Secure your data with Rights Management Services
Benoit HAMET – Cloud Solution Consultant, MVP Office 365
Agenda
• What is Rights Management Services?
• Differences between Active Directory Rights Management Services (AD RMS) and Azure Rights Management (Azure RMS, also known as AADRM)
• Enable and configure Azure RMS for Office 365
• Use Azure RMS with your on-premises systems
10/12/14 5
What is Rights Management Services?
• Windows Rights Management Services (also called Rights Management Services, Active Directory Rights Management Services or RMS) is a form of Information Rights Management used on Microsoft Windows. It uses encryption to limit access to documents (such as corporate e-mail and Office documents) and to restrict the operations authorized for each user (such as editing, printing or copying content).
• Permissions are embedded in the document itself.
• RMS appeared as an add-on for Windows Server 2003, with client API libraries made available for Windows clients (from Windows 2000 to Windows 8).
• RMS was renamed Active Directory Rights Management Services (AD RMS) to reflect its tight integration with Active Directory.
• With Office 365 (and Microsoft Azure), RMS is provided with selected Office 365 plans (Enterprise) and relies on Azure Active Directory.
What is Rights Management Services?
• Information protection technology
  – Protection is persisted with the data; content can travel anywhere (desktops, file shares, USB keys, network and devices) and stays protected
• Combines encryption, access controls, and policy expression and enforcement
  – Prevents the accidental disclosure of sensitive data by applying usage policies (cannot forward, cannot print, read-only)
• Simple to use
  – Authors just select a policy option; consumers just open documents
  – Securely share data with individuals within and outside of your organization
How does RMS work?
[Diagram; text recovered from the slide: the author protects the document with a publishing license and keys; a recipient obtains user certificates and a use license before the content is decrypted for them. Sample policy shown on the document: "Galactic Empire Confidential – You cannot copy, print or export this information in unprotected form to droids of any class."]
Differences between On Premises and Online Solution

On Premises (AD RMS)
• Supports on-premises Microsoft server products such as Exchange Server, SharePoint Server, and file servers that run Windows Server and File Classification Infrastructure (FCI)
• Trusts must be explicitly defined between two organizations, using either trusted user domains (TUDs) or federated trusts through Active Directory Federation Services (AD FS)
• There are no default rights policy templates; you must create and then distribute them

Online (Azure RMS)
• Supports information rights management (IRM) capabilities in Microsoft Online services such as Exchange Online and SharePoint Online, as well as Office 365
  – Also supports on-premises Microsoft server products such as Exchange Server, SharePoint Server, and file servers that run Windows Server and FCI (through the RMS connector)
• Enables implicit trust between organizations and users in any organization
• Provides two default rights policy templates that restrict access to the content to the organization: one grants read-only viewing, the other grants write or modify permissions
Differences between On Premises and Online Solution

On Premises (AD RMS)
• Minimum supported version: Windows Vista SP2 + Office 2007
  – Microsoft Office for Mac 2015: supported
  – Microsoft Office for Mac 2011: supported
• Supports the RMS sharing application for Windows and mobile devices
  – Sharing is restricted to the organization and does not support email notification (the feature that lets the sender know when somebody tries to open a protected attachment)
• Mobile device support includes Windows Phone, Android, iOS, and Windows RT, and requires the Active Directory Rights Management Services Mobile Device Extension

Online (Azure RMS)
• Minimum supported version: Windows 7 + Office 2010, which requires the RMS sharing application
  – Microsoft Office for Mac 2015: supported
  – Microsoft Office for Mac 2011: not supported
• Supports the RMS sharing application for Windows and mobile devices
• Mobile device support includes Windows Phone, Android, iOS, and Windows RT
• Email support through Exchange ActiveSync IRM is also available on all mobile device platforms that support this protocol
Differences between On Premises and Online Solution
• On Premises solution
  – Requires significant infrastructure
    • Certification Authority (for the SSL certificate of the AD RMS cluster)
    • AD RMS server role, usually in a high-availability configuration
    • Publication of the cluster URLs for remote access
  – Is mainly limited to on-premises use (applications, directory)
    • Can be complex for cross-organization sharing
  – Supports a wider range of OS and Office versions
Differences between On Premises and Online Solution
• Online solution
  – Easy to set up and use
    • Start protecting data within minutes of subscribing to Office 365
    • Integrated within Exchange Online (OWA needs extra configuration), SharePoint Online and Office
  – Capabilities
    • Simple mechanism to enable rights management capabilities across applications and services
    • Cross-organization sharing
  – Provides default templates
    • Simple templates to restrict access to users of the organization
Enable RMS for Office 365
• Activation from the administration portal
• Automatically enabled for SharePoint Online
  – Need to apply an RMS policy on each document library
• Automatically enabled for Exchange Online
  – Available for the Outlook client
  – Needs additional configuration steps to enable in OWA
  – Not supported with ActiveSync
Enable RMS for OWA
• Requires the Windows Azure Active Directory Module for Windows PowerShell and the Windows Azure AD Rights Management Administration PowerShell module
• Run the following from an elevated PowerShell session (replace the placeholders with your own values):

    $user = "<your Office 365 administrator email>"
    $cred = Get-Credential -Credential $user
    Import-Module MSOnline
    Import-Module AADRM
    Connect-MsolService -Credential $cred
    Connect-AadrmService -Credential $cred
    Enable-Aadrm   # only needed if the service is not yet enabled
    $msoExchangeURL = "https://ps.outlook.com/powershell/"
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $msoExchangeURL -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    Enable-OrganizationCustomization
    # The key sharing location depends on the geographical zone of your tenant:
    #   North America: https://sprms.na.aadrm.com/TenantManagement/ServicePartner.svc
    #   Europe:        https://sprms.eu.aadrm.com/TenantManagement/ServicePartner.svc
    #   Asia:          https://sprms.ap.aadrm.com/TenantManagement/ServicePartner.svc
    Set-IRMConfiguration -RMSOnlineKeySharingLocation "<location for your zone>"
    Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
    Set-IRMConfiguration -InternalLicensingEnabled $true
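Before announcing IRM in OWA to users, verify the configuration from the same Exchange Online remote session. The script below is an added example written for this page, not part of the original deck or a Microsoft sample; it assumes Connect-AadrmService has already been run and the Exchange Online session imported, and the sender address alice@contoso.com is a placeholder for any licensed mailbox in the tenant.

```powershell
# Added example: verify Azure RMS and Exchange Online IRM after the enable steps.
# Assumes Connect-AadrmService has been run and the Exchange Online remote
# session (Microsoft.Exchange) has been imported into this PowerShell session.
$sender = "alice@contoso.com"   # placeholder: any licensed mailbox in the tenant

# 1. Azure RMS must be enabled for the tenant; Get-AadrmConfiguration fails
#    or returns empty URLs if Enable-Aadrm was never run.
$aadrm = Get-AadrmConfiguration
"Azure RMS licensing URL: $($aadrm.LicensingIntranetDistributionPointUrl)"

# 2. Exchange Online must know the key sharing location and have internal
#    licensing enabled, otherwise OWA shows no 'Set permissions' options.
$irm = Get-IRMConfiguration
$checks = [ordered]@{
    "InternalLicensingEnabled"    = ($irm.InternalLicensingEnabled -eq $true)
    "RMSOnlineKeySharingLocation" = (-not [string]::IsNullOrEmpty($irm.RMSOnlineKeySharingLocation))
}
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { "OK" } else { "MISSING" }
    "{0,-30} {1}" -f $name, $state
}

# 3. Test-IRMConfiguration performs the end-to-end check: it contacts the RMS
#    service, retrieves the templates, and encrypts/decrypts a test message
#    on behalf of the sender. The Results text ends with OVERALL RESULT.
$result = Test-IRMConfiguration -Sender $sender
$result | Format-List Results

if ($result.Results -match "OVERALL RESULT: PASS") {
    "IRM is ready: users can protect mail from Outlook and OWA."
} else {
    "IRM check failed: fix the errors listed above before enabling IRM in OWA."
}
```

If step 3 fails while step 2 reports both values as OK, the usual cause is that Import-RMSTrustedPublishingDomain was skipped or pointed at the wrong key sharing location for the tenant's region; re-run it before re-testing.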
Enable RMS on SharePoint
• Enable IRM from the SharePoint Online Administration Center
• Activate it at the document library settings level (Library Settings > Information Rights Management)
  – The RMS policy is then applied automatically to documents downloaded from the library
Use Azure RMS to secure On Premises
• Sort of "hybrid" configuration of Rights Management Services
• Supported on-premises products:
  – Exchange 2010 SP3 (Update Rollup 6) or Exchange 2013 CU3
  – SharePoint 2010 or 2013
  – File servers (Windows Server with FCI)
• No on-premises AD RMS infrastructure required
  – Uses the Azure RMS connector
  – An update to the RMS client may be required (Windows Server 2008/2008 R2)
Use Azure RMS to secure On Premises
• Authorizing on-premises servers to use Azure RMS (in the connector administration tool)
  – For Exchange servers, use the default Exchange Servers group to automatically allow all Exchange servers
  – For SharePoint servers, use the service account that runs the SharePoint application pool
  – For file servers, use the server account or a dedicated group containing all file servers allowed to use the connector
• Configuring on-premises servers with the PowerShell script provided with the connector download (GenConnectorConfig.ps1); always run it as Administrator
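The server-side configuration for the connector, as an added example written for this page (not the connector's own script and not from the original deck). It wraps GenConnectorConfig.ps1, which ships with the connector download, and assumes that script is in the current directory and that the connector is published as https://rmsconnector.contoso.com (a placeholder for your load-balanced connector name).

```powershell
# Added example: point an on-premises server at the Azure RMS connector.
# Run elevated on each Exchange, SharePoint or FCI file server that was
# authorized in the connector administration tool. GenConnectorConfig.ps1 is
# the script shipped with the connector download; the -Set* switches select
# the product being configured. The connector URL below is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Exchange2013", "Exchange2010", "SharePoint2013", "SharePoint2010", "FCI2012")]
    [string]$Role,
    [string]$ConnectorUri = "https://rmsconnector.contoso.com"   # placeholder
)

# The script writes machine-wide settings (HKLM), so an elevated session is required.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Run as Administrator) PowerShell session."
}

# The connector must be reachable over HTTPS under the name servers will use;
# a plain http:// URL or an unresolvable name produces a silent failure later.
if ($ConnectorUri -notmatch '^https://') {
    throw "ConnectorUri must start with https:// (got '$ConnectorUri')."
}
$connectorHost = ([uri]$ConnectorUri).Host
try {
    [void][System.Net.Dns]::GetHostAddresses($connectorHost)
} catch {
    throw "Cannot resolve connector host '$connectorHost' from this server."
}

if (-not (Test-Path ".\GenConnectorConfig.ps1")) {
    throw "GenConnectorConfig.ps1 not found in the current directory; copy it from the connector download."
}

# One invocation per product; each switch configures only that product.
switch ($Role) {
    "Exchange2013"   { .\GenConnectorConfig.ps1 -ConnectorUri $ConnectorUri -SetExchange2013 }
    "Exchange2010"   { .\GenConnectorConfig.ps1 -ConnectorUri $ConnectorUri -SetExchange2010 }
    "SharePoint2013" { .\GenConnectorConfig.ps1 -ConnectorUri $ConnectorUri -SetSharePoint2013 }
    "SharePoint2010" { .\GenConnectorConfig.ps1 -ConnectorUri $ConnectorUri -SetSharePoint2010 }
    "FCI2012"        { .\GenConnectorConfig.ps1 -ConnectorUri $ConnectorUri -SetFCI2012 }
}

# Product-specific follow-up, which GenConnectorConfig.ps1 does not do for you.
switch -Wildcard ($Role) {
    "Exchange*" {
        # From the Exchange Management Shell, turn on internal licensing so
        # transport rules and Outlook/OWA can protect messages.
        "Now run in the Exchange Management Shell: Set-IRMConfiguration -InternalLicensingEnabled `$true"
    }
    "SharePoint*" {
        "Now in Central Administration > Security > Configure information rights management, select 'Use this RMS server' and enter $ConnectorUri"
    }
    "FCI2012" {
        "Now create a File Server Resource Manager classification rule or file management task with the RMS encryption action."
    }
}
```

Run it as `.\Configure-RmsConnectorClient.ps1 -Role Exchange2013` (the file name is an assumption) on each authorized server; on Windows Server 2008/2008 R2 install the updated RMS client first, as the slide notes, or the connector redirection has nothing to talk to.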
Take Away
• Azure RMS is included with Office 365 E plans (or Azure AD Premium)
• The connector for on-premises servers is "free of charge"
• Permissions are embedded in the document and apply even if the document leaves the corporate environment
• Azure RMS helps share and protect documents with external users
Links and Downloads
• Azure Rights Management PowerShell Modules: http://www.microsoft.com/en-us/download/details.aspx?id=30339
• Azure RMS portal: https://portal.aadrm.com/
• Active Directory Rights Management Service Client 2.1: http://www.microsoft.com/en-us/download/details.aspx?id=38396
• Active Directory Rights Management Services Mobile Device Extension (server): http://www.microsoft.com/en-us/download/details.aspx?id=43738
• Active Directory Rights Management Services Mobile Device Extension (client): http://go.microsoft.com/fwlink/?LinkId=303970
• Azure Rights Management Service Connector: http://go.microsoft.com/fwlink/?LinkId=314106
Glossary
• IRM: Information Rights Management
• DRM: Digital Rights Management
• RMS: Rights Management Services
• RMS Online (AADRM): cloud-based Rights Management Service (Azure RMS)
• Publishing License: the license a document is published with
• Use License (usage license): the license granted to a user to consume the document
• AD: Active Directory
• AD RMS: Active Directory Rights Management Services
• AD FS: Active Directory Federation Services