Forum Discussion
PavIT5
Oct 17, 2024 Copper Contributor
Sensitivity Labels & External Sharing
Can anyone help, please? We've rolled out sensitivity labels for emails and we're experiencing an issue with external recipients accessing downloaded attachments. In particular, when an encrypted ema...
PavIT5
Oct 17, 2024 Copper Contributor
Thank you for this clarification. So, what is the common practice then for when you need to send encrypted emails externally with documents containing sensitive information attached? There's no way of knowing what apps all external recipients use.
micheleariis
Oct 18, 2024 Steel Contributor
PavIT5 I use these 2 solutions:
- Microsoft 365 Message Encryption (OME)
Microsoft 365 Message Encryption (OME) can be a simpler solution to send encrypted emails externally, including attachments. This method ensures that external recipients can access the protected content securely through a web portal, avoiding compatibility issues with on-premises software.
External recipients access the email through a secure link, open the message in their browser, and view the attachments directly. This reduces the possibility of format conversion issues during download.
- Using a secure portal for external sharing
Use a secure portal or cloud sharing platform to send encrypted emails with attachments. This allows the recipient to access the files without having to deal with compatibility issues during download.
Instead of attaching the file directly to the email, you upload it to a secure cloud service (such as OneDrive, SharePoint, or another service), and the recipient accesses the file through a link. You can apply encryption and sensitivity labels to the document in the cloud, but the recipient views it through a web interface, avoiding download conversion issues.
Recipients can view and download the file without encountering format conversion issues.
You can control access rights, monitor downloads, and even revoke access if necessary.
- PavIT5 Oct 20, 2024 Copper Contributor
Thanks very much for confirming this. This is very helpful. One more question though. Does it mean that I'd need to create a separate SharePoint site for external sharing in case I have a policy preventing downloads from SharePoint (and OneDrive) on unmanaged devices? Or is there a better way?
- micheleariis Oct 21, 2024 Steel Contributor
PavIT5 Hi, in this case you do not need to create a separate SharePoint site for external sharing. Instead, you can leverage conditional access policies to block downloads to unmanaged devices for internal users, but allow external users more flexible access. If you have the necessary licenses, you can use Microsoft Defender for Cloud Apps (MCAS) session controls to monitor and control real-time actions on files, such as downloads, for external users. In addition, for even more effective management, you can combine these controls with sensitivity labels to apply appropriate sharing and access rules for different types of documents.
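One way to express the conditional access approach from the reply above, as an added example (not code from the thread or from Microsoft's documentation): a policy that applies SharePoint/OneDrive app-enforced restrictions to member users while excluding guests and external users. The admin URL placeholder, the policy display name and the report-only starting state are assumptions.

```powershell
# Added example. Assumed values: the admin URL placeholder and the display name.
# Requires the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules.

# 1. Define what a restricted session gets in SharePoint/OneDrive:
#    browser-only access with download, print and sync blocked.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'   # placeholder
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# 2. Conditional access policy that hands enforcement to the app, scoped to
#    all users EXCEPT guests/external users, so external recipients keep
#    normal access to the files shared with them.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'

$policy = @{
    displayName = 'SPO limited web access - members on unmanaged devices'  # assumed name
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @('GuestsOrExternalUsers')
        }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('browser')
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Read the policy back and confirm the guest exclusion was stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'ExcludedUsers'; e = { $_.Conditions.Users.ExcludeUsers } }
```

The policy starts in report-only mode so its effect on internal and guest sign-ins can be reviewed in the sign-in logs before `state` is changed to `enabled`.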
- PavIT5 Oct 28, 2024 Copper Contributor
Thank you very much for your answer. This really does help a lot. I'm still having issues with external recipients accessing Office documents (I think because of the compatibility issue) but in those cases PDF works as a workaround.