# RMS in Azure

December 6, 2016

Hello,

Today we’ll run an RMS scenario in our demo Office 365 environment. RMS lets you restrict what an authenticated user can do with a document (Office and other file types) by encrypting the file and binding the allowed actions to it. This way you can share confidential data easily and make sure only the allowed persons can perform certain actions on the documents.

You can find a clear overview here: https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms

Now, we’ll start by enabling the feature on a limited group.

Step 1: we’ll limit usage to a test group, following the procedure described in https://docs.microsoft.com/en-us/rights-management/deploy-use/activate-service

We have downloaded and installed the required Azure AD Rights Management Administration toolset.

Hmm. Apparently we need the MS Online Services Sign-in assistant first.

Download and install it from https://support.office.com/nl-nl/article/Microsoft-Online-Services-aanmeldhulp-opnieuw-installeren-6f295d05-ae37-4054-8faf-c89dd48d1827?ui=nl-NL&rs=nl-NL&ad=NL

OK, straightforward setup of both components.

Now let’s create a test group that will be used to validate the RMS functionality. In this case we create an Azure security group.

You’ll need to install the Azure AD PowerShell module in order to retrieve the ID of the group.

See: https://msdn.microsoft.com/en-us/library/jj151815.aspx

Then run a few commands to retrieve the required ID.

Now we can activate the RMS feature for a specific security group, and only for members of that group that also have the correct license assigned:

PS C:\Windows\system32> Set-AadrmOnboardingControlPolicy -UseRMSUserLicense $True -SecurityGroupObjectId 532a71c3-f370-47bb-9dd8-34026ea751cf

WARNING: The tenant user on-boarding control policy will be updated by this operation.

Verify the result with Get-AadrmOnboardingControlPolicy.

OK, done. Now let’s add our test user to the group.

And let’s add the required license to our user. In this case the already assigned E3 license covers RMS (see https://technet.microsoft.com/nl-be/library/office-365-plan-options.aspx and https://technet.microsoft.com/en-us/dn858608).

And enable it!

You can now check the status in portal.azure.com -> Rights management status.

If you click through, you’ll see that there are 2 templates already published.
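
A scripted version of the tenant-side onboarding steps above (group lookup, onboarding control policy, verification), added here as an example and not taken from the original post. It assumes the MSOnline and AADRM PowerShell modules are installed; the group name "RMS Test Users" and the user "testuser@contoso.onmicrosoft.com" are placeholders.

```powershell
# Added example (not from the original post). Assumes the MSOnline and AADRM
# modules are installed; group and user names below are placeholders.
Connect-MsolService
Connect-AadrmService

# Look up the security group's object id instead of copying it by hand
$groupName = "RMS Test Users"
$group = Get-MsolGroup -SearchString $groupName |
         Where-Object { $_.DisplayName -eq $groupName }
if (-not $group) { throw "Test group '$groupName' not found" }

# Restrict RMS onboarding to licensed members of that group only.
# Later module versions also require a -Scope parameter (All/Office/Client).
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true `
    -SecurityGroupObjectId $group.ObjectId

# Verify: both values must reflect what was just set
$policy = Get-AadrmOnboardingControlPolicy
$policy | Format-List UseRmsUserLicense, SecurityGroupObjectId
if ($policy.SecurityGroupObjectId -ne $group.ObjectId) {
    throw "Onboarding policy points at a different group"
}

# Confirm the test user is a member AND carries a license (both are required)
$user    = Get-MsolUser -UserPrincipalName "testuser@contoso.onmicrosoft.com"
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId
$inGroup = ($members | Where-Object { $_.ObjectId -eq $user.ObjectId }) -ne $null
"In group : $inGroup"
"Licenses : " + (($user.Licenses | ForEach-Object { $_.AccountSkuId }) -join ", ")
```

The last two lines are the check that matters: with UseRmsUserLicense set to $true, a user who is in the group but has no RMS-capable license (or the other way round) is not onboarded.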

On the client device, download and install the Rights Management sharing application for Windows. This application is available for multiple operating systems.

Set it up.

All went well.

Now if you create a Word document and save it, you can use Explorer to add RMS-based protection to this document.

If you use the "protect in place" option, you’ll see the client download the policies from the RMS service and then present the templates to choose from (2 templates are created by default).

As soon as the document is protected you’ll see the RMS banner if you open the document in Word.

Now you can also share the content in a secure way; this creates a protected attachment with specific rights included.

However, when I tried to share it with an external user on a consumer email address (@hotmail / @gmail / …) it did not work (yet; this functionality will be implemented in a next version of the product).

But you can share it with other (non-consumer) email addresses. There are 2 possibilities:

-> The recipient already uses an Azure service, so it has an Azure Active Directory and can authenticate

-> The recipient does not use an Azure service yet, so it needs to be enrolled in Azure AD in order to be able to authenticate

The user can sign up via this link: https://docs.microsoft.com/en-us/information-protection/understand-explore/rms-for-individuals-user-sign-up

Once done, you can track usage etc. via the web link (the specific link is added to your email message).

Additional info and FAQs can be found here: https://docs.microsoft.com/en-us/information-protection/get-started/faqs-rms

Overall, some great functionality at your fingertips!

Enjoy.

Gino D


Azure Active Directory Premium

February 3, 2015

Hello,

Premium always has a nice ring to it. It sounds like the best thing you can get. Seriously, try adding "premium" to anything and it sounds good.

Now, as you all know Active Directory, you also know that there’s a cloud substitute named Azure Active Directory. Let’s have a look at the best version of it: Azure Active Directory Premium.

What’s the difference?

See https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Today we’ll focus on the branding and self-service password reset functionality. (Also available in the Basic version.)

We’ll cover some other features, like delegated group management later.

Let’s start by opening the Azure management portal and activating the Azure AD Premium trial.

Create a new group.

Add a user to the group.

Now assign the license to the created group.

Also add at least one user to the assigned licenses. (It won’t work with only the group applied, which makes sense.)

Now log off and log on again, and the additional Configure tabs should be present.

Now let’s enable password reset, activate the security question option and create a set of security questions.

Let’s also do some rebranding of the logon portal.

Now let’s test…

Press Tab, et voilà…

Nice… now let’s try the self-service password reset: log on to the http://myapps.microsoft.com page and register for password reset.

Let’s set up the security questions in this case. (You can also require this registration at first logon.)

Done.

Okay, now say we’ve lost our password; how can we reset it?

Easy: go to https://passwordreset.microsoftonline.com or click the "can’t access your account" link on the portal. Make sure your test user is one of the Azure AD Premium licensed users, or you will receive a message that the functionality is not activated for this user. In that case the user still has the possibility to contact the admin via a link to request a password reset.

Fill in the required information (note that the logo also applies here).

And fill in the required questions…

And now you can select a new password.

Done.

Now with the Premium edition you can also write the new password back to the on-premises AD environment.

Great features; the need for an on-premises Active Directory environment just got smaller.

Also remember that Azure AD Premium, Intune and Azure Rights Management are now available in one license package, EMS (Enterprise Mobility Suite): http://www.microsoft.com/en-us/server-cloud/products/enterprise-mobility-suite/

Enjoy.


Quick tip! Azure Automation

November 19, 2014

Hello,

Want to save some money on your cloud infra? Make sure to switch it off when you’re not using it.

And now you have automation features to do exactly that.

Compare it to Orchestrator here: http://msdn.microsoft.com/en-us/library/azure/dn643629.aspx

Log on to the Azure management portal and open Automation.

Create an account.

Fill in the account name and select a region.

OK, now we can create a new runbook. You can create one from scratch or use an existing runbook.

In this case we want to shut down the environment.

You can review the script presented.

And modify the name, account or subscription.

OK, now go to the runbook and modify the required parameters.

Use the Author command.

Test the runbook.

And verify the result.

As you can see we need to create a connection asset. So back to Runbooks -> Assets.

Additional information about assets can be found here: http://azure.microsoft.com/blog/2014/07/29/getting-started-with-azure-automation-automation-assets-2/

And add a setting. Make sure to copy your subscription ID before starting the wizard!

Select Connection, choose Azure, and give it a name.

Then give the certificate a name and paste your subscription ID.

Now create a self-signed certificate to upload to Azure.

We use IIS on Server 2012 R2 for this.

Open IIS -> Server Certificates.

Create a self-signed certificate.

Modify the name and leave it in the Personal store.

Click View Details and Copy to File.

Export it once as .cer without the private key.

And once as .pfx with the private key.

Now add the .cer file to Azure management certificates.

Now back to Azure Automation and create an additional credential asset.

Next, browse for your .pfx file and enter its password.

Now go to the runbook and modify the parameters using the Author tool.

$MyConnection -> this is the Automation connection you created in the Assets section

$MyCert -> this is the name of the newly imported certificate credential in the Assets section

Also correct the Azure subscription name hardcoded in the script.
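
The kind of runbook those parameters feed, added here as an example (it is not the gallery runbook the post modifies): a classic Service Management Azure Automation workflow that stops every running VM in the subscription. It assumes a connection asset named "MyAzureConnection", a certificate asset named "MyAzureCert" and a subscription named "Pay-As-You-Go"; all three names are placeholders.

```powershell
# Added example runbook (not the gallery runbook from the post).
# Asset names and the subscription name below are placeholders.
workflow Stop-AzureVMs
{
    param(
        [string]$MyConnection     = "MyAzureConnection",  # connection asset
        [string]$MyCert           = "MyAzureCert",        # certificate asset
        [string]$SubscriptionName = "Pay-As-You-Go"       # exact portal name
    )

    # Assets are resolved inside the Automation sandbox, so the .pfx private
    # key is never written into the runbook text or its job output.
    $conn = Get-AutomationConnection -Name $MyConnection
    $cert = Get-AutomationCertificate -Name $MyCert

    # Bind the subscription id from the connection asset to the certificate
    Set-AzureSubscription -SubscriptionName $SubscriptionName `
        -SubscriptionId $conn.SubscriptionID -Certificate $cert
    Select-AzureSubscription -SubscriptionName $SubscriptionName

    # Only touch VMs that are actually running; skip already stopped ones
    $running = @(Get-AzureVM | Where-Object { $_.PowerState -eq "Started" })
    foreach ($vm in $running) {
        Write-Output "Stopping $($vm.Name) in cloud service $($vm.ServiceName)"
        # -Force: also deallocate when it is the last VM in the cloud service
        Stop-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name -Force
    }
    Write-Output "Stopped $($running.Count) VM(s)"
}
```

The uploaded .pfx is a management certificate with full control over the subscription, so treat the file and its password like an admin credential and remove the matching entry from Management Certificates when the runbook is retired.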

Save, test and verify the result.

Hallelujah! Success!

Now all we need to do is add a schedule and that’s it.

Publish.

Now create a new schedule.

Name it.

In this case set it to Friday, 19:00, every 7 days.

That’s it; imagine the possibilities.

Enjoy.

Gino D

Additional info can be found here: http://blogs.technet.com/b/keithmayer/archive/2014/04/04/step-by-step-getting-started-with-windows-azure-automation.aspx

Azure RemoteApp

July 21, 2014

Hello,

Today I want to show a new Microsoft cloud service: Azure RemoteApp. The solution is based on Server 2012 R2 Remote Desktop Services. It allows publishing Windows applications to a range of Windows and non-Windows devices.

You can sign up for the preview service now at http://azure.microsoft.com/nl-nl/

After registration you can log on to the Azure portal and create a new RemoteApp service.

You can use Quick Create for a default cloud-only deployment, or use the VPN connection for a hybrid deployment. This way the Server 2012 R2 has connectivity to your on-premises DC, and to the file server or SQL connectivity some applications require.

Name the service.

Wait for the deployment and provisioning of the new service.

And here you are… no hassle, just make an app available in a few minutes. Nice!

The default for now is a Server 2012 R2 deployment with Office 2013 installed, so if you use Quick Create you immediately publish some of the Office apps. Okay…

Now check out the client side:

https://www.remoteapp.windowsazure.com/

Remember, there’s a client for Windows, Mac, iOS and Android.

OK, install completed; let’s get started.

Log on using your credentials.

Provide the password for your account.

And you see the available apps.

Let’s start Word.

You’ll see the RemoteApp icon on the app in the taskbar.

Back to the config side… you’ll notice that the provisioning can take up to 30 minutes. Until then you can’t modify the settings.

This looks like a great feature and I am curious about the prices.

After some minutes you can see the available apps, check open sessions, select the users, etc.

If you want to deploy custom apps, you’ll need to supply a template image based on Server 2012 R2 that contains your custom apps.

Additional info can be found here: http://blogs.msdn.com/b/rds/archive/2014/05/12/windows-apps-in-the-cloud-introducing-microsoft-azure-remoteapp.aspx

Enjoy.