Active Directory Rights Management Services can help companies keep data secure and meet compliance requirements....
Despite this, many companies refrain from implementing it because of its complexity.
There's an alternative that offers the same level of security at only a fraction of the complexity -- Azure RMS. As the name might already give away, Azure RMS is Microsoft's hosted version of the on-premises Right Management Services.
Azure RMS features
Just like the on-premises version, Azure RMS offers four important features:
- Persistent protection, regardless of where the data is stored: Unlike traditional permissions, which are typically granted to the container in which data is stored (e.g., file share), Azure RMS protection sticks to the protected content and remains with the document at all times.
- Integration with Office 365: You can easily activate Azure RMS in other Office 365 services such as SharePoint or Exchange Online.
- Granular control: Azure RMS allows you to define a series of usage rights, including copy, forward, edit, save and read.
- Widespread support: With the RMS application, you can share RMS-protected content on a number of systems and devices, including Apple's iOS and MAC OSX or Google Android devices.
Deploying Azure RMS
You don't have to install anything to make RMS work, so saying that you'll install Azure RMS might be misleading. Instead, you activate the service as an admin from the Office 365 portal (Figure 1).
You'll need to buy a Windows Azure subscription to use the managed version of Azure RMS. However, if you don't feel the need for custom templates, for example, your end users can still use Azure RMS; this is referred to as Azure RMS for individuals.
Integrating Azure RMS with Exchange Online
There is a series of steps to go through before you can use Rights Management Service in Exchange Online. As you'll notice, these steps are similar to what you have to do to enable Integrated Rights Management (IRM) in an on-premises Exchange environment.
Three steps are all executed from an Exchange Online PowerShell instance.
1. Configuring the RMS Online key sharing location
Set-IRMConfiguration –RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"
2. Importing the Trusted Publishing domain
Import-RMSTrustedPublishingDomain –RMSOnline –Name "Azure RMS Online"
3. Enabling IRM
Set-IRMConfiguration –InternalLicensingEnabled $True
After completing the steps, it's a good idea to test the configuration using the
Azure RMS in a hybrid world
Not everyone uses Exchange Online, but that doesn't mean you have to miss out on Azure RMS. Using the RMS connector, you can integrate an existing on-premises infrastructure with Azure's RMS platform. The benefit is that you can quickly start using RMS without first having to deploy a full on-premises RMS deployment.
The connector is a small service you need to install on at least two on-premises servers. It acts as a bridge between the on-premises world and Azure RMS/Office 365 -- it sits between an on-premises service and Azure RMS. On-premises servers will be configured to communicate with the connector, which in turn communicates with the Azure RMS platform. The reason for having at least two servers is for high availability and load-balancing purposes.
After you install the connector, configure it to communicate to the cloud first. Then authorize the on-premises servers -- such as Exchange -- that you want to use RMS. The installation of the connector is pretty trivial and is well described in this TechNet article.
Be aware that not all on-premises services support the Azure AD RMS Connector. Exchange 2013 must be running at least Cumulative Update 3 and Exchange 2010 must be running at least Service Pack 3, Update Rollup 2.
Using Azure RMS in Exchange Online
You can protect email in two ways. A user executes a few manual steps to intentionally protect a message, or a transport rule automatically applies a pre-configured RMS template to a message. By extension, this could be a regular transport rule or a data-loss prevention rule.
To manually protect a message, click Options and then Permissions after creating the message. This should open a list of pre-configured RMS templates that you can apply to the message (Figure 2).
Outlook Web App is pretty similar. When creating a new email message, click the three dots (…) and then click Set Permission.
To automatically apply RMS protection, you can either use simple transport rules or DLP rules. In the following example, we will automatically protect all outgoing messages from the HR Manager (Marie De Smet) with the "do not forward" rights management template.
Log in to the Exchange Admin Center in Exchange Online and go to Mail Flow > Rules. Click the plus sign (+) and then select Apply rights protection to messages… (Figure 3).
Next, in the New Rule window, enter a descriptive name for the rule. Select a predicate for the rule -- in this case, The send is…. Select the appropriate user from the list. Then, verify that the selected action is Apply rights protection to the message with and select the template from the list. Click Save to confirm (Figure 4).
Azure RMS is easy to implement and allows you to take advantage of advanced protection features in a short time. It can be the perfect companion in your quest to compliance or to keep specific data out of harm's way. But just like with any technology, I don't recommend diving into it right away. Make sure you understand the value Azure RMS can bring to your organization and what it takes to manage RMS if you decide to move forward.
RMS isn't something you can easily try out, even though it's quickly activated. Once you decide to protect RMS content, keep the subscription and infrastructure in place for it to remain protected and viewable over time.
About the author:
Michael Van Horenbeeck is a technology consultant, Microsoft Certified Trainer and Exchange MVP from Belgium, mainly working with Exchange Server, Office 365, Active Directory and a bit of Lync. He has been active in the industry for 12 years and is a frequent blogger, a member of the Belgian Unified Communications User Group Pro-Exchange and a regular contributor to The UC Architects podcast.