unified labeling

testuser7 271 Reputation points
2020-08-31T16:51:52.077+00:00

Hello,
I have one point to clarify with respect to Sensitivity Labels and AIP

Let’s say a user from one tenant (john@sender-tenant.com) protects a WORD document and authorizes a user from another tenant (mike@receiver-tenant.com).
So when Mike opens the WORD app, the RMS client employed by the WORD app to open the protected document will try to collect the access-token/id-token before hitting the RMS service in the cloud.
Which tenant would be the issuer of this token? Would it be John’s tenant (who labeled the document) or Mike’s tenant?

If it is John’s tenant (because the document is created and authorized by John) then I believe Mike must be one of the B2B/guest user of John’s tenant.
Besides, if John wants the external parties to also do MFA before opening the document, then that MFA must be configured in the conditional-access policy of John’s tenant, and hence Mike should be a B2B/guest user of John’s tenant.

Am I correct in my understanding ?

Thanks.

Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.

5 answers

  1. Vasil Michev 97,386 Reputation points MVP
    2020-08-31T17:46:36.95+00:00

    You don't need to be a guest. The token is only for authentication; what gives you access to the protected file is a "license" from the Azure RMS service, which can be issued for any tenant the service recognizes (as any Azure AD user can sign up for the 'free' RMS tier, this practically translates to any other O365 customer). Details are here: https://learn.microsoft.com/en-us/azure/information-protection/secure-collaboration-documents


  2. testuser7 271 Reputation points
    2020-08-31T18:07:03.237+00:00

    Thanks @Vasil Michev for your quick help.
    I am on-board with your answer.

    One point, though.

    So there is NO need for a B2B/guest user in my tenant to protect a document for an external person.
    The external person could have his own AAD tenant
    OR
    he could be in an MSA tenant
    OR
    he could be in an unmanaged tenant (RMS-for-individuals scenario)

    Depending upon the domain he puts in the AIP viewer app, he will be taken to that tenant for authentication and token collection.
    My tenant has no role in the authentication of this external person with whom the document is shared.

    So if I want to protect my authored document for this guy under a conditional-access policy requiring MFA, how does the flow get diverted to my tenant so that he fulfills the MFA check?

    Thanks.


  3. testuser7 271 Reputation points
    2020-08-31T19:20:15.73+00:00

    Thanks @Vasil Michev
    I am studying your input and the link. Not fully able to connect the dots.
    If the MFA claim is contained in the token, that token has to be generated by my tenant. And for that the RMS client has to direct the user to my tenant.

    This does not make sense, as the same approach would have to be taken for non-MFA-protected documents also.


  4. testuser7 271 Reputation points
    2020-09-03T13:17:43.98+00:00

    @Vasil Michev
    Looks like guest user creation happens in our tenant for every external user who opens the encrypted doc.
    The following is an excerpt from https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide

    When a user with a Microsoft account opens an encrypted document in this way, it automatically creates a guest account for the tenant if a guest account with the same name doesn't already exist. When the guest account exists, it can then be used to open documents in SharePoint and OneDrive by using a browser (Office on the web), in addition to opening encrypted documents from the Windows desktop app.

    Please have a look and help me understand if I am interpreting wrongly.

    Thanks.


  5. testuser7 271 Reputation points
    2020-09-15T14:56:55.677+00:00

    I think I got it now. Just for anybody's benefit:

    The external person could have his own AAD tenant
    OR
    he could be in an MSA tenant
    OR
    he could be in an unmanaged tenant (RMS-for-individuals scenario)

    If we are protecting a document for somebody like john@Stuff.com or john@mbox.com, then HE HAS TO BE IN an MSA tenant and he must be a B2B user in our tenant.
    When he signs in to the MSA tenant, it automatically creates a guest account in our tenant, OR you can invite & redeem him beforehand,
    so irrespective of CAP, such users always end up in our tenant.
    For users in an unmanaged tenant or their own AAD tenant, they NEED NOT BE in our tenant if CAP is not involved.
    For users in an unmanaged tenant or their own AAD tenant, they must be B2B users in our tenant if CAP is involved.
    Of course only CAP-MFA works. For CAP that involves device-state options, external users must also be excluded.

    I hope this works for both types of keys, i.e., BYOK and DKE (the replacement for HYOK).

    Thanks

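The policy the thread converges on (require MFA for external parties in the document owner's tenant, scoped to the Azure Rights Management service rather than to every app, and excluding guests from any device-state policy) can be expressed as a Conditional Access policy created through Microsoft Graph. The following is an added example, not code from the thread or from Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK, the `Policy.ReadWrite.ConditionalAccess` and `Application.Read.All` permissions, that the RMS service principal in the tenant is named "Microsoft Rights Management Services", and that the legacy `GuestsOrExternalUsers` user selector is accepted by the tenant's Graph endpoint (newer tenants also expose `includeGuestsOrExternalUsers`).

```powershell
# Added example (not from the original thread). Assumptions: Microsoft.Graph SDK installed,
# the signed-in admin holds Policy.ReadWrite.ConditionalAccess and Application.Read.All,
# and the RMS service principal carries the display name used in the filter below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the Azure RMS service principal at run time instead of hardcoding its app id,
# so the policy is scoped to document-open traffic rather than to all cloud apps.
$rms = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Rights Management Services'"
if (-not $rms) { throw "Azure RMS service principal not found in this tenant" }

$mfaForGuests = @{
    displayName   = "Require MFA for guests opening RMS-protected documents"
    # Start in report-only; flip to "enabled" after checking the sign-in logs show the
    # expected guest sign-ins against the RMS app and nothing unexpected.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }   # assumed legacy selector
        applications   = @{ includeApplications = @($rms.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaForGuests

# Companion policy showing the exclusion the last post mentions: a device-state
# control (compliant device) cannot be satisfied by an external user's device,
# so guests are excluded rather than blocked from every protected document.
$compliantDeviceForMembers = @{
    displayName   = "Require compliant device for members opening RMS-protected documents"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @("GuestsOrExternalUsers")   # assumed legacy selector
        }
        applications   = @{ includeApplications = @($rms.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $compliantDeviceForMembers

# Quick check that both policies landed and are still in report-only mode.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "*RMS-protected documents" } |
    Select-Object DisplayName, State
```

Both policies are created in report-only state on purpose: because the guest account for an MSA user is created on first open (see the excerpt in the fourth post), the first sign-in from that user appears in the sign-in logs only after the guest exists, and report-only lets you confirm the RMS app is what the guest actually hits before enforcement starts turning document opens into MFA prompts or failures.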