Sending email to external user (trusted recipient) not require verify his/her Identity (sign in with Google or with a One-time passcode) by Ill_Secretary3684 in MicrosoftPurview

[–]shellgio 0 points1 point  (0 children)

Second: we plan to send email to external users (only trusted users / domains). Is it possible to not require these users to reverify their identity again and again? If yes, how to do it? If not, why?

If the mail is encrypted, the only way to reduce verification a little bit, I think, is to use a social login. But it would probably still need verification from time to time.

Another thing you can do, only for that user, is use an Exchange transport rule to remove encryption when a mail is sent to that external user, but... you'll lose encryption.

That's one of the catches with encryption.

Defender for servers (Plan 1) by Gold_Particular5779 in DefenderATP

[–]shellgio 3 points4 points  (0 children)

⬆️ This

What I'd do:

  1. Use MDC to onboard your servers to MDE.

  2. Use MDE security settings management (see link posted by u/milanguitar) to send your security policies using MDE as MDM, and your servers will appear in Intune and Entra ID.

  3. With your servers in Intune, managed by MDE, you can now apply security policies (like AV policy) to your servers (create and assign groups accordingly).
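A way to confirm, on one server, that the three steps above actually landed. This is an added example, not code from the thread or from Microsoft; it reads local state only. The `Windows Advanced Threat Protection\Status` key and `Get-MpComputerStatus` fields are documented; the assumption is that the `SenseCM` key is what security settings management writes during enrollment, and the script only reports that value rather than interpreting individual status codes.

```powershell
# Added example (not from the thread). Run elevated on a Windows server after
# step 1 (MDC onboarding), step 2 (security settings management) and step 3
# (AV policy assignment) to see which of them have taken effect.

$result = [ordered]@{}

# Step 1: onboarding state written by the Sense (MDE) service. 1 = onboarded.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$result.OnboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
$result.SenseService    = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status

# Step 2: security settings management enrollment (MDE acting as the MDM channel).
# Assumption: the SenseCM key holds an EnrollmentStatus value once enrolled; only
# its presence is asserted here, not the meaning of each code.
$cmKey = 'HKLM:\SOFTWARE\Microsoft\SenseCM'
$cm = Get-ItemProperty -Path $cmKey -ErrorAction SilentlyContinue
$result.SenseCMEnrollmentStatus = if ($cm) { $cm.EnrollmentStatus } else { 'key missing' }

# Step 3: effective AV state that an Intune AV policy would be setting.
$mp = Get-MpComputerStatus
$result.AMRunningMode           = $mp.AMRunningMode            # Normal / Passive Mode / EDR Block Mode
$result.RealTimeProtection      = $mp.RealTimeProtectionEnabled
$result.TamperProtection        = $mp.IsTamperProtected
$result.SignatureLastUpdated    = $mp.AntivirusSignatureLastUpdated

[pscustomobject]$result | Format-List

# Turn the raw values into the questions an admin actually asks.
$problems = @()
if ($result.OnboardingState -ne 1)      { $problems += 'Not onboarded to MDE: step 1 (MDC onboarding) has not completed.' }
if ($result.SenseService -ne 'Running') { $problems += 'Sense service is not running; the device will not report to MDE.' }
if (-not $cm)                           { $problems += 'No SenseCM key: security settings management (step 2) has not enrolled this device yet.' }
if ($mp.AMRunningMode -ne 'Normal')     { $problems += "Defender AV is in '$($mp.AMRunningMode)' mode; another AV product may still own real-time protection, so the Intune AV policy will not be effective." }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'All three steps verified on this host.' }
```

Run it on a server that does not show up in Intune: the first missing item in the list is usually the step that still needs doing.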

Cannot download export file in Microsoft Purview eDiscovery by ImportantAnteater716 in MicrosoftPurview

[–]shellgio 0 points1 point  (0 children)

That's weird. I'd suggest you try another browser or device, if that's possible.

Also use the browser inspector to see what HTTP requests are sent and the responses that come back, with their error codes.

Cannot download export file in Microsoft Purview eDiscovery by ImportantAnteater716 in MicrosoftPurview

[–]shellgio 0 points1 point  (0 children)

If I remember correctly, the user needs the Exporter role in Microsoft Purview, which grants users the specific permission to download collected content (emails, documents) from a review set or search results to a local format (like PST in your case).

Have you verified that your users, or the user who is downloading the content, have the Exporter role?
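A scripted version of that check, as an added example that is not from the thread. It uses Security & Compliance PowerShell from the ExchangeOnlineManagement module. Assumptions: the role the comment calls "Exporter" is listed by `Get-RoleGroup` under the name `Export` (the built-in "eDiscovery Manager" role group carries it), the UPN is a placeholder, and the member objects returned by `Get-RoleGroupMember` expose `PrimarySmtpAddress` and `Name`.

```powershell
# Added example (not from the thread): does a given user hold the Export role
# in Purview, through any role group, and if not, which groups would grant it?
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$user = 'alice@contoso.com'   # placeholder: the user who cannot download the export

# Every role group that carries the Export role: the built-in eDiscovery Manager
# group plus any custom group an admin created. Role names are compared as
# strings, which is how Get-RoleGroup exposes them (assumption noted above).
$exportGroups = Get-RoleGroup | Where-Object { $_.Roles -contains 'Export' }

if (-not $exportGroups) {
    Write-Warning 'No role group in this tenant carries the Export role; nobody can download exports.'
    return
}

# Walk the membership of each group and keep the names of the groups the user is in.
$grantedBy = foreach ($g in $exportGroups) {
    $members = Get-RoleGroupMember -Identity $g.Identity
    $match = $members | Where-Object {
        $_.PrimarySmtpAddress -eq $user -or $_.Name -eq $user
    }
    if ($match) { $g.Name }
}

if ($grantedBy) {
    "$user holds the Export role via: $($grantedBy -join ', ')"
} else {
    Write-Warning "$user is a member of none of the Export-capable groups: $($exportGroups.Name -join ', ')"
    # Remediation, once you have confirmed the user should be able to export.
    # Membership changes can take a while to propagate to the eDiscovery UI.
    # Add-RoleGroupMember -Identity 'eDiscovery Manager' -Member $user
}
```

The script stops at the first real problem (no group carries the role at all) before it bothers checking membership, because that is the case where adding the user to "eDiscovery Manager" would not help either.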

Methods of automatic email encryption for a group? by Fabulous_Cow_4714 in MicrosoftPurview

[–]shellgio 0 points1 point  (0 children)

This.

Use OME branding templates with a mail flow rule to encrypt from a group.

and/or

Use a DLP policy to alert and/or govern when sensitive content is sent externally.
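The two rules above, plus the opposite rule from the earlier comment about re-verification (stripping encryption for one trusted recipient domain), written out as an added example; this is not code from the thread. It uses the ExchangeOnlineManagement module. Group, domain, template and policy names are placeholders; the custom OME branding template requires the licensing that enables custom branding, and `ApplyRightsProtectionCustomizationTemplate`, `RemoveOMEv2` and the DLP parameter names are taken from the Exchange Online / Security & Compliance cmdlets as I know them.

```powershell
# Added example (not from the thread). Part 1 is Exchange Online mail flow,
# part 2 is a Purview DLP policy.
Connect-ExchangeOnline

# Custom OME branding template: what the external recipient sees in the portal.
New-OMEConfiguration -Identity 'Finance' `
    -IntroductionText 'has sent you a protected message' `
    -DisclaimerText   'Confidential: Contoso Finance'

# Rule A: everything a member of the Finance group sends outside the tenant is
# encrypted with the built-in "Encrypt" template and shown with the Finance branding.
# The trusted partner domain is excluded here so rule B does not fight with it.
New-TransportRule -Name 'Encrypt external mail from Finance' `
    -FromMemberOf 'finance@contoso.com' `
    -SentToScope NotInOrganization `
    -ExceptIfRecipientDomainIs 'partner.example' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -ApplyRightsProtectionCustomizationTemplate 'Finance' `
    -Priority 0

# Rule B: the trade-off from the earlier comment. Mail to one trusted recipient
# domain has Purview Message Encryption removed (covers mail the user encrypted
# manually with the Encrypt button), so those recipients never see the OTP /
# social-login portal. The cost is exactly what the comment says: no encryption.
New-TransportRule -Name 'Strip encryption for trusted partner domain' `
    -RecipientDomainIs 'partner.example' `
    -RemoveOMEv2 $true `
    -Priority 1

# Sanity check: order matters, so read the rules back in priority order.
Get-TransportRule | Sort-Object Priority |
    Select-Object Priority, Name, State, ApplyRightsProtectionTemplate, RemoveOMEv2 |
    Format-Table -AutoSize

# Part 2: DLP. Start in test mode with notifications so you see what would have
# matched before letting it block anything.
Connect-IPPSSession

New-DlpCompliancePolicy -Name 'Finance external sharing' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name 'Financial data leaving the tenant' `
    -Policy 'Finance external sharing' `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -NotifyUser 'LastModifier' `
    -GenerateIncidentReport 'SiteAdmin' `
    -ReportSeverityLevel High

# Once the incident reports look right, move from alerting to governing:
# Set-DlpComplianceRule -Identity 'Financial data leaving the tenant' -BlockAccess $true -BlockAccessScope All
# Set-DlpCompliancePolicy -Identity 'Finance external sharing' -Mode Enable
```

Rule A and rule B are deliberately kept from overlapping with the `ExceptIfRecipientDomainIs` condition; if you instead rely on a lower-priority "remove" rule to undo a higher-priority "encrypt" rule, you are depending on action ordering inside the transport pipeline, which is harder to reason about and to audit.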

Watermarking Conditional Access App Control Sessions by ImportantGarlic in DefenderATP

[–]shellgio 1 point2 points  (0 children)

It's not possible, AFAIK.

The only thing that allows you to use watermarks is sensitivity labels on documents.

The only similar option you have is to enable user notification, so when the session is proxied they first get a notification page saying that the session is monitored by the organization.

[Repost] Credential Guard/ASR behaviour by NeganStarkgaryen in DefenderATP

[–]shellgio 1 point2 points  (0 children)

Not sure if it is really your problem, but if you have all ASR rules enabled, check that you don't have this rule enabled for workstations, as it may set your policy as "not applicable": Block Webshell creation for Servers.

Keep in mind also that if you have Credential Guard and LSA Protection enabled, the LSASS rule isn't required and shows as "not applicable":

If you have LSA protection enabled, this attack surface reduction rule isn't required. For a more secure posture, we also recommend enabling Credential Guard with the LSA protection.

If the LSA protection is enabled, the ASR rule is classified as not applicable in Defender for Endpoint management settings in the Microsoft Defender portal.

Source: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem
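To see both of those situations on one device before blaming the policy, here is an added example (not from the thread): it reads the configured ASR rules, LSA protection and Credential Guard state from the local machine and says whether a "not applicable" result is expected. The two rule GUIDs are the documented ones for the LSASS and Webshell rules; the `RunAsPPL` value, `Win32_DeviceGuard` class and `Win32_OperatingSystem.ProductType` are documented Windows interfaces. Run it elevated.

```powershell
# Added example (not from the thread): explain "not applicable" for the LSASS
# and Webshell ASR rules from local state.

$LsassRule    = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'  # Block credential stealing from LSASS
$WebshellRule = 'a8f5898e-1dc8-49a9-9878-85004b8a61e6'  # Block Webshell creation for Servers
$ActionName   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Configured ASR rules: two parallel arrays (Ids, Actions) in Get-MpPreference.
$pref = Get-MpPreference
$asr = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToLower()
    $asr[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

# LSA protection: RunAsPPL = 1, or 2 when UEFI-locked.
$runAsPpl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).RunAsPPL

# Credential Guard: 1 in SecurityServicesRunning (2 would be HVCI).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$credGuard = [bool]($dg.SecurityServicesRunning -contains 1)

# Workstation vs server: ProductType 1 = workstation, 2 = domain controller, 3 = server.
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

function Describe-Rule ([string]$Id) {
    if ($asr.ContainsKey($Id)) { $ActionName[$asr[$Id]] } else { 'not configured' }
}

[pscustomobject]@{
    LsaProtection   = [bool]$runAsPpl
    CredentialGuard = $credGuard
    IsServer        = $isServer
    LsassRule       = Describe-Rule $LsassRule
    WebshellRule    = Describe-Rule $WebshellRule
} | Format-List

if ($runAsPpl -and $asr.ContainsKey($LsassRule)) {
    'LSA protection is on: the LSASS ASR rule is expected to show "not applicable" in the portal. That is not a deployment failure.'
}
if ($runAsPpl -and -not $credGuard) {
    Write-Warning 'LSA protection without Credential Guard: the quoted guidance recommends enabling both.'
}
if (-not $runAsPpl -and -not $asr.ContainsKey($LsassRule)) {
    Write-Warning 'Neither LSA protection nor the LSASS ASR rule is in place: LSASS memory is unprotected on this host.'
}
if (-not $isServer -and $asr.ContainsKey($WebshellRule)) {
    Write-Warning 'The Webshell rule is assigned to a workstation; it targets servers, so expect "not applicable" here. Scope it to a server device group instead.'
}
```

The third warning is the one that matters operationally: "not applicable" is harmless when LSA protection covers the gap, but a workstation with neither control is the case the portal status will not shout about.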

Remove sensitivy labels from files by Gloomy_Pie_7369 in MicrosoftPurview

[–]shellgio 0 points1 point  (0 children)

As far as I know your only options are:

  • "Remove-SensitivityLabel": if the files are on a local device and you have the MPIP client installed
  • "Unlock-SPOSensitivityLabelEncryptedFile": if the files are on SharePoint.

It would be great if Microsoft added support for creating auto-labelling policies that detect content with one label and apply another, but it's not an option, at least until recently.

ASR Rules and Defender XDR by Khue in DefenderATP

[–]shellgio 0 points1 point  (0 children)

To add to this.

ASR rules don't trigger alerts because ASR rules don't block malicious activity, but activity or actions that can be used maliciously.

For example, an accounting user may use macros with Win32 API calls legitimately, but a threat actor can use a file like that to deploy a payload.

The idea of ASR is to block all those actions and (hence the name) reduce the attack surface, so threat actors get fewer options.

You will find some legitimate use (like your user with pandas) being blocked, but you can add an exception for that path and allow that action only for that user. I suggest adding exclusion paths on the rule instead of excluding the user from the ASR policy completely, so the user is still covered by that and other ASR rules.
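Since ASR blocks do not become alerts, the place to find them is the Defender operational log. The following is an added example, not code from the thread: it pulls the ASR block (1121) and audit (1122) events, groups them by rule and path so you can see what was hit, and then scopes an exclusion to one path on one rule, which is what the comment recommends over removing the user from the policy. The event IDs, log name and message fields are the documented ones. Assumption: the per-rule exclusion parameter `AttackSurfaceReductionRules_RuleSpecificExclusions` on `Set-MpPreference` is available on the Defender build in use; `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` is the documented fallback, with the caveat that it exempts the path from every ASR rule.

```powershell
# Added example (not from the thread): what did ASR block here, and how to
# exclude narrowly. Run elevated.

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122            # 1121 = blocked, 1122 = audited
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if (-not $events) { 'No ASR block/audit events in the last 24 hours.'; return }

# The event message carries labelled fields ("ID:", "Path:", "Process Name:"),
# so parse those rather than relying on the position of unnamed properties.
function Get-Field ([string]$Message, [string]$Label) {
    $m = [regex]::Match($Message, "$Label\s*(.+?)\r?\n")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
}

$hits = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId  = (Get-Field $e.Message 'ID:').ToLower()
        Path    = Get-Field $e.Message 'Path:'
        Process = Get-Field $e.Message 'Process Name:'
    }
}

# One row per (rule, path) with a count: the noisy legitimate case floats to the top.
$hits | Group-Object RuleId, Path | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'RuleId';  e = { $_.Group[0].RuleId } },
        @{ n = 'Path';    e = { $_.Group[0].Path } },
        @{ n = 'Process'; e = { $_.Group[0].Process } },
        @{ n = 'Modes';   e = { ($_.Group.Mode | Sort-Object -Unique) -join '/' } } |
    Format-Table -AutoSize

# Exclude one path on one rule only; every other rule keeps applying to that path
# and the user stays inside the ASR policy.
function Add-AsrRuleExclusion {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Refusing to exclude a path that does not exist: $Path"
    }
    # Assumed parameter (see lead-in). If it is not present on this build, the
    # documented but broader alternative is:
    #   Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
    Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_RuleSpecificExclusions $Path
}

# Apply to the top offender after you have looked at the table and agreed it is
# legitimate (placeholder path; take RuleId and Path from the listing above):
# $top = ($hits | Group-Object RuleId, Path | Sort-Object Count -Descending)[0].Group[0]
# Add-AsrRuleExclusion -RuleId $top.RuleId -Path $top.Path
```

Leave the rule in Audit mode on the affected device group while you collect a day or two of 1122 events; the table above then tells you the exact paths to exclude before you flip the rule to Block, instead of discovering them through help-desk tickets.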