Office 365 Information Protection using Azure Rights Management
Happy Tuesday,
This is a cross-post from our TechNet RMS Blog that we didn't want our developer audience to miss.
As promised, we're working on a series of blogs. This one was created with the help of Tejas on the team, so you may see comments replied to by a new name. Here we'll focus on organizations that are looking at or using Office 365. Enjoy!
Dan
Follow @TheRMSGuy for the latest updates
---------------------
If your organization is already using or planning on moving to Office 365, information protection is available to you via Azure Rights Management. Whether your information is on Office 365, mobile devices, computers, cloud drives, or file shares, you can now use Azure RMS to protect your data wherever it goes. Azure RMS gives your users an easy way to protect data, and gives your IT pros a way to apply additional controls across the organization.
Azure RMS is included with the E3, E4, A3, and A4 plans, or you can purchase Azure RMS as a standalone subscription. For more information about licensing, please view this post. There are several different services that integrate with Azure RMS: Office, SharePoint Online and Exchange Online.
Exchange Online
Exchange Online offers a very rich set of features that are integrated with Azure RMS.
- Rights Management in Exchange Online enables users to view and create rights-protected messages in Outlook, Outlook Web App via a browser, and OWA for iPad and iPhone.
- In addition, devices that have integrated with Exchange Active Sync for Rights Management, such as Windows Phone 8, enable users to view protected messages. Your users will always have a way to view rights protected content.
Exchange Online also uses RMS in conjunction with rich controls to protect your content via Transport rules and data leakage prevention (DLP). Using DLP with Transport rules gives an organization a backstop that helps prevent inadvertent data leaks and helps you meet compliance requirements by ensuring that your data is protected with your organization’s policies. For example, automated rules can be created to look for patterns of company confidential R&D information, payment card information, social security numbers, or patient data in health care organizations. Once Exchange Online identifies data that meets your criteria, the message can be protected by using Rights Management, ensuring that only the intended recipients have access to the message.
To aid with discovery, Exchange Online also provides search indexing on rights protected content and journal decryption to ensure your organization can use automated reasoning tools with the rights protected content.
SharePoint Online
Rights Management is supported within SharePoint Document Libraries. After configuring SharePoint for Rights Management, when a user downloads a file from a document library, RMS protection is applied according to the permissions that you specify. If the user is accessing SharePoint Online and does not have Microsoft Office installed, the protected content can also be viewed using a web browser and the Office Web Access Companion with SharePoint Online.
SharePoint provides a rich set of controls when using Rights Management. These controls include a set of granular permissions to specify what a user can do after downloading the document. Examples are cannot print, read only, and the ability to force a user to request permissions every time the document is opened.
In addition, Rights Management can also be enabled on SkyDrive Pro, to ensure your users’ data is always protected regardless of the storage location.
Applications
Rights Management is supported within Office 2010 and Office 2013. In addition, you can use the Rights Management Application (RMS App). This is a new application that works within the file explorer, Microsoft Office, and with many of today's popular devices to provide a streamlined experience to share content within and outside of your organization. The RMS App supports Windows, Windows Phone 8, iPhone, iPad, and Android. We’ll discuss our collaboration capabilities more in a later post. To use Office 2010 with Azure RMS, you must install the RMS App, which configures Office 2010 to work with Azure RMS. Here is a link to the user guide for the RMS App.
Migrating to Office 365
If your organization is in the process of migrating to Office 365 (you have users on Exchange Server or using SharePoint on premises), we have a new feature called the RMS connector that will enable protected content to work with your online services as well as your on-premises servers. Learn more about the RMS connector here: https://technet.microsoft.com/en-us/library/dn375964.aspx.
How do I get started?
By using the following steps, you can enable Azure RMS, SharePoint Online, and Exchange Online for information protection in just a few minutes. Do I really mean a few minutes? Yes, just a few minutes.
If you want to try this for yourself, by using a Trial Office 365 subscription, sign up here.
Activate Azure RMS
1. Log in to the Office 365 Portal at https://portal.microsoftonline.com
2. Go to service settings.
3. Select rights management, and then click Manage.
4. Click activate.
5. Confirm you want to activate Rights Management.
6. RMS is now activated and users can now protect files by using the RMS Application or Microsoft Office.
Enable SharePoint Online RMS Integration
1. Go to service settings, click sites, and then click View site collections and manage additional settings in the SharePoint admin center.
2. Go to Information Rights Management.
3. Select Use the IRM service specified in your configuration.
4. Click OK.
Enable a SharePoint Online Document Library to use RMS
1. Go to a document library and click PAGE.
2. Click Library Settings.
3. Click Information Rights Management.
4. Select Restrict permissions on this library on download and add your policy title and policy description. Click SHOW OPTIONS to configure additional RMS settings on the library, and then click OK.
Start using RMS functionality in SharePoint Online
1. Create a new document or upload an existing document to the document library with RMS enabled.
2. Download a document from the library. The document will be RMS protected.
Enable Exchange Online
1. Connect to your Exchange Online account by using Windows PowerShell.
2. Log in with this command:
- $LiveCred = Get-Credential
3. Begin configuration of Exchange Online:
(If you haven't previously run Windows PowerShell remote commands for Exchange Online, run the following command first: Set-ExecutionPolicy RemoteSigned)
- $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
- Import-PSSession $Session
4. Run the following commands to enable Rights Management within Exchange Online:
- Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
- Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
- Set-IRMConfiguration -InternalLicensingEnabled $true
For regions outside North America, substitute .NA. with .EU. for the European Union and .AP. for Asia, e.g.:
- https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
- https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
Optionally test the configuration by running the following command:
- Test-IRMConfiguration -sender user@company.onmicrosoft.com
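The Exchange Online steps above collected into one script, as an added example that is not part of the original post. The cmdlets and URLs are the ones listed above; the parameter names, the region validation, the process-scoped execution policy, the read-back with Get-IRMConfiguration and the session cleanup are additions made here.

```powershell
# Added example, not from the original post. Save as a .ps1 file and run it
# with -Region, -TestSender and -Credential (all three names are assumptions).
[CmdletBinding()]
param(
    # Region code as it appears in the key-sharing URLs above: na, eu or ap.
    [Parameter(Mandatory = $true)]
    [ValidateSet('na', 'eu', 'ap')]
    [string]$Region,

    # Mailbox passed to Test-IRMConfiguration, e.g. user@company.onmicrosoft.com.
    [Parameter(Mandatory = $true)]
    [string]$TestSender,

    # Exchange Online admin credential, e.g. the result of Get-Credential.
    [Parameter(Mandatory = $true)]
    [System.Management.Automation.PSCredential]$Credential
)

# Import-PSSession needs script execution. Scoping the policy to this process
# (instead of the machine-wide change in the step above) ends with the session.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force

# ValidateSet has already rejected anything other than na/eu/ap, so the host
# name can only be one of the three service URLs given above.
$keyUrl = "https://sp-rms.$Region.aadrm.com/TenantManagement/ServicePartner.svc"

$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://ps.outlook.com/powershell/' `
    -Credential $Credential -Authentication Basic -AllowRedirection -ErrorAction Stop
try {
    Import-PSSession $session | Out-Null

    # Same three configuration commands as step 4, stopping on the first failure.
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $keyUrl -ErrorAction Stop
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online' -ErrorAction Stop
    Set-IRMConfiguration -InternalLicensingEnabled $true -ErrorAction Stop

    # Read the settings back instead of assuming the changes were applied.
    $cfg = Get-IRMConfiguration
    $cfg | Select-Object InternalLicensingEnabled, RMSOnlineKeySharingLocation
    if (-not $cfg.InternalLicensingEnabled) {
        throw 'InternalLicensingEnabled is still false after configuration.'
    }

    # Optional end-to-end check from the last step above.
    Test-IRMConfiguration -Sender $TestSender
}
finally {
    # Close the remote session even when a step fails, so no authenticated
    # admin session is left open on the workstation.
    Remove-PSSession $session
}
```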