
What’s New with Azure Rights Management
White Paper
September 2014

Contents

Introduction  3
    Challenges  3
    Sharing data securely  4
    Sharing between organizations  4
    Maintaining control  4
The Microsoft approach  5
    History of AD RMS  5
    Into the future with Azure RMS  6
Architecture  7
How RMS works  8
Deployment models  9
Application integration  10
Working with Azure RMS  11
Summary  15

© 2014 Microsoft Corporation. All rights reserved. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.

Introduction

Microsoft Rights Management Services (RMS) solutions provide you with the ability to share virtually any file on any platform securely, inside or outside of your organization. Whether the file is on-premises or in the cloud, RMS can protect your organization’s critical information in a way that is customizable and easy to manage.

This white paper explains what RMS is, explores what it can do for your organization, and discusses the latest updates and innovations that are included in Microsoft Azure RMS.

Challenges

In today’s cloud-based environment, organizations are going to great lengths to make relevant data more accessible for critical workloads. Data is meant to be shared and can lead to better decision making when used effectively. But with such increased openness and accessibility, organizations now face a number of security challenges:

- Increased regulations – Government and industry standards have grown more extensive to match the explosion of data gathering and sharing that organizations are engaged in.
- Consumerization of IT – Individual users, not administrative IT, are setting the pace for what technologies (devices and services) are used in the workplace.
- Bring Your Own Device – More and more employees bring their own personal devices (such as laptops, phones, and tablets) to work and use them to access company information and applications.
- Increased adoption of cloud-based software-as-a-service (SaaS) applications – Sharing applications of all kinds have risen in popularity, and the cloud has changed many traditional notions about storage.
- Administrative controllers – Aside from regular employees, users who are granted broad administrative control have a greater opportunity to inflict lasting damage on an organization’s infrastructure. Recent data breaches suggest control permissions must be better managed in this area.[1]

[1] Rammurthy, Govind. “The Snowden Effect on Enterprise Security in 2014.” PCQuest, 20 Dec 2013. http://www.pcquest.com/pcquest/column/204634/the-snowden-effect-enterprise-security-2014

Sharing data securely

While no single solution can fully address all of these challenges, RMS does address many of them in a manner that is easy to understand and implement.

RMS allows users to encrypt individual files and safely share them with the intended recipients. There are no file type restrictions, so users are free to send any file to whoever needs to receive it, via any transport mechanism such as email or a cloud-drive storage sync. Additionally, users can access these files on the most commonly used device types, including PCs (Windows and Mac) and mobile devices (Windows, iOS, and Android).

Sharing between organizations

Open sharing between independent organizations continues to increase as collaboration technologies advance. Many of these sharing applications have become more accessible as user interfaces have grown more intuitive. However, increased accessibility has resulted in growing security concerns for organizations, as they seek to avoid the damage that can result from sensitive files falling into the hands of external users. Furthermore, there can be compatibility concerns for participants who have not adopted the security software being used.

To help individuals share files more securely, Microsoft has released Rights Management for Individuals. This free service is an effective option that allows users to consume and produce RMS-protected content. To make usage even more convenient, the RMS sharing application adds buttons to the Microsoft Office ribbon for Word, Excel, and PowerPoint so that users can easily and quickly share protected files, and integrates with File Explorer to provide a right-click context menu.

Maintaining control

When considering RMS, it is important to understand that user autonomy and control are central to its design. This begins with its customizable policy templates, which give IT the ability to define templates that meet business and compliance requirements. Microsoft RMS offers two different deployment topologies (cloud and on-premises) so that customers can choose and adopt the most appropriate option, and it is important to note that throughout the entire encryption process, customers retain exclusive access to their data; the RMS service never accesses, captures, or views customer data.

In addition to these features, updates coming in the near future will increase the control users enjoy. These include new dashboards for easy document tracking, notifications to the document owner, and an approval system that allows permissions to be revoked or granted upon request.

The Microsoft approach

With RMS, Microsoft has three core objectives:

1. Compatibility with virtually any file type – Regardless of the file type, it can be protected.
2. Choice of platform – Regardless of the user’s device, a full-fledged RMS experience is available.
3. Management flexibility – Administrators have full control over security and policymaking.
4. Rich integration with back-end systems – RMS-protected content is transparently processed by cloud and on-premises systems, making full functionality and a rich experience available to users and administrators.

Keeping these priorities at the forefront has enabled RMS to be accessible to many different user types and unobtrusive to existing processes. Ultimately, the Microsoft approach provides an effective security solution without getting in the way of user productivity.

History of AD RMS

Microsoft has offered document-level information protection since it was first released with Windows Server 2003, providing protection for Office 2003 documents on Windows 2000 and XP clients. The service has been improved and updated since then with each major release of Windows and Office, but the proliferation of mobile devices and the adoption of additional platforms require a new approach.


Into the future with Azure RMS

Azure RMS brings the Rights Management experience to the cloud, including a number of benefits that will be explored later in this paper. One of the most significant benefits, however, is that Azure RMS continually receives updates and improvements to bolster security and refine the user experience.

Beginning in August 2014, Microsoft will roll out the following additional capabilities for RMS:

- When customers send an Office document using Share Protected, a protected PDF duplicate of the original document is automatically generated and also sent to the user. This PDF “sidecar” functionality helps ensure that the recipient of the document can always open it.
- Along with the PDF sidecar, an updated RMS sharing application that natively renders protected PDF documents will be shipped.
- When using Azure RMS to securely share documents, senders can optionally receive notifications when the recipient has opened the document, including access-denied alerts if anyone other than the recipient attempts to open the document.
- Users and IT will be provided with portals so they can gain insight into their protected document sharing activities. Users will be able to see their own information, while IT can see company-level information.
- The RMS SDK continues to be updated so application developers can easily integrate RMS into their applications and natively support the creation and consumption of protected documents, as well as build additional value on top of RMS such as redacted content support.


Architecture

This section provides an overview of Microsoft RMS and how it is currently set up. There are two ways to approach RMS, as Figure 1 shows: Active Directory RMS (AD RMS), on the left of the diagram, or Azure RMS, on the right of the diagram.

Figure 1) Microsoft RMS overview

Windows Server Active Directory RMS, as Figure 1 illustrates, is a role in Windows Server tightly integrated with Active Directory; it interacts with on-premises users, devices, and applications (such as Exchange, SharePoint, and file servers) in establishing user authentication.

Azure RMS operates in two modes, cloud only and hybrid, the latter through on-premises connectors. Azure RMS relies on Azure Active Directory for user identity and authentication, and is integrated with Office 365.

Azure RMS provides the best of both worlds, allowing users to connect to both on-premises servers and cloud services, while still offering greater integration opportunities with Office 365.

For each subscribing organization, there is an assigned tenant key within Azure RMS. This tenant key is the server licensor certificate, which is linked to all other Azure RMS security artifacts for the organization.

Azure RMS grants multiple levels of control to the customer for storing and managing this key. The important point to remember is that a customer can opt not to give Microsoft any control over these keys, retaining all control themselves.


How RMS works

This section explains the process RMS uses to protect documents. As Figure 2 shows, when a document is protected by RMS (regardless of what application is used), its content is encrypted with a symmetric key. That key is then encrypted with the RMS public key of the service. The user can then create a usage rights policy that specifies the level of access the intended recipient will have.

Figure 2) Protecting and accessing a document

The service then takes all essential components (the encrypted symmetric key, public key, and usage rights) and bundles them together as an encrypted policy, which is embedded into the document. To access the contents of the document, a client has to authenticate to the service before passing the policy to it; the service returns the artifacts the client needs to open the document. To unprotect the document, the recipient needs to authenticate as stipulated by the usage rights.

As noted previously, none of the contents of the secured file are ever sent to the RMS server or service. That content cannot be accessed because RMS never actually receives the files, only the policy settings for those files. As Figure 3 demonstrates, enforcement of the rights occurs through the RMS-compatible applications, which work in unison with Azure RMS through SDKs that communicate the policy restrictions to the server. While compatibility issues between files and available applications had previously been a challenge, virtually any file type will now work with Azure RMS.

Figure 3) Rights Management 101
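As an added illustration of the protect-and-consume flow just described (example code written for this edit, not Microsoft’s RMS SDK or its wire format), the Go model below encrypts a document with a fresh symmetric key, wraps that key to the service’s public key, embeds the wrapped key and usage rights as the policy, and at consumption time hands only the policy to the service, which unwraps the key for a user the rights name. AES-256-GCM, RSA-OAEP, the struct names and the one-right-per-recipient policy shape are assumptions of this model, not details the paper states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Policy is what gets embedded in the document: the content key wrapped to
// the service public key plus the usage rights. The content itself is absent.
type Policy struct {
	WrappedKey []byte            // AES-256 key, RSA-OAEP encrypted to the service
	Rights     map[string]string // recipient -> right ("View", "Author"); assumed shape
}
// ProtectedDoc is what travels by email or cloud drive: ciphertext plus policy.
type ProtectedDoc struct {
	Nonce, Ciphertext []byte
	Policy            Policy
}
// Service models the RMS service: it holds the private key and sees only policies.
type Service struct{ Priv *rsa.PrivateKey }

// gcmFor builds AES-GCM for a 32-byte key; callers only pass keys of that length.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Protect is the publishing step of Figure 2: encrypt, wrap the key to the service, bundle the rights.
func Protect(pub *rsa.PublicKey, content []byte, rights map[string]string) (*ProtectedDoc, error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand: one fresh key per document
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &ProtectedDoc{nonce, gcm.Seal(nil, nonce, content, nil), Policy{wrapped, rights}}, nil
}

// Issue: after authentication the service unwraps the key only if the policy grants the user a right.
func (s *Service) Issue(user string, p Policy) ([]byte, string, error) {
	right, ok := p.Rights[user]
	if !ok {
		return nil, "", errors.New("access denied for " + user)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Priv, p.WrappedKey, nil)
	return key, right, err
}

// Open: the client hands only the policy to the service and decrypts locally; the service never sees ciphertext.
func Open(svc *Service, user string, d *ProtectedDoc) ([]byte, string, error) {
	key, right, err := svc.Issue(user, d.Policy)
	if err != nil {
		return nil, "", err
	}
	plain, err := gcmFor(key).Open(nil, d.Nonce, d.Ciphertext, nil)
	return plain, right, err
}
```

Because GCM authenticates the ciphertext, a document whose body has been altered in transit fails to open even for a listed recipient, which is the behaviour the unlisted-user check and the tamper check exercise.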

Deployment models

In choosing to adopt RMS, it is not a question of what needs to change; it is more a matter of what best fits the needs of your organization. Most organizations fit into one of three categories: cloud ready, cloud accepting, or cloud averse. Organizations in general are starting to migrate to the cloud, but that does not necessarily mean it is the right move for everyone (at least right now). To meet the diverse set of business requirements, Microsoft has readied RMS for each type of customer.

Cloud ready

RMS in Office 365 is designed for cloud-ready organizations and is by far the easiest platform to manage. It offers a wide range of RMS-enlightened apps, live support, and other features such as Data Loss Prevention functionality in Exchange. Office 365 is equipped for organizations that are ready to experience Office anywhere, without being bound to a physical location. Enabling RMS is a single-click process.

Cloud accepting

For cloud-accepting organizations that are not ready to fully commit to Office 365, there is a compelling hybrid alternative: the Microsoft Rights Management connector. This connector runs on-premises and acts as a communicator between existing on-premises servers and the cloud-based Azure RMS.


Figure 4) Connectors and connections

Azure RMS is integrated with Azure AD (through syncing with Active Directory), RMS SDKs, and Office 365, as Figure 4 illustrates. On-premises offerings, however, such as File Classification Infrastructure (FCI), SharePoint, or Exchange, require the connector in order to relay information to the cloud environment. The setup for RMS in this environment requires the connector, but the keys, licenses, and policies remain in the cloud. The connector merely acts as an intermediary to help the on-premises servers relay information to the cloud and back.

Cloud averse or blocked

Organizations that are reluctant to join the cloud platform (or are blocked by a business or regulatory compliance requirement) can still experience RMS through Active Directory RMS. On-premises servers handle authentication, license creation, and relays. The setup is more involved than the cloud-dependent offerings, but for some organizations this is still the choice that makes the most sense given their existing infrastructure.

Application integration

In exploring the capabilities of Azure RMS, there are a number of application integrations that are important to understand. Becoming aware of these integrations will increase your understanding of how these technologies can improve your organization’s security.

Office

AD RMS was created with Office applications in mind. Programs like Microsoft Word, Excel, and PowerPoint not only have the ability to read and publish RMS-protected content, they also provide easy-to-use functionality that can enable RMS when sharing new documents with other users.

Office 365

Azure RMS was built originally for Office 365, offering the easiest-to-manage RMS experience available. Also, because it resides in the cloud, users can access Office 365 from virtually any device or location.

Windows PowerShell

Azure RMS can be run using Windows PowerShell commands, or PowerShell can be used to connect other applications to the service.

Native vs. Share Protected

Once RMS integration is in effect, protecting individual files can be as simple as executing a right-click to bring up these protection options:

- Native or Protect In Place will protect the individual file as it is (in place).
- Share Protected will protect a copy of the file, while leaving the original file in its prior state.

RMS SDKs

Microsoft has recently released SDK 4.0. This includes AD RMS support, offline consumption, and a redesigned API. SDKs are available for all device types, including Android, iOS, and OS X.

Working with Azure RMS

This section provides an overview of the administrative capabilities and other integrations of Azure RMS, in addition to some of the steps users need to follow to unify all of the RMS offerings.

Administrative

Operating the administrative controls for Azure RMS is a straightforward process. Microsoft has made the experience consistent across the different platform types. Once deployment is complete, customers must activate the RMS service and then customize individual template types.

Microsoft is still refining monitoring and tracking functionality in Azure RMS, but the goal is for there to be a full administrative dashboard where individual documents and usage can be followed. This will not only follow what has been accessed, but also the attempted usage of critical documents.

Templates

Managing templates within Azure RMS was designed to be robust, yet easy to do. This is where policies governing document usage rights are created and saved. If a recurring document or file needs to receive consistent treatment per organizational standards, the option to save the template and reuse the same settings in the future is available here.


To create a template in Office 365, follow these steps:

1. To enable Azure RMS, click activate in the admin center.
2. To further manage and create your policy settings, which you can make available to your desired users, select additional configurations.
3. To save your policy usage settings as a template, fill out the required fields.

It is possible to further customize usage rights. For example, you can grant View rights to a Sales group while giving Author rights to an Engineering group. Additionally, you can easily manage your library of templates and edit them as desired.

Data Loss Prevention and Dynamic Access Control

As added enhancements, Azure RMS has further integrations with both Data Loss Prevention (DLP) and Dynamic Access Control (DAC).

DLP is an extension of Exchange that automatically protects content based on its properties and presents auto-generated tips when authoring an email (see Figure 5). The tips act as notifications to the sender, indicating for example that content will be automatically protected or that the message requires additional authorization from senior management.

Figure 5) Using DLP in Azure RMS

File Classification, which acts as the auditing and data oversight system for Windows Server 2012 and R2, integrates with DAC to provide a mechanism to discover important information on a file server, classify it, and then perform tasks against it such as automatically applying RMS. DAC can use either AD RMS or Azure RMS for access protection.

User interaction with documents

This section explores the steps required to send and receive a protected file, using screenshots from the free-to-use RMS for Individuals application. This example assumes you are finalizing a document in Word and you want to share a protected version with someone who works for a partner organization.

1. In the Ribbon of the Word document, locate the RMS Share Protected icon.
2. Click Share Protected. This opens a window that provides a quick and easy way to set the level of permissions using a slider.
3. Choose your settings, and then click Send. This creates and opens an email with an attachment, including default text explaining that you are attaching a protected document.

The recipient will be guided to download and install the free RMS sharing application to view the content with the rights granted by the sender. A mobile version of this app is also available, as Figure 6 shows.

Figure 6) Viewing an RMS-protected document on an iPhone

After the recipient logs in, he or she will be able to unlock the protected content and see the level of permissions granted.

Summary

Microsoft RMS addresses enterprise security without requiring your organization to make extensive changes or complete a complicated setup process. Executing the secure exchange of information and keeping track of which files are being accessed has never been easier.

Azure RMS offers the following data protection capabilities to customers:

- Protects virtually any file
- Enables users to share files with anyone
- Supports cloud, hybrid, and on-premises deployment options

Learn more

To further explore the capabilities of Azure RMS, visit some of the available resources from Microsoft’s RMS team.

- RMS website: www.microsoft.com/rms
- RMS blog: http://blogs.technet.com/b/rms/
- Enabling Azure RMS in Office 365 with Exchange and SharePoint
- How Applications Support Azure Rights Management
- Requirements for Azure Rights Management