You don't need to be a guest. The token is only for authentication; what gives you access to the protected file is a "license" from the Azure RMS service, which can be issued for any tenant the service recognizes (as any Azure AD user can sign up for the 'free' RMS tier, this practically translates to any other O365 customer). Details are here: https://learn.microsoft.com/en-us/azure/information-protection/secure-collaboration-documents
Hello,
I have one point to clarify with respect to Sensitivity Labels and AIP.
Let's say a user from one tenant (john@sender-tenant.com) protects a Word document and authorizes a user from another tenant (mike@receiver-tenant.com).
So when Mike opens the Word app, the RMS client employed by the Word app to open the protected document will try to collect the access token/ID token before hitting the RMS service in the cloud.
Which tenant would be the issuer of this token? Would it be John's tenant (who labeled the document) or Mike's tenant?
If it is John's tenant (because the document is created and authorized by John), then I believe Mike must be a B2B/guest user of John's tenant.
Besides, if John wants the external parties to also do MFA before opening the document, then that MFA must be configured in the conditional policy of John's tenant, and hence Mike should be a B2B/guest user of John's tenant.
Am I correct in my understanding?
Thanks.
testuser7 271 Reputation points
2020-08-31T18:07:03.237+00:00
Thanks @Vasil Michev for your quick help.
I am on board with your answer. One point, though.
So there is NO need for a B2B/guest user in my tenant to protect a document for an external person.
The external person could have his own AAD tenant,
OR
he could be in the MSA tenant,
OR
he could be in an unmanaged tenant (RMS for individuals scenario).
Depending upon the domain he puts in the AIP viewer app, he will be taken to that tenant for authentication and token collection.
My tenant has no role in the authentication of this external person with whom the document is shared. So if I want to protect my authored document for this guy under a conditional policy of MFA, how does the flow get diverted to my tenant so that he fulfills the MFA check?
Thanks.
testuser7 271 Reputation points
2020-08-31T19:20:15.73+00:00
Thanks @Vasil Michev
I am studying your input and the link. Not fully able to connect the dots.
If the MFA claim is contained in the token, that token has to be generated by my tenant. And for that the RMS client has to direct the user to my tenant. This does not make sense, as the same approach should be taken for non-MFA-protected documents also.
testuser7 271 Reputation points
2020-09-03T13:17:43.98+00:00
@Vasil Michev
Looks like guest user creation happens in our tenant for every external user who is opening the encrypted doc.
Following is an excerpt from https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide:
"When a user with a Microsoft account opens an encrypted document in this way, it automatically creates a guest account for the tenant if a guest account with the same name doesn't already exist. When the guest account exists, it can then be used to open documents in SharePoint and OneDrive by using a browser (Office on the web), in addition to opening encrypted documents from the Windows desktop app."
Please have a look and help me understand if I am interpreting it wrongly.
Thanks.
testuser7 271 Reputation points
2020-09-15T14:56:55.677+00:00
I think I got it now. Just for anybody's benefit:
The external person could have his own AAD tenant,
OR
he could be in the MSA tenant,
OR
he could be in an unmanaged tenant (RMS for individuals scenario).
If we are protecting a document for somebody like john@Stuff .com or john@mbox.com, then HE HAS TO BE IN the MSA tenant and he must be a B2B user in our tenant.
When he signs in to the MSA tenant, it automatically creates a guest account in our tenant, OR you can invite & redeem him beforehand.
So irrespective of CAP, such users always end up in our tenant.
For users in an unmanaged tenant or their own AAD tenant, they NEED NOT BE in our tenant if CAP is not involved.
For users in an unmanaged tenant or their own AAD tenant, they must be B2B users in our tenant if CAP is involved.
Of course only CAP-MFA works. For CAP that involves device state options, external users must also be excluded. I hope this works for both types of keys, i.e., BYOK and DKE (replacement of HYOK).
Thanks