Today we’ll run a RMS scenario in our demo office 365 environment. RMS provides the ability to restrict certain actions to documents ( office and other ) depending on the authenticating user by encrypting the required files. This way you can share confidential data in an easy way and make sure only the allowed persons can perform some actions with the documents.
You can find a clear overview here ( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms )
What is Azure Rights Management? | Azure Information Protection
Now, we’ll start by enabling the feature on a limited group.
Step 1 : we’ll limit the usage to a test group so we’ll use the procedure described in https://docs.microsoft.com/en-us/rights-management/deploy-use/activate-service
We have downloaded and installed the required Azure AD Rights Management Administration toolset.
Hmm. Apparently we need the MS Online Services Sign-in assistant first.
Ok straightforward setup of both components.
Now let’s create a test group that will be used in order to validate the RMS functionality. In this case we create a azure security group.
You’ll need to install the azure AD powershell module in order to retrieve the id of the group.
Then run some commands in order to retrieve the required ID.
Now we can set the RMS feature active for a specific security group and only if the user has the correct
PS C:\Windows\system32> Set-AadrmOnboardingControlPolicy -UseRMSUserLicense $True -SecurityGroupObjectId 532a71c3-f370-47bb-9dd8-34026ea751cf
WARNING: The tenant user on-boarding control policy will be updated by this operation.
Verify the result by using get-aadrmonboardingControlPolicy
Ok done, now let’s add our test user to the group.
And let’s add the required license to our user. In this case the allready assigned E3 license covers RMS ( see https://technet.microsoft.com/nl-be/library/office-365-plan-options.aspx and https://technet.microsoft.com/en-us/dn858608 )
And enable it !
You can now check the status by using portal.azure.com -> Rights management status
If you click through you’ll see that there are 2 templates allready published
On the client device download and install the rights management sharing application for Windows. This application is available for multiple OS’s.
Set it up
All went well
Now if you create a word document and save it then you can use explorer to add RMS based security to this document
If you use the protect in place option then you will see that the client will download the policies from the RMS system and then present the options to use these templates ( 2 templates are created by default )
As soon as the document is protected you’ll see the RMS banner if you open the document in Word.
Now you can also share the content in a secure way, this will create a secured attachment with specific rights included
However when I tried to share it with an external user with commercial email ( @hotmail / @gmail / … ) this will not work ( yet, this functionality will be implemented in a next version of the product )
But you can share it with other ( non commercial ) email addresses. Now there are 2 possbilities :
-> The recipient already uses an azure service so it has a azure active directory and can authenticate
-> The recipient does not already use an azure service so it needs to be enrolled in Azure ad in order to be able to authenticate
The user can use this link ( https://docs.microsoft.com/en-us/information-protection/understand-explore/rms-for-individuals-user-sign-up )
Once done you can track usage etc by using web link ( the specific link will be added to your email message )
Additional info and faqs can be found here : https://docs.microsoft.com/en-us/information-protection/get-started/faqs-rms
Overall some great functionality at your fingertips !