G Suite Sync with Microsoft Outlook and RMS

Leave a comment

Today I had the opportunity to try out sending RMS protected messages to external recipients who use native Exchange-Outlook and G Suite Sync with Outlook.

I send a message to the external recipients from Outlook.

The external recipient with Outlook (I’ll call her Carmen) already has AIP client installed and RMS enabled in her tenant. The message opens with no issues.

The external recipient with G Suite Sync and Outlook (I’ll call him Ben) receives the message with the following text in the reading pane.

This message with restricted permission cannot be viewed in the reading pane until you verify your credentials. Open the item to read its contents and verify your credentials.

After double clicking on the message, the message below is displayed. Note that the sender is MOD Administrator from the sender tenant.

RMSProtectedMessage

After the Ben verifies his credentials, the email message is displayed.

So far so good.

Carmen replies all from Outlook; all is normal.

Ben replies all from his Outlook client; the original sender (MOD Administrator) and Carmen see this:

ReplyFromGSuite

However, when Ben replies all from Gmail via the Web browser, he sees the following message:

“You’ll automatically get an email copy of this message.” along with the label and the owner of the messages.

The original sender (MOD Administrator) and Carmen can view the message with no issues.

Ben, however, sees that the message comes from Office365@messaging.microsoft.com, not from his email address.

RMSReplyAllMessage

After the Ben verifies his credentials, the email message is displayed.

In summary – if you are using G Suite Sync with Outlook and responding to an encrypted message, be aware that your recipients may not be able to view your responses.

Thanks for reading!

Advertisements

Azure Information Protection (AIP) – Forward Permissions

Leave a comment

This post is another one of those “I found interesting” topics.

In Azure Information Protection, I configured users to use Viewer, one of the preset permissions templates. I accepted the default settings that the users have rights to View content, Reply, and Reply all.

AIPViewerPermissions

I sent an e-mail with an attachment classified as Restricted. This document is encrypted with Azure RMS.

The recipient of the e-mail could NOT print, edit, copy and paste into a different document. However, the recipient COULD forward the e-mail to a different recipient.

After much testing and researching, I found that the Forward option enables users to forward an e-mail message and to add recipients to the To and Cc lines. This right does not apply to documents; only e-mail messages. This information is referenced here.

I hope this helps in case you need to explain this to users during your AIP rollout.

Thanks for reading!

Encrypt E-mail with Attachments

Leave a comment

As I continue to test different settings in Azure Information Protection, I want to share one that I find interesting.

I configured AIP for e-mail message with attachments to automatically apply a label that matches the highest classification of those attachments.

I created an e-mail where a default label ‘Official Use’ is automatically applied to my e-mail message. I then attached a document classified as ‘Restricted’, the classification of my e-mail message automatic changed to ‘Restricted \ All Employees’. This is the expected behavior.

I then sent the e-mail with the attachment to a trusted partner (in this case myself with a different domain) which I have configured ‘Viewer’ rights to view and reply the e-mail and the attachment.

Below is the e-mail message I sent to the trusted partner.

EmailRestrictedAttachment

However, when the trusted partner (again, myself with a different domain) received the e-mail and tried to click on the ‘Read the message’ link (image below shows e-mail message received by the trusted partner), the trusted partner received “You do not have permission to view this message.”

EncryptedMessage

After much testing, in order to allow my trusted partner to read the message, I had to change permissions from ‘Viewer’ to ‘Reviewer’ in Azure Information Protection.

As I continue to work with Azure Information Protection, I find myself learning new things every day.

Thanks for reading!