User Profile
OzOscroft
Iron Contributor
Joined 6 years ago
Recent Discussions
Re: External people can't open files with Sensitivity Label encryption.
That's certainly how we want it to work, but does add another question. One of the documented benefits of forcing authentication is that you have an audit log of who has opened a document. But if the external recipients aren't authenticating back to your tenant, how / where would this audit log be available? And the other question is obviously "what is stopping external people opening docs we send out?" ... and why does almost every other organisation seemingly have the same issue? Really can't face 17 hours on calls and a gazillion emails with Microsoft Support to not solve the issue.

Re: External people can't open files with Sensitivity Label encryption.
Thanks Samuel Agyei. When you say the current setup aligns with best practice, do you mean that having to add users as Guests or set up B2B Direct Connect with individual tenants is the way to do it? I've seen mention of permitting RMS under the inbound access settings; does that mean having that as a default for B2B Direct Connect, or do you have to set up each external tenant separately and allow it for each one? And can you point me at instructions for how to do this please, as I've searched and failed!

Re: External people can't open files with Sensitivity Label encryption.
Thanks for your help with this Tony, it's very kind of you. You'll see from others commenting on this thread that their understanding / experience is the same as mine (i.e. that external people need to be a Guest / B2B Direct Connect needs to be set up for them to be able to open encrypted documents attached to emails). I've spun up an MDX Purview tenant to send myself some labelled documents to see what the experience is there. The confusion continues!!!!

Re: External people can't open files with Sensitivity Label encryption.
Thanks Nilson_, really reassuring to know my understanding wasn't way off the mark. It sounds like the options I listed were correct, and that sharing links are ideal wherever possible. We can also set up B2B Direct Connect with orgs we want to regularly share encrypted content with. The confusing thing is that I think TonyRedmond is saying that the external users should NOT need to be a Guest or for us to have B2B Direct Connect set up with their tenant. #StillSlightlyConfused

Re: External people can't open files with Sensitivity Label encryption.
That was my original expectation of how it should work too, but all the reading I've done since has suggested that the recipient either needs to be a Guest in your tenant, or a B2B trust relationship needs to be set up between the tenants for it to work. Could you just confirm there are no trust relationships between the two tenants you tested on, and that the recipient isn't a Guest in the host tenant please?

Re: External people can't open files with Sensitivity Label encryption.
Thanks Tony, so much to consider in this space and very helpful having people like you who kindly share their knowledge! We've applied a label which controls access using the 'Any authenticated users' option to a document, attached that to an email, and sent it to a number of external users. We've found that if they already exist as a Guest in our tenant (or their tenant is set up via B2B Direct Connect) they can open the document, but if they don't, they can't - they get the error that their account doesn't exist in our tenant. Same experience using labels where you pick users when assigning the label. I think you're saying they shouldn't need to be a Guest or have B2B set up for this to all work, but it doesn't. Could this be that we haven't got something configured correctly somewhere else please?

External people can't open files with Sensitivity Label encryption.
Question: What are the best practices for ensuring external users can open files encrypted with Sensitivity Labels?

Hi all. I've been investigating proper setup of sensitivity labels in Purview, and the impact on user experience. The prerequisites are simple enough, creating and configuring the labels reasonably straightforward, and publishing them is a breeze. But using them appears to be a different matter! Everything is fine for labels that don't apply encryption (control access) or when used internally. However, the problems come when labels do apply encryption and information is sent externally. The result is that we apply a label to a document, attach that document to an email, and send it externally - and the recipient says they can't open it and they get an error that their email address is not in our directory. This is because, due to the encryption, the external user needs to authenticate back to our tenant, and if they're not in our tenant they obviously can't do this, so the files won't open.

So, back to the question above. What's the easiest / most secure / best way to add any user we might share encrypted content with to our tenant? As I see it we have the following options:

1. Users have to request Admins add the user as a Guest in our tenant before they send the content. Let's face it, they'll not do this and/or get frustrated.
2. Users share encrypted content directly from SharePoint / OneDrive, rather than attaching it to emails (as that would automatically add the external person as a Guest in the tenant). This will be fine in some circumstances, but won't always be appropriate (when you want to send them a point-in-time version of a doc). With good SharePoint setup, site Owners would also have to approve the share before it gets sent, which could delay things.
3. Admins add all possible domains that encrypted content might be shared with to Entra B2B Direct Connect (so the external recipient doesn't have to be in our tenant). This may not be practical as you often don't know who you'll need to share with and we work with hundreds of organisations. The bigger gotcha is that the external organisation would also have to configure Entra B2B Direct Connect.
4. Admins default Entra B2B Direct Connect to 'Allow All'. This opens up a significant attack surface and also still requires any external organisation to configure Entra B2B Direct Connect as well.

I really want to make this work, but it needs to be as simple as possible for the end users sharing sensitive or confidential content. And all of the above options seem to have significant down-sides. I'm really hoping someone who uses Sensitivity Labels on a day-to-day basis can provide some help or advice to share their experiences. Thanks, Oz.

The best Microsoft solution to deliver a client portal?
Hi all. I'm trying to work out the best solution from the Microsoft suite to create a client portal. Somewhere simple to share documents and ideally collaborate. Yes, Teams and SharePoint have that functionality, but they largely have to be set up manually for each client, either adding relevant users as Guests, creating shares, or setting up Azure B2B Direct Connect with each client individually. Does anyone know of any Microsoft product which provides 'proper' client portal functionality - perhaps one of the Dynamics 365 products?

Set historic calendar entries for a specific user to private
Hi all. To improve engagement and to make organising meetings easier, I'd like to automatically set everyone's calendar so that everyone else in the organisation can see the title & location of appointments / meetings. For this I'm going to use the following Exchange Online PowerShell script:

# Grant the Default (everyone in the org) user LimitedDetails (free/busy, subject and location) on every mailbox's Calendar folder.
# -ResultSize Unlimited avoids the default 1000-mailbox cap on Get-Mailbox.
Get-Mailbox -ResultSize Unlimited | ForEach-Object { Set-MailboxFolderPermission -Identity "$($_.PrimarySmtpAddress):\Calendar" -User Default -AccessRights LimitedDetails }

However, before I do this, I'd like to offer individuals who have a lot of sensitive meetings (e.g. HR, Finance, Execs) the option to set all their historic calendar entries to Private (so only invitees would be able to see any details). Is it possible to do this with PowerShell please? It's easy to set their whole calendar to Private, but I'd just like to set historic calendar entries with this tag. Hope you can help, and thank you.

Re: Preset policies have suddenly started notifying users of quarantined messages
Hi tommyg845 - I've no idea why Microsoft have made this change. I agree that it's not a positive one and is increasing the risk of users releasing potentially malicious messages without appropriate due diligence. Here's hoping the feedback request to allow us to apply different notification policies gets enough upvotes and is heeded!

Re: Preset policies have suddenly started notifying users of quarantined messages
Hi all. As well as encouraging anyone who doesn't like this change to head to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter/:/messages/MC505088 and hit the Dislike button at the bottom, I've added a request in the feedback portal. Please upvote if you think that Admins should be able to configure when users receive quarantine notifications: Allow Admins to configure quarantine notifications for Standard and Strict preset threat policies · Community (microsoft.com)

Re: Preset policies have suddenly started notifying users of quarantined messages
Thanks alexhudish - that's the update we all seem to have missed! Not being able to configure this is terrible, but at least we know why the change has happened. I'd encourage anyone who doesn't like this change to head to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter/:/messages/MC505088 and hit the Dislike button at the bottom! Here's the main text (excluding the detailed table of changes) for info:

------------------------
Message Summary

Updated March 22, 2023: We have updated the rollout timeline below. Thank you for your patience.

We are updating the recommended quarantine notification policy in the Standard and Strict preset security policies. With the DefaultFullAccessWithNotificationPolicy, users will receive quarantine notifications for emails quarantined due to the corresponding threat policy.

*Note that the Quarantine policy assigned here is ineffective since the delivery location is Junk folder

Here is what the quarantine notification looks like: [image]

When this will happen: We will begin rolling this out in mid-February 2023 and complete rolling out by mid-April 2023 (previously mid-March).

How this will affect your organization: If your organization has enabled preset security policies, these will be automatically updated to include the quarantine notification policies (DefaultFullAccessWithNotificationPolicy) as listed in the above table for the standard and strict protection preset profiles.

What you need to do to prepare: No action required. Please review the following links to learn more:
What are quarantine notifications? Quarantine notifications (end-user spam notifications) in Microsoft 365 - Office 365 | Microsoft Learn
Specific controls set in Preset Security Policies: Microsoft recommendations for EOP and Defender for Office 365 security settings - Office 365 | Microsoft Learn
We recommend enabling preset security policies for your organization: Steps to quickly set up the Standard or Strict preset security policies for Microsoft Defender for Office 365 - Office 365 | Microsoft Learn

Re: Preset policies have suddenly started notifying users of quarantined messages
Thanks TV202. The change you've highlighted is about how bulk messages are flagged and handled. It doesn't mention anything about changing notifications and even says there should be no impact on users. Unfortunately I therefore don't think this answers why users have suddenly started receiving quarantine notifications.

Re: Preset policies have suddenly started notifying users of quarantined messages
Thanks WDebruyne. However, we're using the Strict and Standard preset policies, which do not allow you to change (or even see) which quarantine policy is being applied. The only other policies in use are the default ones, but standard and strict take precedence so they wouldn't come into play (even so, I've checked the defaults and they're set to AdminOnlyAccessPolicy anyway). This is why I suspect Microsoft have changed the configuration of the notifications and there's nothing we can do about it.

Re: Preset policies have suddenly started notifying users of quarantined messages
teetotal_mike TV202 - thanks for confirming my suspicions that it's a change Microsoft have made, nothing we've done. For info, we first noticed it on Saturday 17th March; was this the same with you? We also think it's only affecting those covered by the strict preset policy rather than those on standard - is this your experience as well please? For info, I've raised a ticket with Microsoft and will keep you posted.

Preset policies have suddenly started notifying users of quarantined messages
Hi all. We have been using preset policies (standard and strict) for some time and were happy with the fact that they don't notify users of messages which have been quarantined (and nor is it possible to change the notification policy). However, quarantine notifications suddenly started turning up in users' mailboxes at the weekend. Have Microsoft changed something or released an unplanned change? Hoping you can help clarify the situation.