WPNinjas HeaderWPNinjas Header

Microsoft Purview Information protect predefined permission groups demystified

When working with Information Protection Sensitivity Labels it’s common to create labels which also enforce encryption. Today we have multiple predefined groups available, but which users do they really include. Because of this I have played through the different scenarios and provide an overview within this blog. 

Test environment

Tenant name: contosokur.com

UserHome TenantUser type
contosokur.com
Group Membership
contosokur.com
tk@contosokur.comcontosokur.comUser MemberM365 Team 1
tk@guestdomain.comguestdomain.comExternal GuestAll Guests (M365 group)
M365 Team 1
tk@outlook.comMicrosoft AccountNone-

Options

Microsoft provides four different options to choose from:

  1. Add all users and groups in your organization
  2. Add any authenticated users
  3. Add users or groups
  4. Add specific email addresses or domains

The following section explains which users are in scope of them.

Add all users and groups in your organization

The first intension was that this option includes all users objects including guest accounts of the tenant. Also because most guests will be part of a M365 Teams group. But it behaves differently and really only contains users as and no external guests, although they are member of a group.

UserAccessAccess Audit
tk@contosokur.comYesOffice Apps --> Yes
Web Apps --> No​
tk@guestdomain.comNo-
tk@outlook.comNo-

Add any authenticated users

This option is really simple, if a user is logged on in office or can provide credentials then it is allowed to access the documents. Interesting is here that access to the documents is not audited in the Activity explorer or no sign-in is detected in the Sign-in logs of the Microsoft Account. Also no Guest account is created in Azure AD.

UserAccessAccess Audit
tk@contosokur.comYesOffice Apps --> Yes
Web Apps --> No​
tk@guestdomain.comYesOffice Apps --> No
Web Apps --> No​
tk@outlook.comYesOffice Apps --> No
Web Apps --> No​

Add users or groups

For this test I specified the “All Guests” and “M365 Team 1” groups and granted Co-Author permissions. 

UserAccessAccess Audit
tk@contosokur.comYesOffice Apps --> Yes
Web Apps --> No​
tk@guestdomain.comYesOffice Apps --> No
Web Apps --> No​
tk@outlook.comNo-

Add specific email addresses or domains

For this test I add “contosokur.com” and “guestdomain.com” and granted Co-Author permissions to them.

UserAccessAccess Audit
tk@contosokur.comYesOffice Apps --> Yes
Web Apps --> No​
tk@guestdomain.comYesOffice Apps --> No
Web Apps --> No​
tk@outlook.comNo-

Summary

Most of the options work as expected, but especially the missing audit of file read operation in web based apps is not optimal. Learn more about what is reported on Microsoft Learn.

An important discovery was that option 1, “Add all users and groups in your organization”, does not include guests although they are member of a group.

If you wish the behavior to allow all existing members and guests access to documents like I do often (With a strong guest Lifecycle management in mind we can assume that all guests have a signed NDA like employees), then you can create a dynamic group which contains all Guests and grant permissions to them. 

Follow me

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.