Microsoft Rights Management
Dan Plastina
Organizations share information. The Microsoft Rights Management services (RMS) offering helps
organizations keep their information secure, both inside and outside of the organization, by protecting
documents both at rest and in motion. Information protection is critical and, at this time, Microsoft is
redoubling its investment in RMS. This document outlines our newest feature set, with a strong emphasis
on the July preview deliverables. The following links complement this document with further information:
http://channel9.msdn.com/Events/TechEd/Europe/2013/WCA-B322 and WCA-B321
http://microsoft.com/rms and http://blogs.technet.com/b/rms
Microsoft RMS enables the flow of protected data on all important devices, of all important file types,
and lets these files be used by all important people in a user’s collaboration circle. Yes, RMS will now
protect any file type (not just Microsoft Office documents), let you access them on many devices (not
just Windows PCs), and enable sharing with other organizations (not just within your organization).
Furthermore, ITPros can perform simple, planned deployments of RMS or, if not deployed by the ITPro,
information workers (IWs) can adopt RMS on their own (dubbed ‘RMS for Individuals’) for free.
The Microsoft Rights Management suite is implemented as a Windows Azure service. For brevity, we
reference it within as Azure RMS so as not to confuse with Windows Server AD Rights Management
Services (aka ADRMS). It comprises a set of RMS applications that work on all your common devices, a
set of software development kits, and related tooling. By leveraging Windows Azure Active Directory,
the Azure RMS service acts as a trusted hub for secure collaboration where one organization can easily
share information securely with other organizations without additional setup or configuration. The other
organization(s) may be existing Azure RMS customers but if not, they can use a free Azure ‘RMS for
Individuals’ capability.
This offering is in preview as of July 29 followed by general availability in October. Follow our blog at
blogs.technet.com/b/rms for details. Also visit the updated www.microsoft.com/rms site.
The Elephant in the Room
There is no escaping the recent news. If you’ve not yet seen Microsoft’s blog on this matter, please take
a moment to read it now. In this section we’re going to ask that you consider this complex problem in
layers and not idiomatically; please don’t ‘throw the baby out with the bathwater’. Specifically, the
ability to protect and limit access to sensitive files from:
A) A broad base of your own internal employees
B) A collection of organizations you choose to collaborate with
C) Various exposure risks you are subject to when stored in the cloud
Each of these capabilities poses different challenges and it’s clearer now than ever that no solution can
address every possible aspect of data protection in every possible situation. Fortunately, you can solve
some of your data protection challenges now.
Let us begin with a few facts about Microsoft’s Azure-hosted Rights Management service:
• Azure RMS is at the core of the Rights Management suite and relies on Windows Azure services.
• A document is protected by RMS without the document being sent to the Azure service.
• Viewing or sharing protected documents is enabled without the documents themselves being sent
  to the Azure service.
• Sharing a file occurs without the document being relayed via the Azure RMS service.
Shared amongst all of the above statements: The Azure RMS service never sees your data. This is a
common misunderstanding about the RMS technology stack, and we want to set the record straight:
Actual customer content is never accessible to RMS data protection services, nor to anyone compelling
the service to do something on their behalf.
Let’s dive in deeper with a diagram of the fictional US company Contoso, who is sharing data. It is a very
accommodating company that shares data via the four modern data storage models:
1) The document is kept on premise. A presumption here is that the company has full control over its
security perimeter, something that may not always be true. This caveat aside, the document is
generally considered as being most private (note: we did not say ‘most secure’).
2) The document is shared with a second party named Fabrikam, a fictional company. The document
is shared, in private, via what both parties deem to be a secure means (e.g. email, USB storage).
3) The document resides in any cloud provider’s SaaS application. From there, it is shared with others.
4) The document resides in any cloud provider’s storage. From there, it is shared with others.
[Figure: Contoso (North America) sharing data with Fabrikam (Europe) via the four storage models
above (1 on premise, 2 direct sharing, 3 cloud SaaS, 4 cloud storage); cloud offers shown: Office 365,
Azure SaaS/PaaS/IaaS, SalesForce, Amazon Web Services, conventional SaaS offers, conventional
hosters; Azure AD and RMS at the hub]
In all four of these cases (1/2/3/4 above) the ITPro at Contoso, not Microsoft, was in charge of making
storage location and transfer transport policy choices (though we all know the users often make their
own choices). While those location and policy choices do have exposure related consequences, none of
them result in the Azure RMS service having access to the data. Microsoft RMS is file transport and file
storage agnostic. It operates on files only when they are ‘activated’ (protected, opened/consumed).
Tying this back with the A/B/C challenges above, the RMS offer is highly adept at handling the protection
at rest needs of scenario A (protection within the organization) and scenario B (protection of a private
communication between organizations).
For scenario C (data stored in the cloud; storage models 3 and 4 above) the considerations are more
complex given that data has left the trusted perimeter of Contoso and the partially-trusted perimeter of
Fabrikam. There is now a new actor that must provide a trusted storage perimeter in the eyes of the
Security Officer. The media frenzy over data protection has turned this into a statement of distrust for
the cloud but the savvy reader knows well that the problem is far more subtle than this narrow view.
We, the RMS team, often talk with customers whose own perimeter has been challenged by ‘unwanted
guests’. In this context one ITPro recently said to us, “You have far more to lose (your reputation; your
many SaaS/IaaS customers) than I do, so I must recognize the effort that you must be investing into
establishing cloud security and trust”. This ITPro was spot on; we are investing a huge effort.
The Microsoft RMS components are scrutinized closely as they play a critical role in the overall secure
document protection framework. Specifically, they enable the following:
A) The client SDKs protect the data within the runtime environment in which they are executing. This is normally
a PC (Windows or Mac) or a mobile Device (Windows RT, Windows Phone, iOS, or Android). The
device can also be a Windows server service (e.g. Exchange) or a solution provider’s value-add
offering (e.g. Data Leakage Prevention). Those runtimes use the RMS SDK to interact with the Azure
RMS service.
B) The Azure RMS server, when responding to client SDK requests, is responsible for the secure
encryption key interchange with the SDK in order to protect the data without the data going to the
Azure RMS service.
C) Once protected, the Azure RMS service plays key roles in document consumption:
a. The user must be authenticated – Azure RMS requests an authorization token from the
appropriate identity provider. Generally this is federated on-premise AD or Windows Azure
AD but we’ll seek to shortly offer support for Microsoft Account (aka LiveID) and Google IDs.
b. The user must be authorized – Azure RMS serves as a unified policy decision point and a
policy enforcement point to follow policies established by your organization. This is done by
having the RMS software process the document policy associated with a protected
document and then decide if user@Fabrikam.com should be granted permission to view the
document.
c. Every use must be logged – All user activity, successful or not, is logged in Azure RMS logs
enabling your IT staff to audit access. We are now working with third parties to render
distilled reports and/or dashboards from these logs.
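The split of duties in A/B/C above (the client protects locally, the service only handles wrapped keys, makes the authorization decision and logs every use, successful or not) can be made concrete with a small model. The code below is an added illustration written for this page, not Microsoft’s RMS protocol, SDK or service code; every name in it (TenantKeyService, protect_file, consume_file, denied_attempts, the log entry shape) is an assumption, and the HMAC-based keystream is a stand-in for the real symmetric cipher so that the example runs on the Python standard library alone. The point to observe is that request_use never takes the ciphertext or plaintext as an argument, while every request, granted or denied, lands in the log that an auditor would read.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher a real SDK would use (AES).

    HMAC-SHA256 in counter mode so the example runs on the standard
    library alone; encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class ProtectedFile:
    """What the client keeps and ships around; the service never sees it."""
    nonce: bytes
    ciphertext: bytes
    wrapped_content_key: bytes   # content key wrapped with the tenant key
    policy: dict                  # email -> set of rights, e.g. {"VIEW"}
    owner: str


@dataclass
class TenantKeyService:
    """Service side (hypothetical): holds the tenant key, decides and logs."""
    tenant_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    log: list = field(default_factory=list)

    def wrap_content_key(self, content_key: bytes, owner: str) -> bytes:
        # Publishing step: only the content key crosses the wire, never the file.
        nonce = secrets.token_bytes(16)
        self.log.append({"user": owner, "action": "PUBLISH", "granted": True})
        return nonce + _keystream_xor(self.tenant_key, nonce, content_key)

    def request_use(self, wrapped: bytes, policy: dict, owner: str,
                    user: str, right: str) -> bytes:
        # Consumption step: policy decision, enforcement and mandatory logging.
        granted = user == owner or right in policy.get(user, set())
        self.log.append({"user": user, "action": right, "granted": granted})
        if not granted:
            raise PermissionError(f"{user} lacks {right}")
        nonce, blob = wrapped[:16], wrapped[16:]
        return _keystream_xor(self.tenant_key, nonce, blob)


def protect_file(svc: TenantKeyService, plaintext: bytes, owner: str,
                 policy: dict) -> ProtectedFile:
    """Client side: encrypt locally, ask the service only to wrap the key."""
    content_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(content_key, nonce, plaintext)
    wrapped = svc.wrap_content_key(content_key, owner)
    return ProtectedFile(nonce, ciphertext, wrapped, policy, owner)


def consume_file(svc: TenantKeyService, pf: ProtectedFile, user: str,
                 right: str = "VIEW") -> bytes:
    """Client side: obtain the content key (if authorized), decrypt locally."""
    content_key = svc.request_use(pf.wrapped_content_key, pf.policy,
                                  pf.owner, user, right)
    return _keystream_xor(content_key, pf.nonce, pf.ciphertext)


def denied_attempts(svc: TenantKeyService) -> dict:
    """Audit helper: count denied requests per user from the service log."""
    counts: dict = {}
    for entry in svc.log:
        if not entry["granted"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: Alice at Contoso shares a file with Bob at Fabrikam, view only.
    svc = TenantKeyService()
    pf = protect_file(svc, b"Q3 forecast: confidential", "alice@contoso.com",
                      {"bob@fabrikam.com": {"VIEW"}})
    print(consume_file(svc, pf, "bob@fabrikam.com", "VIEW"))
    try:
        consume_file(svc, pf, "bob@fabrikam.com", "EDIT")
    except PermissionError as exc:
        print("denied:", exc)
    print("denied attempts per user:", denied_attempts(svc))
```

The owner is treated as implicitly holding every right; recipients get only the rights named in the policy. Because the policy travels with the file and the decision is taken by the service on each request, a recipient in another organization is evaluated against the same policy whether the file arrived by email, USB storage or a cloud drive.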
We hope that this section offered insight into the assurances we provide and the empowerment you
have in making key choices. Let’s now move on to describing RMS.
Promises of the new Microsoft Rights Management services
Users:
• I can protect any file type
• I can consume protected files on devices important to me
• I can share with anyone
  o Initially, I can share with any business user
  o I can eventually share with any individual (e.g. MS Account, Google IDs in CY14)
• I can sign up for a free RMS capability if my company has yet to deploy RMS
ITPro:
• I can keep my data on-premise if I don’t yet want to move to the cloud
• I am aware of how my protected data is treated
• I can control my RMS ‘tenant key’ from on-premise
• I can rely on Microsoft in collaboration with Partners for complete solutions
These promises combine to create two very powerful scenarios:
1) Users can protect any file type. Then share the file with someone in their organization, in another
organization, or with external users. They can feel confident that the recipient will be able to use it.
2) ITPros have the flexibility in their choice of storage locale for their data and Security Officers have
the flexibility of maintaining policies across these various storage classes. It can be kept on premise,
placed in a business cloud data store such as SharePoint, or it can be placed pretty much anywhere
and remain safe (e.g. thumb drive, personal cloud drive).
The next few sections will describe the various capabilities and experiences.
Users and their Document Protection Experience
The below screen shots are from applications made available to those who are accepted into the
preview. If you want to start looking at Azure RMS, please request participation in the preview.
Documents are now very well supported by RMS. There are several important dimensions:
• Users can protect any document type. The RMS API used by the RMS App or RMS-enlightened
  applications will do its best to protect the file in the most suitable format.
  o Native RMS-enlightened applications: DOC, DOCX, XLS, XLSX, PPT, PPTX, PDF
  o The free ‘RMS App’, an enlightened application itself: TXT, XML, JPG, JPEG, TIFF, GIF, BMP
  o Generically protected files are ‘wrapped’ and launched in the registered application.
    E.g. a Photoshop™ file becomes MyDrawing.PSD.PFILE. This protection offers access control
    without additional usage restrictions. Despite the lack of usage restrictions, you should not
    underestimate the value of authorization, education, and the ability to expire content.
• The user can publish or consume protected documents on Windows for computers, Windows for
  tablets, Windows for phones, iOS, Android, and Apple OSX. Web sites and other operating systems
  can participate in the RMS ecosystem via RESTful service APIs.
• Users can share these protected documents with users in their organizations, other organizations
  (B2B), and users who act as individuals (B2I; support for Microsoft Account and Google IDs comes later).
• Consumption of rights protected content is free. (More below on pricing)
Protecting a document is best experienced within an RMS-enlightened application. As application
developers utilize our new SDK, they will be providing a consistent user experience (UX) as the UX is
integrated into the SDK itself. Outside of an RMS-enlightened application, the user can protect a
document by using the RMS App’s integration in Windows and Apple OSX, as well as via Office toolbar
extensions. Generally stated, the capability is either Protect in place or Share Protected, with a special
affordance for capturing protected photos from mobile devices that have cameras.
• Protect (in place): This flow will protect the file in place. The user can then take other actions to
  share the file, if need be. This flow is most suitable for personal or cloud-drive file protection flows.
  The user will be given the choice of protecting with an organizational template, a previously saved
  user template, or create a new ad-hoc template.
• Share Protected: This flow will protect a copy of the selected file leaving the original file in its prior
  state (which could also be protected). This flow has the user addressing the document to people
  (email addresses) and selecting related permissions. Upon sending, an unprotected email will be
  sent with the protected document. The user can customize the email before it is sent.
• Share Protected (Camera): This flow will soon be available on mobile devices. The user will be
  permitted to take a picture and accept or retake it. Once selected, the above ‘Share Protected’ flow
  will apply and a protected JPG image will be attached.
Here is a visual example of sharing a sensitive file:
While in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application)
Note: An astute reader will notice that we added a button here instead of reusing what is already present in Office. Stated
plainly, we needed to alter fundamental behaviors such as user interface, underlying RMS SDK support, and authentication.
This new entry point mirrors the user interface you will see in the core OS views, as well as ISV applications.
You are then offered the protection screen. This screen will be provided by the SDK and thus will be the
same in all RMS-enlightened applications:
When you are done with addressing and selecting permissions, you invoke SEND. An email will be
created that is ready to be sent but you can edit it first:
Users and their Document Consumption Experience
In due time, the recipient of the above email simply opens the attachment to view it. This attachment,
depending on the file type, will invoke the correct application. As of the RMS preview, your system will
launch one of Word, Excel or PowerPoint for those respective files, the Foxit PDF Reader for protected
PDFs, or the RMS App for text, images, or generically protected files (PFILEs).
If the user has an RMS-aware identity, they will be able to log in. Here you see an email with a PJPG
(protected JPG). Upon opening, the user is asked to log in and then the image is rendered.
Note: In the July Preview, the mobile applications are not publicly available. We are prevented from
getting them into your hands until such time they have been accepted by the respective app stores. We
ask that you trust us as we used them to produce the above screen captures. The store distribution
acceptance process is underway and all will be released by/before our October general availability date.
Finally, in terms of enabling broad reach, recipients not in an RMS-supported organization can register
for Microsoft Rights Management for individuals. This self-service offering permits early department-level adoption of the RMS services with limited need for IT support. It is a free offer. This offer lets the
user consume and produce RMS protected content. The sign up process is simple:
1) The user is asked for their organizational email name: joe@contoso.com. At this time several
checks are made before an ad-hoc RMS account is created. In particular we check to see if the
parent organization already has a Windows Azure Active Directory tenant, if the user already
had an account, etc. Failing all these important checks, the user is given an ad-hoc account for
free. The below ITPro section offers more insight here as well as other IT-oriented advice.
2) To validate the user’s ownership of the cited ID, they are sent an email (Not shown below).
3) Once ownership is proven, the user is asked to provide a display name, a password, and country
in order for their account to be provisioned. These self-service RMS for Individuals accounts will
be re-validated on a monthly basis for users.
4) The user is prompted to install the RMS application upon completion. The RMS application
requires administrative permissions in order to be installed and it is required to be installed in
order to consume protected content in older versions of Microsoft Office.
In visual form: (Cropped to fit)
Try this live at https://portal.aadrm.com. Sign up for real or use the demo flow (<name>@contoso.com)
Users and their Email experience
An important class of information is email. Users can both consume and protect email within
enlightened email clients and servers. Microsoft Outlook 2013, when backed by Exchange 2013, works
with the Azure RMS offers out-of-the-box and offers fantastic new innovations that enable automatic
RMS protection. The RMS connector (covered below) also enables Microsoft Exchange on premise offers
to work with Azure RMS. Exchange Online, as part of the Office 365 suite, works directly with Azure
hosted RMS. This suite of offers enables a very usable means to protect email within your company.
These email offers are not subject to the RMS for Individuals offers – they are capabilities of the RMS-enlightened application. RMS itself does not offer any email protection capability.
ITPro and their Experiences
In a few short pages this section can’t begin to do justice to all the moving parts within. We’ve recorded
two 75min videos that we believe do a far better job: WCA-B322 and WCA-B321. We’ll instead focus here
on offering a quick overview. The www.microsoft.com/rms site also hosts much related information.
Deployment Topologies
The above-mentioned videos generally express three classes of organizations, and then describe the
associated RMS capabilities and the relationships with other workloads. In abstract form, the following
slide demonstrates exemplary infrastructure offers (Email, Portals, Storage) and their relationship to the
RMS deployment types.
Cloud Ready
The cloud ready organizations will find Office 365 very compelling. The combined offer has simplified all
aspects of configuration. Within that environment, RMS is very simple to enable – one button and deep
integration with Exchange, SharePoint, and the entire Office 2013 suite can be enabled. Through the
RMS application(s), users of Office 365 also benefit from generic protection of any file type and the
ability to collaborate with non-Office 365 organizations or individuals. This is, by far, the simplest way to
get started with RMS and is available for purchase now.
Cloud Hesitant
Cloud hesitant organizations generally have less of a drive to move to the cloud at this time. Reusing the
diagram above, a cloud hesitant organization is one that lives within the cross-hatch. Per the rationale
offered above, we expect the use of Azure RMS but exclude the use of cloud IaaS/SaaS offers. In other
words, a cloud hesitant customer for now will go for options 1) and 2) only as depicted in the illustration
below. Over time we expect the hesitancy to reduce and more customers will start to leave the crosshatch area for selective classes of services.
[Figure: the Contoso (North America) / Fabrikam (Europe) storage-model diagram from above, repeated
here with options 1 and 2 marked for the cloud hesitant organization]
Cloud Accepting
This organization type simply balances between being Cloud Ready and Cloud Hesitant.
Features, and how they relate
At the core we have the Microsoft Rights Management service. This service is hosted in Azure and
handles all service side duties for the overall offer. This Azure RMS service relies on Windows Azure
Active Directory and associated services (Directory Sync and Federation).
The Azure RMS service requires storage for the high value tenant keys at the core of RMS. Our key
management service (KMS) stores these RMS tenant keys with extreme security thanks to its reliance on
industry proven, FIPS compliant HSMs from our partner Thales (learn more: hardware security
modules). The KMS also offers related services such as the Bring-Your-Own-Key capability that lets
customers, well, bring their own key. Finally, both the Azure RMS service and KMS service require
logging and that’s implemented using our Near-realtime Logging service. A complementary whitepaper
on this offer is forthcoming.
At the core of our hybrid story is the Rights Management connector. The ‘connector’ pretends to be an
AD RMS server for the on-premise Exchange and SharePoint workloads. It then relays all requests to the
Azure-hosted RMS service. The connector is simpler to deploy than the current AD RMS offering as only
a pair of them (for high availability) are required for an organization and they can be deployed on
existing VMs/machines. No fault tolerant SQL servers are needed.
Common Configurations
The baseline configuration for all the below has you creating an Azure Active Directory tenant for your
organization (or reclaiming one that was created on your behalf by your RMS for Individuals users). The
purchased RMS service licenses can then be enabled for the users in your tenant. You now have RMS!
As part of this baseline, if you represent a larger organization, you will layer on other integrated services
such as: Azure AD directory sync, ADFS trust federation, HSMs with our bring your own key, near-realtime logging, and other forthcoming capabilities tuned for enterprises.
Before we detail these layered services, let’s first review some common deployments:
On Premise Email, within your company
On the server side, most of you will have an Exchange deployment with no form of information
protection. We enable you to quickly add the Microsoft Rights Management connector to your Exchange
deployments and configure it to interact with the RMS service. The result of this topology is that your
Exchange server is now fully RMS-capable by relaying protection traffic to the RMS service. As per the
opening section, your data NEVER leaves for the cloud. This is so simple that there is no excuse not
to do it.
On the client side, most of you will have a recent version of Office: 2010 or 2013. The 2013 client will
automatically recognize the RMS service and the 2010 client will automatically be made to work with
the RMS service once the RMS application is installed on your PC. If you are running Office 2007 and
can’t move to a more recent version, let us know. Microsoft Office for Mac does not support the Azure-based RMS service offering at this time. The Mac RMS application will however permit you to email
protected documents from the Apple Finder.
On the mobile device side, there are two waves of offers. The first is in market and relies on Exchange
Active Sync (EAS) -aware devices. Some of them (Windows Phone and Samsung yes, but not Apple)
support the EAS rights management capabilities and permit reading and replying to RMS protected
email. We ask that customers who need RM support on iPhones/iPads offer feedback (complain) to their
mobile account manager / Apple. The second wave centers on native RMS-enlightened mail clients with
full protection at rest and in motion. This wave can only begin once we release our developer SDKs.
On Premise file sharing, within your company
On the server side, many of you will have SharePoint. The above Exchange + RMS connector
configuration also works with SharePoint so you’d follow the same model.
Also on the server side, most of you will have Windows file servers. The Microsoft FCI/DAC offering is
also RMS aware. There are also PowerShell scripts that will connect FCI/DAC to the Azure-based RMS
service.
On the client side both native IRM support in Microsoft Office and our RMS application enable RMS. Of
note, the RMS application offers protection for file types other than Word, Excel, and PowerPoint. The
RMS application Office button bar extensions place this capability within reach of all users.
External Collaboration
The RMS application enables very simple point to point sharing with the RMS application as described
above. The benefit of point to point is that the transport does not matter – you can use SkyDrive™,
DropBox™, portable USB storage, email, FTP, or even P2P torrents. This use pattern simply requires
deploying the RMS application to your desktop and mobile phones. From there you can use the in-application buttons or the shell of your operating system (i.e. Windows File Explorer or Mac Finder). In
the details below we also suggest how you can ready yourself to receive protected content even if you
choose not to license your users to send protected content. This is important and wise to consider.
On the mobile device side, our RMS application supports the core behaviors (and will add more soon).
In addition to the above, RMS-enlightened applications can equally offer in-built file sharing capabilities.
These can be client based, server based, or even web based.
Office 365
The Microsoft Office 365 empowers your employees with virtually anywhere access to the latest Office
applications, offers advanced cloud-based IT services, and does so at predictable costs. This online suite
is RMS-enlightened and enabling RMS is trivial. Here’s a 3 minute video that shows enabling RMS in
Office 365, turning on Exchange’s RMS-aware DLP functionality, and enabling a SharePoint Secure library
that has checked out documents being RMS protected on egress.
Using the Microsoft Rights Management service
Here is a brief introduction on the specifics of getting started with each of the various moving parts
outlined above.
Enable the Azure-hosted Rights Management service
Existing Office 365 customers are ready to go. They can enable RMS with a simple checkbox in their
administration portal. Those who don’t currently use Office 365 can’t yet readily purchase the Azure
RMS standalone SKU but you are welcome to sign up for a free Office 365 E3 trial and then only use the
RMS features. (Footnote: Contact AskIPTeam@microsoft.com if you really need to buy it now.)
Windows Azure AD accounts
With a Windows Azure AD tenant in hand, you can enable tenant sync via the Directory Sync and
federation via the federation capability (or password sync). There are several reasons to proactively
enable these capabilities even if only for receiving content. There is value in turning on Windows Azure
AD and enabling DirSync without being an RMS license holder. Those are:
1) Using DirSync allows your users to receive protected content from external companies without
having them each creating an ‘RMS for Individuals’ ad-hoc account.
2) Federation enables your users to sign in vs having to create an ad-hoc account. This is important
as it eliminates the need for temporary one-month ad-hoc account life spans as well as permits
you to enforce organizational password policies.
3) Independent of Azure RMS, the Windows Azure AD and federated authentication services are
supported by a slew of other applications that are likely in use within your organization (and
they too could benefit from single sign on).
4) Windows Azure AD offers tenant branding (logos) to the tenant administrator.
In the absence of proactively setting up the above, the Azure RMS for Individuals offer will let individuals
use the Microsoft RMS services. An ‘RMS for Individuals’ ad-hoc account is simply an Azure AD tenant
that is created for the specific organization (not shared across organizations) and the user account is
added. There is no administrator for these tenants. If other users from the same organization create ad-hoc accounts, they are placed in this same ‘headless’ tenant. As stated above, these user accounts are
re-validated monthly. By way of example:
Joe@Contoso.com signs up
  → Tenant CONTOSO.COM is created
  → Joe’s user account is added to the CONTOSO.COM tenant
  → Joe’s account is given the RMS for Individuals SKU.
Jane@Contoso.com signs up
  → Tenant CONTOSO.COM exists and is reused
  → Jane’s user account is added to the CONTOSO.COM tenant
  → Jane’s account is given the RMS for Individuals SKU.
By the time we exit preview, an ITPro will be able to ‘convert’ these users to licensed users with no
impact to the user or the tenant. Once this is done, the ITPro will have full management capabilities for
these users. Stay tuned for an update to this document as those capabilities are released.
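The sign-up checks described in the user section (does the parent organization already have a tenant, does the user already have an account), the headless-tenant reuse shown for Joe and Jane, the monthly re-validation, and the ITPro conversion announced above can be written out as one small provisioning model. This is an added example for this page, not the Azure AD or RMS for Individuals implementation; Directory, Tenant, Account, register_managed_tenant, sign_up_individual and convert_to_licensed are assumed names, the 30-day window is this model’s reading of “monthly”, and the conversion mechanics are an assumption since the page only announces the capability.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# The page says self-service accounts are re-validated monthly; this model
# approximates "monthly" as 30 days (assumption).
REVALIDATION_DAYS = 30
INDIVIDUAL_SKU = "RMS for Individuals"


@dataclass
class Account:
    upn: str
    sku: str
    revalidate_by: Optional[date]    # None once an ITPro manages the account


@dataclass
class Tenant:
    domain: str
    headless: bool                   # True: ad-hoc tenant with no administrator
    users: Dict[str, Account] = field(default_factory=dict)


class Directory:
    """Hypothetical stand-in for the Windows Azure AD tenant registry."""

    def __init__(self) -> None:
        self.tenants: Dict[str, Tenant] = {}

    def register_managed_tenant(self, domain: str) -> Tenant:
        """An organization that has already set up its own administered tenant."""
        tenant = Tenant(domain.upper(), headless=False)
        self.tenants[domain.lower()] = tenant
        return tenant

    def sign_up_individual(self, email: str, today: date) -> Account:
        """Ad-hoc sign-up: run the checks the page lists, then grant a free account."""
        upn = email.lower()
        domain = upn.split("@", 1)[1]
        tenant = self.tenants.get(domain)
        # Check 1: does the parent organization already have a managed tenant?
        if tenant is not None and not tenant.headless:
            raise ValueError(f"{domain} already has a Windows Azure AD tenant; sign in there")
        # Check 2: does the user already have an account?
        if tenant is not None and upn in tenant.users:
            raise ValueError(f"{upn} already has an account")
        # No check found anything: create the headless tenant, or reuse it.
        if tenant is None:
            tenant = Tenant(domain.upper(), headless=True)
            self.tenants[domain] = tenant
        account = Account(upn, INDIVIDUAL_SKU, today + timedelta(days=REVALIDATION_DAYS))
        tenant.users[upn] = account
        return account

    def convert_to_licensed(self, domain: str, sku: str) -> int:
        """ITPro reclaims the headless tenant (mechanics assumed): the tenant
        gains an administrator and its accounts stop expiring monthly.
        Returns the number of accounts converted."""
        tenant = self.tenants[domain.lower()]
        tenant.headless = False
        for account in tenant.users.values():
            account.sku = sku
            account.revalidate_by = None
        return len(tenant.users)


if __name__ == "__main__":
    # Constructed walk-through mirroring the Joe/Jane example above.
    directory = Directory()
    joe = directory.sign_up_individual("Joe@Contoso.com", date(2013, 7, 29))
    jane = directory.sign_up_individual("Jane@Contoso.com", date(2013, 7, 30))
    print(directory.tenants["contoso.com"].domain, "headless:",
          directory.tenants["contoso.com"].headless)
    print(joe.upn, joe.sku, "re-validate by", joe.revalidate_by)
    print("converted:", directory.convert_to_licensed("contoso.com", "RMS"))
```

Two behaviours are worth noticing from a defender’s perspective: a domain that already has a managed tenant is never given a headless twin, so an organization that enables Windows Azure AD (see the DirSync rationale below) closes off ad-hoc account creation for its users; and the re-validation date exists only on headless accounts, which is exactly the temporary life span that federation removes.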
Enable Bring-Your-Own-Key
RMS has a very important key, the tenant key. Chief Information Security Officers (CISOs) often need to
use a key of their own provenance – sometimes for compliance reasons, sometimes because they are
migrating from their on-prem AD RMS. With the Bring-Your-Own-Key (BYOK) feature CISOs would
generate a key on their premise, using tools of their choice, in compliance with their own policies. This
key would then be securely imported into the Thales™ HSMs we use in our data center. The customer
has assurance that Microsoft operators cannot see or leak the key during the import as well as during
the running steady state.
Optionally, the customer can opt to push their key to the Azure RMS service’s HSMs with a 4 hour time
to live. Their on-premise infrastructure would do this automated push every 2 hours. We call this
capability ‘Key rejuvenation’ and it will be available nearing the RMS preview completion in September.
If the CISO or ITPro interrupts the upload of keys, the Azure RMS service ceases to function and the CISO
is assured that Microsoft has no access to their cached key once it expires. Once again, the Microsoft
Rights Management services never see your data [Ed note: sorry for being so repetitive on this point].
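The key rejuvenation contract (a 4 hour time to live in the service, a push every 2 hours from the customer, and a service that stops functioning once the pushes stop) is easy to reason about with a small simulation. The code below is an added example written for this page, not the Azure RMS or HSM implementation; RejuvenatedKeyCache, availability_timeline and tolerated_missed_pushes are assumed names, and the only figures taken from the page are the 4 hour TTL and the 2 hour push interval.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Figures from the whitepaper: the pushed key lives 4 hours in the service,
# and the customer's infrastructure pushes it every 2 hours.
KEY_TTL_SECONDS = 4 * 3600
PUSH_INTERVAL_SECONDS = 2 * 3600


@dataclass
class RejuvenatedKeyCache:
    """Hypothetical service-side holder of a customer-pushed key with a TTL.

    Models the contract described on the page, not the real HSM-backed
    implementation: once the TTL lapses without a fresh push, the key is
    gone and the service can no longer operate for that tenant."""
    key: Optional[bytes] = None
    expires_at: float = 0.0

    def push(self, key: bytes, now: float) -> None:
        """Customer push: (re)arms the key with a fresh 4-hour lifetime."""
        self.key = key
        self.expires_at = now + KEY_TTL_SECONDS

    def is_available(self, now: float) -> bool:
        """True while a pushed key has not expired; expiry purges it."""
        if self.key is not None and now >= self.expires_at:
            self.key = None          # expired: nothing cached remains
        return self.key is not None

    def get_key(self, now: float) -> bytes:
        """What the protect/consume path would call; fails closed on expiry."""
        if not self.is_available(now):
            raise RuntimeError("tenant key expired: customer stopped pushing")
        return self.key


def availability_timeline(push_hours: Iterable[int],
                          check_hours: Iterable[int]) -> Dict[int, bool]:
    """Replay customer pushes (in hours) and report, hour by hour, whether
    the service still holds a usable key. A push at hour h is applied
    before the check for hour h."""
    cache = RejuvenatedKeyCache()
    pending: List[int] = sorted(push_hours)
    timeline: Dict[int, bool] = {}
    for hour in check_hours:
        while pending and pending[0] <= hour:
            cache.push(b"constructed-customer-key", pending.pop(0) * 3600)
        timeline[hour] = cache.is_available(hour * 3600)
    return timeline


def tolerated_missed_pushes() -> int:
    """How many consecutive 2-hour pushes can fail before the 4-hour TTL
    lapses: TTL / interval - 1 (one miss is absorbed, a second is not)."""
    return KEY_TTL_SECONDS // PUSH_INTERVAL_SECONDS - 1


if __name__ == "__main__":
    # Constructed scenario: pushes at 0h, 2h and 4h, then the uploads are interrupted.
    for hour, ok in availability_timeline([0, 2, 4], range(0, 13)).items():
        print(f"hour {hour:2d}: {'key available' if ok else 'service stopped'}")
```

With the page’s numbers the service survives exactly one missed push: the last push at 4h keeps the key alive until 8h, after which every request fails closed. That margin is what makes the 2 hour push a deliberate operational commitment rather than a cosmetic refresh, and it is the knob a CISO would watch when deciding how quickly an interrupted upload should turn into an outage.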
Enable Realtime Customer-facing Logging
Security Officers can obtain logs from the Azure RMS service. They do so by purchasing Windows Azure
storage, and configuring (via PowerShell) the Azure RMS service to write the log entries to that storage.
This way the ITPro is in control of how much log data they maintain and who (e.g. 3rd party reporting
services; auditors; etc) can access these logs.
Deploy the RMS App for Computers and Mobile devices
The RMS applications will be available through all the appropriate stores as well as in the RMS for
Individuals signup flow, and subsequent confirmation email. ITPros can also download the MSI package
from the Microsoft RMS download center and make use of the ITPro -oriented silent setup options and
AD group policies.
Deploy Hybrid Connector; Configure Exchange and SharePoint
Deployment of a high availability RMS connector requires two or more VMs/servers. These roles
function across forests. Setup is merely a few simple screens. Once configured and connected to the
Azure RMS service, the ITPro for the RMS connector will work with the Exchange and SharePoint
administrators to understand which machines should be given access to the Connector’s relay services.
This is merely a task of granting servers permission to use the connector; everything else is automatic.
Enable Dynamic Access Control
The Windows Server Dynamic Access Control (DAC/FCI) role is able to work with both AD RMS and Azure
RMS. For the latter, a PowerShell script is available to connect the two.
Enable Office 365 Exchange Online
Exchange Online is made aware of the existence of Azure RMS when enabled. Once Exchange Online is
provisioned with the RMS tenant key, the ITPro can make use of the advanced Exchange Online DLP
offer within the broader Office 365 product suite.
Of note: The use of the BYOK feature is not currently supported with Exchange Online. The ITPro will
have two choices when using the two services together. The preferred option will be to use the software
generated RMS tenant key feature built into Azure RMS. This offer automatically provisions Exchange
online with the RMS key for it to use. The alternate option has the ITPro install an AD RMS server with a
software key, and then follow the steps to import your TPD into Exchange Online.
Enable Office 365 SharePoint Online
Enabling SharePoint Online Secure libraries is simply a task of creating a library, setting it to be a Secure
Library, and adjusting a few straightforward options to suit your needs. For example, the library owner can
choose to override the protection policies to use a security group for protection (rather than individual
protection). This permits one user to download a file and share it with others within the specified security
group without forcing a round trip back to SharePoint.
Summary of ITPro related offerings and activities
At this point we’ve introduced the key parts of a complete Microsoft Rights Management deployment.
More details will be provided to the selected TAP organizations, and eventually to the broader
community. If you want to start looking at RMS, please request participation in the preview.
Timelines for the Azure RMS services
The preview will take place from late July through late September with select organizations. The release of the
updated Microsoft Rights Management service is slated for early October.
The initial Azure RMS offer is focused on organizations that don’t have AD RMS deployed. That said,
Azure RMS will support coexistence with existing customers’ AD RMS deployments, but during the first
quarter or two of shipping we need to eliminate the added layer of complexity that would come with
coexistence of two RMS environments. We apologize in advance for what could appear as us ignoring
our loyal AD RMS customers!
For a variety of reasons, we strongly favor the use of the Azure-hosted Rights Management offering over
the existing AD RMS offering. Those reasons are: frictionless B2B collaboration, rich mobile device offers, far
faster agility in adding new capabilities, support for ad-hoc RMS user accounts for the recipients of your
sensitive documents, and ease of deployment.
Buying the Microsoft Rights Management service
RMS can be purchased directly via the Office 365 web portal or via your Microsoft account manager.
Available Now
- RMS can be purchased directly via the Office 365 portal as a user subscription license.
- The subscription covers use by all RMS-enlightened applications (e.g. Office, Office 365, Foxit PDF). It
  is a “Pay once, use with all RMS-enlightened applications” model.
- Cost is $2/user/month.
- Consumption of rights protected content is free. A license is required to protect content, be it
  manually done by the user or done by a service on behalf of the user.
- Azure RMS can be purchased as part of Office 365 suite offerings
  o It is included in E3/E4 and A3/A4 SKUs
  o It is available as an add-on to many other Office 365 SKUs.
Available Fall 2013
- Azure RMS can be purchased standalone for use with the Azure RMS Connector or third party
  RMS-enlightened applications.
- Azure RMS will be available via the Microsoft Enterprise Volume License programs (EA/EAS/EES)
- The Azure RMS subscription will include the rights to use AD RMS on-premises
- Enterprise CAL (ECAL) customers can add on the Azure RMS service
If you have any questions please get in touch with your Microsoft sales contact.
Developers
Application ISVs can enlighten their applications and solutions with RMS easily and quickly by utilizing
the Microsoft Rights Management developer platform on all important devices and operating systems.
There are a few important concepts worth mentioning in this introductory brief:
Code once, use everywhere
RMS-enlightened application developers write code once to protect documents. The RMS SDK takes care of
all the underlying details about the customer environment and topology, document expiration, certificate
renewals, policy updates and more. Our sample code and getting-started guidance make it extremely
easy for you to enable RMS.
RMS-enlightened applications are most desired given they enforce protection rights
RMS-enlightened applications enable individuals to protect and consume content. Content is protected
by using encryption and must be decrypted before it can be consumed. When the file is protected, the
individual applies permissions to the file such as the ability to print or edit. Your application will need to
honor these rights. The SDK will facilitate most of the protection flows and all initialization, but your
application must honor the permission enforcement requested of it. Our SDKs make enforcing the rights
easier by providing APIs to control permissions such as printing, saving, forwarding, etc. For more
details, see here.
The new SDKs do all of the RMS specific user interface work for you!
Mobile device applications will use the new v3 SDKs and benefit from Microsoft-provided user interfaces
for consumption and protection behaviors. This not only saves ISVs time to build protection support, it
also provides forward compatibility to new protection UX features. The RMS Application, built by
Microsoft, is a good example of the UX that the SDK provides / will provide.
Windows desktop based RMS applications utilize our powerful v2.1 SDK which doesn’t yet offer built-in
consumption and protection flows. It will before too long.
It is now easy to add RMS protection to your solutions
There is a class of applications that are quite simple to enlighten with RMS. These applications are
created by ‘solution providers’ or ITPros, and need to either protect or unprotect files. They are:
data leakage prevention (DLP) agents, search indexers, anti-virus software,
mobile device management (MDM) systems, and document management systems. They will utilize the
new File API available as part of the v2.1 SDK and/or PowerShell to protect and unprotect documents
easily and silently on the Windows platform (client or server).
A Protected file is a different file when persisted
The easiest way to implement protection of your file format is to simply use our SDK’s ability to create a
Protected File (PFILE) container. It encloses your file, such that your XYZ file is protected as a pXYZ file,
all from a stream based API. Our PFile format allows your application to immediately participate in the
existing RMS ecosystem.
Customizing your own RMS-enlightened file format is more complex. It also prevents an entire
ecosystem of solution partners from being able to protect your file formats in their solutions, given they
will all use the File API described above (which can protect any file to PFILE format while honoring your
file extensions). Nonetheless, if your needs require that you update your existing file format with
RMS information, our SDKs support your use case.
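The two ideas above, a container that encloses an arbitrary file under a new extension and a consuming application that must enforce the rights carried with it, can be shown together in a small model. The following Python is an added example written for this brief; it is not the RMS SDK, not the real PFILE format, and its HMAC-based stream cipher, container layout, MAGIC marker, DEMO_KEY and policy shape are all constructed stand-ins for the service-issued keys and licenses a real SDK handles:

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed marker for this toy container; it is NOT the real RMS PFILE format.
MAGIC = b"TOYP"
TAG_LEN = 32

# Demo content key, constructed for the example. In RMS the content key is
# wrapped for the tenant by the service; here the caller simply holds it.
DEMO_KEY = hashlib.sha256(b"constructed demo content key").digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 run in counter mode as a keystream.
    It stands in for the AES encryption a real SDK performs; XOR is its own
    inverse, so the same call decrypts."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _subkeys(content_key: bytes):
    """Derive separate encryption and MAC keys from the content key."""
    enc = hmac.new(content_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(content_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def protect(filename: str, plaintext: bytes, content_key: bytes, policy: dict):
    """Enclose any file in a protected container.

    Layout: MAGIC | header length | JSON header (original name, rights policy)
            | nonce | encrypted payload | HMAC tag over everything before it.
    The tag covers the header, so a recipient cannot edit the policy to grant
    themselves rights. Returns (new filename, container bytes); 'report.xyz'
    becomes 'report.pxyz', mirroring the XYZ -> pXYZ naming in the text."""
    enc, mac = _subkeys(content_key)
    nonce = os.urandom(16)
    header = json.dumps({"name": filename, "policy": policy}, sort_keys=True).encode()
    body = (MAGIC + struct.pack(">I", len(header)) + header
            + nonce + _keystream_xor(enc, nonce, plaintext))
    tag = hmac.new(mac, body, hashlib.sha256).digest()
    stem, ext = os.path.splitext(filename)
    return f"{stem}.p{ext.lstrip('.')}", body + tag


def unprotect(blob: bytes, content_key: bytes):
    """Verify integrity first, then decrypt. Returns (name, policy, plaintext)."""
    enc, mac = _subkeys(content_key)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("container was altered or the key is wrong")
    if body[:4] != MAGIC:
        raise ValueError("not a protected container")
    hlen = struct.unpack(">I", body[4:8])[0]
    header = json.loads(body[8:8 + hlen])
    nonce = body[8 + hlen:24 + hlen]
    return header["name"], header["policy"], _keystream_xor(enc, nonce, body[24 + hlen:])


def tamper_detected(blob: bytes, content_key: bytes) -> bool:
    """Flip one byte just before the tag and confirm the container is rejected."""
    altered = bytearray(blob)
    altered[-TAG_LEN - 1] ^= 0x01
    try:
        unprotect(bytes(altered), content_key)
    except ValueError:
        return True
    return False


class EnlightenedViewer:
    """A consuming application. Decryption gives it the bytes, but the policy
    in the container says what this user may do; each action checks it."""

    def __init__(self, blob: bytes, content_key: bytes, user: str):
        self.name, self.policy, self._content = unprotect(blob, content_key)
        self.user = user

    def has_right(self, right: str) -> bool:
        return right in self.policy.get(self.user, [])

    def _require(self, right: str):
        if not self.has_right(right):
            raise PermissionError(f"{self.user} lacks the '{right}' right on {self.name}")

    def view(self) -> bytes:
        self._require("view")
        return self._content

    def render_for_print(self) -> str:
        self._require("print")
        return self._content.decode()
```

The point to take from the model is the division of labour the text describes: the container keeps the file opaque and binds the rights policy to it under the integrity tag, but once an application holds the content key nothing in the bytes stops it from printing or forwarding. Enforcement lives in the application's own action paths, which is why the brief insists that an enlightened application must honor the rights it is handed.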
RESTful API access
We do not provide SDKs for platforms like Linux, RIM BlackBerry or the web site platforms,
which are too numerous for us to implement rich libraries for. For these platforms, we provide REST API
support, protocol documentation and a set of code samples (including open source code) to facilitate
application development. If a platform grows to be sufficiently important to you, we’ll consider adding
support.
In Closing
This document set out to:
1) Express what new work we’ve done in RMS; we hope that you will agree we did a lot!
2) Explain the value of this offer at a time when protecting information is of increasing importance
3) Offer a subjective view on the actions you can take now, versus waiting for the cure-all solution
4) Offer an overview of the moving parts involved in our offer.
We hope we have come close to or hit your target. If you want to start looking at RMS, please request
participation in the preview. If you have thoughts on how this document could be improved, please do
take a moment to share with our team.
Thanks for reading!
Cheers,
Dan Plastina on behalf of our RMS team