Any Authenticated Users Permission Now Generally Available for Sensitivity Labels

Protect but Don’t Block

Office 365 tenants who use Rights Management with Azure Information Protection (and use a cloud key rather than their own key, or HYOK) can now include the special Any Authenticated Users in the permissions configured for protection templates. Previously, you could only define permissions for users within the same tenant or named individuals in other domains *(using their email addresses). Any Authenticated User is a special permission which grants a set of permissions defined in a template to any user who authenticates by signing into:

  • An Azure Active Directory account. For example, anyone in another Office 365 tenant.
  • A Microsoft Services (MSA) account. For example, anyone who uses Outlook.com.
  • A directory service federated with Azure Active Directory (like Google) or where a one-time passcode is used to access protected content. These types of protection are usually involved when sending email to recipients of non-Microsoft email services.

The intention behind the Any Authenticated Users permission is to give tenants a method to encrypt information sent outside the organization so that it is protected in transit and at rest while still supporting granular permissions and access control (such as expiration and offline access). In effect, you’re not worried about who opens the content if they can authenticate, but you still want some control over what they can do with the content.

Like the permissions assigned to individuals or groups, you can grant specific permissions to Any Authenticated User. For instance, you can stop people who use the permission from copying or printing the content. You can also track and revoke access to the content at any time.

Any Authenticated Users and Sensitivity Labels

As you might know, Microsoft is currently in the process of unifying protection labels as defined in the Azure Information Protection portal with Office 365 labels. This doesn’t mean that we will have a single set of labels. Rather, Office 365 will have two sets, both of which are managed through the Classification section of the Security and Compliance Center:

  • Sensitivity labels, which apply protection and are shared with Azure Information Protection.
  • Retention, which define for how long Office 365 keeps information like documents and email.

The migration of labels from Azure Information Protection to Office 365 is still a work in progress. Here’s what I report in Petri.com on the topic.  You can add the Any Authenticated Users to a template in the Azure portal and it will be synchronized to the Security and Compliance Center. However, you can’t yet add the permission to a label through the Security and Compliance Center.


For more information about rights management, read Chapter 24 of the Office 365 for IT Pros eBook.

One Reply to “Any Authenticated Users Permission Now Generally Available for Sensitivity Labels”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.