this post was submitted on 24 Jun 2023
12 points (92.9% liked)

Sysadmin
O365 Email Encryption (self.sysadmin)
submitted 1 year ago* (last edited 1 year ago) by L3s to c/sysadmin
My company is just starting to utilize O365 email encryption for sensitive information, which I know a lot of people are already using.

One thing we've run into is that when sending a sensitive email to a third-party vendor, a lot of them utilize shared mailboxes/distribution groups, so the encryption is not allowing the members of the external mailbox/group to open the encrypted email, as their individual accounts don't have permissions (the group email address does, instead of their individual account).

The only way I've come up with to solve this issue is setting the encrypted emails to not allow a "social" sign-on for decryption, and instead only offer "send a one-time passcode" as the authentication method; the group/mailbox then receives the code to view the email.

Curious how others have combated this issue if they've come across it. This feature has been around a while, and I am unable to find much on Google about it specifically.

For the moment, users are just re-sending the encrypted email to the external recipient who replies "We can't open this email", which solves the problem but creates more work and takes longer for everyone.
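The configuration the post describes, as an added example that is not part of the original post: the Exchange Online PowerShell cmdlets that turn off social-identity sign-in for Microsoft Purview Message Encryption (OME) and leave the one-time passcode as the only option. It assumes the ExchangeOnlineManagement module is installed, an Exchange admin account (the UPN below is a placeholder), and the tenant's default "OME Configuration"; note that this setting applies to every external recipient using that configuration, not only shared mailboxes.

```powershell
# Added example (not from the original post). Disable social-ID sign-in for
# OME so external recipients can only request a one-time passcode, which is
# delivered to the shared mailbox / distribution group address itself.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin role,
# default tenant configuration named "OME Configuration".

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# Record the current state before changing anything
Get-OMEConfiguration -Identity 'OME Configuration' |
    Select-Object Identity, SocialIdSignIn, OTPEnabled

# Weak state for this scenario: SocialIdSignIn $true lets recipients try to
# sign in with a personal Microsoft/Google/Yahoo account, which fails for a
# group address nobody signs in as. Corrected state: OTP only.
Set-OMEConfiguration -Identity 'OME Configuration' `
    -SocialIdSignIn $false `
    -OTPEnabled $true

# Verify the change took effect before relying on it
$cfg = Get-OMEConfiguration -Identity 'OME Configuration'
if ($cfg.SocialIdSignIn -or -not $cfg.OTPEnabled) {
    throw 'OME configuration was not applied as expected'
}

Disconnect-ExchangeOnline -Confirm:$false
```

If only some senders or recipients should get OTP-only behaviour, a separate OME configuration can be created with New-OMEConfiguration and applied through a mail flow rule instead of changing the tenant default.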

top 3 comments
[–] DarraignTheSane 4 points 1 year ago (1 children)

Usually in these kinds of situations I fall back to sharing a OneDrive / Teams (SharePoint) folder out to the external vendor. Anyone can say that they can't receive the encrypted email, and there could be legitimately good reasons for that, but if they don't know how to log in to 365 to access a shared folder, that's on them.

[–] L3s 2 points 1 year ago (1 children)

Makes sense, but wouldn't you have an issue with sharing to a group/shared mailbox?

Not a fan of "anyone with a link" personally; that's the only way I can think of that working smoothly.

[–] DarraignTheSane 4 points 1 year ago

If they absolutely refuse to allow you to share or email an individual vs. a distro group, then I'd do it that way, but not using an "anyone with the link" share, depending on the sensitivity of the information. If it's something that isn't as sensitive, sure, but otherwise they'll need to set up credentials with that distro group and use it to log in to access the shared folder.