# RMS in Azure

December 6, 2016



Today we’ll run an RMS scenario in our demo Office 365 environment. RMS restricts which actions an authenticated user can perform on documents (Office and other formats) by encrypting the files and attaching usage rights to them. This way you can share confidential data easily while making sure only the allowed persons can perform the permitted actions on the documents.

You can find a clear overview here: https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms





Now, we’ll start by enabling the feature on a limited group.

Step 1: we’ll limit usage to a test group, following the procedure described in https://docs.microsoft.com/en-us/rights-management/deploy-use/activate-service

We have downloaded and installed the required Azure AD Rights Management Administration toolset.


Hmm. Apparently we need the MS Online Services Sign-in assistant first.

Download and install it from https://support.office.com/nl-nl/article/Microsoft-Online-Services-aanmeldhulp-opnieuw-installeren-6f295d05-ae37-4054-8faf-c89dd48d1827?ui=nl-NL&rs=nl-NL&ad=NL

Ok, straightforward setup of both components.


Now let’s create a test group that will be used to validate the RMS functionality. In this case we create an Azure security group.


You’ll need to install the Azure AD PowerShell module to retrieve the object ID of the group.

See: https://msdn.microsoft.com/en-us/library/jj151815.aspx

Then run a few commands to retrieve the required ID.


Now we can activate the RMS feature for a specific security group, and only for members who have the correct license assigned:

PS C:\Windows\system32> Set-AadrmOnboardingControlPolicy -UseRMSUserLicense $True -SecurityGroupObjectId 532a71c3-f370-47bb-9dd8-34026ea751cf

WARNING: The tenant user on-boarding control policy will be updated by this operation.


Verify the result with Get-AadrmOnboardingControlPolicy.
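The group lookup, onboarding policy and verification from the steps above as one script. This is an added example, not the post’s own commands; the group name RMS-Pilot and the property names checked on the returned policy are assumptions.

```powershell
# Added example: scope RMS onboarding to licensed members of one test group.
# Assumes the MSOnline (Azure AD) and AADRM modules are installed and that the
# test group is called 'RMS-Pilot' (an assumed name).
Import-Module MSOnline
Import-Module AADRM

Connect-MsolService          # prompts for Office 365 admin credentials
Connect-AadrmService         # prompts for the RMS (tenant) admin credentials

# Resolve the group by display name and refuse to continue unless exactly
# one group matches, so the policy is never bound to the wrong object ID.
$groupName = 'RMS-Pilot'
$group = Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $groupName }
if (@($group).Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $(@($group).Count)."
}

# Only members of the group who also hold an RMS-capable license may use RMS.
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true -SecurityGroupObjectId $group.ObjectId

# Verify: the stored policy must reference the same group and keep the license check.
# (Property names as returned by Get-AadrmOnboardingControlPolicy; assumed here.)
$policy = Get-AadrmOnboardingControlPolicy
if ($policy.SecurityGroupObjectId -ne $group.ObjectId -or -not $policy.UseRmsUserLicense) {
    throw 'Onboarding control policy does not match the requested group/license scope.'
}
$policy

Disconnect-AadrmService
```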


Ok, done. Now let’s add our test user to the group.


And let’s add the required license to our user. In this case the already assigned E3 license covers RMS (see https://technet.microsoft.com/nl-be/library/office-365-plan-options.aspx and https://technet.microsoft.com/en-us/dn858608 ).


And enable it!


You can now check the status in portal.azure.com -> Rights management status.


If you click through, you’ll see that there are 2 templates already published.


On the client device, download and install the Rights Management sharing application for Windows. This application is available for multiple operating systems.


Set it up.


All went well.


Now if you create a Word document and save it, you can use Explorer to add RMS-based protection to this document.


If you use the "protect in place" option, you will see the client download the policies from the RMS service and then offer these templates as options (2 templates are created by default).


As soon as the document is protected, you’ll see the RMS banner when you open the document in Word.


Now you can also share the content securely; this creates a protected attachment with specific rights included.

However, when I tried to share it with an external user with a commercial email address (@hotmail / @gmail / …) this did not work (yet; this functionality will be implemented in a next version of the product).


But you can share it with other (non-commercial) email addresses. There are 2 possibilities:

-> The recipient already uses an Azure service, so it has an Azure Active Directory and can authenticate.

-> The recipient does not use an Azure service yet, so it needs to be enrolled in Azure AD to be able to authenticate.

The user can sign up using this link: https://docs.microsoft.com/en-us/information-protection/understand-explore/rms-for-individuals-user-sign-up

Once done, you can track usage etc. via a web link (the specific link will be added to your email message).


Additional info and FAQs can be found here: https://docs.microsoft.com/en-us/information-protection/get-started/faqs-rms

Overall, some great functionality at your fingertips!


Gino D


Azure Active Directory Premium

February 3, 2015



Premium always has a nice ring to it. It sounds like the best thing you can get. Seriously, try adding "premium" to anything and it sounds good.

Now, as you all know Active Directory, you all know that there’s a cloud counterpart named Azure Active Directory. Let’s have a look at the best version of this: Azure Active Directory Premium.

What’s the difference?

See https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Today we’ll focus on the branding and self-service password reset functionality (also available in the Basic edition).

We’ll cover some other features, like delegated group management later.

Let’s start by opening the Azure management portal and activating the Azure AD Premium trial.


Create a new group.


Add a user to the group.


Now assign the license to the created group.


Also add at least one user to the assigned licenses (it won’t work with only the group assigned, which makes sense).


Now log off and log on again, and the additional configuration tabs should be present.


Now let’s enable password reset, activate the secret password option and create a set of security questions.


Let’s also do some rebranding on the logon portal.


Now let’s test …


Press Tab, et voilà …


Nice … now let’s try the self-service password reset: log on to the http://myapps.microsoft.com page and register for password reset.


Let’s set up the security questions in this case. (You can also require this registration at first logon.)




Okay, now say we’ve lost our password. How can we reset it?

Easy: go to https://passwordreset.microsoftonline.com or click the "can’t access" button on the portal. Make sure your test user is among the Azure AD Premium licensed users, or you will receive a message that the functionality is not activated for this user. In that case the user still has the option to contact the admin through a link to request a password reset.


Fill in the required information (note that the custom logo also applies here).


And fill in the required questions …


And now you can select a new password.




Now, with the Premium edition, you could sync the new password back to the local AD environment.

Great features; the need for an on-premises Active Directory environment just got smaller.

Also remember that Azure AD Premium, Intune and Azure Rights Management are now available in one license package, EMS (Enterprise Mobility Suite): http://www.microsoft.com/en-us/server-cloud/products/enterprise-mobility-suite/


Quick tip! Azure Automation

November 19, 2014


Want to save some money on your cloud infrastructure? Make sure to shut it down when you’re not using it.

And now you can use Azure’s automation features for this.

Compare it to Orchestrator here: http://msdn.microsoft.com/en-us/library/azure/dn643629.aspx


Log on to the Azure management portal and open Automation.



Create an account.


Fill in the account name and select a region.


Ok, now we can create a new runbook. You can create one from scratch or use an existing runbook.


In this case we want to shut down the environment.


You can review the script presented.


And modify the name, account or subscription.



Ok, now go to the runbook and modify the required parameters.

Use the Author command.



Test the runbook.



And verify the result.




As you can see, we need to create a connection asset. So back to the runbooks -> Assets.

Additional information about the assets can be found here: http://azure.microsoft.com/blog/2014/07/29/getting-started-with-azure-automation-automation-assets-2/

And add a setting. Make sure to copy your subscription ID before starting the wizard!


Select Connection, then Azure, and give it a name.


And create a cert and paste your subscription ID.



Now create a self-signed certificate to upload to Azure.

Use Server 2012 R2 web services (IIS).


Open IIS -> Server Certificates.



Create a self-signed certificate.



Modify the name and leave it in the Personal store.




Click View Details and Copy to File.



Export it once as .cer without the private key.


And once as .pfx with the private key.
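The same certificate creation and double export done with PowerShell instead of the IIS wizard, so that the public (.cer) and private (.pfx) parts are kept clearly apart. This is an added example, not from the post; the certificate name and output paths are made up.

```powershell
# Added example: scripted equivalent of the IIS self-signed certificate steps.
# Assumes Windows Server 2012 R2 or later, run from an elevated PowerShell session.
# 'automation-mgmt' and C:\certs are placeholder values.
$outDir = 'C:\certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Create the certificate in the local machine Personal store (same store the wizard uses).
$cert = New-SelfSignedCertificate -DnsName 'automation-mgmt' `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'

# Public key only (.cer): this is the file for Settings -> Management Certificates in Azure.
Export-Certificate -Cert $cert -FilePath "$outDir\automation-mgmt.cer" | Out-Null

# Private key included (.pfx): this is the file for the Automation certificate asset.
# The password is read interactively so it never ends up in the script or in history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$outDir\automation-mgmt.pfx" `
                      -Password $pfxPassword | Out-Null

# Print the thumbprint so you can match it against the portal after uploading the .cer.
$cert.Thumbprint
```

Treat the .pfx like a credential: it grants management access to the whole subscription, so delete the local copy once the asset is uploaded.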



Now add the .cer file to the Azure management certificates.



Now back to Azure Automation and create an additional credential asset.



Next, browse for your .pfx file and enter its password.




Now go to the runbook and modify the parameters using the Author tool.



$MyConnection -> This is your Automation connection created in the Assets section.

$MyCert -> This is the name of the newly imported certificate credential in the Assets section.


Also correct the Azure subscription name hardcoded in the script.
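To make the three values above concrete, here is a small shutdown runbook that reads the connection asset, pulls the certificate asset named inside it, and fixes the subscription name through a parameter instead of hardcoding it. This is an added example, not the gallery runbook the post uses; the asset names and the subscription name are placeholders.

```powershell
# Added example: minimal "stop all running classic VMs" runbook for Azure Automation.
# Assumes the classic Azure (service management) module is loaded in the Automation account,
# and that 'MyAzureConnection' and 'Demo Subscription' are replaced with your own names.
workflow Stop-DemoVMs
{
    param(
        [string]$ConnectionName   = 'MyAzureConnection',   # $MyConnection in the post
        [string]$SubscriptionName = 'Demo Subscription'    # the name that was hardcoded
    )

    # The built-in Azure connection type stores the subscription ID plus the name
    # of the certificate asset (fields AutomationCertificateName and SubscriptionID).
    $conn = Get-AutomationConnection -Name $ConnectionName
    $cert = Get-AutomationCertificate -Name $conn.AutomationCertificateName   # $MyCert in the post

    # Register the subscription with certificate authentication and make it current.
    Set-AzureSubscription -SubscriptionName $SubscriptionName `
                          -SubscriptionId $conn.SubscriptionID `
                          -Certificate $cert
    Select-AzureSubscription -SubscriptionName $SubscriptionName

    # Only touch VMs that are actually running; anything already stopped is left alone.
    $vms = Get-AzureVM | Where-Object { $_.PowerState -eq 'Started' }
    if (-not $vms) {
        Write-Output 'No running VMs found, nothing to do.'
        return
    }

    foreach -parallel ($vm in $vms) {
        Write-Output "Stopping $($vm.Name) in cloud service $($vm.ServiceName)"
        # -Force skips the confirmation for the last VM in a cloud service;
        # without -StayProvisioned the VM is deallocated, so compute billing stops.
        Stop-AzureVM -Name $vm.Name -ServiceName $vm.ServiceName -Force
    }
}
```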




Save, test and verify the result.


Hallelujah! Success!

Now all we need to do is add a schedule, and that’s it.



Now create a new schedule.


Name it.


In this case, set it to Friday, 19:00, every 7 days.


That’s it, imagine the possibilities.



Gino D

Additional info can be found here: http://blogs.technet.com/b/keithmayer/archive/2014/04/04/step-by-step-getting-started-with-windows-azure-automation.aspx


Azure RemoteApp

July 21, 2014



Today I want to show a new Microsoft cloud service: Azure RemoteApp. The solution is based on Server 2012 R2 Remote Desktop Services. It allows publishing Windows applications to a range of Windows and non-Windows devices.


You can sign up for the preview service now using http://azure.microsoft.com/nl-nl/


After registration you can log on to the Azure portal and create a new RemoteApp service.




You can use Quick Create for a default cloud-only deployment, or you can use the VPN connection for a hybrid deployment. This way the Server 2012 R2 host has connectivity to your on-premises DC, for example for the file server or SQL connectivity some applications require.




Name the Service.





Wait for the deployment and provisioning of the new service.


And here you are … no hassle, just make an app available in a few minutes. Nice!



The default for now is a Server 2012 R2 deployment with Office 2013 installed, so if you use Quick Create you immediately publish some of the Office apps. Okay …


Now check out the client side.






Remember, there’s a client for Windows, Mac, iOS and Android.




Ok, install completed, let’s get started.





Log on using your credentials.





Provide the password for your account.




And you see the available apps.





Let’s start Word.



You’ll see the RemoteApp icon on the app in the taskbar.



Back to the config side … you’ll notice that provisioning can take up to 30 minutes. Until then you can’t modify the settings.




This looks like a great feature and I am curious about the prices.


After some minutes you can see the available apps, check open sessions, select the users, etc.




If you want to deploy custom apps, you’ll need to supply a template based on Server 2012 R2 containing your custom apps.


Additional info can be found here: http://blogs.msdn.com/b/rds/archive/2014/05/12/windows-apps-in-the-cloud-introducing-microsoft-azure-remoteapp.aspx