BLOG Published on 2016/07/06 by Asitha De Silva in Tech-Tips

Azure Active Directory Rights Management

Azure RMS is part of the Microsoft Enterprise Mobility Suite, which is designed to support mobility and work-from-anywhere concepts. It protects documents and sensitive information from unauthorized use. Each user can apply the corporate published RMS policies when sending an email or sharing a valuable data file. RMS encrypts the data according to the policy, which specifies who can access it and at what level. This guarantees that only authorized users can access the data regardless of the device they use, which enables BYOD for the organization.

See my previous post about the Microsoft Enterprise Mobility Suite for a more detailed introduction to EMS and Azure RMS. In this post I’m focusing on how to implement Azure RMS and on some customer scenarios that can be handled with it.

The Azure RMS implementation can be described using the following key points.


  • Activate Azure rights management
  • Onboarding Users
  • Installing the Azure RMS client
  • Creating and managing templates


Activate Azure Rights Management


By default, Rights Management is not activated in your Office 365 or Azure subscription. After you have purchased the relevant licenses (i.e. EMS), you can activate Azure RMS from the Azure portal. If you have access to the Office 365 portal, you can use it to reach Azure Active Directory.



  1. Log in to the Azure Portal – http://manage.windowsazure.com – or to the Office 365 Admin Portal – Admin Centers – Azure AD


  2. In the Azure Portal, select the Windows Azure Active Directory


  3. Go to the Rights Management tab and activate Rights Management; this activates rights management for the tenant.






On-boarding Users

Once Azure RMS is activated, each user should be assigned an RMS license. This can be done through the Office 365 portal or Azure AD. The AD RMS client also needs to be installed on each user's device. It is an add-on to Microsoft Office and the underlying operating system. Only then does the user receive the RMS policies and can use them to encrypt data.

Add license to users


  1. Create the users, then select and edit them; you can use the users synced from on-prem
  2. Assign the licenses: Enterprise Mobility Suite and, if required, Office 365


  3. Save


Installing the Azure RMS Client


  1. Log in to the Azure RMS portal – https://portal.aadrm.com
    Each user can do this on their own, or a central admin can push this add-on to clients. However, users have to provide their credentials when they first access RMS content.


  2. Provide the username and password of the Office 365 login


  3. Download the client for the selected device


  4. Install the RMS Client


  5. After a successful installation, you can see a new option in the right-click shortcut menu, “Protect with RMS”

Managing RMS Templates

Create a Custom Template


  1. Log in to the Azure portal - Azure Active Directory - Rights Management and select the Azure Active Directory name
  2. Select Create new policy template


  3. Provide the Name and the Description for the policy


  4. To add the rights and the scope, click Manage your rights policy templates and select the policy
  5. Using the Rights tab you can define which operations the policy allows, i.e. view, print, save


  6. By default all users get the published policies, but if you want to restrict the policy's availability, specify the users or groups to which the policy will be available.


  7. After completing the access rights and scope, you can publish the policy from the Configure tab. You can also set the policy expiry date and offline use settings.




Custom Scenario – All users have View and View permissions


In this scenario, users can restrict the data they share to view only, so people who have access cannot edit, save or forward it to others. The data can come from Outlook emails or Microsoft Office files. This policy is very important when sharing sensitive information through emails or shared files. For example, if the HR department wants to send sensitive information such as salary slips or performance incentives, they can select this RMS policy before sending the email. It ensures the recipient cannot forward, print or save the information.

Create a Group in Azure containing All Employees 


  • Dynamic group in Azure AD

    You can create a group in Azure Active Directory and enable Dynamic membership. Dynamic membership ensures that every newly created user is added to the group automatically. Use the query Account Enabled Equals True to get all enabled accounts into the group. The group should be a mail-enabled Office 365 group.



  • All Users group synced from On-Prem Active directory

    You can use an existing all-users group from the on-premises environment and sync it to Azure AD.


Create the Template 


  1. Go to the Windows Azure portal – Rights Management – Create a new template
  2. Add the rights and select the All Employees group


  3. Assign Custom rights


  4. Select View content and View Assigned Rights


  5. I’m not setting the scope so all users can use this policy when they share data
  6. Go to Configure tab and Publish the policy 
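
The same view-only template can be created from PowerShell instead of the portal. This is an added example, not part of the original post: it assumes the Azure Rights Management administration module (AADRM) is installed, and the group address and template text are placeholders.

```powershell
# Added example (not from the original post). Uses cmdlets from the AADRM
# administration module; run as a tenant administrator.
Import-Module AADRM
Connect-AadrmService                      # prompts for admin credentials

# Activation step from the portal walkthrough, only if not already active.
if ("$(Get-Aadrm)" -ne 'Enabled') {
    Enable-Aadrm
}

# Placeholder: address of the mail-enabled "All Employees" group.
$group = 'allemployees@contoso.example'

# Rights granted by the template:
#   VIEW           = View Content
#   VIEWRIGHTSDATA = View Assigned Rights
# Nothing else is granted, so edit, save, print, forward and reply stay blocked.
$rights = New-AadrmRightsDefinition -EmailAddress $group `
                                    -Rights 'VIEW', 'VIEWRIGHTSDATA'

# Template name and description keyed by locale ID (1033 = en-US).
$names        = @{ 1033 = 'All Employees - View Only' }
$descriptions = @{ 1033 = 'Recipients can read the content but cannot edit, save, print or forward it.' }

# No scope is set, so every user in the tenant can apply the template.
Add-AadrmTemplate -Names $names `
                  -Descriptions $descriptions `
                  -RightsDefinitions $rights `
                  -Status Published

# Review what every template in the tenant grants, so an over-permissive
# rights list is noticed before users start relying on the template.
Get-AadrmTemplate | ForEach-Object {
    Get-AadrmTemplateProperty -TemplateId $_.TemplateId `
                              -Names -RightsDefinitions -Status
}
```

Clients pick up a newly published template the next time they refresh their templates, which matches the sign-out and sign-in step in the next section.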

Share the data using RMS template

  1. Log in to Outlook, create a new email, open the Options tab and click the Permissions drop-down button. You should see that the previously created policy has arrived; if not, sign out of Office and sign back in.


  2. Fill in the email and send it
  3. On the receiving side, check that all reply, forward, save and print buttons are disabled.


When implementing Azure RMS, the main challenge is identifying the policy requirements. This has to be planned carefully, because having too many policies makes things complex for the end user. Sharing knowledge with users on how to use RMS will also be a challenge, so user training and an RMS guide might be required for end users.

Hope this post is useful











Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.


Copyright © 2025 Terminalworks. All Rights Reserved