spend a lot of time here.

 

“Add any authenticated users”: with this option we can encrypt content and limit what users can do with protected emails or documents, but we can’t limit who is able to access the protected content – any authenticated user will be able to do so.

 

An example scenario might be when you need to share certain information (e.g. financial reports) with your customers or partners. Even if it’s overshared, it won’t cause any issues to your business, but you want to prevent this information from being copied and re-used outside of your documents. In addition to that, it is possible to make the protected content time-bound, as well as to control whether users can access it offline and for how long. In this case your label may look like this:

 

Figure 3: A sensitivity label granting Authenticated users view-only access.

 

“Add users and groups”: this option allows you to provide a list of AAD users and groups and specify what permissions each user or group will have for the protected content.

Note: There are several identity and software requirements and limitations that we are going to cover in detail later in this article.

 

For example, you can create a label for a team working on a specific project and allow them to use that label to securely collaborate with an approved list of external partners.

 

Figure 4: Assigning permissions to AAD groups.

 

You can invite anyone to collaborate with your organization by adding them to your directory as a guest user. Guest users can sign in with their own work, school, or social identities. 

 

Note: Please take a moment to review the current Azure Active Directory limitations and restrictions.

 

Figure 5: Group membership containing guest accounts from different providers.

 

Figure 6: Adding a new guest user.

 

This is a very granular and flexible way of managing who will be able to access your protected content, but it does add additional work for your AAD administrators.

 

“Add specific email addresses or domains”: with this option you can specify a list of specific email addresses or whole domains.

 

For instance, if you are a group of companies, each one with its own AAD tenant, you can list all domain names so that every user of those orgs will be able to access content protected by this label.

 

Figure 7: Permissions assigned to multiple domains.

 

If you have very complex requirements for your label you can mix and match any of those four options.

 

The last option we have is “Let users assign permissions when they apply the label”, a.k.a. user-defined permissions, which lets users specify who should be granted permissions and what those permissions are.

 

Figure 8: Creating a label with the user-defined permissions.

 

This is a good option when you do not know upfront who your users will be sharing the protected content with and you feel comfortable with transferring responsibility of making an appropriate security decision to the end users.

 

Note: As of this writing (9/15/2020) not all platforms support the user-defined permissions yet. Please keep an eye on our documentation to track our progress.
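The same label shapes as in Figures 3, 4, 7 and 8, defined with the Security & Compliance PowerShell cmdlets instead of the Compliance center UI. This is an added example, not code from the article; the label names, the project group address and the partner domains are hypothetical, and the rights keywords follow the documented `EncryptionRightsDefinitions` syntax ("Identity:RIGHT1,RIGHT2;Identity2:RIGHT3"), so verify them against the current New-Label reference for your tenant.

```powershell
# Added example (not from the article). Assumes an account that may manage labels;
# Connect-IPPSSession opens the Security & Compliance PowerShell session.
Connect-IPPSSession

# Rights sets matching the portal's "Viewer" and "Co-Author" presets.
$viewer   = 'VIEW,VIEWRIGHTSDATA'
$coAuthor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

# 1. "Add any authenticated users" (Figure 3): anyone who can sign in may read,
#    but the content expires after 30 days and works offline for at most 7 days.
New-Label -Name 'External-ViewOnly' -DisplayName 'External - View Only' `
    -Tooltip 'Readable by any authenticated user; no copy, edit or print' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "AuthenticatedUsers:$viewer" `
    -EncryptionContentExpiredOnDateInDaysOrNever 30 `
    -EncryptionOfflineAccessDays 7

# 2. "Add users and groups" mixed with "Add specific email addresses or domains"
#    (Figures 4 and 7): an internal project group plus two partner tenants,
#    each identified by its domain, all as co-authors. Addresses are hypothetical.
$rights = @(
    "projectx-team@contoso.com:$coAuthor",   # hypothetical AAD group
    "fabrikam.com:$coAuthor",                # hypothetical partner domain
    "tailspintoys.com:$coAuthor"             # hypothetical partner domain
) -join ';'
New-Label -Name 'ProjectX-Partners' -DisplayName 'Project X - Partners' `
    -Tooltip 'Project X team and approved partner domains' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 30

# 3. "Let users assign permissions when they apply the label" (Figure 8):
#    Word/Excel/PowerPoint prompt the user for recipients and rights,
#    Outlook applies Do Not Forward.
New-Label -Name 'Confidential-UDP' -DisplayName 'Confidential - Custom Permissions' `
    -Tooltip 'You choose who gets access and what they can do' `
    -EncryptionEnabled $true -EncryptionProtectionType UserDefined `
    -EncryptionPromptUser $true -EncryptionDoNotForward $true

# Publish the three labels to all Exchange users, then read back what was stored
# so the encryption settings can be reviewed before users start applying them.
New-LabelPolicy -Name 'External collaboration' `
    -Labels 'External-ViewOnly','ProjectX-Partners','Confidential-UDP' `
    -ExchangeLocation All
Get-Label -Identity 'ProjectX-Partners' | Format-List
```

Reviewing the `Get-Label` output is the quickest way to confirm that a domain entry really covers the whole partner tenant and that no broader identity (such as AuthenticatedUsers) slipped into a label meant for a closed partner list.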

 

Now, let’s switch sides and talk about what kind of identity and software your partners/recipients would need to have in order to successfully consume the protected content (emails and documents) you would like to share with them.

 

When it comes to identity, we can distinguish five main categories: work or school accounts (AAD), Microsoft Accounts, federated social providers, public email providers, and everything else.

 

Protected emails.

 

Identity type | OS | Email clients to open protected emails

Work or school account (Azure Active Directory)

Windows

MacOS

Android
  • Outlook for Android
  • Samsung Email App for Android
  • Outlook on the web (OWA)
  • In other cases, recipients would likely need to use the Office 365 Message Encryption (OME) web portal with either their work credentials or a one-time passcode (OTP)

iOS
  • Outlook for iOS
  • Outlook on the web (OWA)
  • In other cases, recipients would likely need to use the Office 365 Message Encryption (OME) web portal with either their work credentials or a one-time passcode (OTP)

Microsoft Account (live.com, outlook.com, hotmail.com)

Windows
  • Office 2013 SP1 and newer
  • Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus)
  • Windows 10 Mail and Calendar App
  • Outlook.live.com
  • In other cases, recipients would get an OME-protected message redirecting them to outlook.live.com

MacOS
  • Microsoft 365 Apps for Mac (formerly Office 365 for Mac)
  • Outlook.live.com
  • In other cases, recipients would get an OME-protected message redirecting them to outlook.live.com

Android
  • Outlook for Android
  • Outlook.live.com
  • In other cases, recipients would get an OME-protected message redirecting them to outlook.live.com

iOS
  • Outlook for iOS
  • Outlook.live.com
  • In other cases, recipients would get an OME-protected message redirecting them to outlook.live.com

Federated social providers (gmail.com, yahoo.com)

Windows, MacOS, Android, iOS
  • Recipients would need to use the Office 365 Message Encryption (OME) web portal with their federated social provider credentials or a one-time passcode (OTP)

Other public email providers (e.g. mail.com)

Windows, MacOS, Android, iOS

Other identity and email providers (e.g. corporate on-premises infrastructure)

Windows, MacOS, Android, iOS

 

Here are a few examples of what the user experience looks like depending on the platform and the type of identity used.

 

Figure 9: Seamless access to a protected email in Mail and Calendar App on Windows 10.

 

Figure 10: Seamless access to a protected email in Outlook for Mac.

 

Figure 11: Accessing a protected email using Outlook, Samsung Email App and Gmail App on Android.

 

Figure 12: Protected email sent to a mail.com user.

 

Figure 13: OME authentication page for different types of identity.

 

Figure 14: One-time passcode sent to a mail.com user.

 

Figure 15: Accessing a protected email using the OME portal.

 

Figure 16: Unintended recipient trying to access a protected email.

 

Protected documents.

 

Identity type | OS | Applications to open protected documents

Work or school account (Azure Active Directory)

Windows
  For Office documents:
  For PDF documents:
  • Adobe Acrobat DC or Acrobat Reader DC with the MIP plug-in. Please note that with third-party apps, recipients from other tenants receive a consent prompt that requires them to accept the sharing of the listed permissions (documented here).
  • AIP Viewer (part of the AIP client)

MacOS
  For Office documents:
  For PDF documents:
  • Adobe Acrobat DC or Acrobat Reader DC with the MIP plug-in. Please note that with third-party apps, recipients from other tenants receive a consent prompt that requires them to accept the sharing of the listed permissions (documented here).

Android
  For Office documents:
  • Office App for Android
  For PDF documents:
  • AIP Viewer App for Android

iOS
  For Office documents:
  • Office App for iOS
  For PDF documents:
  • AIP Viewer App for iOS

Microsoft Account (live.com, outlook.com, hotmail.com)

Windows
  For Office documents:
  For PDF documents:
  • Adobe Acrobat DC or Acrobat Reader DC with the MIP plug-in. Please note that with third-party apps, recipients from other tenants receive a consent prompt that requires them to accept the sharing of the listed permissions (documented here).

MacOS
  Not supported. Please keep an eye on our documentation for updates.

Android
  For Office documents:
  • Office App for Android
  For PDF documents:
  • AIP Viewer App for Android

iOS
  Not supported. Please keep an eye on our documentation for updates.

Federated social providers (gmail.com, yahoo.com)

Recipients would have to create a Microsoft Account using their Gmail/Yahoo email address.

Windows
  For Office documents:
  For PDF documents:
  • Adobe Acrobat DC or Acrobat Reader DC with the MIP plug-in. Please note that with third-party apps, recipients from other tenants receive a consent prompt that requires them to accept the sharing of the listed permissions (documented here).

MacOS
  Not supported. Please keep an eye on our documentation for updates.

Android
  For Office documents:
  • Office App for Android

iOS
  Not supported. Please keep an eye on our documentation for updates.

Other public identity providers (e.g. mail.com)

Recipients would have to create a Microsoft Account using their public email address.

Windows
  For Office documents:
  For PDF documents:
  • Adobe Acrobat DC or Acrobat Reader DC with the MIP plug-in. Please note that with third-party apps, recipients from other tenants receive a consent prompt that requires them to accept the sharing of the listed permissions (documented here).

MacOS
  Not supported. Please keep an eye on our documentation for updates.

Android
  For Office documents:
  • Office App for Android

iOS
  Not supported. Please keep an eye on our documentation for updates.

Other identity and email providers (e.g. corporate on-premises infrastructure)

Windows, MacOS, Android, iOS
  Recipients would need to sign up for RMS for Individuals using their company email address.

 

Here are a few examples of what the user experience of accessing a protected document looks like depending on the platform and the type of identity used.

 

Figure 17: Accessing a protected document shared by a user from a different AAD tenant using Office 365 for Mac.

 

Figure 18: Accessing a protected document using a Microsoft Account associated with a mail.com email address in Office 365 on Windows.

 

Figure 19: Accessing a protected document using a Microsoft Account associated with a mail.com email address in Office 365 on Windows.

 

Figure 20: Accessing a protected PDF file using AIP Viewer App on Android.

 

Now you are probably wondering: what about SharePoint Online, OneDrive and Teams? A lot of work is being done to enable different B2B and B2C scenarios for secure information sharing there, and it is a subject for its own blog post. So, stay tuned…

 

References:

Configuring usage rights for Azure Information Protection

Applications that support Azure Rights Management data protection

Message Encryption

Revoke email encrypted by Advanced Message Encryption

Automatically encrypt PDF documents with Exchange Online

Configuring secure document collaboration by using Azure Information Protection

Can Rights Management prevent screen captures?

Sharing encrypted documents with external users

RMS for individuals and Azure Information Protection

Which PDF readers are supported for protected PDFs?

Update history for Microsoft 365 Apps

Known issues with sensitivity labels in Office

Sharing external doc types across tenants

 

 

P.S. Consider joining our Yammer community where you can be one of the first to learn about MIP news, announcements, preview programs, meet information protection experts from around the world, and get your questions answered. 

12 Comments
Bronze Contributor

Thanks @Stanislav Belov for this comprehensive overview.

Something I am looking for is also the ability, when publishing Label Policies, to Exclude some AAD group and not just Include... a bit like conditional access... Would be awesome!

 

Christophe

 

Microsoft

@ChristopheHumbert thank you for your feedback. While this is not currently possible on the label management side, you can add some logic to the group membership by leveraging dynamic AAD groups.

Bronze Contributor

Thanks @Stanislav Belov for the feedback and the idea, but I have already tested this and you can't make a rule for a dynamic group with memberOf Group xxx, so the only way would be to rely on a specific attribute...

Brass Contributor

Thanks @Stanislav Belov 

 

For the protected documents with Federated social providers (gmail.com, yahoo.com) flow on Android, it says supported on Office apps. But Office apps on Android do not support this authentication method, right? Has this changed recently?

 

Microsoft
Brass Contributor

Thanks @Stanislav Belov. Tested with v 16.0.13231.20180 on Android. Authentication with a Microsoft account (created an account for Gmail) works, but the document opens read-only with this toolbar message: "This account does not allow editing on your device", although the user has been granted full permission. Is this a known issue?

Brass Contributor

Great article, compliments! ;)

Brass Contributor

The option “Add all users and groups in your organization” doesn't include guest users (AAD member type=guest)?

Brass Contributor

Roniy;

All users and groups in your organization includes guest users in your tenant. If you select Members, the guests are excluded.

 

Brass Contributor

Thanks for this post/article Stanislav!

 

I have a question, since the functionality seems to have changed here.

 

If two users in two separate domains/tenants/organizations want to share files, using their AAD accounts in CompanyA and CompanyB respectively.
Both have MS365 E5 and AIP UL with the latest AIP client, and both are running Windows 10 with Office 365 ProPlus click-to-run.
UserA in CompanyA.com emails a Word document that was protected with AIP, giving UserB in CompanyB.com the Review access role.

When UserB opens the file, an error states that a guest account is required in CompanyA.

The same thing happens when we do the opposite, from CompanyB to CompanyA.

 

Have we missed something, or has there been changes to the B2B and AIP/RMS services?

 

 

Copper Contributor

Hi, this post is a very good one! I have a question: in the roadmap, is there some solution to sign in with OTP in Office, avoiding the creation of an MS account?

 

Thanks

Copper Contributor

This is a great article and explains everything necessary to set up the label. Now, we have set up the AIP labels (encryption) for a few external recipient domains; however, they are annoyed with the process of logging in with their email ID each time they receive any new emails from us. Is there no option wherein they aren't required to verify their identity by logging in each time? I could not find any client AIP agent that can help circumvent the validation requirement for the recipients every time they receive an email from us.

Last update: Jun 11 2021 10:42 AM