Information Protection and Control (IPC) in Office 365 with Azure Rights Management

Introduction

Every day, information workers use e-mail messages and collaboration solutions to exchange sensitive information such as financial reports and data, legal contracts, confidential product information, sales reports and projections, competitive analysis, research and patent information, customer records, employee information, etc.

Because people can now access their e-mail from just about anywhere, mailboxes have transformed into repositories containing large amounts of potentially sensitive information. Likewise, collaboration solutions enable people to share information within the enterprise but also across organizations. As a result, information leakage can be a serious threat to organizations. Leaks of confidential information can result in lost revenue, compromised ability to compete, unfairness in purchasing and hiring decisions, diminished customer confidence, and more. This risk demands effective Information Protection and Control (IPC) systems, which are not only secure but are also easy to apply, whether it's to e-mail messages sent or documents accessed inside an organization or outside the organization to business partner organizations.

IPC is also known as a different set of names including: data leakage prevention, data loss protection, content filtering, enterprise rights management, etc. All of these categories aim to prevent an accidental and unauthorized distribution of sensitive information.

Organizations can benefit from an effective IPC system in a number of ways, since it helps to reduce:

  • Violations of corporate policy and best practices,
  • Non-compliance with government and industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (Sarbox or SOX), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA or PIPED Act), the European Union Data Protection Directive (EUDPD 2003/58/EC), and Japan's Personal Information Privacy Act (PIPA), to name just a few,
  • Loss of intellectual property and proprietary information,
  • High-profile leaks of sensitive information,
  • Damage to corporate brand image and reputation.

To help secure this information and prevent information leakage, the Azure Rights Management service provides the ability to enable the use of digital rights management technology to organizations that choose to subscribe to Microsoft Office 365.

Microsoft Office 365 provides secure anywhere access to professional e-mail, shared calendars, instant messaging (IM), video conferencing, and document collaboration. It represents the cloud version of the Microsoft communication and collaboration products with the latest version of the Microsoft desktop suite for businesses of all sizes.

Note    For additional information on Office 365 in addition to the content of this paper, please refer to the product online documentation, the Office 365 Deployment Center along with Office 365 Deployment Guide for Enterprises, the Office 365 Tech Center Web site, and the Office 365 Community Web site (blogs, forums, wikis, etc.).

The Azure Rights Management service is included in the Office 365 Enterprise E3 and E4 plans. It can also be purchased as a standalone with these plans: Office 365 Enterprise E1, Office 365 Enterprise K1, Exchange Online Plan 1, Exchange Online Plan 2, and Exchange Online Kiosk.

Note    The Azure Rights Management service was formerly known as Windows Azure Active Directory Rights Management (Windows Azure AD Rights Management or AADRM). These terminologies are used interchangeably in the rest of this document. For additional information, please refer to the Azure Rights Management page.

Note    This document is intended to be used in conjunction with an Office 365 Enterprise subscription (E3 or E4 plans), and more specifically Exchange Online and SharePoint Online along with Office 365 ProPlus (or Office Professional 2013 and/or Office 2010).

The Azure Rights Management service provides software as a service (SaaS) for rights protecting content created and exchanged using Office 365 and Office.

Implementing a cloud-based rights management service on Windows Azure, the Azure Rights Management service provides an alternative to a full on-premises deployment of Microsoft Active Directory Rights Management Services (AD RMS), an information protection technology that enables AD RMS-enabled applications to protect digital content from unauthorized use, both online and offline, inside and outside of the organization's boundaries.

First shipped in the Windows Server 2003 timeframe, with its latest release in Windows Server 2012, AD RMS is a server role designed for organizations that need to protect sensitive and proprietary information such as confidential e-mail messages, financial reports, product specifications, customer data, etc. through persistent usage policies (also known as usage rights and conditions) by establishing the following core elements:

  • Trusted entities. Organizations can specify the entities, including individuals, groups of users, computers, devices, and applications that are trusted participants in an AD RMS system. By establishing trusted entities, AD RMS can help protect information by granting access only to properly trusted participants.
  • Usage rights and conditions. Organizations and individuals can assign usage rights and conditions that define how a specific trusted entity can use protected information. Examples of named rights are permission to read, copy, print, save, forward, and edit. Usage rights can be enhanced by conditions, such as when those rights expire. Organizations can exclude applications and entities (as well as non-trusted entities) from accessing the protected information.
  • Encryption. Encryption is the process by which data is locked with electronic keys. AD RMS encrypts information, making access dependent on successful validation of the trusted entities. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information in an AD RMS-enabled application or browser. The defined usage rights and conditions are then enforced by the application.

The usage policies remain with the information, no matter where it goes, even in transport, rather than the rights merely residing on an organization's corporate network. This also enables usage rights to be enforced after the information is accessed by an authorized recipient, both online and offline, inside and outside of the organization.

Similarly to AD RMS, by combining the above elements, the Azure Rights Management service prevents the accidental disclosure of sensitive data by applying usage policies.

Today with Microsoft Office 365, organizations can benefit from the Azure Rights Management service to have in place a comprehensive system that (automatically):

  • Controls, with Exchange Online, the distribution of information through proper inspection of e-mail messages and the application of the appropriate action, such as protect, block, alert, redirect, etc., in accordance with the corporate security and privacy policies;
  • Protects Office document workloads stored in the cloud with SharePoint Online, and protects online and offline access to information with support for Information Rights Management (IRM) in Office 365 ProPlus (or Office Professional Plus 2013) and Office 2010.

Exchange Online and SharePoint Online are a subset of the workloads offered by Office 365.

The Azure Rights Management service enables Rights Management integration within all the aforementioned workloads.

Compared to a classical on-premises AD RMS infrastructure, such a system is seamlessly enabled with no additional administrator installation or deployments required. With such a solution, no on-premises AD RMS server is required.

Objectives of this paper

This document is intended to help you preview and evaluate the Azure Rights Management service technology and, for that purpose, understand:

  • The Azure Rights Management service capabilities.
  • The features the Azure Rights Management service enables in Office 365.
  • How to configure and use Azure Rights Management service capabilities in Office 365, Office 365 ProPlus (or Office Professional Plus 2013), and Office 2010.

Beyond a short description of the Azure Rights Management service technology to introduce key concepts and requirements for the rest of the paper, and how it differs from on-premises Active Directory Rights Management Services (AD RMS), this paper further presents how to leverage, configure, and use the Azure Rights Management service technology in the organization's Office 365 Enterprise tenant(s), and more specifically with both Exchange Online and SharePoint Online in the Cloud, and with Office locally.

It contains step-by-step information on how to configure and use the Azure Rights Management service to perform rights protection on your corporate content, as well as other details and requirements that you need to make a successful evaluation of the Azure Rights Management service technology in your environment.

This document is intended for system architects and IT professionals who are interested in understanding the basics of the Azure Rights Management service technology.

Organization of this paper

To cover the aforementioned objectives, this document is organized by themes which are covered in the following sections:

  • A brief overview of the Azure Rights Management service;
  • Enabling the Azure Rights Management service in Office 365;
  • Configuring Exchange Online to use the Azure Rights Management service;
  • Configuring SharePoint Online to use the Azure Rights Management service;
  • Configuring and using Office 2010 IRM features;
  • Configuring and using Office 365 ProPlus IRM features.

Beyond an overview of the Azure Rights Management service, these sections describe how to enable the Azure Rights Management service in Office 365 and what you need to know to get started protecting, publishing and consuming IRM-protected content, as well as how to use such IRM features with Exchange Online, SharePoint Online and Office.

About the audience

This document is intended for system architects and IT professionals who are interested in understanding the basics of the Azure Rights Management service technology in the Cloud through Office 365.

A brief overview of the Azure Rights Management service

Organizations of all sizes are challenged to protect a growing amount of valuable digital information against careless mishandling and malicious use. The increasing impacts of information theft and the emergence of new regulatory requirements to protect data emphasize the need for better protection of digital information.

This digital information may include confidential e-mail messages, strategic planning documents, financial forecasts, contracts, dynamic, database-driven reports, and other sensitive information. The growing use of computers and devices to create and work with this information, the introduction of extensive connectivity through networks and the Internet, and the appearance of increasingly powerful computing devices have made protecting enterprise data a key security consideration.

In addition to the threats of theft and mishandling, a growing list of regulatory requirements adds to the ongoing task of protecting digital files and information. For example, the financial, government, healthcare, and legal sectors are increasingly taxed by the need to better protect digital files and information due to emerging regulatory standards such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) in the financial services market.

Digital information must be better protected. Although no form of information will ever be completely risk-free from unauthorized use and no single approach will shield data from misuse in all cases, the best defense is a comprehensive solution for safeguarding information.

As an essential part of an organization's overall security strategy, a solution for better Information Protection and Control (IPC) should provide the means to control how data is used and distributed beyond the use of simple access control. IPC is also known under various other names such as: data leakage prevention, data loss protection, content filtering, enterprise rights management, etc.

An IPC solution should indeed help protect an organization's records and documents on the company intranet, as well as from being shared with unauthorized users. It should help ensure that data is protected and tamper-resistant. When necessary, information should expire based on time requirements, even when that information is sent over the Internet to other individuals.

Such IPC capabilities (encryption, and usage rights expression and enforcement) are provided by the Azure Rights Management service.

The Azure Rights Management service provides the ability to enable the use of digital rights management technology for those organizations who choose to subscribe to Microsoft Office 365 Enterprise.

The Azure Rights Management service provides software as a service (SaaS) for rights protecting content created and exchanged using Office. By implementing a cloud-based rights management service running on Windows Azure, it provides an alternative to a full on-premises deployment of AD RMS for customers seeking lightweight information protection capabilities within Office 365 and other supporting (SaaS) applications.

The service is easy to set up and use, as illustrated in the rest of this document, and organizations can start protecting data within minutes of subscribing to Office 365. No on-premises infrastructure is required.

With the Azure Rights Management service, organizations can protect their data by encrypting it and managing usage rights, including Office documents, Exchange e-mail messages and attachments, and SharePoint document libraries across Office 365 Enterprise services and applications. The technology is highly integrated into Office 2010, Office Professional (Plus) 2013 (or Office 365 ProPlus), Exchange Online, and SharePoint Online, and offers a seamless experience for both end users and administrators in document authoring, e-mail, and SharePoint publishing.

Integrated within Exchange Online, SharePoint Online and Office, users use applications and services they are already familiar with today.

The Azure Rights Management service is initially focusing on customers whose e-mail (Exchange Online) and document workloads are stored in the cloud (SharePoint Online). It broadens rights management capabilities to a new set of customers and, in this context, it provides the core features needed for information protection.

The Azure Rights Management service enables secure collaboration by default within Office 365 tenants. In other words, it's enabled for Office 365 cross-tenant collaboration and anyone with an Office 365 ID can consume rights-protected content.

This capability is available in each workload for both Cloud Identities (CloudID) and Federated Identities (FederatedID).

Note    By default, users receive cloud credentials for signing in to services in Office 365 that are separate from their other desktop or corporate on-premises credentials. The Cloud Identities are mastered in the Cloud in Microsoft Azure Active Directory (Azure AD). (With the optional directory synchronization, the user IDs mastered on-premises can be synchronized to the Cloud in the form of Cloud Identities.)

In companies that leverage the single sign-on (SSO) feature of Azure AD, users can then sign in to Azure AD and/or services in Office 365 using their own corporate credentials. The user IDs are mastered on-premises and synchronized to the service in the form of Federated Identities.

For additional information on Federated Identities, see the white paper Active Directory from on-premises to the Cloud in this document series on the identity and security features of Office 365.

The Azure Rights Management service technology provides an organization with the following benefits:

  • Safeguard sensitive information. Applications and services such as Outlook 2010, Outlook 2013, Word 2010, Word 2013, Exchange Online, and SharePoint Online are enabled to help safeguard sensitive information.

    Users and Administrators can define who can open, modify, print, forward, or take other actions with the information. Organizations are provided rights policy templates such as "Company - Confidential View Only", which can be applied directly to the information. Organizations can also create their own custom ad-hoc rights policy templates;

  • Persistent protection with the data. The Azure Rights Management service persists protection of Office data when at rest and in motion. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information.

    Organizations remain in control of who has access to the data, whether in the Cloud, on-premises in the existing IT infrastructure, or on the individual's computer;

  • Closer management of rights and conditions. Organizations and individuals can assign usage rights and conditions using the Azure Rights Management service, which define how a specific trusted entity can use rights-protected content according to the business requirements. Examples of usage rights are: permission to read, copy, print, save, forward, and edit. Usage rights can be enhanced with conditions, such as rights expiration definition;
  • Rights management with Office 365. The Azure Rights Management service is integrated with Exchange Online, SharePoint Online, and other Office 2010/Office Professional Plus 2013 applications in order to provide rights management functionality across the Microsoft Office suite.

Note     For additional information on the Azure Rights Management service, see the online documentation on the Microsoft TechNet Web site as well as the several dedicated posts of the AD RMS Team Blog.

Features available in Office 365

As already stated, the Azure Rights Management service is included in the Microsoft Office 365 Enterprise E3 and E4 plans.

It can also be purchased as a standalone with these plans: Office 365 Enterprise E1, Office 365 Enterprise K1, Exchange Online Plan 1, Exchange Online Plan 2, and Exchange Online Kiosk.

Once purchased, the following Azure Rights Management service features are available in Office 365:

  • Exchange Online IRM Integration. The Azure Rights Management service enables users of Exchange Online to IRM-protect and consume e-mail messages (and attachments) in Microsoft Outlook and Microsoft Outlook Web App (OWA), and to consume IRM-protected e-mail messages (and attachments) via Exchange ActiveSync (EAS) on devices that have implemented IRM support, including Windows Phone 7.x and Windows Phone 8.

EAS provides synchronization of mailbox data between mobile devices and Exchange Online, so users can access their e-mail, calendar, contacts, and tasks on the go. EAS is supported by a wide range of mobile devices, including Windows Mobile 6.x, Windows Phone 7.x and Windows Phone 8, Nokia E and N series devices, Palm devices, Apple iPhone and iPad, and some Android phones.

Note    Implementation of specific EAS features varies by device and manufacturer. A community-maintained comparison of how Exchange ActiveSync features are implemented by various mobile clients is available at this Comparison of Exchange ActiveSync Clients page on Wikipedia. The EAS Logo Program helps organizations identify enterprise-ready mobile devices that have implemented key Exchange ActiveSync user features and management policies. A list of EAS Logo Program Qualified Devices is available in the article Exchange ActiveSync Logo Program on Microsoft TechNet.

Exchange Online administrators can enable additional features, such as transport rules, to ensure content is not inadvertently leaked outside of the organizational boundary and edit the content of the message to include disclaimers.

  • SharePoint Online IRM Integration. The Azure Rights Management service enables SharePoint Online administrators to create IRM-protected document libraries so that when a user checks out a document from the IRM-protected document library, protection is applied to the document no matter where it goes, and the user has the usage rights to that document as they were specified for the document library by the administrator.

By using IRM in SharePoint Online, you can define the usage restrictions, the policy renewal, and the users and distribution groups on a per-document-library basis. This enables control over which actions users can take on documents when they open them from libraries in SharePoint Online. This differs from the protection applied to documents stored on client computers, where the owner of a document can choose which usage rights to assign to each user of the document. SharePoint Online Preview also provides view-only capabilities for Web Access Companion Applications.

  • Office IRM Integration. The Azure Rights Management service enables Microsoft Office users to be able to IRM protect content using predefined policies provided by the service within an organization. Office applications that include these capabilities are Word, Excel, PowerPoint, Outlook, and InfoPath. Note that only Office 2010 and Office Professional Plus 2013 are supported for this release.
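The Exchange Online transport rule capability mentioned above (protecting messages with a template and adding a disclaimer) can be configured from Exchange Online remote PowerShell. The following is an added example, not code from the paper or from Microsoft: it assumes Exchange Online remote PowerShell access for a tenant administrator, a company name of "Contoso" (so the default template is named "Contoso - Confidential" as described in this paper), and a placeholder rule name and sender address.

```powershell
# Added example (not from the paper): an Exchange Online transport rule that
# applies an Azure RMS template to internal mail flagged "Confidential" and
# appends a disclaimer, followed by an IRM configuration check.
# Assumptions: "Contoso" is the tenant company name, so the default template is
# "Contoso - Confidential"; the rule name and sender address are placeholders.

$adminCred = Get-Credential -Message "Exchange Online administrator"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $adminCred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking

# Let Exchange Online obtain licenses for the tenant's RMS templates.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Confirm the templates are visible to Exchange Online before referencing one.
Get-RMSTemplate | Format-Table Name, Type

# Rights-protect messages whose subject or body contains "Confidential".
# The default templates only allow users inside the organization to open the
# content, so the rule is scoped to in-organization recipients; otherwise
# external recipients would receive mail they cannot read.
New-TransportRule -Name "Protect confidential internal mail" `
    -SentToScope InOrganization `
    -SubjectOrBodyContainsWords "Confidential" `
    -ApplyRightsProtectionTemplate "Contoso - Confidential" `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "<p>This message is rights-protected and may not be copied or printed.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# End-to-end check that a sender's mailbox can acquire licenses from the service.
Test-IRMConfiguration -Sender user@contoso.onmicrosoft.com

Remove-PSSession $session
```

Run Test-IRMConfiguration after creating the rule: it reports whether Exchange Online can reach the service and acquire a publishing license for the given sender, which is the usual first check when a protected message is not delivered as expected.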

Protecting content with the Azure Rights Management service

The Azure Rights Management service provides two ways to protect content: template-based rights and user-defined rights.

Default templates

The Azure Rights Management service provides default rights policy templates that represent common usage rights. Templates are predefined sets of usage rights, so that users can easily apply permissions to IRM-protected content.

As part of Office 365 Enterprise, the following core templates, which help restrict access to users within a company, are provided:

  • Company - Confidential. This template, when applied to content, prevents recipients (or users of the content) from copying and printing the content, whereas all other usage types are allowed.
  • Company - Confidential View Only. This template, when applied to content, only enables recipients (or users of the content) to read or view the content and does not allow any modification of the content from its original published form.

Important note    When either of these Azure Rights Management service templates is applied to content, only users within the organization are able to open the content.

Important note    The name of the above templates reflects the name of the company specified when signing up for an Office 365 Enterprise subscription. "Company" is indeed replaced by the company name. For our tenant, it will be "Microsoft France". Consequently, the two templates above are named "Microsoft France - Confidential" and "Microsoft France - Confidential View Only".

Custom templates

The Azure Rights Management service provides the ability to create custom templates that let you define the protection policies you would like to roll out within your organization.

Note    For information and instructions on how to configure custom templates, see the blog post Create custom templates in Azure RMS with the Azure Management Portal and the Microsoft TechNet article Foo.

User Defined Rights

When a more granular level of control is required, end users can also apply permissions manually by defining their own rights. Users can specify the users or groups that will be defined in the policy, as well as the specific usage rights on the content.

What can Microsoft see

Similarly to an on-premises AD RMS infrastructure, the Azure Rights Management service receives the publishing license, looks up the rights information, and constructs a use license for the authorized recipient/user.

Note        For additional information on licenses, see the blog post Licenses and Certificates, and how AD RMS protects and consumes documents.

The Azure Rights Management service never sees the data that you protect! This is an important point. You use the Azure Rights Management service just to manage your keys and distribute document-specific keys to authorized parties, both internal and external to your organization.

The Azure Rights Management service handles the following customer assets:

  • Your tenant root keys (protected by an HSM, non-recoverable)
  • User-specific keys and certificates
  • Document-specific symmetric keys
  • Configuration of your tenant
  • Request logs for your tenant

Microsoft uses these assets solely for the purpose of providing you the Azure Rights Management service. Microsoft is deeply committed to our customers' privacy.

Note        For additional information on this topic, see the Microsoft Rights Management Privacy Statement and Windows Azure Privacy statement.

Using RMS-enlightened applications

The Azure Rights Management service is built to work in conjunction with RMS-enlightened applications, i.e. applications that are able to consume and/or publish RMS-protected files, such as Office, Office 365, Foxit Enterprise Reader with the RMS PDF Plug-in Module, SECUDE End-to-End Information Security for SAP, etc.

Such applications provide data protection and rights enforcement by leveraging the RMS SDK 3.0, which is available on the most important platforms: Windows and Mac OS X computers, Windows RT tablets, Windows Phone, iOS, and Android devices, and any other environment through the RESTful APIs.

Enabling the Azure Rights Management service in Office 365

The following is a list of the step-by-step actions which need to be performed in order to enable and administer the Azure Rights Management service capabilities in an Office 365 Enterprise tenant.

Note    Before evaluating/leveraging the Azure Rights Management service functionality, you will need to configure user accounts using either the Microsoft Online Administration portal, the Windows Azure management portal, or the Exchange Admin Center (EAC). It is also a good idea to create mail-enabled security groups in Exchange Online ahead of time. For more information, see the article 2588125 How to manage Active Directory security groups and to mail-enable group objects in an Office 365 environment.

Note    For additional information, see the blog post Enabling Windows Azure AD Rights Management in Office 365 Enterprise Preview.

Signing up for an Office 365 Enterprise account

All the steps below require that you have previously signed up for an Office 365 Enterprise account.

This will provide you with a valid Office 365 Enterprise tenant where you can then enable the Azure Rights Management service, a user login and e-mail user account (such as user@idmgtn15.onmicrosoft.com) within that tenant.

To sign up to a Microsoft Office 365 Enterprise tenant, follow the instructions at http://www.microsoft.com/office/preview/en/office-365-enterprise.

Note    For more information, see the article Sign in to Office 365.

Once you have signed up and established your organization with an account in Office 365 Enterprise, enabling the Azure Rights Management service capabilities within Office 365 Enterprise takes just a few additional steps.

By default, the Azure Rights Management service is disabled when you sign up for your Office 365 account in Microsoft Office 365 Enterprise.

To enable the Azure Rights Management service for use in your Office 365 Enterprise tenant, you need to either:

  1. Use the Office 365 admin center.

-or-

  2. Use the Azure Rights Management service from Windows PowerShell.
  • First connect to the Azure Rights Management service from Windows PowerShell with the Azure AD Rights Management administration module for Windows PowerShell.

Note    Windows PowerShell is a task-based command-line shell and scripting language that is designed for system/service administration and automation. It uses administrative tasks called cmdlets. Each cmdlet has required and optional arguments, called parameters, that identify which objects to act on or control how the cmdlet performs its task. You can combine cmdlets in scripts to perform complex functions that give you more control and help you automate the administration of Windows, applications and online services in the Cloud. It has become a common way to manage the latest generation of Microsoft products and services.

For more information about Windows PowerShell, please see the Windows PowerShell Web site, the Windows PowerShell online help, and the Windows PowerShell Weblog Windows PowerShell Software Development Kit (SDK) that includes a programmer's guide along with a full reference.

  • And then enable it for use by using the Enable-Aadrm cmdlet provided with the Azure AD Rights Management administration module for Windows PowerShell.

Note    The Windows Azure AD Rights Management administration module for Windows PowerShell should only be used as needed for administrators and users of other service portals. For more information on this advanced alternative procedure, see the Microsoft TechNet article Enabling the rights management service.

Once activated, the Azure Rights Management service can then be administered via Windows PowerShell and/or through the Office 365 admin center.
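The PowerShell path described above (connect with the Azure AD Rights Management administration module, then enable the service with Enable-Aadrm), written out as an added example that is not part of the original paper. It also lists the tenant's rights policy templates so that the two default "Company - Confidential" templates described earlier can be verified. Connect-AadrmService, Get-Aadrm, Enable-Aadrm, Get-AadrmTemplate and Disconnect-AadrmService are cmdlets of that module (Get-AadrmTemplate in module versions that include template management); the administrator account shown is a placeholder.

```powershell
# Added example (not from the paper): enable the Azure Rights Management
# service for an Office 365 tenant with the Azure AD Rights Management
# administration module for Windows PowerShell, then verify the result.
# Assumes MOS SIA 7.0 and the administration module are installed (see the
# requirements in this paper). The administrator account is a placeholder.

Import-Module AADRM

# Prompt for the tenant global administrator credentials instead of
# embedding a password in the script.
$adminCred = Get-Credential -Message "Office 365 tenant administrator (e.g. admin@contoso.onmicrosoft.com)"

Connect-AadrmService -Credential $adminCred

# The service is disabled by default on a new tenant. Enable it only when it
# is not already enabled, so the script can be re-run safely.
$state = Get-Aadrm
if ($state -ne "Enabled") {
    Enable-Aadrm
    $state = Get-Aadrm
}
Write-Host "Azure Rights Management service state: $state"

# List the published templates; the two default ones should appear as
# "<Company> - Confidential" and "<Company> - Confidential View Only".
Get-AadrmTemplate | Select-Object TemplateId, Names, Status | Format-List

Disconnect-AadrmService
```

Checking Get-Aadrm before calling Enable-Aadrm keeps the script idempotent, which matters when the same script is kept as the documented enabling procedure for several tenants.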

The next sections describe how to enable and configure the Azure Rights Management service using either Windows PowerShell or the Office 365 admin center.

Preparing for the Azure Rights Management service with Windows PowerShell

In order to connect a Windows PowerShell command shell to the Azure Rights Management service using an Office 365 Enterprise tenant account, the local computer being used must meet the following requirements:

  • Windows Vista Service Pack 2 (SP2), Windows 7 Service Pack 1 (SP1), Windows 8, Windows Server 2008 R2, Windows Server 2012 or above (x64 platforms only);
  • Windows PowerShell 2.0 or above;
  • Microsoft Online Services Sign-In Assistant (MOS SIA) 7.0;
  • Azure Active Directory Module for Windows PowerShell;
  • Azure Rights Management administration module for Windows PowerShell.

Windows PowerShell 2.0 is already installed on computers running Windows 7 or Windows Server 2008 R2 and above.

.NET Framework 4.0 or above is needed by the last component listed above (the Azure Rights Management administration module for Windows PowerShell). See the Microsoft .NET Web site.

The procedure steps below cover the setup and the configuration (if any) of the last three components (Online Sign-In Assistant, Azure Active Directory Module for Windows PowerShell and Azure Rights Management administration module for Windows PowerShell).

Installing the Microsoft Online Services Sign-In Assistant

The Microsoft Online Services Sign-In Assistant (MOS SIA) 7.0 must be installed in order to authenticate against the Azure Rights Management service.

Note    The Microsoft Online Services Sign-In Assistant (MOS SIA) 7.0 provides end-user sign-in capabilities to Microsoft Online Services, such as Office 365 and the Azure Rights Management service. In the context of this paper, the MOS SIA is used to authenticate users to these services through a set of dynamic link library files (DLLs) and a Windows service, as described in the community article Description of Microsoft Online Services Sign-In Assistant (MOS SIA).

To install the Microsoft Online Services Sign-In Assistant (MOS SIA) 7.0, proceed with the following steps:

  1. Download the Microsoft Online Services Sign-In Assistant (MOS SIA) 7.0 (msoidcli_64bit.msi) from the following link: Microsoft Online Services Sign-In Assistant for IT Professionals RTW and click Run to install.

Note    This download is intended for IT Professionals, for distribution to managed client systems as part of an Office 365 client deployment, via System Center Configuration Manager (SCCM) or similar software distribution systems. For users who are installing Office 365 Enterprise by means of the Office 365 Desktop Setup application, this download is not necessary, because the MOS SIA is installed as part of the Desktop Setup process. For more information about the Office 365 desktop setup, see the Office 365 online help topic Set up your desktop for Office 365.

The wizard Microsoft Online Services Sign-in Assistant Setup starts.

  2. On the license terms page, select I accept the terms in the License Agreement and Privacy Statement and click Install. A User Account Control dialog pops up.

  3. In the User Account Control dialog, click Yes to execute the setup.

  4. On the completion page, click Finish.

Installing the Azure Active Directory Module for Windows PowerShell

The Azure Active Directory Module for Windows PowerShell provides corporate administrators the ability to complete many Azure AD/Office 365 tenant-based administrative tasks within Windows PowerShell.

A Windows PowerShell "module" is a package that contains Windows PowerShell commands, cmdlets, providers, functions, variables, and aliases. The Azure Active Directory Module for Windows PowerShell is a separate installation package which includes cmdlets specifically designed for Azure AD tenant-based administration.

Note    For more information, see the article Manage Windows Azure AD by using Windows Powershell.

The Azure Active Directory Module for Windows PowerShell cmdlets mirror the administrative functions tenant administrators can complete with the Microsoft Online Services Portal (MOP). Administrators can leverage the Azure Active Directory Module for Windows PowerShell cmdlets to streamline Windows Azure AD/Office 365 tenant-based administrative tasks that would otherwise be time consuming in the MOP GUI environment (such as running administration tasks in bulk against a set of users). The Azure Active Directory Module for Windows PowerShell cmdlets were previously known as the Microsoft Online Services Module for Windows PowerShell cmdlets.

Administrative privileges are needed on the local computer in order to install the Windows Azure Active Directory Module.

In order to install the tool, proceed with the following steps:

  1. Download the Azure Active Directory Module for Windows PowerShell (AdministrationConfig-en.msi) from the following URL: Azure Active Directory Module for Windows PowerShell (64-bit version) and click Run to execute the module setup.

The Azure Active Directory Module for Windows PowerShell Setup wizard starts.

  2. On the Welcome page, click Next.

  3. On the License Terms page, select I accept the terms in the License Terms and click Next.

  4. On the Install Location page, accept the default installation location and click Next.

  5. On the Ready to Install page, click Install. A User Account Control dialog pops up.

  6. Click Yes to execute the setup. (The previous program name "Microsoft Online Services" is still being used in the dialog.)

  7. On the completion page, click Finish.

Installing the Azure Rights Management administration module for Windows PowerShell

The Azure Rights Management administration module provides a set of Windows PowerShell cmdlets that provide administrative (advanced) capabilities for the Azure Rights Management service.

To connect Windows PowerShell to the Azure Rights Management service, proceed with the following steps:

  1. Open the %WINDIR%\System32\WindowsPowerShell\v1.0 folder and ensure that your Powershell.exe.config file contains the following XML data:
<?xml version="1.0"?>
<configuration>
    <startup useLegacyV2RuntimeActivationPolicy="true">
        <supportedRuntime version="v4.0.30319"/>
        <supportedRuntime version="v2.0.50727"/>
    </startup>
</configuration>
  2. Download the Azure Rights Management administration module (WindowsAzureADRightsManagementAdministration.exe) for Windows PowerShell from the following link: Azure Rights Management administration module for Windows PowerShell and click Run to install the Azure Rights Management administration module.

A User Account Control dialog pops up.

  3. Click Yes to execute the setup.

  4. On the Welcome page, click Next.

  5. On the End-User License Agreement page, select I accept the terms in the License Agreement and click Next.

  6. On the Ready to Install page, click Install.

  7. On the completion page, click Finish.

Connecting Windows PowerShell to the Azure Rights Management service

Now, you need to proceed with a couple of configuration changes before being able to administer the Azure Rights Management service's settings for your Office 365 Enterprise tenant.

First connect Windows PowerShell to the Azure Rights Management service, using the following instructions:

  1. Open a 64-bit elevated Windows PowerShell command prompt.
  2. Then import the module and connect to the Azure Rights Management service for your Office 365 Enterprise tenant by typing the following commands:
PS C:\Windows\system32> Import-Module AADRM
PS C:\Windows\system32> Connect-AadrmService -Verbose

You will be prompted for your credentials.

  3. Enter your Office 365 Enterprise credentials when prompted and wait to be authenticated. In the Windows PowerShell Credential Request window that opens, provide the credentials of an Office 365 Enterprise account that holds the Global Administrator privilege, such as:

Username: admin@idmgtn15.onmicrosoft.com

Password: ****************

Note    By default, global administrators are able to administer the Azure Rights Management service.


In step 2, you can also create a PSCredential object by using a script or by using the Get-Credential cmdlet, and then pass that PSCredential object to the Credential parameter.

The following example shows how to create credentials.

PS C:\Windows\system32> $Cred = Get-Credential "admin@idmgtn15.onmicrosoft.com"

The following shows how to set the Credential parameter to these credentials.

PS C:\Windows\system32> Connect-AadrmService -Verbose -Credential $Cred

If the acting credentials do not have tenant-level permission to perform the task, the Azure Rights Management service returns a terminating error.

Once connected, the Azure Rights Management administration module provides a set of Windows PowerShell cmdlets that provide administrative (advanced) capabilities for the Azure Rights Management service.

More specifically, the cmdlets listed in Table 1 below enable configuring and viewing the Azure Rights Management service for an Office 365 Enterprise tenant.

Table 1: Windows PowerShell cmdlets for Azure Rights Management service

Cmdlet | Description
Connect-AadrmService | Opens a connection to the Azure Rights Management service.
Disconnect-AadrmService | Closes a connection to the Azure Rights Management service.
Disable-Aadrm | Disables the Azure Rights Management service.
Enable-Aadrm | Enables the Azure Rights Management service.
Get-AadrmConfiguration | Returns the current configuration of the Azure Rights Management service, including information on all feature states, and configuration data for rights management.
Add-AadrmRoleBasedAdministrator | Adds a member user or group to the list of those that are able to administer the Azure Rights Management service.
Get-AadrmRoleBasedAdministrator | Lists the member users or groups that can administer the Azure Rights Management service.
Remove-AadrmRoleBasedAdministrator | Removes a member user or group from the list of those that are able to administer the Azure Rights Management service.
Get-AadrmAdminLog | Generates a log of administrative commands performed against the Azure Rights Management service.
Enable-AadrmSuperUserFeature | Enables the Azure Rights Management service super user feature to provide all rights to access protected content for specified users.
Add-AadrmSuperUser | Assigns super user rights to a user by e-mail address within your organization.
Get-AadrmSuperUser | Lists users within your organization who have super user privileges.
Remove-AadrmSuperUser | Removes super user rights from a user by e-mail address within your organization.
Get-AadrmMigrationUrl | Returns the currently set migration URL for the Azure Rights Management service installations that have migrated to AD RMS.
Set-AadrmMigrationUrl | Sets the migration URL for use in migrating away from the Azure Rights Management service.

Note    For additional information, see the online help topics Administering rights management and Known Issues for Windows Azure AD Rights Management.

Enabling the Azure Rights Management service

As noted previously, the Azure Rights Management service is disabled by default when you sign up for your Office 365 account in Office 365 Enterprise. To enable the Azure Rights Management service for an Office 365 Enterprise tenant, the tenant administrator needs to first connect to the Azure Rights Management service and then enable the service.

Enabling the Azure Rights Management service from Windows PowerShell

To enable the Azure Rights Management service from a Windows PowerShell command shell, proceed with the following steps:

  1. Connect Windows PowerShell to Azure AD Rights Management as described in the previous Section § Connecting Windows PowerShell to the Azure Rights Management service.
  2. In the elevated Windows PowerShell command prompt window, type the following command to enable the Azure Rights Management service for the Office 365 Enterprise tenant:

PS C:\Windows\system32> Enable-Aadrm

In order to support rights protection of content, this action is required for all new tenant deployments of the Azure Rights Management service.

  3. View the current configuration for the tenant by running the Get-AadrmConfiguration cmdlet:

PS C:\Windows\system32> Get-AadrmConfiguration

BPOSId                                    : b106f2c4-06b2-4ca6-b92e-f5feeb284532
RightsManagementServiceId                 : 5fd817cb-2d48-41dd-bc9a-25b81858751c
LicensingIntranetDistributionPointUrl     : https://5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com/_wmcs/licensing
LicensingExtranetDistributionPointUrl     : https://5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com/_wmcs/licensing
CertificationIntranetDistributionPointUrl : https://5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com/_wmcs/certification
CertificationExtranetDistributionPointUrl : https://5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com/_wmcs/certification
AdminConnectionUrl                        : https://admin.eu.aadrm.com/admin/admin.svc/Tenants/5fd817cb-2d48-41dd-bc9a-25b81858751c
OnPremiseDomainName                       :
Keys                                      : {92c7e3bc-26a6-4046-8154-9d75f54290cc}
CurrentLicensorCertificateGuid            : 92c7e3bc-26a6-4046-8154-9d75f54290cc
Templates                                 : {176af282-7354-42d2-952a-e7bb5839d581, 2ecf1998-8ced-4026-98e9- 
                                           f15a0669e896}
FunctionalState                           : Enabled
SuperUsersEnabled                         : Disabled
SuperUsers                                : {}
AdminRoleMembers                          : {}
KeyRolloverCount                          : 0
ProvisioningDate                          : 18/03/2013 10:36:23

For regions outside the European Union, .eu. is replaced in the above URLs by .na. for North America or .ap. for Asia Pacific, for instance:

e.g.: https://<RightsManagementServiceId>.rms.na.aadrm.com/_wmcs/licensing for North America
e.g.: https://<RightsManagementServiceId>.rms.ap.aadrm.com/_wmcs/licensing for Asia Pacific

  4. Close the connection with the Azure Rights Management service.

PS C:\Windows\system32> Disconnect-AadrmService

After completing these steps, the tenant should be enabled.
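The procedure above enables the service and Table 1 lists the cmdlets that govern who can administer it and who holds super user rights. The following script is an added example (not from the white paper): it performs the enablement idempotently, verifies the resulting state, and then reviews the privileged principals, since super users can open any protected content in the tenant. It assumes the AADRM module is installed and that the credential supplied is an Office 365 global administrator; the log file path is an assumption.

```powershell
# Added example (not from the white paper): enable Azure RMS only if it is not
# already enabled, verify the result, and then review who can administer the
# service and who holds super user rights. Assumes the AADRM module is installed
# and the credential is an Office 365 global administrator.
Import-Module AADRM

$cred = Get-Credential -Message "Office 365 global administrator"
Connect-AadrmService -Credential $cred

try {
    $before = Get-AadrmConfiguration
    if ($before.FunctionalState -eq 'Enabled') {
        Write-Host "Azure RMS is already enabled for tenant $($before.BPOSId)"
    }
    else {
        Enable-Aadrm
    }

    $config = Get-AadrmConfiguration
    if ($config.FunctionalState -ne 'Enabled') {
        throw "Azure RMS is still $($config.FunctionalState); review the Enable-Aadrm output"
    }

    # Distribution points that Exchange Online and the clients rely on
    $config | Select-Object RightsManagementServiceId,
                            LicensingExtranetDistributionPointUrl,
                            CertificationExtranetDistributionPointUrl |
        Format-List

    # Privileged principals: delegated administrators and super users.
    # Super users can open any protected content in the tenant, so the feature
    # should stay disabled unless eDiscovery or data recovery requires it.
    Write-Host "Role-based administrators:"
    Get-AadrmRoleBasedAdministrator | Format-Table -AutoSize

    $superUsers = @(Get-AadrmSuperUser)
    if ($config.SuperUsersEnabled -eq 'Enabled') {
        Write-Warning "Super user feature is ENABLED for: $($superUsers -join ', ')"
    }
    elseif ($superUsers.Count -gt 0) {
        Write-Host "Super user feature disabled; $($superUsers.Count) user(s) staged: $($superUsers -join ', ')"
    }

    # Keep a copy of the administrative command log for review (path is an assumption)
    $logPath = Join-Path $env:TEMP 'aadrm-admin-log.txt'
    Get-AadrmAdminLog -Path $logPath -FromTime (Get-Date).AddDays(-30)
    Write-Host "Admin log written to $logPath"
}
finally {
    Disconnect-AadrmService
}
```

The try/finally ensures the connection is closed even when the state check throws, and the SuperUsersEnabled and SuperUsers values checked here are the same fields shown in the Get-AadrmConfiguration output above.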

Enabling the Azure Rights Management service from the Office 365 admin center

To enable the Azure Rights Management service from the Office 365 admin center (in lieu of the Windows PowerShell procedure described in the previous section), proceed with the following steps:

  1. Navigate to the Office 365 admin center at https://portal.microsoftonline.com and log in with your administrative credentials.
  2. In the left pane of the Office 365 admin center, click Service Settings.
  3. From the Service Settings page, click Rights Management.
  4. Under Protect your information, click Manage.
  5. Under Rights Management, click activate.
  6. When prompted Do you want to activate Rights Management?, click activate.

After completing these steps, your tenant should be enabled.

Configuring Exchange Online to use the Azure Rights Management service

Exchange Online allows you to use Information Rights Management (IRM) features to protect specific e-mail content inside and outside your organization. These features allow end users or corporate administrators to apply (policy) rules to e-mail messages, which help control how e-mail messages are forwarded or replied to, or define who can view the content of the message.

Once IRM services are enabled with Exchange Online, these (policy) rules can be applied directly to messages by users, by transport rules that corporate administrators configure for e-mail messages in transit, or automatically by Outlook protection rules with the Outlook client. The following sections provide more details about these capabilities.

Note    For more information, see the blog post Configure Exchange Online Preview to use Windows Azure AD Rights Management.

Office 365 Enterprise improves the set up (and end user experience) for IRM with Exchange Online.

With Exchange Online, you can now leverage the Azure Rights Management service to provide IPC; you are therefore no longer required to implement AD RMS on-premises and integrate it with Exchange Online, as described in the white paper Information Protection and Control (IPC) in Microsoft Exchange Online with AD RMS and the online help topic Set Up and Manage Information Rights Management in Exchange Online. When integrating on-premises AD RMS with Exchange Online, it was required to configure the rights policy templates that define the (policy) rules and to upload these templates to Exchange Online to ensure the rules were honored across the organization.

After enabling the use of the Azure Rights Management service (see Section § Enabling the Azure Rights Management service in Office 365), all you have to do is to activate IRM services with Exchange Online to protect e-mail messages. This requires no on-premises deployment.

Enabling IRM services with Exchange Online requires some additional configuration within your Office 365 Enterprise tenant deployment. Enabling the IRM services can be achieved from within the Exchange Admin Center (EAC), but before doing so, you first need to configure the Azure Rights Management service key sharing URL using Exchange Online PowerShell cmdlets.

In order to complete these configuration steps, the local computer must meet the following requirements:

  • Windows Vista Service Pack 2 (SP2), Windows 7 Service Pack 1 (SP1), Windows 8, Windows Server 2008 R2, Windows Server 2012 or above (x64 platforms only);

Configuring Windows PowerShell for Exchange Online

Windows PowerShell 2.0 introduced the "Windows Remote PowerShell" feature, which allows administrators to execute PowerShell cmdlets against other computers or Web services. The DMTF WS-Management protocol and the Windows Remote Management (WinRM) 2.0 service allow administrators to establish a Windows PowerShell session with remote servers or Web services.

Exchange Online administrators can use Windows Remote PowerShell to connect to Exchange Online servers. Such connection is known as Exchange Online PowerShell. Within Exchange Online PowerShell, corporate administrators are provided with a subset of the Exchange on-premises server cmdlets to manage Exchange objects in their Exchange Online tenant. Administrators do not need to install any Exchange Server management or migration tools in order to use Remote Windows PowerShell.

To use Windows Remote PowerShell, administrator's computers must be running the Windows Management Framework, which contains Windows PowerShell 2.0 and WinRM 2.0. These components are already installed in computers running Windows 7 or Windows Server 2008 R2 and above.

Note    For more information, see the article 968929 Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0).

The configuration of Windows PowerShell consists of:

  • Verifying that Windows PowerShell can run scripts. If you cannot run scripts, enable that capability in Windows PowerShell;
  • Verifying that WinRM allows Windows PowerShell to connect. If you cannot connect to WinRM, configure WinRM to support basic authentication.

To verify that Windows PowerShell can run scripts on the local computer, proceed with the following steps:

  1. Open an elevated Windows PowerShell command prompt and, at the command prompt, run the following command to display the current script execution policy:

PS C:\Windows\system32> Get-ExecutionPolicy

  2. If the current policy does not allow scripts to run, set it to RemoteSigned:

PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

Note    When you set the script execution policy to RemoteSigned, you can only run scripts that you create on your computer or scripts that are signed by a trusted source.

When prompted, press Y to confirm the operation.

To verify that WinRM allows Windows PowerShell to connect, proceed with the following steps:

  1. In the Windows PowerShell session you've just opened as an administrator, run the following command to check the status of the WinRM service (the .exe suffix matters here, because sc alone is the Windows PowerShell alias for Set-Content):

PS C:\Windows\system32> sc.exe query winrm

  2. If the WinRM service isn't running, start it with the following command:

PS C:\Windows\system32> net start winrm

  3. Run the following command:

PS C:\Windows\system32> winrm get winrm/config/client/auth

  4. In the results, look for the value "Basic =". If the value is "Basic = false", you must change this value to "Basic = true".

To change that value, run the following command:

PS C:\Windows\system32> winrm set winrm/config/client/auth @{Basic="true"}

The value between the braces { } is case-sensitive. In the command output, verify the value "Basic = true".

Note    On a non-domain-joined machine you may get an access denied error ("Error number: -2147024891 0x80070005"), which is due to UAC filtering for local accounts. To disable UAC filtering on such a non-domain-joined machine so you can complete the WinRM configuration, create the following DWORD registry value and set it to 1:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy

  5. If you started the WinRM service in step 2, run the following command to stop it:

PS C:\Windows\system32> net stop winrm
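The two checks above (script execution policy and WinRM client Basic authentication) are what usually break the first Exchange Online connection. The following function is an added example (not from the white paper) that performs both checks in one pass, reads the Basic setting through the WSMan: drive instead of parsing winrm.cmd output, and stops the WinRM service again if it had to start it, mirroring the manual steps. Run it from an elevated Windows PowerShell prompt; the function name is an assumption.

```powershell
# Added example (not from the white paper): check the two prerequisites for
# Exchange Online remote PowerShell and report what still needs to change.
# Run elevated. Function name is an assumption.
function Test-RemotePowerShellPrereqs {
    $issues = @()

    # 1. Execution policy. Import-PSSession writes a temporary, unsigned module,
    #    so Restricted (and AllSigned) would block implicit remoting.
    $policy = Get-ExecutionPolicy
    if (@('Restricted', 'AllSigned') -contains $policy) {
        $issues += "Execution policy is $policy; run: Set-ExecutionPolicy RemoteSigned"
    }

    # 2. WinRM client Basic auth. The WSMan: drive needs the service running,
    #    so start it only for the duration of the check, as in the manual steps.
    $startedHere = $false
    if ((Get-Service -Name WinRM).Status -ne 'Running') {
        Start-Service -Name WinRM
        $startedHere = $true
    }

    $basic = $null
    try {
        # Same setting as "winrm get winrm/config/client/auth" -> Basic
        $basic = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic).Value
        if ($basic -ne 'true') {
            $issues += 'WinRM client Basic auth is disabled; run: winrm set winrm/config/client/auth @{Basic="true"}'
        }
    }
    finally {
        if ($startedHere) { Stop-Service -Name WinRM }
    }

    if ($issues.Count -eq 0) {
        Write-Host "Prerequisites OK (ExecutionPolicy=$policy, WinRM Basic=$basic)"
    }
    else {
        $issues | ForEach-Object { Write-Warning $_ }
    }

    # $true when nothing needs to change
    return ($issues.Count -eq 0)
}

Test-RemotePowerShellPrereqs
```

The function only reports; it deliberately does not change the execution policy or enable Basic authentication itself, so that each change stays an explicit administrator decision as in the procedure above.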

Connecting Windows PowerShell to Exchange Online

The next step is to connect a Windows PowerShell session to the Exchange Online tenant.

By default when opening a Windows PowerShell on a local computer, the Windows PowerShell session runs on the local computer. A session is an instance of Windows PowerShell that contains all the commands that are available in the instance. A Windows PowerShell session on the local computer, i.e. a client-side session, only has the basic Windows PowerShell commands available to it (the session also includes all the commands that relate to modules that have been imported into the session).

When connecting to the Microsoft Exchange Online services, the connection is made with the Microsoft Exchange Online datacenter's server environment, i.e. a server-side session is created. The Windows PowerShell session contains the commands provided by the cloud-based service. In other words, a remote Windows PowerShell interface provides access to the Exchange Online configuration information using an additional set of Windows PowerShell cmdlets. When such remote session is created, the Windows PowerShell additional cmdlets are imported and made available to the administrator.

Note    Whilst the Windows Azure Active Directory Module for Windows PowerShell (see Section § Installing the Azure Active Directory Module for Windows PowerShell) is generally used to manage various aspects of a Windows Azure AD/Office 365 based tenant, Exchange Online Remote Windows PowerShell is in no way tied to the Windows Azure Active Directory Module for Windows PowerShell.

To connect a Windows 7 (or Windows Server 2008 R2 and above) computer to Microsoft Exchange Online Services using Windows PowerShell, proceed with the following steps:

  1. Click Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell. For Windows 8 and Windows Server 2012, go to the Start Screen, then click the Windows PowerShell icon to launch the shell.
  2. From the command prompt, store the credential for the Exchange Online administrator account.

PS C:\Windows\system32> $Cred = Get-Credential

In the Windows PowerShell Credential Request, enter the tenant administrator credentials (the administrator should have "global administrator" permissions on the Office 365 Enterprise tenant):

Username: admin@idmgtn15.onmicrosoft.com

Password: ****************

  3. Create a new remote Windows PowerShell session:

PS C:\Windows\system32> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

The AllowRedirection parameter allows redirection to the appropriate remote PowerShell endpoint (the appropriate Uniform Resource Identifier, URI). Starting with the initial connection to the global remote endpoint ps.outlook.com, the session is then redirected as needed to the URI of the tenant's own remote endpoint.

  4. Then import the cmdlets into the local session:

PS C:\Windows\system32> Import-PSSession $Session

A progress indicator appears that shows the importing of cmdlets used in the cloud-based service into the client-side session of your local computer. When the process completes, the additional Exchange Online Windows PowerShell cmdlets will be available within that Windows PowerShell session.

Note    For additional information see the article Connect Windows PowerShell to the Service and the blog Using Exchange Management Shell to manage your Exchange Online and Exchange On Premises Environment. For troubleshooting, watch the video Troubleshooting PowerShell for Exchange Online.

Enabling IRM capabilities in Exchange Online

To configure the Azure Rights Management service key sharing URL and enable IRM capabilities with Exchange Online, proceed with the following steps:

  1. Connect to your Exchange Online tenant account using Windows PowerShell (same steps as the ones described in Section § Connecting Windows PowerShell to Exchange Online).
  2. Once connected to the Exchange Online tenant, enable tenant customization using the Enable-OrganizationCustomization cmdlet:

PS C:\Windows\system32> Enable-OrganizationCustomization

  3. Then enable IRM capabilities within Exchange Online:
    1. Set the key sharing URL using the Set-IRMConfiguration cmdlet:

PS C:\Windows\system32> Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"

For regions outside the European Union, substitute .eu. with .na. for North America or .ap. for Asia Pacific, for instance:

e.g.: https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc for North America
e.g.: https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc for Asia Pacific

    2. Import the trusted publishing domain (TPD) for the Azure Rights Management service tenant using the Import-RMSTrustedPublishingDomain cmdlet. The Exchange Online services will consume the keys (and the rights policy templates) directly from the Azure Rights Management service tenant configuration.

PS C:\Windows\system32> Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

Note    For additional details on TPD, see article AD RMS Trusted Publishing Domain Considerations as well as the whitepaper Information Protection and Control (IPC) in Microsoft Exchange Online with AD RMS.

    3. View the current IRM configuration for the tenant by running the Get-IRMConfiguration cmdlet:

PS C:\Windows\system32> Get-IRMConfiguration
InternalLicensingEnabled       : False
ExternalLicensingEnabled       : True
JournalReportDecryptionEnabled : True
ClientAccessServerEnabled      : True
SearchEnabled                  : True
TransportDecryptionSetting     : Optional
EDiscoverySuperUserEnabled     : True
RMSOnlineKeySharingLocation    : https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
RMSOnlineVersion               :
ServiceLocation                : https://5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com/_wmcs/certification
PublishingLocation             : https://5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com/_wmcs/licensing/publish.asmx
LicensingLocation              : {https://5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com/_wmcs/licensing}

By default, as you can see in the output above, InternalLicensingEnabled is set to False. To allow Web-based clients to use the Azure Rights Management service, this setting must be changed to True.

    4. Enable the IRM capability for Outlook Web App (OWA) and Microsoft Exchange ActiveSync (EAS) clients by changing the InternalLicensingEnabled setting using the Set-IRMConfiguration cmdlet:

PS C:\Windows\system32> Set-IRMConfiguration -InternalLicensingEnabled $true

With this configuration change (which takes effect immediately), users should be able to use the rights policy templates from any Rights Management supported client. At this stage, both OWA and EAS are enabled for users, who are now able to use Office 365 IRM cross-tenant.

Note    For the complete usage details on this cmdlet, review the cmdlets reference available at: Reference to Available PowerShell Cmdlets in Exchange Online.

    5. Optionally test the configuration using the Test-IRMConfiguration cmdlet:

PS C:\Windows\system32> Test-IRMConfiguration -Sender user1@idmgtn15.onmicrosoft.com
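The connection steps and the IRM enablement steps above are one procedure that is typically run more than once (for a new tenant, after a region change, or to verify drift). The following script is an added example (not from the white paper) that performs the whole sequence, derives the key sharing location from the region suffix (eu, na or ap, the values given above), and only changes settings that differ from the target state. It assumes an Office 365 global administrator credential and the same tenant name used in the paper; the Region parameter is an assumption of this script.

```powershell
# Added example (not from the white paper): connect to Exchange Online and bring
# IRM to the enabled state described above, choosing the key sharing location
# from the tenant's Azure RMS region. Assumes a global administrator credential.
param(
    # Region suffix from the key sharing URL pattern above (assumption: eu/na/ap)
    [ValidateSet('eu', 'na', 'ap')]
    [string]$Region = 'eu'
)

$cred = Get-Credential -Message "Office 365 global administrator"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session | Out-Null

try {
    # One-time tenant customization; the cmdlet errors if it was already done,
    # which is harmless here.
    try { Enable-OrganizationCustomization -ErrorAction Stop }
    catch { Write-Verbose "Organization customization already enabled: $_" }

    $keySharing = "https://sp-rms.$Region.aadrm.com/TenantManagement/ServicePartner.svc"
    $current = Get-IRMConfiguration

    # Step 3.1: key sharing location, only if it is not already set to the target
    if ($current.RMSOnlineKeySharingLocation -ne $keySharing) {
        Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharing
    }

    # Step 3.2: import the Azure RMS trusted publishing domain if none exists yet
    if (-not (Get-RMSTrustedPublishingDomain -ErrorAction SilentlyContinue)) {
        Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
    }

    # Step 3.4: internal licensing is what lets OWA / EAS protect and open messages
    if (-not $current.InternalLicensingEnabled) {
        Set-IRMConfiguration -InternalLicensingEnabled $true
    }

    # Step 3.3 again, after the changes, to confirm the effective configuration
    Get-IRMConfiguration |
        Select-Object InternalLicensingEnabled, ExternalLicensingEnabled,
                      RMSOnlineKeySharingLocation, ServiceLocation |
        Format-List

    # Step 3.5: end-to-end check for one sender (placeholder mailbox from the paper)
    Test-IRMConfiguration -Sender "user1@idmgtn15.onmicrosoft.com"
}
finally {
    Remove-PSSession $session
}
```

Save the script as a .ps1 file and run it as .\Enable-ExoIrm.ps1 -Region na for a North American tenant; the finally block removes the remote session so that a failed step does not leave an open session behind.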

Verifying IRM in Outlook Web App (OWA)

Microsoft Office Outlook Web App (OWA) is a Web-based version of the Outlook e-mail program provided by Exchange Online.

Wherever users are connected to the Internet, at home, at the office, or on the road, they can access their e-mail through OWA.

They can then directly create and read IRM-protected e-mail messages in OWA, without any add-in or any ActiveX control. They can leverage IRM protection in OWA just like users can use IRM protection in Outlook 2010 and above (see Section § Using IRM in Outlook 2010).

The native support for IRM in OWA extends the ability of organizations to leverage IRM-protection.

To start using IRM functionality in Outlook Web App (OWA), proceed with the following steps:

  1. Log into OWA using the explicit URL, for example http://outlook.com/owa/idmgtn15.onmicrosoft.com (to log into the idmgtn15.onmicrosoft.com tenant).

  2. Create a new mail message using the new mail link. A new message will appear on the right hand side of the screen.

  3. Click the ellipsis ("...") right after the INSERT option in the tool strip and then select set permissions.

  4. Select the "Company - Confidential" rights policy template, which is "Microsoft France - Confidential" in our configuration.

  5. Optionally click INSERT to add attachments. Rights protection of the e-mail message also covers attached Microsoft Office Word, Excel, PowerPoint, and XPS documents.
  6. Send the message to a recipient that is also using Office 365 Enterprise.
  7. The recipient will be able to open the message in OWA, Outlook 2010 (see Section § Configuring and using Office 2010 IRM features), or Outlook 2013 (see Section § Configuring and using Office 365 ProPlus IRM features).

OWA enables users to create, read and reply to (as well as reply all, forward, block print, cut/copy) IRM-protected e-mail messages natively, without requiring any plug-in, using Internet Explorer, Mozilla Firefox, Apple Safari, Chrome, and most other Web browsers on computers running Windows, UNIX or Apple MacOS. OWA also includes full-text search, conversation view and preview pane for IRM-protected messages.

In Office 365 Enterprise, the Rights Management Add-on (RMA) for Internet Explorer is no longer needed; users can create and consume Right-Managed messages without the need of additional components.

When Office documents are attached to an IRM-protected message, the protected Office document can be viewed, in read-only mode, directly from the Web browser through the Office Web Apps Preview (used seamlessly by OWA).

Configuring transport rules

In Exchange Online, transport rules provide mail flow control capabilities for administrators. The basic goal, when creating a transport rule, is to have Exchange Online inspect e-mail messages sent to and received by the users of the tenant and take actions on those e-mail messages based on conditions. These rules can help administrators mitigate security and compliance risks in their organization. For example, transport rules are commonly used by administrators to apply a legal disclaimer to each e-mail message leaving their organization.

Transport rules use a set of conditions, actions, and exceptions:

  • Conditions identify specific criteria such as sender, recipient and keywords within an e-mail message, and determine when the rule is triggered;
  • Actions are applied to e-mail messages that match these conditions;
  • Exceptions identify e-mail messages to which a transport rule action shouldn't be applied, even if the message matches a transport rule condition.

Along with the standard list of conditions that can be applied to all rules, administrators can set up transport rules that automatically apply IRM-protection to e-mail messages in transit (including Microsoft Office Word, Excel, PowerPoint, and XPS attachments).

For example, you can create a transport rule that automatically protects any e-mail message sent to the "Legal Department" (represented by a distribution group, DG) in your organization with a "Company - Confidential View Only" rights policy. With such a configuration, any message sent to a member of the "Legal Department" group will be automatically protected by Exchange Online with the "Company - Confidential View Only" rights policy template. When such a template is applied, the e-mail message cannot be replied to, forwarded, or copied once it is received by a member of the distribution group.

Information workers exchange sensitive information such as financial reports and data, customer and employee information, and confidential product information and specifications, by e-mail every day. As illustrated above, users can protect e-mail messages content in OWA by applying a rights policy template.

However, when left to the discretion of users, e-mail messages may be sent in clear text without any IRM protection applied. Transport rules can help protect against information leakage by allowing tenant administrators to define IRM protection enforcement based on a set of conditions. Outlook protection rules represent another way to help protect against this type of information leakage (see Section § Configuring Outlook Protection rules).

To create the transport rule to help protect against information leakage, proceed with the following steps:

  1. From a Web Browser, open the Microsoft Online Services Portal (MOP) https://portal.microsoftonline.com.
  2. Sign in as the Exchange Online global administrator account for your subscription such as:

Username: admin@idmgtn15.onmicrosoft.com

Password: ****************

  3. Click Sign in.

  4. Click service settings on the left and then, under mail flow, click Custom mail rules.

This opens the Exchange Admin Center (EAC).

  5. Click + and Create a new rule… to create a new rule using the new rules dialog.

(Alternatively, you can select Apply rights protection to messages… in our context.)

  6. In the Name field, give the new transport rule a name, for instance "Legal Department Users - Company Confidential".
  7. In *Apply this rule if…, select The recipient is... A Select Members Web dialog appears. In that dialog box, select a user or a distribution group, then click add ->, and then ok. In our illustration, we've selected Legal Department (legal@idmgtn15.onmicrosoft.com), a distribution group that has been previously created (this is not illustrated as part of this paper for the sake of brevity).
  8. Click More options…

  9. In *Do the following…, select Secure the message with... and rights protection. This automatically applies IRM protection and offers the choice of the rights policy templates. (See Section § Default templates.) A select RMS template dialog appears.

  10. Select the RMS template that will be applied as part of this new transport rule, and then click ok. You can select for example the "Company – Confidential View Only" template, "Microsoft France – Confidential View Only" in our tenant.
  11. Click save.

When the transport rule is in place, all messages sent to the selected recipients (in our example: members of the Legal department) are protected with the chosen IRM policy template. The IRM template itself defines which persistent protection is applied to the messages and whether they can be viewed, copied, forwarded, printed, etc.
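The same rule created from Exchange Online PowerShell rather than the EAC, as an added example that is not part of the original paper. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange Online admin role; the group address, template name and test sender are the paper's sample values.

```powershell
# Added example: the "Legal Department" transport rule via Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) is available.
Connect-ExchangeOnline -UserPrincipalName admin@idmgtn15.onmicrosoft.com

$groupAddress = 'legal@idmgtn15.onmicrosoft.com'        # sample DG from the paper
$templateName = 'Company - Confidential View Only'      # sample template from the paper
$ruleName     = 'Legal Department Users - Company Confidential'

# 1. Check that the template is actually published to this tenant. If nothing
#    comes back, IRM is not enabled for the tenant and the rule could not apply
#    protection (see Section § Enabling the Azure Rights Management service).
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    throw "Template '$templateName' is not available to this tenant; enable IRM first."
}

# 2. Create the rule: every message addressed to a member of the DG is
#    protected with the template before delivery, regardless of the sender's choice.
New-TransportRule -Name $ruleName `
    -SentToMemberOf $groupAddress `
    -ApplyRightsProtectionTemplate $templateName `
    -Comments 'Enforces Confidential View Only on all mail to the Legal Department DG' `
    -Enabled $true

# 3. Verify the rule and exercise the IRM pipeline end to end for a test sender
#    (template download, licensing); failures here surface as a clear result.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, SentToMemberOf, ApplyRightsProtectionTemplate
Test-IRMConfiguration -Sender user1@idmgtn15.onmicrosoft.com
```

Keep the rule's conditions as narrow as the business need (a DG rather than a whole domain), since every matching message becomes unreadable to recipients outside the template's rights.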

Configuring Data Loss Prevention (DLP) policies

As outlined in the introduction of this document, leakage or loss of data through email represents a growing risk and concern for many organizations today – because of regulations, breaches of trust or loss of business critical information.

In such a context, organizations must ensure that data is properly handled during regular business processes, preventing inappropriate access or sharing. They must consequently organize their content and classify it to assign retention and access controls as part of their compliance practice. Current classification systems place enormous responsibility on the user and can interfere with their ability to complete their job.

Exchange Online's approach to the problem is different: it provides a range of controls that can detect sensitive data in e-mail before it is sent and automatically block or hold the message, notify the sender, or apply usage rights restrictions. This is the Data Loss Prevention (DLP) feature: the ability to identify, monitor, and protect sensitive data through deep content analysis.

DLP can help organizations reduce unintentional disclosure of sensitive data. It is designed to help organizations meet specific regulations or security objectives by finding and protecting sensitive data. DLP content holds data type definitions to locate regulatory and/or sensitive content, and defines the policy objectives to meet regulatory controls for identified content. The actual classification of documents in DLP is achieved through content analysis.

Transport rules, covered in the previous section, have been updated in Exchange Online to support creating rules that accompany and enforce DLP policies. In fact, DLP policies define the different types of projects throughout the organization.

Built-in templates for a DLP policy based on regulatory standards such as Personally Identifiable Information (PII) and Payment Card Industry Data Security Standard (PCI-DSS) are offered as illustrated hereafter:

This set of DLP policies is extensible to support other policies important to your business. Corporate administrators can easily create DLP policies in the Exchange Admin Center (EAC). For example, a DLP policy built for a financial institution would take action on e-mail that includes credit card information.

Fundamentally, a DLP policy is an .xml document (think of it as a block of configuration) that determines what content should be detected and what the response (action) is when that content is detected.

A DLP policy can include rules, actions, and exceptions, and uses the full power of Exchange transport rules.

Upon identifying sensitive information, DLP can automatically take action such as applying IRM protection, appending a disclaimer, generating an audit log, sending the message for moderation, or preventing a message from being sent.

Exchange Online adds Document Fingerprinting, which helps you detect sensitive information in standard forms that are used throughout the organization.

Note    For more information about document fingerprinting, see the Microsoft TechNet article Document Fingerprinting.

Document Fingerprinting is a DLP feature that converts a standard form into a sensitive information type, which you can use to define transport rules and DLP policies. For example, you can create a document fingerprint based on a blank patent template and then create a DLP policy that detects and blocks all outgoing patent templates with sensitive content filled in.

As far as the forms are concerned, Document Fingerprinting supports the same file types as the ones that are supported in transport rules.

Note    For more information about the supported file types, see the Microsoft TechNet article File Types That Are Supported In Transport Rules.

DLP works with a new feature called Policy Tips that informs users of a potential policy violation before it occurs. Policy Tips help educate users about what sensitive data has been found in the email and can educate them about related company policies. This ongoing education helps users manage data appropriately and avoid sending sensitive data to unauthorized users.

Note    For more information, see the online help article Policy Tips.

To create a custom DLP policy from scratch, proceed with the following steps:

  1. In the Exchange Admin Center (EAC), navigate to compliance management and click data loss prevention.

  2. Click the arrow beside the + icon, and select New custom DLP policy.

If you click + instead of the arrow, you will create a new policy based on a DLP policy template (as illustrated above).

  3. On the New custom DLP policy page, complete the following fields:
    1. Name: add a name that will distinguish this custom DLP policy from others, for example "Company Confidential DLP Policy". This field is required.
    2. Description: add a description that summarizes this custom DLP policy. This field is optional.
    3. Choose a mode for the requirements in this DLP policy: select the mode for this custom DLP policy, for example Test DLP Policy without Policy Tips. The new DLP policy is not fully enabled until you specify that it should be. The default mode for a policy is test without notifications.
  4. Click Save to finish creating the new DLP policy reference information. The DLP policy is added to the list of all DLP policies that you have configured, although there are not yet any rules or actions associated with this new custom policy.

  5. Double-click the DLP policy that you just created. An edit DLP policy dialog appears.
  6. On the Company Confidential DLP Policy page, click rules on the left-hand side.

  7. Click + and Create a new rule to add a new blank rule.

A New Rule dialog appears. You can establish conditions using all the traditional transport rule conditions in addition to the sensitive information types defined in Exchange Online.

  8. In the Name field, give the new rule a name, for example "Legal Department Users". To avoid confusion, supply a unique name for each part of your DLP policy or rule.
  9. In *Apply this rule if…, select The recipient is... A Select Members Web dialog appears. In that dialog box, select a user or a distribution group, then click add ->, and then ok. In our illustration, we select "Legal Department" (legal@idmgtn15.onmicrosoft.com), a distribution group that has been previously created (this is not illustrated as part of this paper for the sake of brevity).
  10. Click More options to add additional conditions and actions for this rule, including time-bound limits of enforcement or effects on other rules in this policy.

  11. In *Do the following…, select Secure the message with... and rights protection. This automatically applies IRM protection and offers the choice of the rights policy templates. (See Section § Default templates.) A select RMS template dialog appears.

  12. Select the RMS template that will be applied as part of this new rule, and then click ok. You can select for example the "Company – Confidential View Only" template, "Microsoft France – Confidential View Only" in our tenant.
  13. Click Save to finish modifying the policy and save your changes.

  14. Click ok.

  15. Back in the edit DLP policy dialog, click save.
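A scripted counterpart to the procedure above, as an added example that is not part of the original paper: it creates a custom DLP policy in test mode, attaches one rule that rights-protects messages carrying credit card numbers (the financial-institution case mentioned earlier), and switches the policy to enforce only after review. It assumes a connected Exchange Online PowerShell session on a tenant that still exposes the transport-rule-based DLP cmdlets this paper describes; the template name and report mailbox are sample values.

```powershell
# Added example: custom DLP policy and rule via Exchange Online PowerShell.
# Assumes Connect-ExchangeOnline has already been run with an admin account.
$policyName    = 'Company Confidential DLP Policy'
$templateName  = 'Company - Confidential View Only'          # sample template from the paper
$reportMailbox = 'compliance@idmgtn15.onmicrosoft.com'       # constructed sample mailbox

# -Mode maps to the EAC choices: Audit = "Test DLP policy without Policy Tips",
# AuditAndNotify = "Test DLP policy with Policy Tips", Enforce = "Enforce".
# Starting in Audit lets you measure false positives before users are affected.
New-DlpPolicy -Name $policyName -Mode Audit `
    -Description 'Rights-protects outbound mail that contains credit card data'

# The rule is bound to the policy through -DlpPolicy. The condition uses the
# built-in "Credit Card Number" sensitive information type (pattern plus checksum
# validation performed by Exchange); minCount is the number of matches required.
# An incident report goes to the compliance mailbox so audit mode is reviewable.
New-TransportRule -Name 'Protect messages containing credit card numbers' `
    -DlpPolicy $policyName `
    -MessageContainsDataClassification @{ Name = 'Credit Card Number'; minCount = '1' } `
    -ApplyRightsProtectionTemplate $templateName `
    -GenerateIncidentReport $reportMailbox `
    -IncidentReportContent 'Sender', 'Recipients', 'RuleDetection', 'Severity'

# Review what the policy would have done (Mode shows Audit while testing).
Get-TransportRule -DlpPolicy $policyName | Format-List Name, Mode, State

# Once the incident reports show the expected hits and no false positives,
# move the whole policy (and its rules) to enforcement.
Set-DlpPolicy -Identity $policyName -Mode Enforce
```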

As briefly illustrated, the new DLP technology is a sophisticated system built into Exchange Online for helping users work with sensitive data safely and efficiently. It provides a rich framework for the kinds of policies you can construct for your organization.

Note    For more information, see the online help topic Data Loss Prevention.

The DLP technology is part of the compliance management features provided by Exchange Online. In terms of compliance, this paper takes the opportunity to briefly describe the InPlace eDiscovery & Hold feature.

Note    For more information, see the online help topic Messaging Policy and Compliance.

Leveraging the InPlace eDiscovery & Hold feature

With the explosive growth of compliance requirements both inside and outside organizations, compliance has become everyone's responsibility. Neither the IT department nor the legal and compliance departments can keep tabs on all of the information that is exchanged in the ordinary course of business. Organizations need tools that enable self-service and automated compliance wherever possible. Enabling legal teams to search, hold and export the right information without intervention from IT saves the organization money.

This is the role devoted to E-discovery:

"E-discovery is the identification, preservation, collection, preparation, review and production of electronically stored information associated with legal and government proceedings"

Gartner Says E-Discovery Software Marketplace is Set to Continue High-Growth Pace

Office 365 Enterprise is built with an integrated E-discovery solution, through the InPlace eDiscovery & Hold feature and the eDiscovery Center across Exchange Online, SharePoint Online, and Lync Online that address pre-processing stages of E-discovery, including information management, identification, preservation, and collection.

Note    For more information, see the Electronic Discovery Reference Model (EDRM), a set of guidelines and processes for conducting eDiscovery for customers and providers, which was developed by a group of industry experts in a number of working projects. EDRM focuses on reducing the cost and complexity of eDiscovery through the development of standards such as EDRM XML, in an attempt to provide a clear and repeatable process.

Thanks to this solution, compliance officers can perform the discovery process in place; data is not duplicated into separate repositories. As such, tools operate on data where it lives and preserve the minimum amount of data needed. Since content is held in place, teams can respond quickly by accessing data in its native format (without the loss of fidelity often associated with copying data to separate archives). Then, teams have an easy way to package the result by exporting it according to the EDRM XML specification so that it can be imported, for example, into a review tool.

In order to be able to decrypt any rights protected content within an organization, compliance officers must be added as super user in the Azure Rights Management service (see Section § Configuring the super users capabilities).

Such a capability resonates with the site mailbox, another new feature of Office 365 Enterprise. A site mailbox is a shared inbox in Exchange Online that all the members of a SharePoint Online site, i.e. the individuals listed in the Owners and Members groups of the site (security groups or distribution lists are not supported) can access. It's accessible from the site in which it is created. The email address of the site mailbox is generated automatically from the name of the site.

With site mailboxes, Exchange Online works with SharePoint Online to give users more ways to collaborate while keeping data safe.

Beyond the site itself, site mailboxes are surfaced in Outlook 2013 and give you easy access to the e-mail and documents for the projects you care about. They are listed in the Folder Explorer in Outlook 2013, letting you file e-mails or documents into the shared project space simply by dragging the e-mail, document, or attachment into the site mailbox. (Site mailboxes are not available in Outlook Web App.)

Users view site mailbox emails just as they would any other Exchange message, while SharePoint Online enables versioning and coauthoring of documents.

Note    For more information, see the blog post Site Mailboxes in the new Office.

Interestingly enough in the context of this paper, site mailboxes can be searched using the Exchange eDiscovery Center where the built-in eDiscovery functionality makes it easy to find needed information across held, archived, and current e-mail messages. As a consequence, e-mail messages and documents stored in site mailboxes can be put on legal hold. Additionally, site mailboxes adhere to the lifecycle policies applied to the SharePoint Online site with which they are associated, enabling automated retention and archiving of the entire site mailbox. Site mailboxes allow users to naturally work together – while compliance policies are applied behind the scenes.

In tandem with SharePoint Online, organizations can search e-mail messages, instant messages, calendars, and contacts, as well as SharePoint documents, sites, file shares, blogs, wikis, and more, all from the eDiscovery Center.

Configuring SharePoint Online to use the Azure Rights Management service

SharePoint Online includes IRM feature support using the Azure Rights Management service.

This section describes how to configure SharePoint Online with the Azure Rights Management service protection and how to enable and use IRM settings on SharePoint Online document libraries.

Note    For additional information, see the blog post Configure SharePoint Online Preview to use Windows Azure AD Rights Management.

Enabling IRM for a SharePoint Online tenant deployment

To enable SharePoint tenant deployments to use the Azure Rights Management service, proceed with the following steps:

  1. From a Web Browser, open the Microsoft Online Services Portal (MOP) https://portal.microsoftonline.com.
  2. Sign in as the Office 365 Enterprise tenant global administrator such as:

Username: admin@idmgtn15.onmicrosoft.com

Password: ****************

  3. Click Sign in.

  4. Click service settings on the left and then sites.

  5. In the service settings page, click View site collections and manage additional settings in the SharePoint Administration Center.

  6. On the SharePoint Administration Center page, in the left-hand pane, click settings.

  7. On the settings page, in the Information Rights Management (IRM) section, click Use the IRM service specified in your configuration, and then click Refresh IRM Settings.

Note    Selecting this radio button enables SharePoint Online to read the Azure Rights Management service configuration (if any) and enable the tenant for IRM services. If the Azure Rights Management service is not enabled for the tenant, IRM features CANNOT be enabled (see Section § Enabling the Azure Rights Management service in Office 365 for the related instructions to enable the tenant for Windows Azure AD Rights Management).

  8. After successful completion, the message "We successfully refreshed your settings." appears under the Refresh IRM Settings button.

Configuring IRM Settings on Document Libraries

After IRM is enabled for the SharePoint Online tenant, IRM settings can be applied on SharePoint document libraries.

Settings on libraries are a superset of the capabilities that were available in SharePoint 2010, especially around granular control of the usage rights and the introduction of group protection.

The group protection feature gives library owners the ability to specify an e-mail-enabled group for which the documents downloaded from the library are protected. This enables collaboration scenarios outside SharePoint for members of a given distribution group.

In addition, rights managed document libraries provide read-only Web access support and provide collaboration scenarios across organizations (tenants).

To configure IRM settings on a SharePoint Online document library, proceed with the following steps:

  1. Create a new SharePoint Online site or navigate to an existing SharePoint Online site and then click Documents.

  2. From the document library page in SharePoint Online, click the Library tab, and then Library Settings.

  3. From the Settings page, under Permissions and Management, click Information Rights Management and configure the document library for rights management as illustrated in the next step.

  4. In the Information Rights Management Settings page, configure the IRM settings that enforce IRM protection on documents when they are downloaded:
    1. Click Restrict permissions on this library on download,
    2. Enter a permissions policy title,
    3. Enter a permission policy description,
    4. And then click SHOW OPTIONS.

Clicking SHOW OPTIONS reveals the rest of the setting fields, which include all the advanced settings as illustrated hereafter.

Beyond the permission policy title and description, this enables library administrators to:

  • Set access rights (print, run scripts to enable screen readers, or enable writing on a copy of the document);
  • Set an expiration date (i.e. the date after which the document cannot be used);
  • Control whether documents that do not support IRM protection can be included in the document library;
  • Control whether Office Web Apps can render the document in the library.

As far as the latter is concerned, library administrators can check the Prevent opening documents in the browser for this document library box to prevent Office Web Apps from showing the content.

Furthermore, whenever a document is downloaded from a rights managed document library, by default each supported file type is encrypted and rights are restricted to the authenticated user who downloaded the document. Other users who have rights to the same library must get their own copy.

The Allow group protection box enables, as its name indicates, protection of a library for a group. Library administrators can specify a Windows Azure AD/Office 365 group and use it to stamp the usage license for the file. Then, documents that are downloaded can be used by all the members of the group, and the user who downloaded the copy can transfer the copy to any member of the group directly.

  5. Set the appropriate settings above, and then click OK.

To test the SharePoint Online rights managed document library settings, go back to the document library and add a new Word document to the library.

You can then try opening this Word document and verify that the IRM protection has properly been applied to the content upon download or preview in the browser using Word Web App (see screenshot below), in Word 2010 (see next Section § Configuring and using Office 2010 IRM features) or in Word 2013 (see Section § Configuring and using Office 365 ProPlus IRM features).

Leveraging the support for PDF in addition to Office formats

Interestingly enough, starting with the new Office 365, SharePoint Online supports IRM protection of PDF documents.

This support leverages a Microsoft extension to the existing ISO 32000 international standard, which is based on the Portable Document Format (PDF) version 1.7 developed by Adobe.

The extension allows PDF documents to be encrypted by the Microsoft IPC technology that is implemented by the Azure Rights Management service (as well as by Windows Server AD Rights Management, a Windows Server role).

In the context of this paper, with such a support, users can upload PDF documents to SharePoint Online rights managed document libraries (see previous section), and upon download, the files will be protected using Office IRM along with the Azure Rights Management service.

To use PDF files in libraries that the owner has protected with IRM, the user needs a compatible PDF reader, as listed in the article SharePoint-Compatible PDF readers that support Microsoft Information Rights Management services.

Without a compatible PDF reader that implements the extension, the user experience will be as follows when viewing a protected PDF:

As you can see, the user will be invited to download a compatible PDF reader. In terms of compatible PDF readers, one can use for instance the Foxit Enterprise Reader with the AD RMS 2.0 Protect PDF Plug-in Module.

This reader leverages the functionalities exposed by the MSIPC (Microsoft Information Protection and Control) client 2.1, which relies on the RMS SDK 2.1.

These components result from a major effort to reduce complexity, to streamline the development process of IPC-enabled applications and solutions, to handle documents of different file types (Office documents, PDF, text, image and others), and to be able to quickly protect and unprotect documents. For additional information, see Announcing AD RMS SDK 2.1 RC.

You will need to install the SDK 2.1. You can download the package from Microsoft Connect.

In the ADRMS_SDK_21_RC.zip download package, you will find setup_sdk.exe 32-bit and 64-bit installers in the x86 and x64 folders respectively. The setup_sdk.exe installers also include the related client.

Once installed, you can proceed with the installation of the reader itself. As indicated in the download page, "the Foxit Enterprise Reader is a free download. If companies are using the RMS 2.0 decryption feature for more than 200 users, a premium license is required."

From that point, an IRM-protected PDF document is rendered as expected along with the permission information from the SharePoint Online rights managed document library:

The Foxit Enterprise Reader provides tight integration into SharePoint Online service to enable instant viewing and collaboration.

Beyond this implementation, one should note that the above specification is publicly available, so that any ISV that would like to implement a compatible PDF reader can refer to it.

This gives us the opportunity to mention the introduction of the RMS SDK 3.0, which is a set of simpler, ubiquitous SDKs that are now available on multiple platforms, starting with Windows RT, iOS and Android. These SDKs work exclusively with the Azure Rights Management service.

The new AD RMS 3.0 SDK is offered in conjunction with the above AD RMS 2.1 SDK. AD RMS 2.1 SDK will remain in active development and is well suited for Windows desktop applications and solutions. For additional information, see Announcing AD RMS SDK 3.0 Beta: rights-enablement support on Android, iOS and Windows RT platforms.

Configuring and using Office 2010 IRM features

This section describes the installation and configuration of Office Professional Plus 2010 to help discover IRM-related features in conjunction with Office 365 Enterprise. Instructions on how to configure and use the IRM integration are provided in this chapter.

As of this writing, only Office 2010 and Office 365 ProPlus (or Office Professional Plus 2013; see next section) are supported to create or consume IRM-protected content using the Azure Rights Management service and Office 365 Enterprise. As of this writing, Microsoft Office 2007 is NOT supported for IRM protection using Azure Rights Management with Office 365 Enterprise.

To publish rights-protected content, Office 2010 Professional Plus is required, whereas Office 2010 Standard can be used to consume rights-protected content.

Note    For detailed information on Office 2010 features support depending on the suite version, see the Web page Compare server integration features between Office suites available through volume licensing.

Installing and configuring Office 2010 for IRM support

To configure Office 2010 for IRM support with the Azure Rights Management service, you must install the Rights Management sharing application, which configures Office 2010 to work with Azure Rights Management service.

Note    For more information, see the Microsoft TechNet article Configuring Applications for Azure Rights Management.

No further configuration is required: users sign in with their Office 365 credentials and can then protect files and use files that have been protected by others. Beyond the Rights Management sharing application itself (and the related Office add-in for the Ribbon, used to share Rights Management protected files from within Office 2010), the setup package for the Rights Management sharing application also includes the following:

Note    For additional information on Cryptographic Mode 2, please refer to the article Active Directory Rights Management Service Cryptographic Modes and the post AD RMS and cryptographic support for SHA-2/RSA 2048 on the AD RMS Team Blog.

To illustrate the installation process and go through the configuration and usage steps, a Windows 7 Service Pack 1 (SP1) 64-bit computer has been used. All screenshots have been taken from a Windows 7 machine.

To download and install the Rights Management sharing application, proceed with the following steps:

Note     You must have a local administrator account to install the RMS sharing application. If you do not log in as a local administrator, you can use the Run as administrator option when you run the setup program.

Note    The Windows version of the Rights Management sharing application supports a scripted installation, which makes it suitable for enterprise deployments via the Azure Rights Management service preparation tool aadrmprep.exe. The installation packages (64-bit and 32-bit versions) for automatic deployment are available on the Microsoft download center. The use of the preparation tool isn't illustrated hereafter. For additional information, see the Microsoft TechNet article Rights Management sharing application administrator guide.

  1. Go to the Microsoft Rights Management page on the Microsoft website.

  2. In the Computers section, click the icon for the Rights Management sharing application for Windows.

  3. Save the setup.exe file to install the Rights Management sharing application.
  4. Double-click the downloaded setup.exe file. If you are prompted to continue, click Yes.

A Setup Microsoft RMS page opens.

  5. Click Next.

  6. Wait for the installation to finish.

  7. Click Next.

  8. On the Configure Office 2010 page, click Next.

  9. Enter your Office 365 Enterprise credentials when prompted in the Windows Security dialog, for example:

Username: user1@idmgtn15.onmicrosoft.com

Password: ****************

  10. Click OK.

  11. When the installation finishes, click Restart to restart the computer and complete the installation.

At this stage, after having restarted your computer, the user should have the following files created in their %LocalAppData%\Microsoft\DRM folder:

  • CERT-Machine-2048.drm
  • CERT-Machine.drm
  • CLC-*.drm
  • GIC-*.drm

An example of a CLC-*.drm file is as follows: CLC-user1@idmgtn15.onmicrosoft.com-{9a2487cb;k3d01;k4b24;kafcf;kbf00e92c55e0}.drm

Configuring Outlook 2010 for Exchange Online

To manually configure Outlook 2010 mail settings for Exchange Online, proceed with the following steps:

  1. Launch Outlook 2010. The first time Outlook 2010 is launched on the local computer, the Microsoft Outlook 2010 Startup wizard starts and you are prompted to set up an e-mail account. In that case, proceed with the wizard and configure the Exchange e-mail settings to use Exchange Online with the tenant user account details.
  • If the Microsoft Outlook 2010 Startup wizard is automatically launched, then on the first page, click Next. On the E-mail Accounts page of the wizard, click Next and you will be presented with the Auto Account Setup page.
  • If Outlook 2010 has already been used, the Startup wizard will not appear and the account settings configuration must be launched manually. To do so, click the File menu in the Outlook 2010 toolbar. Then, just above the Account Settings button, click Add Account, which opens the Account Setup page.

  2. On the Auto Account Setup page, type the user's first and last name in the Your Name field, type the user's full e-mail address in the E-mail Address field (in our example, we have been using user1@idmgtn15.onmicrosoft.com), and finally type the user's password in the Password and Retype Password fields.
  3. Click Next. At that stage, Outlook 2010 performs a configuration query against the Exchange Online environment (this expects the proper Autodiscover DNS record to be in place for the domain) to find the e-mail server settings for that user's mailbox.

During the configuration query, you will be prompted to enter the user name and password. Make sure that you enter your full e-mail address (for example, "user1@idmgtn15.onmicrosoft.com") as your user name.

If Outlook is able to successfully set up the e-mail account, you should see the following text:

"Your e-mail account is successfully configured. Click Finish"

  4. Click Finish.

Note    For additional information, see the article Set up E-mail in Outlook 2010 in the online help.

Using IRM in Outlook 2010

Sending protected e-mail using Outlook 2010

To publish IRM rights protected content using Outlook 2010 and Exchange Online, proceed with the following steps:

  1. On the e-mail sender's computer, ensure Outlook 2010 has been properly configured to work with Exchange Online and is also configured to use the Azure Rights Management service as described in Section § Installing and configuring Office 2010 for IRM support.
  2. Launch Outlook 2010 and enter your Office 365 Enterprise credentials when prompted in the Windows Security dialog, for example:

Username: user1@idmgtn15.onmicrosoft.com

Password: ****************

Click OK. Outlook 2010 opens.

  3. From Outlook 2010, create a new mail: in the Home tab of the Office ribbon, click New E-mail.
  4. In the Options tab of the Office ribbon, click Permission, and then select one of the following templates: "Do Not Forward", "Company - Confidential" or "Company - Confidential View Only".

Note    The very first time you use IRM functionality, Outlook will contact the Azure Rights Management service to finalize the configuration. During this first connection, you will be prompted for credentials. In addition, the "Company - Confidential" templates will not be available until the initial Office IRM client configuration has been completed and the task scheduler job has run to retrieve the templates from the Azure Rights Management service.

  5. The Select Service dialog appears (this dialog only appears the first time you use the Azure Rights Management service with Outlook). In this Select Service dialog box, select Use a Microsoft Windows account, and then click OK.

  6. The Windows Security dialog appears. Enter your credentials for Office 365 Enterprise to complete the Office IRM client configuration and click OK.

  7. Compose the IRM-protected message, providing the recipients, the e-mail subject and the e-mail body; you can also optionally attach Office documents to the message.

  8. Finally, click Send to send the message.

Consuming protected content using Outlook 2010

To consume IRM rights protected content using Outlook and Exchange Online, proceed with the following steps:

  1. Launch Outlook 2010, and enter your Office 365 Enterprise credentials if prompted.
  2. Navigate in your inbox and select an IRM-Protected e-mail that was sent (published) previously (see previous section).
  3. View the message, which will force the IRM client to configure itself the first time you use IRM functionality.

Note    The very first time you use IRM functionality Outlook will contact the Azure Rights Management service to finalize the configuration. During this first connection, you will be prompted for credentials. In addition, the "Company - Confidential" templates will not be available until the initial Office IRM client configuration has been completed and the task scheduler job has run to retrieve the templates from the Azure Rights Management service.

Once the environment is properly configured, the protected e-mail message is rendered in the Outlook application. In the Outlook MailTip display zone you will be presented with the IRM template that has been used with the e-mail and the granted actions associated with the template for the recipient.

Configuring Outlook Protection rules

Outlook protection rules are a new Exchange Online feature provided to Outlook 2010. With that feature, administrators can automatically apply IRM protection to messages sent to a set of users (recipients). With such a configuration, when users compose new e-mail messages with Outlook 2010, these messages are automatically IRM-protected with a specified Rights Management template, and users are notified of this while composing the message. When the message is sent, the IRM protection is automatically applied.

For example, you can create a rule that automatically protects any message sent to the "Legal Department" distribution group (DG) in your organization with the "Company - Confidential View Only" rights policy. With such a configuration, any message sent to a member of the "Legal Department" group is automatically protected with the "Company - Confidential View Only" rights policy template, so that the e-mail message cannot be replied to, forwarded, or copied when it is received by a member of the DG.

Information workers exchange sensitive information such as financial reports and data, customer and employee information, and confidential product information and specifications, by e-mail every day. As illustrated above, users can protect e-mail messages by applying a rights policy template.

However, when left to the discretion of users, e-mail messages may be sent in clear text without IRM protection. In organizations that use e-mail as a hosted service, there's a risk of information leakage as a message leaves the client and is routed and stored outside the boundaries of an organization. Although e-mail hosting companies may have well-defined procedures and checks to help mitigate the risk of information leakage, after a message leaves the boundary of an organization, the organization loses control of the information. Outlook protection rules can help protect against this type of information leakage.

Transport rules in Exchange Online represent another way to help protect against this type of information leakage (see Section § Configuring transport rules).

To create an Outlook protection rule, a tenant administrator should proceed with the following steps:

  1. Open a Windows PowerShell command prompt window and connect it to Exchange Online as per Section § Connecting Windows PowerShell to Exchange Online.
  2. Gather the list of the default Azure Rights Management service policy templates available in the Exchange Online tenant organization using the Get-RMSTemplate cmdlet (see Section § Default templates):

PS C:\Windows\system32> Get-RMSTemplate | fl Name

  3. Create a new Outlook protection rule using the New-OutlookProtectionRule cmdlet. For example, you can run the following command to apply the "Company - Confidential View Only" rights policy template to any message sent to the "Legal Department" distribution group:

PS C:\Windows\system32> New-OutlookProtectionRule -Name "Legal Department Users - Company Confidential" -SentTo "Legal Department" -ApplyRightsProtectionTemplate "Microsoft France – Confidential View Only"

  4. To test the Outlook protection rule behavior, launch Outlook 2010 and create a new e-mail message.
  5. Add the "Legal Department" distribution group (DG) as a recipient (select the group in the "To…" line). The "Company - Confidential View Only" rights policy template is automatically applied as illustrated hereafter.

Since the messages are protected locally before being sent out to Exchange Online, Outlook protection rules allow the organization to block third-party service providers or Exchange Online administrators from viewing sensitive content that is sent between employees.

Unlike transport protection rules (see Section § Configuring transport rules), by default Outlook protection rules allow end-users to turn off protection for less sensitive content if they want to: while composing an e-mail message, end-users can apply a different rights policy template or simply remove the rights protection altogether. A tenant administrator can prevent end-users from changing or removing the IRM template associated with a given Outlook protection rule, and thus enforce the action, using the Set-OutlookProtectionRule cmdlet in conjunction with the UserCanOverride parameter.

To prevent users from overriding an Outlook protection rule, use the Set-OutlookProtectionRule cmdlet and set the UserCanOverride parameter to $false. For example, to prevent users from overriding the existing "Legal Department Users - Company Confidential" protection rule created above, run the following command:

PS C:\Windows\system32> Set-OutlookProtectionRule -Identity "Legal Department Users - Company Confidential" -UserCanOverride $false
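The two steps above (create the rule, then lock it) as one script, added here as an example and not part of the white paper. It assumes the session is already connected to Exchange Online and reuses the rule, recipient and template names from this section; the template name is checked against Get-RMSTemplate first, because a rule that references a non-existent template leaves the mail unprotected.

```powershell
# Added example (not from the white paper): create or update an Outlook protection
# rule only after confirming the template exists, then lock it so users cannot
# remove the protection. Assumes the PowerShell session is already connected to
# Exchange Online (Section "Connecting Windows PowerShell to Exchange Online").
param(
    [string]$RuleName     = "Legal Department Users - Company Confidential",
    [string]$Recipient    = "Legal Department",
    [string]$TemplateName = "Company - Confidential View Only"
)

# 1. The template name must match exactly what Get-RMSTemplate returns in this
#    tenant; a typo here would silently leave messages to the group unprotected.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $TemplateName }
if (-not $template) {
    $available = (Get-RMSTemplate | Select-Object -ExpandProperty Name) -join ", "
    throw "Template '$TemplateName' not found. Available templates: $available"
}

# 2. Create the rule if it does not exist yet, otherwise re-point the existing one.
#    UserCanOverride is set to $false in both paths so a re-run never loosens it.
$rule = Get-OutlookProtectionRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-OutlookProtectionRule -Name $RuleName -SentTo $Recipient `
        -ApplyRightsProtectionTemplate $TemplateName -UserCanOverride $false
} else {
    Set-OutlookProtectionRule -Identity $RuleName -SentTo $Recipient `
        -ApplyRightsProtectionTemplate $TemplateName -UserCanOverride $false
}

# 3. Read the rule back and fail loudly if the override lock did not stick.
$rule = Get-OutlookProtectionRule -Identity $RuleName
if ($rule.UserCanOverride) {
    throw "Rule '$RuleName' still allows users to remove protection."
}
$rule | Format-List Name, SentTo, UserCanOverride
```

Run it again after any template rename: step 1 turns a silent misconfiguration into an immediate error.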

The following table summarizes the differences between transport rules and Outlook protection rules.

Table 2: differences between transport rules and Outlook protection rules for IRM-protection

Feature                                                    | Outlook protection rules             | Transport rules
-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------
Run on Exchange Online servers                             | No                                   | Yes
Run on Outlook 2010 client                                 | Yes                                  | No
The user can override                                      | Yes, if configured by administrators | No
Can be applied to OWA users                                | No                                   | Yes
Can be applied to e-mail clients running on mobile devices | No                                   | Yes
Encrypt messages before they're sent                       | Yes                                  | No (e-mail messages are in clear text in the sender's Sent Items folder)

Note    For additional information, please refer to the article Create Outlook Protection Rules.

Using IRM in Word 2010

Publishing protected content with Word 2010

To publish an IRM rights protected document using Word 2010, proceed with the following steps:

  1. Launch Word 2010.
  2. From within Word 2010, create a new .docx document.
  3. On the File menu, click Info, then click Protect Document, select the Restrict Permissions by People submenu and then choose the rights policy template you want to apply (you can also select Restricted Access and then customize the protections you want to apply to the document).

Note    The very first time you use IRM functionality Word will contact the Azure Rights Management service to finalize the configuration. During this first connection, you will be prompted for credentials. In addition, the "Company - Confidential" templates will not be available until the initial Office IRM client configuration has been completed and the task scheduler job has run to retrieve the templates from the Azure Rights Management service.

  4. Enter your Office 365 Enterprise credentials to complete the configuration of the Office IRM client if prompted.
  5. Select a template or restrict permissions to people in the organization by e-mail address or using a distribution group.

Rights-protected files can be shared using various means (storing the file in a SharePoint library, sending the document by e-mail, storing the document on a file share, copying the document to an external disk or a USB stick, etc.). Other individuals are able to consume the IRM-protected document (according to the permissions applied to the given document) as soon as they have configured their computers and signed up for Office 365 Enterprise.

Consuming protected content with Word 2010

To consume an IRM rights protected document using Word 2010, proceed with the following steps:

  1. Share the document with another user and have the user open the document.

Note    The very first time you use IRM functionality Word will contact the Azure Rights Management service to finalize the configuration. During this first connection, you will be prompted for credentials. In addition, the "Company - Confidential" templates will not be available until the initial Office IRM client configuration has been completed and the task scheduler job has run to retrieve the templates from the Azure Rights Management service.

  2. If the user is authorized, the document will open and have the usage restrictions enforced.

Configuring and using Office 365 ProPlus IRM features

This section describes the installation and configuration of Office 365 ProPlus from an Office 365 Enterprise subscription, which is then used to explore the IRM-related features in conjunction with Office 365 Enterprise. Instructions on how to configure and use the IRM integration are provided in this chapter.

Please note that it is possible to use Professional Plus 2013 instead.

Office 365 ProPlus and Office Professional 2013 support is enabled for Office 365 cross tenant collaboration.

In order to illustrate the installation process and go through the configurations and usage steps, a Windows 7 Service Pack 1 (SP1) 64-bit computer has been used. All screen shots have been taken from a Windows 7 machine.

Installing and configuring Office 365 ProPlus

Office 365 ProPlus (or Professional Plus 2013) uses the Office 2013 Identity controls to provide end-users with sign-in capabilities for Microsoft Online Services. Hence the Microsoft Online Services Sign-In Assistant (MOS SIA) 7.0, which is a prerequisite for Microsoft Office 2010 deployment, is not required when Office 365 ProPlus (or Professional Plus 2013) is deployed.

Note    For additional information, see blog post Enabling Windows Azure AD Rights Management in Office 365 Enterprise Preview.

To configure Office 365 ProPlus for the Azure Rights Management service, proceed with the following steps:

  1. Using a Web browser, open the Microsoft Online Services Portal (MOP) using the following URL: https://portal.microsoftonline.com.
  2. Sign in to Office 365 Enterprise with a tenant user account. In our case we are using:

Username: user1@idmgtn15.onmicrosoft.com

Password: ****************

  3. Click PC & Mac. The Office 365 Enterprise subscription provides Office 365 ProPlus licensing. Office 365 ProPlus can be downloaded and installed from the portal.

To install the Office desktop suite, under Office desktop apps simply select the language you want to download and install, select the version you want to install and then click Install, which launches the download of the setup package.

  4. To proceed with the click-to-run installation of Office 365 ProPlus, click Run.

  5. In the User Account Control dialog, click Yes.

  6. The Office installation then proceeds to install the applications.

A welcome window pops up.

  7. Click Next and then Accept to finalize the installation.

Using IRM in Outlook 2013

Configuring Outlook 2013 for Exchange Online

To manually configure Outlook 2013 mail settings for Exchange Online, launch Outlook 2013 and follow the procedure described in Section § Configuring Outlook 2010 for Exchange Online. It provides the steps to configure Outlook with the Exchange mail settings for an Exchange Online tenant user account.

Publishing protected content using Outlook 2013

To publish IRM rights protected content using Outlook 2013 and Exchange Online, proceed with the following steps:

  1. On the e-mail sender's computer, ensure Outlook 2013 has been properly configured to work with Exchange Online and is also configured to use Windows Azure AD Rights Management as described in Section § Installing and configuring Office 365 ProPlus.
  2. Launch Outlook 2013 and enter your Office 365 Enterprise credentials if prompted in the Windows Security dialog, for example:

Username: user1@idmgtn15.onmicrosoft.com

Password: ****************

Click OK. Outlook 2013 should launch.

  3. From Outlook 2013 create a new mail: in the Home tab in the Office ribbon, click New E-mail.
  4. From the OPTIONS tab, click Permission, and then select one of the following templates: "Do Not Forward", "Company - Confidential" or "Company - Confidential View Only".

Outlook 2013 automatically retrieves the templates (see Section § Protecting content with the Azure Rights Management service) from the Azure Rights Management service tenant instance. When this operation is complete, Outlook is bootstrapped to use IRM functionality.

On the first use and in the meantime, you may see the Connect to Digital Rights Management Servers and Get Templates option. Click it to download the templates from the Azure Rights Management service.

  5. Compose the IRM-protected message: provide the recipients, the e-mail subject and the e-mail body, and optionally attach Microsoft Office documents to the message.

  6. Click Send to send the message.

Consuming protected content using Outlook 2013

To consume IRM rights protected content using Outlook 2013 and Exchange Online, proceed with the following steps:

  1. Launch Outlook 2013 and enter Office 365 Enterprise users' credentials if prompted.
  2. Navigate in your inbox and select an IRM-Protected e-mail message that was previously sent (published) (see previous section).
  3. View the e-mail message, which will force the IRM client to configure itself the first time you use IRM functionality.

An Active Directory Rights Management Services dialog opens up.

Click OK to continue. Once the environment is properly configured, the protected e-mail message is rendered in the Outlook application. In the Outlook MailTip display zone you will be presented with the IRM template that has been used with the e-mail and the granted actions associated with the template for the recipient.

Configuring Outlook protection rules

Introduced with Outlook 2010, Outlook protection rules are also a feature of Outlook 2013 with Exchange Online.

To create an Outlook protection rule, see the Section § Configuring Outlook Protection rules of the same name.

As previously illustrated with the "Legal Department Users - Company Confidential" protection rule, any message sent to the "Legal Department" distribution group is automatically protected with the "Company - Confidential View Only" rights policy template, so that the e-mail message cannot be replied to, forwarded, or copied when received by a member of that distribution group.

Using IRM in Word 2013

Publishing protected content with Word 2013

Proceed with the following steps:

  1. Launch Word 2013.
  2. Click FILE, and then Account.

  3. Under Sign in to Office, click Sign In.

  4. Enter your Microsoft Office 365 Enterprise username, for example "user1@idmgtn15.onmicrosoft.com", and then click Next.

  5. Enter your password and click Sign in.

  6. Now you can proceed with the creation of a new .docx document.
  7. In the File menu, click Protect Document, Restrict Access.
  8. The first time you use IRM functionality, Word 2013 needs to contact the Azure Rights Management service to complete the IRM client configuration. To complete that configuration, click Connect to Digital Rights Management Servers and get templates.

Word 2013 retrieves the templates from the Azure Rights Management service tenant instance.

After this operation completes, Word 2013 is bootstrapped to use IRM functionality.

  9. On the File menu, select Info, then click Protect Document, select the Restrict Access submenu and then choose the RMS template you want to apply (you can also select Restricted Access and then customize the protections you want to apply to the document).

Rights-protected files can be shared using various means (storing the file in a SharePoint library, sending the document by e-mail, storing the document on a file share, copying the document to an external disk or a USB stick, etc.). Other individuals are able to consume the IRM-protected document (according to the permissions applied to the given document) as soon as they have configured their computers and signed up for Office 365 Enterprise.

Consuming protected content with Word 2013

To consume an IRM rights protected document using Word 2013, proceed with the following steps:

  1. Share the document with another user and have the user open the document.

Note    The very first time you use IRM functionality Word will contact the Azure Rights Management service to finalize the configuration. During this first connection, you will be prompted for credentials. In addition, the "Company - Confidential" templates will not be available until the initial Office IRM client configuration has been completed and the task scheduler job has run to retrieve the templates from the Azure Rights Management service.

  2. If the user is authorized, the document will open and have the usage restrictions enforced.

Advanced administration options for the Azure Rights Management service

The goal of this chapter is to provide additional information for configuring advanced capabilities provided by the Azure Rights Management service.

Note    For more information on administering the Azure Rights Management service for an Office 365 Enterprise tenant, refer to the help topic available online Administering rights management. You can also refer to the known issues topic within the online documentation Known Issues for Windows Azure AD Rights Management.

Configuring Role-Based Administration

By default, all corporate administrators (Office 365 Enterprise tenant global administrators) can run all of the Azure Rights Management service PowerShell cmdlets.

If an organization wants to delegate Azure Rights Management administration tasks to another set of users or a group, Role-Based Administration should be configured to extend the Azure Rights Management service default permission scheme to those users or that group.

To delegate administration tasks, create a security group, then add the security group to the Azure Rights Management administrator role using Windows PowerShell.

To configure role-based administration for your organization, proceed with the following steps:

  1. Log in to the Microsoft Online Services Portal (MOP) and create a security group: click users and groups, and then click security groups.

  2. Click New to create a new security group and add users to this group. Under details, in Display name, type a name such as "Rights Management Administrators" and click save.
  3. Under select members, select the set of users you want to add to this newly created group and click save and close.

Once the security group is created in the Office 365 Enterprise tenant, you can delegate the Azure Rights Management administration role to this newly created group using Windows PowerShell.

  1. Open a Windows PowerShell command prompt window.
  2. Import the Windows Azure AD administration cmdlets by running the following command:

PS C:\Windows\system32> Import-Module MSOnline

  3. Connect to the Microsoft Online service:

PS C:\Windows\system32> Connect-MsolService

You will be prompted for your credentials.

  4. Enter your Office 365 Enterprise credentials (the credentials should have Global Administrator privilege) and wait to be authenticated. In our example we are using:

Username: admin@idmgtn15.onmicrosoft.com

Password: ****************

  5. Look up the Object ID of the security group you created for role-based administration of the Azure Rights Management service using the Get-MsolGroup cmdlet. If you have many groups, you can also use the Where-Object cmdlet to filter the results. For example, you might enter the following command to return only the groups whose name starts with "Rights":

PS C:\Windows\system32> Get-MsolGroup | where {$_.DisplayName -like "Rights*" }

  6. From the output of the Get-MsolGroup cmdlet, copy the GUID value from the Object ID that was returned.
  7. Paste that value into the -GUID parameter of the Add-AadrmRoleBasedAdministrator cmdlet:

PS C:\Windows\system32> Add-AadrmRoleBasedAdministrator -GUID b70299b5-7ba1-4231-bad9-d5c1305ca7d9

This cmdlet adds the security group "Rights Management Administrators" to the list of users and groups that are granted the Azure Rights Management service administrator role for the organization.

The Remove-AadrmRoleBasedAdministrator cmdlet removes a role-based administrator, and the Get-AadrmRoleBasedAdministrator cmdlet lists all the current role-based administrators.

Note    For more information, see the online help topic Add, list or remove role-based administrators for rights management.

Important Note    As of writing, the functionality supported by the above cmdlet is not currently available. This is a known issue and this functionality is expected to be restored once the issue is fixed and resolved. See the online help topic Known Issues for Windows Azure AD Rights Management.

Configuring the super users capabilities

The super users group is a special group which has full control over all rights-protected content managed by the Azure Rights Management service for the organization's tenant.

When a super users group is configured for an Azure Rights Management service tenant, its members are granted full owner rights in all use licenses (UL) issued by the Azure Rights Management service. This means that members of this group can decrypt any rights-protected content file and remove the rights protection from it.

By default, the super users group has no members, not even the global administrator accounts. Likewise, the super users feature is disabled by default.

To enable the super users feature and add a super user, proceed with the following steps:

  1. Connect Windows PowerShell to the Azure Rights Management service as described in the previous Section § Connecting Windows PowerShell to the Azure Rights Management service.
  2. In the Windows PowerShell command prompt window, enable the super users feature using the Enable-AadrmSuperUserFeature cmdlet:

PS C:\Windows\system32> Enable-AadrmSuperUserFeature

  3. Then add a user to the super users group of the Azure Rights Management tenant configuration using the Add-AadrmSuperUser cmdlet. For example, to add admin@idmgtn15.onmicrosoft.com to the super users group of the tenant, type the following command:

PS C:\Windows\system32> Add-AadrmSuperUser -id "admin@idmgtn15.onmicrosoft.com"

The Get-AadrmSuperUser cmdlet lists all the members of the super users group for the organization's Azure Rights Management service tenant. The Remove-AadrmSuperUser cmdlet removes a specified user from the super users group.

Note    For more information, see the online help topic Manage super users for rights managed content.

Logging administrator actions

The Azure Rights Management service can create a read-only log of all administrative operations performed against the service. This log includes the date/time, the user, and the specific action the administrator performed. Because the log is read-only and cannot be deleted or modified from the service by an administrator, it can be used for auditing purposes.

To gather the log of administrative commands performed against the service use the Get-AadrmAdminLog cmdlet.

To collect the administrators' log, proceed with the following steps:

  1. Connect Windows PowerShell to Azure AD Rights Management as described in the previous Section § Connecting Windows PowerShell to the Azure Rights Management service.
  2. In the Windows PowerShell command prompt window, retrieve the Azure Rights Management service log using the Get-AadrmAdminLog cmdlet:

PS C:\Windows\system32> Get-AadrmAdminLog -Path "C:\Temp" -FromTime "09/10/2012 08:00:00" -ToTime "09/17/12 07:00:00"

In the example above, the cmdlet writes, at the specified file path (Path parameter value), the Azure Rights Management service log for the time period between the specified start time (FromTime parameter value) and end time (ToTime parameter value).
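The super users section and the logging section above describe the two things an auditor wants in one place: who holds decrypt-everything and reconfigure-everything rights, and what administrators actually did. The script below is an added example, not part of the white paper, that records both per run. It assumes the session is already connected to the Azure Rights Management service, that Get-AadrmSuperUserFeature is available in the same module as the super user cmdlets shown above, and that the role-based administrator cmdlets work (see the known issue noted earlier); the output path is a constructed placeholder.

```powershell
# Added example (not from the white paper): one-shot audit of privileged access to
# the Azure Rights Management tenant. Assumes the PowerShell session is already
# connected to the service (Section "Connecting Windows PowerShell to the Azure
# Rights Management service"). Get-AadrmSuperUserFeature is assumed to exist
# alongside the Enable-/Add-/Get-AadrmSuperUser cmdlets used in this chapter.
param(
    [string]$OutputRoot = "C:\Temp\AadrmAudit",   # constructed path, adjust as needed
    [int]$Days = 7                                # how far back to pull the admin log
)

# One dated folder per run, so successive audits can be diffed and never overwrite.
$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir = Join-Path $OutputRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$report = @()

# 1. Super users can decrypt every file protected by the tenant, so record whether
#    the feature is enabled and exactly who is in the group.
$featureState = Get-AadrmSuperUserFeature
$superUsers   = @(Get-AadrmSuperUser)
$report += "Super user feature: $featureState"
$report += $superUsers | ForEach-Object { "Super user: $_" }
if ("$featureState" -match "Enabled") {
    Write-Warning "Super user feature is enabled with $($superUsers.Count) member(s); disable it (Disable-AadrmSuperUserFeature) when it is not needed."
}

# 2. Role-based administrators can reconfigure the service itself (templates,
#    super users, migration URL), so they belong in the same record.
$report += "Role-based administrators:"
$report += (Get-AadrmRoleBasedAdministrator | Format-List | Out-String)

$report | Set-Content -Path (Join-Path $outDir "privileged-access.txt")

# 3. Export the read-only administrative log for the last $Days days. The service
#    writes the log file under -Path, hence the dedicated folder created above.
$to   = Get-Date
$from = $to.AddDays(-$Days)
Get-AadrmAdminLog -Path $outDir -FromTime $from -ToTime $to

Write-Host "Audit output written to $outDir"
```

Comparing privileged-access.txt between two runs shows any super user or administrator added in the interval, and the exported log shows which account added them.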

Note    For more information, see the online help topic Enable logging for Windows Azure AD Rights Management.

Setting the migration URL support

The migration URL support is useful if you decide to leave Office 365 Enterprise and need to migrate from the Azure Rights Management service to an on-premises AD RMS cluster while providing indefinite access to content previously protected with the Azure Rights Management service.

Setting the migration URL lets you configure an alternate corporate URL referencing an on-premises AD RMS cluster. When configured, content that was previously protected with the Azure Rights Management service keeps its access protection using the alternate infrastructure.

The Get-AadrmMigrationUrl cmdlet returns the currently set migration URL as follows:

PS C:\Windows\system32> Get-AadrmMigrationUrl

AbsolutePath   : /_wmcs/licensing
AbsoluteUri    : https://5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com/_wmcs/licensing
Authority      : 5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com
Host           : 5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com
HostNameType   : Dns
IsDefaultPort  : True
IsFile         : False
IsLoopback     : False
IsUnc          : False
LocalPath      : /_wmcs/licensing
PathAndQuery   : /_wmcs/licensing
Port           : 443
Query          :
Fragment       :
Scheme         : https
OriginalString : https://5fd817cb-2d48-41dd-bc9a-25b81858751c.rms.eu.aadrm.com/_wmcs/licensing
DnsSafeHost    : 737dd44d-4e02-40b1-90ae-4be7ee3e28d0.rms.eu.aadrm.com
IsAbsoluteUri  : True
Segments       : {/, _wmcs/, licensing}
UserEscaped    : False
UserInfo       :

PS C:\Windows\system32>

The Set-AadrmMigrationUrl cmdlet sets the migration URL used when off-boarding from the Azure Rights Management service.

To set the migration URL to use when migrating from the Azure Rights Management service to on-premises AD RMS, proceed with the following steps:

  1. Connect Windows PowerShell to Azure AD Rights Management as described in the previous Section § Connecting Windows PowerShell to the Azure Rights Management service.
  2. In the Windows PowerShell command prompt window, type the following command:

PS C:\Windows\system32> Set-AadrmMigrationUrl -Domain "aadrm.online.idmgt.com"

In this example, "aadrm.online.idmgt.com" corresponds to the base URL of the on-premises AD RMS infrastructure.

Note    For more information, see the online help topic List or set the URL for use in migrating rights managed content to AD RMS.