Office 365 User Group meeting
Presentation of the Rights Management Services included with Office 365 (Azure RMS), with a comparison with AD RMS (the on-premises solution) and the integration between On Premises and Azure RMS (use with Exchange, SharePoint or file servers hosted On Premises).
2014 12-10 - office 365 sydney user group - secure your data with right management services
1. Secure your data with Rights Management Services
Benoit HAMET – Cloud Solution Consultant
MVP Office 365
2. Agenda
• What is Rights Management Services?
• Differences between Active Directory Rights Management Services (ADRMS) and Azure Rights Management (AADRMS)
• Enable and configure AADRMS for Office 365
• Use AADRMS with your On Premises systems
10/12/14 5
4. What is Rights Management Services?
• Windows Rights Management Services (also called Rights
Management Services, Active Directory Rights Management Services or
RMS) is a form of Information Rights Management used on
Microsoft Windows that uses encryption for limiting access to
documents (such as corporate e-mail, Office documents) and the
operations authorized to the users (like editing, printing or copying
content).
• Permissions are embedded onto the document itself.
• RMS appeared as an add-on for Windows Server 2003, with client API
libraries made available for Windows clients (from 2000 to Windows 8).
• RMS has been renamed to Active Directory Rights Management
Services, to reflect the tight relation/integration with AD.
• With Office 365 (and Microsoft Azure), RMS has been provided to
selected Office 365 Plans (Enterprise) and relies on Azure Active
Directory
5. What is Rights Management Services?
• Information Protection technology
– Protection is persisted with the data, content can travel
anywhere (desktops, file shares, USB keys, network and
devices)
• Combines encryption, access controls and policy
expression and enforcement
– Prevent the accidental disclosure of sensitive data by applying
usage policies (cannot forward, cannot print, read-only)
• Simple to use
– Authors just select a policy option, consumers just open
documents
– Securely share data with individuals within and outside of your
organization
6. How RMS Works?
Diagram labels: User certificates; Publishing License + keys; Use License.
Sample protected content shown in the diagram: "Galactic Empire Confidential – You cannot copy, print or export this information in unprotected form to droids of any class."
8. Differences between On Premises and
Online Solution
On Premises
• Supports on-premises Microsoft server
products such as Exchange Server,
SharePoint Server, and file servers that
run Windows Server and File
Classification Infrastructure (FCI)
• Trusts must be explicitly defined between
two organizations by using either trusted
user domains (TUDs) or federated trusts
using Active Directory Federation
Services (AD FS)
• There are no default rights policy
templates; you must create and then
distribute these
Online
• Supports information rights management
(IRM) capabilities in Microsoft Online
services such as Exchange Online and
SharePoint Online, as well as Office 365.
– Also supports on-premises Microsoft
server products, such as Exchange
Server, SharePoint Server, and file
servers that run Windows Server and
File Classification Infrastructure (FCI)
• Enables implicit trust between organizations
and users in any organization
• Provides two default rights policy templates
that restrict access of the content to the
organization; one read-only viewing and
another provides write or modify
permissions
9. Differences between On Premises and
Online Solution
On Premises
• Minimum supported version:
– Windows Vista SP2 + Office 2007
– Microsoft Office for Mac 2015:
Supported
– Microsoft Office for Mac 2011:
Supported
• Supports the RMS sharing application for
Windows and mobile devices
– Sharing is restricted to the
organization and does not support
email notification, which lets the
sender know when somebody tries to
open a protected attachment
• Mobile device support includes Windows
Phone, Android, iOS, and Windows RT, and
requires the Active Directory Rights
Management Services Mobile Device
Extension
Online
• Minimum supported version:
– Windows 7 + Office 2010, which
requires the RMS sharing application
– Microsoft Office for Mac 2015:
Supported
– Microsoft Office for Mac 2011: Not
supported
• Supports the RMS sharing application for
Windows and mobile devices
• Mobile device support includes Windows
Phone, Android, iOS, and Windows RT
• Email support by using Exchange
ActiveSync IRM is also supported on all
mobile device platforms that support this
protocol
10. Differences between On Premises and
Online Solution
• On Premises Solution
– Requires important infrastructure
• Certification Authority
• ADRMS server role – usually in high availability
configuration
• Remote access publication
– Is mainly limited to On Premises use (application,
directory)
• Can be complex for cross-organization use
– Supports a wider range of OS and Office versions
11. Differences between On Premises and
Online Solution
• Online Solution
– Easy to setup and use
• Start protecting data within minutes of when you subscribe
to Office 365
• Integrated within Exchange Online(*), SharePoint Online
and Office
– Capabilities
• Simple mechanism to enable Rights management
capabilities across applications and services
• Cross organization sharing
– Provides default templates
• Simple templates to restrict access to users
13. Enable RMS for Office 365
• Activation from the administration portal
• Automatically enabled for SharePoint Online
– Need to apply RMS Policy on document library
• Automatically enabled for Exchange Online
– Available for Outlook client
– Need additional configuration steps to enable on
OWA
– Not supported with ActiveSync
14. Enable RMS for OWA
• Requires Windows Azure Active Directory Module for Windows PowerShell and Windows Azure
AD Rights Management Administration PowerShell modules
– $user = "<your Office 365 administrator email>"
– $cred = Get-Credential -Credential $user
– Import-Module MSOnline
– Import-Module AADRM
– Connect-MsolService -Credential $cred
– Connect-AadrmService -Credential $cred
– Enable-Aadrm (if not yet enabled)
– $msoExchangeURL = "https://ps.outlook.com/powershell/"
– $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
– Import-PSSession $Session
– Enable-OrganizationCustomization
– Set-IRMConfiguration -RMSOnlineKeySharingLocation <location depends on your geographical zone>
• North America: https://sprms.na.aadrm.com/TenantManagement/ServicePartner.svc
• Europe: https://sprms.eu.aadrm.com/TenantManagement/ServicePartner.svc
• Asia: https://sprms.ap.aadrm.com/TenantManagement/ServicePartner.svc
– Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
– Set-IRMConfiguration -InternalLicensingEnabled $true
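A way to confirm that each step above took effect, added here as an example and not part of the original slides. It assumes the MSOnline/AADRM connections and the imported Exchange Online session from the steps above are still open; the $Region and $TestSender parameters and the mailbox address are hypothetical.

```powershell
# Added verification example (not from the original slides).
# Assumes the sessions opened in the steps above are still available.
# $Region and $TestSender are hypothetical inputs chosen for this example.
param(
    [ValidateSet('NorthAmerica', 'Europe', 'Asia')]
    [string]$Region = 'Asia',
    [string]$TestSender = 'admin@contoso.example'   # constructed placeholder
)

# Key sharing locations exactly as listed on the slide.
$keySharing = @{
    NorthAmerica = 'https://sprms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    Europe       = 'https://sprms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    Asia         = 'https://sprms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
}
$expected = $keySharing[$Region]
$problems = @()

# 1. Azure RMS must be activated for the tenant.
if ("$(Get-Aadrm)" -ne 'Enabled') {
    $problems += 'Azure RMS is not enabled (run Enable-Aadrm).'
}

# 2. Exchange Online must point at the key sharing location for this region.
$irm = Get-IRMConfiguration
$actual = "$($irm.RMSOnlineKeySharingLocation)"
if ($actual.TrimEnd('/') -ne $expected) {
    $problems += "RMSOnlineKeySharingLocation is '$actual', expected '$expected'."
}

# 3. The trusted publishing domain imported as "RMS Online" must exist.
if (-not (Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq 'RMS Online' })) {
    $problems += 'Trusted publishing domain "RMS Online" was not imported.'
}

# 4. Internal licensing must be switched on (the last step on the slide).
if (-not $irm.InternalLicensingEnabled) {
    $problems += 'InternalLicensingEnabled is $false.'
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    # End-to-end check for a real mailbox in the tenant.
    Test-IRMConfiguration -Sender $TestSender
}
```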
15. Enable RMS on SharePoint
• From SharePoint Online Administration
Center
• Activate at the Document Library settings
level
– Automatic RMS policy application
18. Use Azure RMS to secure
On Premises
• Sort of “hybrid” configuration of Rights
Management Services
• Support:
– Exchange 2010 SP3/CU6 or 2013 CU3
– SharePoint 2010 or 2013
– File Server
• No On Premises infrastructure required
– Use a connector
– Update for RMS client may be required (Windows
Server 2008/2008 R2)
19. Use Azure RMS to secure
On Premises
• Authorizing On Premises servers to use Azure
RMS
– For Exchange servers, use the default Exchange
Servers group to automatically allow all Exchange
servers
– For SharePoint servers, use the service account used
to run the SharePoint application pool
– For file servers, use the server account or a
dedicated group containing all file servers to be
allowed to use the connector
• Configuring On Premises servers using the PS script
provided (always use Run As Administrator)
22. Take Away
• Azure RMS is included with Office 365 E
plans (or Azure AD Premium)
• Connector with On Premises is “free of charge”
• Permissions are embedded onto the document
and apply even if the document is out of the
corporate environment
• Azure RMS helps to share and protect
documents with external users
24. Links and Downloads
• Azure Rights Management PowerShell Modules
http://www.microsoft.com/en-us/download/details.aspx?id=30339
• Azure RMS portal https://portal.aadrm.com/
• Active Directory Rights Management Service Client 2.1
http://www.microsoft.com/en-us/download/details.aspx?id=38396
• Active Directory Rights Management Services Mobile Device
Extension (server) http://www.microsoft.com/en-us/download/details.aspx?id=43738
• Active Directory Rights Management Services Mobile Device
Extension (client) http://go.microsoft.com/fwlink/?LinkId=303970
• Azure Rights Management Service Connector
http://go.microsoft.com/fwlink/?LinkId=314106
26. Glossary
• IRM: Information Rights Management
• DRM: Digital Rights Management
• RMS: Rights Management Server
• RMS Online (AADRM): Cloud-based Rights
Management Service
• Publishing License: the license a document is
published with
• Usage License: the license to use the document
• AD: Active Directory
• ADRMS: Active Directory Rights Management Service
• ADFS: Active Directory Federation Services