When working with Information Protection Sensitivity Labels it’s common to create labels which also enforce encryption. Today we have multiple predefined groups available, but which users do they really include. Because of this I have played through the different scenarios and provide an overview within this blog.
Test environment
Tenant name: contosokur.com
User | Home Tenant | User type contosokur.com | Group Membership contosokur.com |
---|---|---|---|
tk@contosokur.com | contosokur.com | User Member | M365 Team 1 |
tk@guestdomain.com | guestdomain.com | External Guest | All Guests (M365 group) M365 Team 1 |
tk@outlook.com | Microsoft Account | None | - |
Options
Microsoft provides four different options to choose from:
- Add all users and groups in your organization
- Add any authenticated users
- Add users or groups
- Add specific email addresses or domains
The following section explains which users are in scope of them.
Add all users and groups in your organization
The first intension was that this option includes all users objects including guest accounts of the tenant. Also because most guests will be part of a M365 Teams group. But it behaves differently and really only contains users as and no external guests, although they are member of a group.
User | Access | Access Audit |
---|---|---|
tk@contosokur.com | Yes | Office Apps --> Yes Web Apps --> No |
tk@guestdomain.com | No | - |
tk@outlook.com | No | - |
Add any authenticated users
This option is really simple, if a user is logged on in office or can provide credentials then it is allowed to access the documents. Interesting is here that access to the documents is not audited in the Activity explorer or no sign-in is detected in the Sign-in logs of the Microsoft Account. Also no Guest account is created in Azure AD.
User | Access | Access Audit |
---|---|---|
tk@contosokur.com | Yes | Office Apps --> Yes Web Apps --> No |
tk@guestdomain.com | Yes | Office Apps --> No Web Apps --> No |
tk@outlook.com | Yes | Office Apps --> No Web Apps --> No |
Add users or groups
For this test I specified the “All Guests” and “M365 Team 1” groups and granted Co-Author permissions.
User | Access | Access Audit |
---|---|---|
tk@contosokur.com | Yes | Office Apps --> Yes Web Apps --> No |
tk@guestdomain.com | Yes | Office Apps --> No Web Apps --> No |
tk@outlook.com | No | - |
Add specific email addresses or domains
For this test I add “contosokur.com” and “guestdomain.com” and granted Co-Author permissions to them.
User | Access | Access Audit |
---|---|---|
tk@contosokur.com | Yes | Office Apps --> Yes Web Apps --> No |
tk@guestdomain.com | Yes | Office Apps --> No Web Apps --> No |
tk@outlook.com | No | - |
Summary
Most of the options work as expected, but especially the missing audit of file read operation in web based apps is not optimal. Learn more about what is reported on Microsoft Learn.
An important discovery was that option 1, “Add all users and groups in your organization”, does not include guests although they are member of a group.
If you wish the behavior to allow all existing members and guests access to documents like I do often (With a strong guest Lifecycle management in mind we can assume that all guests have a signed NDA like employees), then you can create a dynamic group which contains all Guests and grant permissions to them.
- Microsoft Sentinel ASIM Parser demystified - March 31, 2024
- Enhancing Network Security Insights with IDS/IPS of Ubiquiti Dream Machine Pro and Microsoft Sentinel - March 10, 2024
- Ubiquiti Dream Machine Pro Logs to Microsoft Sentinel - February 6, 2024
0 Comments