Register now to join us for this 30 minute webinar on January 23^rd, 2015 at 10AM PT where we will be talking with Pragya Pandey, technical product marketing manager for Azure Rights Management Services, about how Azure RMS helps keep your corporate data secure. After discussing the capabilities of RMS, there will be a short demo and a forum for Q&A.

Webcast Information

Title: Protecting Corporate Data with Enterprise Mobility Suite

Date: Friday January 23^rd, 2015

Time: 10:30 am PST

You can also register for additional enterprise mobility webinars in this series here.

Hi Everyone,

Back in October we blogged about some new and upcoming features we were building into Azure RMS. Today we are excited to announce that we are releasing the Azure RMS migration toolkit, new Azure RMS onboarding controls, new updates to RMS SDK and RMS sharing app for Windows Phone 8.1, and the introduction of departmental templates.

Let’s review each of these in detail.

Reminders: Follow us on twitter (@TheRMSGuy) and join in our community on Yammer.

Azure RMS migration toolkit

Many organizations that have been using AD RMS have asked to move to Azure RMS. Some want to benefit from the rapid pace of innovation seen with Azure RMS. Others want to benefit from the new scenarios enabled by this modern platform (e.g.: B2B sharing). Yet others using Windows RMS on Windows Server 2003 need to upgrade anyway and want to make the change during that event. For all these cases, we are now releasing the Azure RMS migration toolkit. This toolkit enables AD RMS and Windows RMS customers to migrate to Azure RMS without losing access to their existing RMS-protected content or their policies.

The Azure RMS migration toolkit includes all the materials necessary for a successful migration, including tools, configuration scripts, and detailed guidance. We’ve worked with over a dozen large organizations already and we expect many more of you will want to make the switch.

Step By Step -- Azure RMS migration toolkit

A migration to Azure RMS begins with the creation of an Azure RMS tenant. This can be any Azure AD tenant with RMS activated, including one that is part of an Office 365 subscription. Once the tenant is created and configured to support the organization’s users, the company migrates their keys and templates to the cloud to enable the service to support content that is already protected by their old AD RMS platform.

You can import the AD RMS keys into Azure RMS using the updated PowerShell module:

PS C:\> Connect-AadrmService

PS C:\> $Password = Read-Host -AsSecureString -Prompt "Password: "

PS C:\> Import-AadrmTpd -TpdFile E:\MyTPD.xml -ProtectionPassword $Password –Active $true -Verbose

This example imports your AD RMS keys and templates into Azure RMS.

Alternatively, you can migrate your keys using the Bring your Own Key (BYOK) process, which places the keys in a Hardware Security Module inside Microsoft’s hosted environment. This process is designed so that Microsoft can’t see or extract (thus leak) your keys. You, the customer, remain in control of the keys at all times.

This BYOK step is also possible even when the original keys in AD RMS were not stored in a Hardware Security Module. We simply ask that you use the migration tools to first move your keys into a Hardware Security Module on your own premises and then performing a synchronization of the keys to the cloud. This way the design goal of our not seeing your keys is preserved.

During the migration process, the existing AD RMS rights policy templates are also migrated. They are marked as ‘archived’ Azure RMS custom templates. You of course have the ability to change and/or publish the templates you want to use, after they are imported.

For you advanced admins, if your organization is using multiple keys to protect content, you can choose to make one of these keys active, and import the other keys as archived keys, which lets users open previously protected content, but has Azure RMS protect all new content with the key that you designate as active.

An example of how you might import multiple keys and designate which one to be active:

PS C:\> Connect-AadrmService

PS C:\> $Password = Read-Host -AsSecureString -Prompt "Password: "

PS C:\> Import-AadrmTpd -TpdFile E:\MyTPD.xml -ProtectionPassword $Password –Active $true -Verbose

PS C:\> Import-AadrmTpd -TpdFile E:\MyTPD2.xml -ProtectionPassword $Password –Active $false -Verbose

After the tenant is ready with the imported active keys and templates, users can use Azure RMS. In order to do this, their devices need to be reconfigured to use Azure RMS instead of on-premises servers running RMS. To do this, use the configuration scripts and guidance provided with the toolkit. During your migration process your users in Azure RMS can open content from users who use the on-premises RMS [Note: that if the migration is going to be performed over an extended period full two-way exchange of protected content between migrated and non-migrated users may require additional configurations. Pay special attention to the doc if this is the case for you].

An organization using Exchange, SharePoint and FCI integrated with AD RMS can continue to do so. These are features such as Exchange with IRM integration in OWA, or SharePoint libraries that automatically protect documents, or FCI on file servers. To use these workloads you will deploy the Azure RMS connector. This offer ‘connects’ Azure RMS with your on-premises services.

As a final step – after completing these steps and verifying that your AD RMS servers are no longer in use by any clients or servers -- you can decommission the AD RMS cluster and remove references in your environment to the old infrastructure. This is done by querying the AD RMS statistics reports.

At that point pop a bottle of bubbly and celebrate your being fully migrated to Azure RMS!

Learn more about migration: Migrating from AD RMS to Azure Rights Management

Onboarding Controls

If you’re deploying Azure RMS in a large organization you might feel a little uneasy about turning it on all at once. That’s ok, we listened and now understand… the latest Azure RMS PowerShell module supports a phased deployment of Azure RMS. This lets you designate a subset of users who can start to protect content with Azure RMS. This deployment configuration is useful when first deploying Azure RMS, because it lets an organization build up Azure RMS usage at its own pace. There are many reasons for this. Those who want this already know them.

For example, you can use the following PowerShell command to control which users can use Azure RMS by adding them to a designated group:

Alternatively, you can use the same control to ensure that only users who are correctly licensed to use Azure RMS can protect content. For example:

Learn more about configuring the onboarding controls: Set-AadrmOnboardingControlPolicy  

Departmental Templates

Today we are launching the public preview of a powerful enhancement to custom templates in Azure RMS. This one is a customer favorite / long standing top 3 ask! This feature permits organizations to make some templates available to a subset of their users. We call this option “departmental templates” and it consists of an additional parameter for each template, its “scope”, where you can designate groups that will receive this template.

This enables you to define a much larger numbers of ‘departmental’ templates that meet the needs of users in specific departments, roles, or divisions. Our many Azure RMS partners -- Gigatrust, Secure Island, TITUS, and Watchful Software -- enable powerful tools to manage these templates just like an IAM solution helps IT manage groups.

The basics are, well, quite basic: the scope controls which users will see the template as available to select when they want to protect new content. The rights within the template continue to control which users can view content that is protected with a particular template.

Example make this easier. An organization might want to define a template specifically for the Engineering department. The configuration of the template is such that it’s applicable to users in the engineering department only and should not be used by other departments. To do so, create a custom template with the required rights in the Azure RMS management portal, navigate to the SCOPE option in the template, and specify a group that includes people in the engineering department only.

One configured, only users in the engineering department will see this new template. This template isn’t visible to other users, so they can’t (incorrectly) select it.

 In this very simplistic example, here’s what an Engineering department user will see:

Here’s what other users will see:

You can also define departmental templates for users in specific employee roles, groups within the organization (e.g. “Executive Board Confidential”), projects, or business accounts, or even for IT processes that are not exposed directly to users. A departmental template can be assigned to anything that can be defined via a group or list of groups.

To display departmental templates according to the user’s identity, an application must support this feature. The RMS Sharing application already supports departmental templates so start with that. Other applications and Office 2013 are being updated over the next few months with this support. Just to make sure you don’t miss this, Office 2013 does not yet support this capability… it will be added shortly in the form of a service pack. Get all your early testing done with RMS sharing app.

Learn more about departmental templates from our Azure RMS Custom Templates documentation. 

NOTE: If you want to use this feature before Office ships it, you can do so using a template deployment script that downloads regular and departmental templates based on the user’s identity and makes them available to Office and other applications. When all your RMS-enlightened applications are updated to natively support departmental templates, this script is no longer needed and the applications will automatically display the departmental templates according to your configuration.

Updates for Windows Phone

A few months ago, we updated the RMS SDK and RMS sharing app for iOS, Android and Mac to support the PPDF scenarios and AD RMS Mobile Device Extensions (MDE). We now have Windows Phone as well. Enjoy! 

An RMS sharing app for Windows Phone is now available in the Windows Phone store.

We have also shipped the RMS SDK 4.1 for Windows Phone. RMS developers for Windows Phone will be able to use the updated RMS SDK 4.1 to provide the functionality that their counterparts on iOS, Android and Mac were able to provide. Primarily this includes:

• AD RMS support - IT admins can use RMS enabled applications on mobile devices with AD RMS server (MDE). 
• Offline Consumption - end-users can access RMS protected data offline.
• Segregated Authentication - developers can use their own authentication library for Azure RMS and AD RMS (or use the recommended Active Directory Auth Library).
• Segregated UI - developers can build their user interface to protect and consume RMS protected documents.

 Developer documentation is available here. You can download the latest build from here

RMS updates for Windows desktops

RMS sharing app has also been updated with many bug fixes in template management, localization, diagnostics, stability and quality. It is being rolled out now. You will soon receive a notification for upgrade when try to use ‘Share Protected’. Learn more about the update in release notes.

Also, the RMS SDK 2.1 is available here. Learn more about the update in release notes.

We hope that you will see the above as a commitment to listening to your feedback and adding the features and enhancements you most want. We will keep meeting with you and people like you so stay tuned for further updates and new features in coming months… there are some wicked cool features coming real soon so listen in on @TheRMSGuy and join our advisory board to vote on what should come next

Thanks for your continued support!

    Dan on behalf of our excellent team
    @TheRMSGuy

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for this month.  And, we're celebrating a full year of bringing you these doc update announcements, that we hope help keep you better informed.

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: January 1, 2015 (or later) at the top of the topic.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

It's been a great way to start the year!  First, check out the latest What's New in Azure RMS (September-December) if you need a round-up or refresher for updates and changes that saw out 2014.  Tip: You might want to bookmark "What's New in Azure RMS" to see a list of all changes during 2014, as well as automatically list new ones when they become available. 

NEW!  Then, check out our new storyboarding section: Azure RMS in action: What administrators and users see. This takes you through some typical use cases for Azure RMS, with screenshots. It covers activation and templates, the RMS connector with FCI, Exchange Online and DLP, SharePoint Online and protected libraries, and the RMS sharing app with an iPad.  Although the last scenario shows users applying information protection, this section highlights the control that administrators have when they automatically apply protection with simple but powerful "set it and forget it" configurations.

UPDATES!  We then move to doc updates that support the January releases and features, changes that update the support statements, and fixes and clarifications to incorporate customer feedback.  If you provided some of this feedback, thank you for helping to improve the docs for others!

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about the docs for the RMS sharing application, or for Azure RMS, email AskIPTeam@Microsoft.com.

What's New for the RMS Sharing Application Documentation, January 2015

The following information lists the topics that contain significant changes since the last update (August 2014) and support the January release.

Rights Management Sharing Application for Windows

- New landing page to bring together the main links for the RMS sharing application.

Rights Management sharing application: Version release history

- New topic that lists fixes and new functionality for each release, starting with our January release.

Rights Management sharing application administration guide

- Updates include:

• Clarifications to the Suppressing automatic updates section: Details about creating the RmsSharingApp key, if not already present, and a suggested strategy for testing new versions before an enterprise rollout.
• A new section, AD RMS only: Support for multiple email domains within your organization: Specific to the January release, how to edit the registry if your organization uses AD RMS and has multiple email domains, perhaps as a result of mergers and acquisitions. Without this configuration and newly added support, some users might not be able to consume content that has been protected by other users in your organization.

What's New in the Documentation Library for Azure Rights Management, January 2015

The following information lists the topics that contain significant changes since the last update (December 2014).

What is Azure Rights Management?

- New section, Azure RMS in action: What administrators and users see, which takes you through some typical use cases for Azure RMS, with screenshots. While the outcomes show the protection enforcement, the introduction reminds you that organization always remain in control of their data (can always access it) by using the Super User feature. In addition, the Enable-AadrmSuperUserFeature and Add-AadrmSuperUser reference topics are updated to clarify that the statement "super users can decrypt any rights-protected content file and remove rights-protection for content previously protected within that organization" applies even if an expiration date has been set and expired.

RMS for Individuals and Azure Rights Management

- Updated to add the New-MsolDomain command to the instructions "To obtain an Azure Active Directory subscription and take ownership of the Azure directory" and corrected the cmdlet to verify the challenge for Get-MsolDomain.

Comparing Azure Rights Management and AD RMS

- Updated the supported migration paths for Azure Rights Management, and added departmental templates as a differentiator for Azure RMS.

Requirements for Azure Rights Management

- Updated for the following:

• The introduction no longer says that migration from AD RMS isn't supported (however, running AD RMS and Azure RMS side-by-side remains unsupported).
• The Applications that support Azure RMS section has removed the entry that said Microsoft OneDrive for Business Online isn't supported.  For more information about this functionality, see the Office blog post: Secure and sync with Information Rights Management on OneDrive for Business.
• The Client device capabilities section has updates for TITUS solutions, and added 9Folders for Android email. The Windows Phone supported version is updated to 8.1 and removes the limitation that the RMS sharing app supports Azure RMs only.

Terminology for Azure Rights Management

- New entry for departmental template.

Azure Rights Management Deployment Roadmap

- Updated for migration and user onboarding controls.

Migrating from AD RMS to Azure Rights Management

- New topic if you're running RMS on-premises and want to benefit from the capabilities that Azure RMS offers, while preserving access to documents and email messages that your organization protected by using AD RMS.

Planning and Implementing Your Azure Rights Management Tenant Key

- Updated to reflect new changes in the updated version of the BYOK toolset, which includes new files and updated commands.

Activating Azure Rights Management

- Updated for information and instructions for user onboarding controls, if you need a phased deployment of Azure RMS.

Configuring Custom Templates for Azure Rights Management

- Updated for departmental templates (now in Preview) and the following:

• Added a tip if you want to specify rights for external users. You can do this with some restrictions and limitations.
• Recommendation to test the configured rights with your applications before deploying to users (by using departmental templates), because the actual implementation of each right can vary by application.
• Corrected the example in the Exchange Online Only subsection in the Refreshing templates for users section.

Administering Azure Rights Management by Using Windows PowerShell

- Updated for the cmdlets that support migration (Import-AadrmTpd) and user onboarding controls (Get-AadrmOnboardingControlPolicy and Set-AadrmOnboardingControlPolicy).

Azure Rights Management Cmdlets

- Updated for the new version number (2.1.0.0) and the new cmdlets that support migration and user onboarding controls.  In addition:

• The cmdlets for templates are updated for configuring departmental templates (the parameters EnableInLegacyApps and ScopedIdentities were previously unsupported).
• The Connect-AadrmService cmdlet description is updated to clarify which accounts qualify as an Azure RMS tenant administrator for when you are prompted for credentials.

Frequently Asked Questions for Azure Rights Management

- New entries:

• Can I control which of my users can use Azure RMS to protect content?
• When will you support migration from AD RMS?

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for this month. 

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: February 1, 2015 (or later) at the top of the topic.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

Unlike the previous month with the bumper crop of new releases and updates, February has been a fairly quiet month for doc updates.  There are no significant updates to the RMS sharing application and the updates we have are mainly to incorporate customer feedback and questions.

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about the docs for the RMS sharing application, or for Azure RMS, email AskIPTeam@Microsoft.com.

What's New in the Documentation Library for Azure Rights Management, February 2015

The following information lists the topics that contain significant changes since the last update (January 2015).

What is Azure Rights Management?

- Updated the final row in the What problems does Azure RMS solve? table, for the latest certifications that might be needed for compliance or regulatory requirements.

RMS for Individuals and Azure Rights Management

- Updated the section about how to take control of accounts and the sign-up process by using the AllowEmailVerifiedUsers parameter with the Set-MsolCompanySettings cmdlet from the Windows PowerShell module for Azure Active Directory. When this parameter is set to False (and AllowAdHocSubscriptions is set to True) only users who already have an account in Azure AD can sign up for RMS for individuals. This prevents new user accounts from being created automatically during the self-service sign-up process. 

In addition, added the Get-MsolAccountSku cmdlet as another check that you can use to see whether your organization has been granted an RMS for individuals subscription. If it has, RIGHTSMANAGEMENT_ADHOC is returned as one of the subscriptions with a pool of active units available.

Comparing Azure Rights Management and AD RMS

- Added a new row for file types to clarify that both Azure RMS and AD RMS now support protecting all file types when you use the RMS sharing application.

Deploying the Azure Rights Management Connector

- Updated the prerequisites to clarify that the connector must be installed on a member server and not a domain controller.

Helping Users to Protect Files by Using Azure Rights Management

- Updated to add a reference to new video: Azure RMS user experience

Azure Rights Management Cmdlets

Updated for the following:

• Add-AadrmTemplate to clarify that before using this cmdlet, you must first create a rights definition object that specifies the rights that you want to grant and to whom, by using New-AadrmRightsDefinition. The example for this cmdlet is also updated to include the configuration of a departmental template.
• New-AadrmRightsDefinition no longer references the "bundled rights" such as Co-Author and Co-Owner.  These are not working as expected so they are removed from the documentation while we investigate the issue.

Frequently Asked Questions for Azure Rights Management

- New entry:

• Can I prevent users from sharing protected documents with specific organizations?

Today we're very excited to announce RMS (aka IRM) support in the new Office for Mac preview. Yair Cohen is a Program Manager on the team and he’ll talk about the release in more detail.

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers,
  Dan (on behalf of the RMS team)

Hi, this is Yair. Last Thursday was a big day for the Mac community – Office 365 announced public availability of the new Office 2016 Mac Preview.

As part of our commitment to enable Information Rights Management (IRM) in Office on all platforms, we are proud to announce that Office 2016 for Mac has Azure RMS support.

Office 2016 for Mac is powered by the cloud so you can access and share your documents on OneDrive, OneDrive for Business and SharePoint at anytime, anywhere. With Azure RMS, you can also secure and control your documents wherever they go.

The new Outlook (released), Word, PowerPoint and Excel for Mac support Azure RMS and AD RMS, which means that users can now send and receive IRM emails, as well as open and create IRM documents, and share them within and outside your organization.

Office 2016 for Mac is not yet listed in our official documentation (the client capabilities table that lists supported applications) while it remains prerelease. But do keep checking this documentation and our blog for updates.

We’re looking forward to hearing from the Mac community and will use the feedback to finalize the product for release later this summer. You can download the Office apps today and try them yourself!

Note: If you are part of an organization that uses AD RMS, you need to install the new Mobile Device Extension package as described here. This is because Office IRM depends on the new RMS SDK 4.1, which uses OAuth 2.0 to authenticate users.

Please send us your feedback to Ask the RMS Info Protection Team.  

Cheers,
 Yair on behalf of the RMS team

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for this month. 

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: March1, 2015 (or later) at the top of the topic.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

March continues to be a fairly quiet time for doc updates.  There are no significant updates to the RMS sharing application and the few updates we have are to incorporate customer feedback and questions. We took advantage of this quieter period to update our generic cloud symbol that we had been using for Azure RMS in the documentation, and replace it with the official Azure RMS symbol.  As a result, What is Azure Rights Management? has had quite a makeover. Want an official copy of the Azure RMS symbol for your own documentation?  You can download versions for Visio, PowerPoint, and .PNG files for this and other Azure symbols from here: Microsoft Azure, Cloud and Enterprise Symbol / Icon Set for Visio, PowerPoint, PNG

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about the docs for the RMS sharing application, or for Azure RMS, email AskIPTeam@Microsoft.com.

What's New in the Documentation Library for Azure Rights Management, March 2015

The following information lists the topics that contain significant changes since the last update (February 2015).

What is Azure Rights Management?

- Updated the following pictures for Walkthrough of how Azure RMS works:

• For content protection, the picture previously showed a single key to sign and encrypt the policy. The signing is done with the user’s private key, the encryption with the organization’s public key. Although this detail was in the text, the picture now shows two separate keys to clarify this.
• For content consumption, the picture incorrectly showed the organization's public key decrypting the policy.  This is now corrected to show the organization's private key.

Requirements for Azure Rights Management

Updated for the following:

• Added information to the infrastructure requirement to not terminate the TLS client-to-service connection (sometimes done for "SSL inspection") or use authentication on behalf of users with web proxy servers. Doing either of these will result in a failed client connection to Azure RMS.
• Clarified that Microsoft OneDrive for Business is supported except when used with SharePoint Server 2013.

Terminology for Azure Rights Management

- Added the terms protect and unprotect, because these have specific meaning when in the context of Rights Management.  Also added an entry for use license, which is introduced in Walkthrough of how Azure RMS works and can be configured in a custom template, by using the offline access option, Number of days the content is available without an Internet connection in the Azure Management Portal.  It can also be configured by using the LicenseValidityDuration parameter with the Add-AadrmTemplate cmdlet.

Deploying the Azure Rights Management Connector

- Updated for the following:

•  For consistency, all 3 examples for the Add-AadrmRoleBasedAdministrator command to install the RMS connector by using the Microsoft RMS connector Administrator account now reference the ConnectorAdministrator role with a clarification that you can also use the GlobalAdministrator role.
• The table of registry changes for File Classification Infrastructure was missing an entry for the Activation key, now added.

Azure Rights Management Cmdlets

Updated for the following:

• Set-AadrmOnboardingControlPolicy to remove the SecurityGroupObjectId parameters from Example 3: Restrict Azure RMS to users who have a license and Example 4: Do not restrict Azure RMS for users.
• Set-AadrmTemplateProperty to correct that LCID is an integer, not a string.

Hi Everyone,

We’re excited to announce an update to use license caching for Azure RMS. Shubha Pratiwadibhayankar is a PM on the team and she'll talk about these updates in more detail.

Hello, this is Shubha.

Today, we're making available an Azure RMS feature that you've all been asking for – a smaller default value for the use license cache validity period.

In the past, by default, use licenses never expired. We have changed this default to be 30 days. Any new content published will now require recipients to re-authenticate themselves every 30 days (this doesn’t mean users will see an authentication prompt, it just means that the application will connect to Azure RMS to get a new license. If the user already has a cached authentication token, then there will be no prompt).This also applies to new content created using an existing template which had no use license expiration set, or a use license expiration set to greater than 30 days.

The smaller default is more secure. A document that has expired or has changed usage rights causing the user to lose access will not be accessible by the user after the cache becomes invalid. Having control over the use license also provides support for document revocation, a soon-to-be released new feature.

Along with this change, we’re also providing you the ability to change the license cache validity period for your organization. You can use these two new PowerShell cmdlets which are now part of the Azure RMS Administration Tool.

Set-AadrmMaxUseLicenseValidityTime: This cmdlet sets the maximum validity time for use licenses that Azure RMS grants for your organization when it protects files and email messages. The default value is 30 days.

Get-AadrmMaxUseLicenseValidityTime: This cmdlet gets the maximum validity time, in days, for Azure RMS use licenses in your organization. The default value is 30 days.

Your organization can choose to override this tenant-level setting by using a more restrictive setting in a rights policy template as before. Less restrictive values will not override the tenant-level setting.

Take note: When you change the default value by using this cmdlet, you’re making a tradeoff between security and the ability to have offline access for longer periods. Choose a maximum value that best suits your organization:

-- With a low value, users will be required to authenticate more often; this is more secure, and means they will be quickly prevented from accessing protected documents whose rights may have changed. Again, this doesn’t mean users will see an authentication prompt. If a valid token is available, authentication will be silent.

--With a high value, users will be required to authenticate less often; however, this is less secure, and means that they will continue to have access to a protected document whose rights may have changed.

If you have any questions, you can reach us at askipteam@microsoft.com

Cheers!

Shubha, on behalf of the RMS team

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for last month - delayed a few days, to accommodate Brad Anderson's announcement of RMS document tracking at Microsoft Ignite.  Miss it?  Watch the full recording of the keynote or read the recap of the demo: Ignite Keynote Demo Recap: Document Tracking & Secure Collaboration with Azure RMS.

Reminders: Follow us on twitter (@TheRMSGuy) and join in our our new RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: April 1, 2015 (or later) at the top of the topic.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

With the recent release of the RMS sharing application and document tracking in preview, we have a lot of doc updates for you in addition to updates and fixes as a result of customer feedback.  We're also debuting a NEW, Quick Start Tutorialfor people who want to quickly test Azure RMS for themselves in just 5 steps and 15 minutes or less.  It covers activating the Azure RMS service, securely sending a confidential document by email to somebody in another organization, and then tracking when that document is opened.  Note that you need the latest version of the RMS sharing application for this tutorial, because it uses document tracking, and the instructions and picture reflect the latest UI.  We're also looking into providing customizable end-user documentation, starting with the business-to-business share protected scenario.  If you're interested in reviewing and using an early version of this documentation, please contact us.

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about the docs for the RMS sharing application, for Azure RMS, the new tutorial, or want to review an early version of the customizable end-user documentation, email AskIPTeam@Microsoft.com.

What's New for the RMS Sharing Application Documentation, April 2015

The following information lists the topics that contain significant changes since the last update (January 2015) and support the April release.

Rights Management sharing application: Version release history

- Updated for fixes and new functionality in the April release. For known issues, check the Common issues section in the FAQ for Rights Management Sharing Application for Windows, which has also been updated for the April release.

Rights Management sharing application administration guide

- Updated the Supported file types and file name extensions table to include files that have a file name extension of .jt will be renamed .pjt.

Rights Management sharing application user guide

- Updated throughout for the latest release. Includes:

• New topic, Track and revoke your documents.
• Updated instructions and pictures for Protect a file on a device (protect in-place) and Protect a file that you share by email.
• Updated options and version number in Specify settings in the dialog box.

What's New in the Documentation Library for Azure Rights Management, April 2015

The following information lists the topics that contain significant changes since the last update (March 2015).

What is Azure Rights Management?

- Updated the Azure RMS in action: What administrators and users see section, to reflect the latest UI from the RMS sharing application.

How Applications Support Azure Rights Management

- Updated the RMS sharing application for Windows and mobile platforms section, to include document tracking. Also updated the Other applications that support the RMS APIs section, to revise the information about where you can information about RMS-enlightened applications. These used to be available as icons on the Microsoft Rights Management page, but this page now directs you to the Client device capabilities table for this information.  As noted in the Community Addition at the bottom of the page, we're aware that this table doesn't list all our RMS partner solutions (for example, GigaTrust, RightsWATCH, Secure Islands), but only end-user applications that don’t require an additional server product.  We hope to have information for all RMS partner solutions available soon.

Comparing Azure Rights Management and AD RMS

- Updated with the information that Azure RMS supports the document tracking portal with the RMS sharing application; AD RMS does not support the document tracking portal.

Requirements for Azure Rights Management

- Updated the Client device capabilities section, to change the final column from Generic Protection to Other file types. Also removed "Azure RMS only" for Foxit Reader for iOS and Android, now that this app now supports AD RMS for these mobile devices. Note that the Comparison of Rights Management Services (RMS) Offerings referenced from this page has been substantially updated to clarify the subscriptions, provide a more expansive list of features, and now includes document tracking and revocation.

Quick Start Tutorial for Azure Rights Management

- New topic, for people who want to quickly test Azure RMS for themselves in just 5 steps and 15 minutes or less.  It covers activating the Azure RMS service, securely sending a confidential document by email to somebody in another organization, and then tracking when that document is opened. 

Configuring Custom Templates for Azure Rights Management

- Updated for the following:

• Added a Tip to the instructions when configuring the rights, to consider adding the Copy and Extract Content right and grant this to selected administrators or personnel in other roles that have responsibilities for information recovery. Granting this right lets them remove protection if needed, from files and emails that will be protected by using this template. This ability to remove protection at the template level provides more fine-grained control than using the super user feature.
• Modified the example for application compatibility for departmental templates, to clarify the difference between Exchange Online and Exchange Server.
• Modified the instructions to refresh templates for Office 2013, from deleting a folder to editing the registry.

Deploying the Azure Rights Management Connector

- Updated the Entering credentials section for the information that if you've configuring onboarding controls, you must include the account that you specify for the connector. Otherwise, you will see the error "The attempt to discover the location of the administration service and organization failed. Make sure Microsoft Rights Management service is enabled for your organization". Some customers have been running into this issue, not realizing that another administrator previously configured onboarding controls.

Verifying Azure Rights Management

- Updated to include the RMS Analyzer tool to help identify and fix potential problems. To read more about this tool and a walkthrough with sample data, I can recommend Tom Aafloen's blog post: Rights Management Services Analyzer Tool – updated.

Helping Users to Protect Files by Using Azure Rights Management

- Updated to include information about the document tracking site, and link to the video: Azure RMS Document Tracking and Revocation.

Administering Azure Rights Management by Using Windows PowerShell

- Updated for the new configuration scenario to configure the default use license validity period, and blogged previously in April: Changes to the Azure RMS use license validity period and new version of the Azure RMS Administration Tool

Azure Rights Management Cmdlets

Updated for the following:

• Get-AadrmMaxUseLicenseValidityTime and Set-AadrmMaxUseLicenseValidityTime are added as new cmdlets to the Azure RMS module.
• Add-AadrmTemplate and Set-AadrmTemplateProperty is updated so that the description of the ContentValidityDuration parameter includes references to the tenant-level equivalent setting and the user-level equivalent setting, both of which can override this parameter. The most restrictive setting is always used.

Hi everyone, 

On Thursday our very own @simonster is hosting us at the Microsoft studios. Here's what Simon has to say:

Upcoming Jump Start: Azure RMS Core Skills

Protecting your organizations data is something that should be top-of-mind for every IT person out there. It’s not something that is just the job of the CSO or the folks in the security team, but if you are in that team it is absolutely something you should be thinking about. It’s what I would term a “core skill” that you need on your resume for the future.

That’s why I’m really excited to bring you the third installment of our Enterprise Mobility Core Skills Jump Start series this week, focused on Azure RMS.

This Jump Start will focus on the following key areas:

• Activating Azure RMS
• Protecting the files your users share
• Tracking and revoking usage of protected files
• Building and managing templates
• Integrating with on-premises services

Of course I won’t be delivering this alone, Dan Plastina (@theRMSguy) will first help me to help you understand why Azure RMS is so important to your organization. Then, for the rest of the session, Carol Bailey, the amazing technical writer behind the Azure RMS documentation, and I will help you get the core skills you need to start protecting your organization’s information.

You can sign up for the event, running Thursday, May 21^st at 9am PST right here. You can watch the previous episodes in the series on the same page too.

Thanks and we look forward to hearing your questions on the live Q&A!

Simon May

You can get more on Microsoft Enterprise Mobility and Windows on my blog http://simon-may.com and follow me on twitter for the inside scoop @simonster

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for this month - and hope you were able to join both of us in Simon May's Azure RMS Jumpstart earlier this month. If not, the recording should soon be available on the Microsoft Virtual Academy site (check the Recorded Events section).

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: May 1, 2015 (or later) at the top of the topic.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

Super users and how/why/when to use them in Azure RMS has been a very popular question this month, so we've created a new topic (Configuring Super Users for Azure Rights Management and Discovery Services or Data Recovery) just for this feature, which pulls together information that was previously in multiple topics. We've also had questions about how to decommission Azure RMS from a production environment - not because any customer actually wanted to do this but because they want to deploy Azure RMS knowing that they could do this, if ever they wanted or needed to. It's part of our mission that you always stay in control of your data when you use Rights Management, so we've added instructions and recommendations in the Deactivating topic that help ensure you always have access to data that we protect, even if you decide to no longer use our information protection services.

There are no updates to the RMS sharing application documentation this month.

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about the docs for Azure RMS, email AskIPTeam@Microsoft.com.

What's New in the Documentation Library for Azure Rights Management, May 2015

The following information lists the topics that contain significant changes since the last update (April 2015).

What is Azure Rights Management?

- Moved the certifications for Azure RMS to its own subsection, Security, compliance, and regulatory requirements so that it can more easily be referenced for security administrators who are specifically looking for this information.

Comparing Azure Rights Management and AD RMS

- Added the additional differentiator for the RMS sharing application, that it supports sharing with people outside your organization only when used with Azure RMS.

Requirements for Azure Rights Management

- Removed the operating system versions for the supported Windows operating systems and instead, reflected the differences in the Office versions supported.

Frequently Asked Questions for Azure Rights Management

- New entries, based on recently asked customer questions:

• Can I integrate Azure RMS with my on-premises servers?
• If I deploy Azure RMS in production, is my company then “locked into” the solution or risk losing access to content that we protected with Azure RMS?
• How do we regain access to files that were protected by an employee who has now left the organization?

Migrating from AD RMS to Azure Rights Management

- Added a new limitation if you import your on-premises key to Azure RMS as archived. Also updated to clarify that although it's not ideal, you can still migrate your AD RMS to Azure RMS if you discover that the service has already been activated. For more information, see "What if your Azure RMS tenant is already activated?" in Step 3: Activate your RMS tenant.

Configuring Custom Templates for Azure Rights Management

- Updated to clarify that when you specify mail-enabled groups and you're synchronizing these from Active Directory on-premises, these groups can be distribution groups or security groups. This information applies to all configuration operations for Azure RMS, and so is also added to Preparing for Azure Rights Management.

Configuring Super Users for Azure Rights Management and Discovery Services or Data Recovery

- New topic, which explains what the super user feature is and how and why you might want to use it. The most typical scenario we get asked about is regaining access to files that somebody protected and then left the company. There's also a section about scripting because for data recovery scenarios, you usually want to remove protection from multiple files, multiple locations. That's a lot easier when you script it, using the newly released RMS Protection tool.

Decommissioning and Deactivating Azure Rights Management

- Updated for decommissioning options (should you ever decide to stop using Azure RMS) and updated the title to reflect this.

Logging and Analyzing Azure Rights Management Usage

- In the introduction, included a reference to the RMS usage reports in the Azure portal, and also added the tip into the instructions that if you don't see the option for Storage in the portal, you probably don't have an Azure subscription as listed in the prerequisites table.

Installing Windows PowerShell for Azure Rights Management

- Updated the prerequisites for .NET Framework to 4.5 with a tip that this version is automatically installed if you have at least Windows 8 or Windows Server 2012.

A few months ago we announced the preview of Azure RMS Departmental Templates, a feature that allows organizations to define different policies that will be deployed to different departments (or roles) for their use in documents and emails.

We are pleased to announce that this feature is being officially released today, alongside with the incorporation of native support for this feature in Office 2013.

With Departmental templates organizations can define specialized templates that meet the needs of users in specific departments, roles or divisions. This is done through an additional parameter for each template, its scope, where you can designate the groups that will receive this template. This is separate from the rights in a template, which apply to the content protected with the template. The scope controls not which users can view content protected with the template, but which users will see the template listed when they want to protect new content.

This can be used in a variety of scenarios, such as where an organization may want to define a set of templates for each of their departments.

For example, let’s imagine a fictional organization Contoso, which has three departments on which they want to enable specialized RMS policies: Marketing, HR and Engineering. They want these templates to align with their classification taxonomy, which calls for Confidential and Strictly Confidential content, in addition to company-wide internal content.

In order to implement this model Contoso would want to create the following templates:

An administrator would archive the two default templates and then create the seven custom templates defined above (for the first one, copying the default Contoso Confidential template is probably the easiest approach, as it would allow them to change its name and any other property they may want to modify from the default values).

Each of the marketing, HR and Engineering templates would limit access to content to people within those departments in addition to upper management, with rights according to the sensitivity of the material: Confidential templates grant the team Co-Author rights to content with no expiration and limited offline access, while the Strictly Confidential templates grant the same people View Only rights, with no offline access and a one-year expiration setting.

Since even with just three departments (and most organizations have many more) asking users to pick from a list of seven templates each time they want to protect content could result in confusion and errors, Contoso decides to make the templates that are specific to HR, Marketing and Engineering departmental templates by specifying a scope that includes the corresponding departments.

Let’s see how Contoso would define the Marketing Confidential template.

On the Rights option they would add the Marketing and Executive Board groups, granting those groups Co-Author rights so they have flexibility in managing the content:

On the template configuration, they would enter no expiration and a one-day offline access policy for the content protected with the template.

And finally, they would navigate to the Scope section where they would specify the groups that will see this template:

Selecting the Marketing group they indicate that only people at the Marketing team will see this template listed in the policy options.

The administrator would follow similar steps for each of the other templates in the list.

Once these templates are created, published and deployed to clients, members of each department would see only the templates pertinent to them.

A member of the Marketing group using Office 2013 would see the following policy templates:

While a user in the Engineering group would see the following policies:

As you can see, this keeps the list of policy options very short and easy to navigate so users can choose the right policy without hesitation, while offering them the options they need.

This feature can also be used to define templates for users in specific employee roles, groups within the organization (e.g. “Executive Board Confidential”), projects or customers. A departmental template can be assigned to anything that can be defined via a group or list of groups in Azure Active Directory.

In order to be able to display Departmental templates, an application needs to support this feature. Office 2013 has been refreshed with the latest updates to support this new feature so no further action is needed for these clients to properly display departmental templates. The RMS Sharing app, mobile applications and several third party applications already support departmental templates as well.

Since Office 2010 does not download policy templates itself, but it relies on an external task to do it, you can bring departmental templates to this application by deploying the templates via a script or task that supports these templates, such as the Enhanced Template Deployment Script available in Microsoft Connect (you will need to sign in to Microsoft Connect first to download this script).

With this feature you can also break through the practical limitations in the number of templates you can create, since you can now define as many templates as your organization needs, and selectively display only a subset of them to individual users according to their needs.

You can learn more about departmental templates from our Azure RMS Custom Templates documentation.

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for this month.

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: June 1, 2015 (or later) at the top of the page.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

Unfortunately, we're still waiting for the recording of Simon May's Azure RMS Jumpstart, but in the meantime, you might be interested in reviewing the questions/answers from people who attended: Your questions answered from the Azure RMS Core Skills Jumpstart

Update July 1st: Hot off the press - the recording is now available: https://www.microsoftvirtualacademy.com/en-US/training-courses/azure-rights-management-services-core-skills-10500 

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about the docs for Azure RMS, email AskIPTeam@Microsoft.com.

What's New for the RMS Sharing Application Documentation, June 2015

The following information lists the topics that contain significant changes since the last update (April 2015).

Rights Management sharing application administration guide

- Updated the introduction to clarify that the RMS sharing application can be used with Azure RMS and AD RMS, but some features are supported with Azure RMS only. 

Rights Management sharing application user guide

- Updated the Dialog box options page, to clarify what time zone is used to determine a specified expiry time.

What's New in the Documentation Library for Azure Rights Management, June 2015

The following information lists the topics that contain significant changes since the last update (May 2015).

How Applications Support Azure Rights Management

- Updated for the following:

• The SharePoint Online and SharePoint Server section for information about the IRM features that are not yet implemented in SharePoint, with a reference to an Office blog post that explains how SharePoint supports Azure RMS today. There is active work going on for IRM in SharePoint, so expect this section to be updated soon.
• The File servers that run Windows Server and use File Classification Infrastructure (FCI) section to clarify that the RMS connector protects Office files. To protect all file types, you don't use the RMS connector but instead, the file server computer directly communicates with Azure RMS by using PowerShell commands from the RMS Protection module, and some additional configuration.

Requirements for Azure Rights Management

- Added a reference to the Office blog post, Office everywhere, encrytion everywhere at the end of the Client device capabilities section, for the latest information about how Office supports Azure RMS on different platforms. 

Frequently Asked Questions for Azure Rights Management

- New entries, based on recent customer questions:

• We really want to use BYOK with Azure RMS but learned that this isn’t compatible with Exchange Online—what’s your advice?
• I have a hybrid deployment of Exchange with some users on Exchange Online and others on Exchange Server—is this supported by Azure RMS?
• A feature I am looking for doesn’t seem to work with SharePoint protected libraries—is support for my feature planned?

Quick Start Tutorial for Azure Rights Management

- Updated with screenshots.

Migrating from AD RMS to Azure Rights Management

- Added a reference to the BYOK pricing and restrictions section from the Planning and Implementing Your Azure Rights Management Tenant Key topic to help you choose the best Azure RMS tenant key topology for your migration if you want to use Exchange Online. Also added a new step for configuring IRM integration for Exchange Online.

Planning and Implementing Your Azure Rights Management Tenant Key

- Updated the BYOK pricing and restrictions section with more information about the current limitations and choices if you want to use Azure RMS BYOK and Exchange Online.

Configuring Custom Templates for Azure Rights Management

- Updated for the following:

• Removed "preview" for departmental templates. If you missed the announcement that this feature went GA, see Announcement: General Availability of Departmental Templates.
• Removed Office 2013 folder details for manually copying departmental templates now that Office 2013 with the June updates now natively supports departmental templates.
• Updated the Refreshing templates for users section by adding the RMS sharing application to the Office 2013 instructions, and added a new registry setting to refresh templates in seconds rather than days. The RMS sharing application for Windows shares the same template refresh behavior as Office 2013, whereas the RMS sharing app for mobile devices automatically refreshes templates the next time it connects to Azure RMS. The new registry setting is also added to the RMS Client Deployment Notes, which has been revised to include both AD RMS and Azure RMS.

Configuring Usage Rights for Azure Rights Management

- New topic, with detailed information about the available usage rights and how these rights are interpreted by applications.

Deploying the Azure Rights Management Connector

- Updated the introduction to clarify that the connector is supported with hybrid deployments (for example, some users have mailboxes on Exchange Online and some on Exchange 2013) and on virtual machines, including Azure IaaS VMs.  Also updated the SharePoint Server 2013 registry table settings to match the settings that configured by the server configuration tool.

Helping Users to Protect Files by Using Azure Rights Management

- Updated the Help desk information guidance, to include the RMS Analyzer tool, how to recover files, and tips if users report problems protecting content or consuming protected content.

Happy Wednesday

Today we're very excited to announce RMS (aka IRM) support in the new Office 2016 for Mac. Yair Cohen is a Program Manager on the team and he’ll talk about the release in more detail.

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers,
  Dan (on behalf of the RMS team)

Hi guys, this is Yair. Last week Office 365 announced general availability of the new Office 2016 for Mac.

As part of our commitment to enable Information Rights Management (IRM) in Office on all platforms, we are excited to announce that Office 2016 for Mac has Azure RMS support. Very soon,Office for iOS will also enable Information Rights Management (IRM), and other platforms will follow later this year.

Office 2016 for Mac is powered by the cloud so you can access and share your documents on OneDrive, OneDrive for Business and SharePoint at anytime, anywhere. With Azure RMS, you can also secure and control your documents wherever they go.

The new Outlook, Word, PowerPoint and Excel for Mac support Azure RMS and AD RMS, which means that users can now send and receive IRM emails, as well as open and create IRM documents, and share them within and outside their organization.

You can download the Office apps today and try them yourself! 

If your organization uses Azure RMS, you are all set. Just sign in with your organizational account and open or create IRM protected emails and documents.

If your organization uses AD RMS, your admin will need to install the new Mobile Device Extension package as described here. This is because Office IRM depends on the new RMS SDK 4.1, which uses OAuth 2.0 to authenticate users. Note that even if you already have Mobile Device Extension installed in your org, your admin would still need to install the new version update that was released today and includes a few important fixes for Office 2016 for Mac.

As always, we encourage you to send us your feedback to Ask the RMS Info Protection Team.  

Cheers,
 Yair on behalf of the RMS team

Click on the image to read the full article in Office blogs:

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for this month. And July has been a very hot month for us!

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: July 1, 2015 (or later) at the top of the page.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

With all the new releases coming out that support Rights Management, the documentation page to watch and refresh at the moment is Requirements for Azure Rights Management - you might want to add this to your favorites! For more information about some of the releases, check out our blog posts if you haven't already. For example: Office 2016 for Mac available now with Azure RMS support! and Office for iPad available now with Azure RMS support!

In addition, when Office for Mac 2016 released, we updated the Active Directory Rights Management Services Mobile Device Extension documentation, to let AD RMS customers know that this latest Office version requires our latest version of the mobile device extension. If you're not sure how to confirm whether your installed version supports Office for Mac 2016, we've added instructions how to check.

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about the docs for the RMS sharing application, for the mobile device extension, or for Azure RMS, email AskIPTeam@Microsoft.com.

What's New for the RMS Sharing Application Documentation, July 2015

There are no technical changes to the sharing application documentation since the last update (June 2015), except to document a new release for minor fixes. For more information, see Rights Management sharing application: Version release history.

What's New in the Documentation Library for Azure Rights Management, July 2015

The following information lists the topics that contain significant changes since the last update (June 2015).

How Applications Support Azure Rights Management

- In the SharePoint Online and SharePoint Server section, removed the limitation that you cannot share with people outside your organization. With recent changes to SharePoint, you can now share by using a work or school account, or a Microsoft account.

Requirements for Azure Rights Management

- Although Windows 10 is now added as a supported operating system, the RMS sharing application doesn't yet support this latest Windows release, which is reflected in the Applications section (the Important callout box).  This restriction should be resolved very soon!  In addition, the Client device capabilities section has multiple updates for the recent releases:

• Office Mobile apps and Siemens JT2Go: JTfiles are added for Windows 10
• Office for iPad and iPhone is added for iOS (Word, Excel, PowerPoint)
• Office 2016 for Mac is added for OS X  (Word, Excel, PowerPoint, and for Email)

Frequently Asked Questions for Azure Rights Management

- New entry:

• When I share a protected document with somebody outside my company, how does that user get authenticated?

Configuring Applications for Azure Rights Management

- Updated the following sections:

• Exchange Online: IRM Configuration: Expand this section to now see a typical set of commands that enables Exchange Online to use Azure RMS.
• SharePoint Online and OneDrive for Business: IRM Configuration: Expand this section to now see configuration steps for OneDrive for Business. This section now more clearly delineates the different levels of configuration required and who would usually do this configuration.

Import-AadrmTpd

- Updated the -ProtectionPassword<SecureString> parameter description, for information about how to specify special characters (such as symbols) for paswords when you use ConvertTo-SecureString. Chances are, if you have a strong password, you will use special characters.  If you do not escape these characters when you specify the password or surround them in single (not double) quotes, PowerShell strips them out so the password will fail and you see the error messages Trusted Publishing Domain data is corrupted and The remote server returned an unexpected response: (400) Bad Request.

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for this month.

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: August 1, 2015 (or later) at the top of the page.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

This month sees updated documentation published for the RMS Protection cmdlets, installed with the RMS Protection Tool. This updated information replaces the original PDF that was included when the tool first released in June. Expect the help file that is used with the Get-Help commands to be replaced soon. The new help file has additional examples and includes the online parameter for each cmdlet, so that you can always check for the latest information online (and localized versions, when available). 

On the RMS Protection cmdlets page, you'll find the latest system requirements, current limitations, and the usual table of links for each of the cmdlets. The getting started information that was in the original PDF has been moved to two new "about" help topics—about_RMSProtection_AzureRMS for Azure RMS, and about_RMSProtection_ADRMS for AD RMS. Both of these include any additional prerequisites for their respective deployment platform, and an end-to-end walkthrough for typical scenarios.

One other update this month that's worthy of particular notice is a new section we've added to the main page of the Azure Rights Management documentation, which we named Also known as ...  We've known for a while that our history of rebranding Azure Rights Management has left people very confused about the name—which is not at all surprisingly, considering how many times this service (and its predecessors) have been renamed! 

Unfortunately, old references aren't always updated, which leaves a confusing array of possible names and abbreviations that include "Windows Azure Active Directory Rights Management Service", "Windows Azure AD Rights Management", and "AADRM" (which you still see in the cmdlets for Azure Rights Management)—and other combinations. Many people get confused about what the "S" stands for, in the widely used "Azure RMS" abbreviation ... is it "Services", "Service", or "service"?  We've even seen "Suite" and "System".  When people get the name wrong, other people then copy it, and the confusion grows. The upshot is, when people search using one of the old names (or an incorrect name), it makes it very hard to find the current documentation.

There's no perfect solution here, but we're trying this Also known as ... section on the main page, in which we include the old names, as well as put some context around the name changes. We're hoping that this might work as a safety net for people searching with an old name, will act as an authoriative reference for people who want to make sure they are using the correct name in their documentation and presentations, and maybe even provide some interesting background information that helps people understand and remember the official name of "Azure Rights Management".  If this is successful, you could see this Also known as section in other product documentation that has similar problems with (re)naming! 

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about the documentation for the RMS Protection cmdlets, the new "Also known as .." section, the RMS sharing application, or for the Azure RMS docs in general, email AskIPTeam@Microsoft.com.

What's New for the RMS Sharing Application Documentation, August 2015

There are no technical changes to the sharing application documentation since the last update (June 2015), except to update the Rights Management sharing application: Version release history to reflect the new refresh period of 1 day for templates, which went into the last version.

What's New in the Documentation Library for Azure Rights Management, August 2015

The following information lists the topics that contain significant changes since the last update (July 2015).

 Azure Rights Management

- New section, Also known as ... to help clarify the official service name, as well as its history and relationship with Office and the subscriptions that include Azure RMS.

Requirements for Azure Rights Management

- Updated the Client device capabilities section, to add Gaaiho Doc, which support Protected PDF for Windows, and Outlook for iPad and iPhone for iOS.

Frequently Asked Questions for Azure Rights Management

- New entry:

• Can I add users from outside my company to custom templates?

Activating Azure Rights Management

- Updated to clarify that onboarding controls can be configured either before or after you activate Azure RMS. Also clarified that these controls are for client applications, such as Word and the RMS sharing application. Server-side applications, such as Exchange, can implement their own per-user controls for RMS integration to achieve the same result.

Configuring Custom Templates for Azure Rights Management

- Updated the Refreshing templates for users section, to reflect the new default refresh period of 1 day for the RMS sharing application. Because this update also applies to AD RMS clients, this update is also reflected in the RMS Client Settings section of the RMS Client Deployment Notes.

Configuring Applications for Azure Rights Management

- Expand the Exchange Online: IRM Configuration section to see the newly included reference to protected voice mail (Unified Messaging).  Also added a new subsection, for Office 365 Message Encryption.

Configuring Super Users for Azure Rights Management and Discovery Services or Data Recovery

- Updated with a new section for security best practices with example log entries for monitoring super user administrative commands. Also added a note to the scripting options section, that the RMS Protection tool does not yet support super users; instead you can use a service principal account to authenticate to Azure RMS.

New-AadrmRightsDefinition

- Updated the Rights parameter, for the missing values related to email (FORWARD, REPLY, REPLYALL).

Hi Everyone,

We've gotten a lot of feedback that organizations often need to share documents for which some of the information cannot be disclosed to everyone. They don't want a multitude of documents and they don't want to restrict a flow of the information that is less sensitive. What they really want is agency-style redaction behaviors. Today we're announcing a preview of the offer so you can begin to integrate the concept into your workflows. The final release of the offer will add several additional capabilities shortly. 

What it is not

There are many ways of doing redaction, some better than others. Some vendors have approached this problem by deleting the content from the document as the user opens it. This approach has several quite poor side effects:

1. Loss of document context (Hmm, this does not make sense. Stuff seems to be deleted).
2. Loss of document meaning (am I missing 3 words or 3 FULL pages?)
3. The now necessary re-flowing of the pages creates very confusing interactions (Go to Page 22, paragraph 3. I'm there but I don't see what you're quoting? I said PAGE TWENTY TWO, PARAGRAPH THREE. I know what you said but that is not what I see).

We can go on but, the net of it, is hacking at the content and quite frankly ruins the authenticity of the overall experience. This is not a suitable approach.

What it is

Microsoft and Foxit have developed a patent pending approach to this problem. We want you to see the document you were meant to see, but without the 'juicy tidbits' that are, well, not meant for you to see. Let's review a few use cases…

You're a leading pharmaceutical company and you have a drug trial going on with 1000 patients. You have a staff (army) of physicians who need to study the side effects of the drugs. It's critical they:

1. See EVERYTHING in the document except for the patient info.
2. Be able to SEARCH for everything in the document except for the patient info using normal search tools without having to open the document.
3. Maintain document formatting, flow, pagination, etc.
4. Be able to print (single, multiple) documents using normal tools and devices without having to open the document.
5. Be able to tell the document owner that this patient needs to be contacted.

It's pretty easy to see the power of the solution to this pharmaceutical company. Let's try another, this time with follow along pictures.

You are now a seller and you want to send out order invoices. Today you have to generate TWO copies of the document. One is the actual invoice with prices. The other is the order landing form as they call it. In the paper-based days this was easy. Mail the invoice and glue the landing form to the shipping box. In these days of electronic retail, we could send one doc with different rights. Let's see what that looks like:

Here you see an order from Contoso. You'll note a few special things about this particular PDF. First, it has agency-style redactions where the discount and total is. This is to protect the seller's special pricing for the mega-store Contoso (Smaller companies like Fabrikam don't get those same deep discounts). The second thing you'll notice is that there is a header at the top. This header educates the user that this is one of those special dual mode documents.

Zooming in on the header:

The user is taught how to get a viewer to see 'behind' the redactions and they are taught how to get a free evaluation tool to learn how to make their own redacted documents. The free Microsoft RMS Sharing app, Foxit Reader and PhantomPDF will  all able to show both modes of this file.

The free RMS Sharing application does not yet render these files (coming soon) but the preview version of the Foxit PhantomPDF does. Here's what it looks like:

In this view, no surprise, the PDF with redaction looks just like it did in the above PDF preview view. However, in this case there is an added 'yellow bar' that offers to let you VIEW THE FULL CONTENT. Selecting this button validates that you're authorized to see the file. If you are – lucky you – you will see the below view of the file:

At this point you can toggle back to the REDACTED VIEW of the file.

Before we walk you through creating your own with the preview offer, let's talk about the near-magical (and patent pending) abilities of these redacted PDFs.

1. You can view the redacted document in ANY PDF viewer, on ANY device. Really.

2. The PDF is indexed for search in ANY storage environment: Windows, email, SharePoint, document libraries, specialty enterprise content management systems, custom code using Windows IFilter, etc. For example, you could type XBOX ONE in your Windows start menu and the above file will be found. You can NOT, by design, find it by the 332.49 price however.  The redacted information will not be indexed in this case.

3. "Quick resizing of the window" or any other trickery does NOT make the black bars slip to reveal the text. In fact, the black bars do not really protected the text as the text is GONE from the PDF. (Our little secret: An RMS protected PDF is hidden inside the redacted PDF. The hidden text is visible in that fully-encrypted copy).

How to create your own

Few would doubt that Word is the defacto tool for document creation and that PDF is an extremely common way of disseminating 'published' information. The combination of these two formats and their respective tooling is the only way to enable a mainstream scenario.

So, once you install the Foxit^® Redaction Plugin for Microsoft Word^, you'll see this familiar toolbar. In addition to the previously available CREATE PDF and CREATE AND EMAIL actions you now see MARK FOR REDACTION and CREATE REDACTED actions. These do, well, what they say.

One would simply select text and MARK FOR REDACTION as many time as is necessary. Once the content is redacted, the user would invoke the MARK FOR REDACTION action that will save the document out as a redacted PDF and launch the Foxit viewer to preview the content.

 Selecting CREATE REDACTED offers the user the familiar RMS templates.

 And, just as we started with, the author sees the PDF that others will see:

How to get it

The Foxit^® Redaction Plugin for Microsoft Word is available now in Public Preview. We're worked with Foxit to offer you these general terms:

1. 90 days of free to use

2. Trial license supports up to 100 users in your organization. 

3. The product supports Microsoft Word 2013

If you'd like more different terms, please contact Foxit via their web page info.

Our team are working on generally availability for later this year. That will include all of the above in completed for as well as the RMS viewer being able to render these dual-personality PDFs.

For more information on the preview download, please visit this link: www.foxitsoftware.com/redact

In closing, here's a short interview with Foxit’s VP of Sales, Phil Lee 

Dan: Hi Phil, Can you tell us about Foxit Software?

Phil: Foxit Software is a leading software provider of fast, affordable and secure PDF solutions. Businesses and consumers increase productivity by using Foxit's cost effective products to securely work with PDF documents and forms. Foxit is the #1 pre-installed PDF software, shipped on one-third of all new Windows PCs, including those from HP®, Acer, and ASUS®.  Foxit boasts over 325 million users and has sold to over 100,000 customers located in over 200 countries.

Dan: Some customers, like my two examples above, will want automated processing of redacted fields. Is this something Foxit would partner with them on? What services are you looking to offer?

Phil: Foxit would love to partner with these customers on automated processing.  In fact, Foxit will be releasing the first round of server based PDF processing tools later this summer.  In that roadmap, we do plan to include both RMS and redaction related capabilities.  We would be very interested in speaking with customers who are looking for these types of automated processing capabilities for PDF.

Dan: What other PDF related tools does Foxit offer?

Phil: In addition to the Redaction Plugin for Microsoft Word, Foxit provides other PDF centric products that support RMS and SharePoint to allow users to:

Consume, modify, and protect PDF on Windows desktops in Active Directory® RMS and Azure® RMS environments with the Foxit Enterprise Reader and/or Foxit PhantomPDF.

Consume and annotate protected PDF on mobile devices in Azure RMS environments through the Foxit Mobile PDF product line.

Server side protection of PDF for SharePoint 2007, 2010, and 2013 environments and Exchange 2010 and 2013 environments with the Foxit PDF Secure RMS Protector.

Protect PDF files through programmatic interfaces in both Active Directory RMS and Azure RM environments with the Foxit RMS PDF Protection Tool.

Windows Search of PDF on SharePoint servers by providing super-fast PDF file indexing allowing users to index a large amount of PDF documents through the Foxit PDF IFilter.

Note: Foxit products support the new RMS protected PPDF file format.

Dan: So finally, if organizations want to test the Redaction feature set, how do they reach you?

Phil: Right now, the Foxit Redaction Plugin is available as a preview that you can download and add to your installed version of Microsoft Word 2013.   Users can download the plugin at www.foxitsoftware.com/redact.

Other products can be downloaded from the Foxit Download Center.

And that’s it.  I encourage you to try out Foxit Redaction Plugin for Microsoft Word. As always, let us know what you think.

Cheers,

  Dan on behalf of the RMS team

@TheRMSGuy                              -- our twitter account for late breaking news
www.yammer.com/askIPteam       -- a customer facing portal for all things RMS

Happy Tuesday everyone

For companies that generate intellectual property, document-level security is a top priority these days. While RMS has historically been known for protecting Office and PDF documents we've been working with key partners on protecting files our customers are demanding be protected. CAD is one such sector.

In the recent past we've shared with you our ability to protect Siemens JT file (as PJT) thanks to the good folks at Siemens. Today we're sharing with you some incredibly deep integration of RMS into AutoDESK AutoCAD from a partner of ours, SealPath. Organizations can now use SealPath product to protect AutoCAD designs with RMS and share them with others, and then use AutoCAD to work on those protected designs. 

If your CAD format is not JT or AutoCAD, please let us know and we'll work with the vendors to get it protected: https://www.surveymonkey.com/r/RMSforMFG 

Here's our interview with SealPath's CEO, Luis Angel del Valle:

Dan: Hello Luis. Could you please introduce us to SealPath and your role? 

Luis: Thank you Dan.  SealPath offers diverse solutions centered on RMS for corporate clients who require more configuration flexibility. We have recently created a RMS plugin for AutoCAD which we believe will be very valuable to our shared customers. As far as my role at SealPath, I am the CEO and am deeply involved in the definition of our roadmap and the product development strategy.

Dan: Can you tell me more about the RMS plugin for AutoCAD and what is the user experience like?

Luis: The new RMS plugin for AutoCAD offers native integration with the AutoCAD suite (currently v2012 to v2016) enabling the control of the permissions assigned to a specific CAD design. An AutoCAD file can be protected by the user using the RMS sharing app. The user can use either templates or using the assignment of granular permissions. Once the plugin is installed, when the file is protected, the file will change from having a .dwg extension to a .pdwg extension. Then, when double clicking on the file the drawing will be opened in AutoCAD and the permissions associated with it will be enforced (e.g. only view, edit, print/plot, copy and paste, etc.). We have placed the emphasis on the user's experience to ensure that it is very easy to manage and access for users.

Figure 1. Protect and open secured drawing

Figure 2. Permissions restricted by the AutoCAD RMS plugin

Dan: What kind of companies can benefit from this plugin?

Luis: Any company that works with the AutoCAD suite and is concerned about safeguarding their intellectual property can benefit from it. Through the proven and powerful RMS technology and the SealPath plugin, companies in engineering, research and development, manufacturing and other sectors can protect their designs when sharing them both internally or externally as well, with partners, subcontractors, suppliers, etc.

What other solutions can we expect for the future? Can you give us a clue?

Luis: We are actively working on the protection of formats in the industrial area. We soon hope to provide plugins in order to extend RMS to formats for other design solutions such as 2D, 3D, PLMs, etc. Another critical part of our solutions is the integration with document management systems beyond SharePoint in such a way that it is extremely straightforward to protect documents in different documentation repositories.

Can someone trial the AutoCAD plugin?

Luis: Of course. We offer free trials for one month of the AutoCAD plugin. Upon request, we provide the plugin so that it can be tried in a real environment by different users.

Dan: If organisations have questions or want to see a demo, how do they reach you?

Luis: All they have to do is access http://rmscad.sealpath.com and request it using the contact forms or by sending an e-mail to info@sealpath.com. As such, we can organise demos or analyze specific requirements regarding AutoCAD protection.  Regarding licensing, there is an annual price per user that can protect, edit, print/plot a drawing, but you don´t need a license for view only users.

So there you have it, RMS inside of AutoDESK's AutoCAD! Much more to come so, check back with us!

Regards,

Dan Plastina
@TheRMSGuy
https://www.linkedin.com/in/danpl

We’re happy to announce that the document tracking preview is now available worldwide.

Currently, this is in English only. We are working on making the site available in other languages over the next several weeks.

Stay tuned for updates. 

In addition, if you want to disable document tracking on your tenant, you can follow instructions at https://msdn.microsoft.com/library/azure/mt548471.aspx

If you have any questions, you can reach us at AskIPTeam@microsoft.com

Hi Everyone,

Today, we’re announcing another major update to Azure Rights Management services. No one RMS topic has garnered more smiles that this one! It's the public preview for the feature we simply call document tracking. If you only have 1 minute and 52 seconds to give us, then watch this quick videoandyou too will smile at the possibilities!

Let's give you the full tour but, before we get started, we'd like to offer thanks to the many of you who provided feedback during the early days. For the others, we welcome you to be a part of our extended design team by joining our advisory board.

The premise here is simple: You, the IT professional, have very little understanding of what constitutes good sharing, bad sharing, or even abuse of a sensitive document. It's true. Many like you have said that you do not sit in front of monitors all day watching the several hundred documents leaving your organizations per hour (or second)! Don't laugh, some vendors are in fact focused on building consoles for the IT staff where they show "document ABC.XLS was opened on an iPad by user Jane". While most of you perform data loss prevention (DLP) and monitoring (SIEM) in the broader parametric domain, you can't monitor the specific flows of all documents.

The good news is that the users in your organization, those doing the sharing, are actually very well equipped to know both the intent and possible abuse of the documents they share. They are the ones – the only ones – that know which documents were meant for limited use but are being over-circulated (abused).

Simply stated, today we’ve extended our base document protection promise to now be these 4 core points:

1. Your users can protect documents and share them both internally as well as with other businesses.
2. They can limit who gets access to their documents and can set a document expiration date.
3. The sender can (now) monitor the use, and thus abuse, of each of these documents shared using a variety of views.
4. If the senders does not like what they see, they can (now) revoke access to the document regardless of where it is stored.

The last two promises are new as of today while the first two are the Azure RMS offer that has been in market for a while now.

Details: A day in the life of a sensitive document

First, we're going to send a document to a large set of people. Here this is an Excel Spreadsheet but it could be any file type.

After the Share Protected action, each of these users will open their document. We've covered these steps in detail here so we'll not repeat them here today. In short, they got an email with both an XLS and a PPDF (protected PDF) that can be consumed on iOS, Android, Windows, and Mac devices.

At this juncture the sender will now get a Document Tracking email. This new emails look like this:

Visiting the enclosed link will bring the user to the web hosted document tracking site. Here the user will see a list of all prior sharing sessions and can pick any one of them.

Picking one, we'll now see a summary of all document sharing activity. Here you see a carrier pigeon with a document to indicate that the document is still 'in flight'. You'll see relevant info including successful use and possible abuse.

Looking at the other views…
Here we have a list view with sortable columns.

Here we have a graph view showing historical trends. Columns can be selected to narrow down the list.

Here we have a map view showing the location of the users. This is generated via IP address so it has all the good and the bad of such offers. In time we expect location services to get better via a variety of means.

Now, should you not like what you see in terms of use / abuse, the user can revoke access to the document. This means it will no longer be accessible. Revoke is a two set process. First, pressing the above button offers this confirmation page. Here you'll optionally be able to send an email to all recipients with text of your choice. With that typed in, you can CONFIRM revocation. That's it – the doc is now inaccessible.

You'll notice there was a disclaimer type statement about a duration of continued access. The RMS IT leaders will be creating templates. These templates have policy about offline use. Offline use is merely a license that has an NN day duration set on it. Revoking a document means that the RMS services will no long issue new licenses but some of your users (on specific devices) may already have one of these NN day licenses. Those users will be able to use the document for a while longer. This brings us back to the option in the RMS Sharing application to "Allow me to instantly revoke access to these documents". When set, offline access is disabled but instant revocation is gained.

At this point the summary view has the carrier pigeon replaced with a REVOKED banner. The document is no long usable.

Tracking (as well as protection) can be invoked from several locations. We've updated the RMS sharing application to support templates (a topic for a future post) and to integrate tracking.

In Outlook, there is now a Track Usage button:

From and Outlook mail message, and a Word, Excel, PowerPoint document the add-on offers this new split button behavior:

From the Windows File Explorer. Here we took the opportunity to clean up a bit. We nested all the action under one Protect with RMS action. Here's what it now looks like in the new RMS sharing application:

In Summary

With today's preview announcement, you can begin to experience the benefits of our document tracking feature. This offer will be generally available (GA) in all worldwide geographies this summer. For now, setup an E3 test tenant and learn about it, give us feedback, and get your organization ready to really be in control of how your sensitive data is used. If you're on AD RMS and want to migrate to Azure RMS, learn about the migration toolkit or contact us for help.

To get the latest updates please follow us on twitter as @TheRMSguy. We'll share details about when we'll be in EU/APAC geographies as well as when we add the new control features (disable tracking of internal users for EU workers council, etc). If you want to be more involved in crafting RMS for the need of your organization, then please join our advisory board.

Finally, it almost goes without saying, you don't need to wait for the document tracking features to be released to get Azure RMS piloted, deployed and otherwise used in your company. We recommend you get started on protecting yourself against your next data leak… we know plenty of companies who wish they did before they experienced their very painful leaks!

If you have any questions or feedback, please post it below. You'll likely hear from Shubha, our document tracking PM leader. If you want to learn more, visit our FAQ at https://technet.microsoft.com/en-us/dn947488

Thanks, 
Dan, Shubha, and Gagan on behalf of the RMS team
@TheRMSGuy

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for this month.

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: September 1, 2015 (or later) at the top of the page.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

In addition to responding to customer feedback, this month sees lots of updates throughout the documentation for new versions and new support statements. We listed the most relevant article rather than all of them, but for example, you'll now see references to Windows 10 and Office 2016 throughout the documentation. Of course, the Requirements page, and especially the client device capabilities table is the one to bookmark for the latest support statements!

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about the docs for the RMS sharing application or for Azure RMS, or additional PowerShell examples that you want to share, email AskIPTeam@Microsoft.com.

What's New for the RMS Sharing Application Documentation, September 2015

The following information lists the topics that contain significant changes to this documentation set since the last update.

Rights Management sharing application: Version release history

- New section for the September release, which introduces support for MFA and modern authentication (ADAL).

Rights Management sharing application administrator guide

- Updated for the following:

• Removed references to the Sign In Assistant for the deployment instructions, when clients support modern authentication (ADAL).
• New section, Azure RMS only: Configuring document tracking, which contains information about the new cmdlets that support document tracking and the required URLs.

Rights Management sharing application user guide

- Updated throughout to include Windows 10 in the Applies To: list at the top of each page.

What's New in the Documentation Library for Azure Rights Management, September 2015

The following information lists the topics that contain significant changes since the last update (August 2015).

Requirements for Azure Rights Management

Updated for the following:

• The Cloud subscriptions that support Azure RMS section now references Azure Rights Management Premium, the new subscription name for Azure RMS Standalone. It also clarifies that a paid Rights Management subscription is needed only to protect content (files and emails), not to consume protected content.
• The Azure AD directory section has new information about Azure multi-factor authentication (MFA) support.
• Updated the Client device capabilities section, to clarify that Windows 10 apps are view-only and for Azure RMS only. Mobile devices that support ActiveSync are now moved to this table for platform-specific information. SecureIslands IQProtector is added for email, for iOS and Android.
• In the Applications that support Azure RMS section, Office 2016 is added as supported. XPS Viewer is added as not supported. The restriction that Windows 10 is not supported with the RMS sharing application is removed (supported with the latest version).

Migrating from AD RMS to Azure Rights Management

- Updated Step 2, to revise the instructions for the HSM-protected key to HSM-protected key migration scenario. For this configuration, you do not transfer your HSM key to Azure RMS by using the Add-Aadrmkey command, as you would do for a software-protected key to HSM-protected key migration. Instead, you transfer your HSM key when you upload your exported trusted publishing domain, by using the Import-AadrmTpd command.

Administering Azure Rights Management by Using Windows PowerShell

- Updated the tasks table to include a new entry to disable or enable the document tracking site for Azure Rights Management, with links to the new cmdlets Disable-AadrmDocumentTrackingFeature, Enable-AadrmDocumentTrackingFeature, and Get-AadrmDocumentTrackingFeature.

Get-AadrmTemplateProperty

- Updated for the following:

• Removed the references to getting the rights for specified users or specified locales because not currently implemented.
• Added a description of the -ReadOnly parameter (denotes whether a default template, or a custom template).
• Added a new example: For all templates, get the name, the usage rights, whether a default template, and whether published or archived Kudos to Sandor Teglasy in CSS, for this helpful example.

about_RMSProtection_AzureRMS

- Updated for workaround instructions (prerequisite 3) if your Azure region is not in North America.

Get-RMSFileStatus

- Updated the detailed description to clarify the difference between a status of Protected and Protected(Custom). Also added a new example: List the protection status for all files in a folder and any subfolders. This cmdlet supports getting the protection status of a single file only, but you can use PowerShell commands to return the status of all files in a folder. Kudos to Eddie Bowers in CSS, for this really helpful tip!

Protect-RMSFile

- Updated for the following:

• Clarified that this cmdlet reprotects files if they are already protected by Rights Management. This action lets changes in templates or an ad-hoc license take effect.
• How to change the default levels of protection is now linked to the correct File API configuration reference on MSDN instead of the instructions in the RMS sharing application administrator guide. Although the instructions are very similar, they use their own registry key and both can be in use on the same computer.
• Added information about the -OwnerEmail parameter, which includes the recommendation to always use this parameter if you use Azure RMS because in this context, the "owner" is the service principal account rather than your own account. In addition, because this email address is displayed to users for generically protected files and if they do not have permissions to access the content, consider using a group address, such as your help desk.
• Added a new example: Protected files with a specific file name extension in a folder by using a template. Although this cmdlet does not natively support wildcards, you can use PowerShell commands to achieve the same result. We applied Eddie's tip from his Get-RMSFileStatus to this cmdlet, as well.

Hi everybody

As per Carol’s introduction post, she's letting you know what's new and hot in the docs for this month.

Reminders: Follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.

Cheers, 

   Dan (on behalf of the RMS team)

The Documentation Library for Azure Rights Management has been updated on the web and the latest content has Updated: October 1, 2015 (or later) at the top of the page.

Summary of the documentation available: Getting Started with Rights Management | Configuring Rights Management | Using Rights Management | Administering Rights Management by using Windows PowerShell

Plus, the Rights Management sharing application guides (admin guide and user guide) and FAQs (for Windows and mobile platforms).

Windows PowerShell seems to be a recurring theme again this month, helping to deliver key business benefits when you integrate Rights Management with other solutions. Specifically, protecting all file types on Windows Server with FCI, an easy administrator configuration to enable IRM on all users' OneDrive for Business if you have SharePoint Online, and adding Office apps support for mobile devices:

• RMS Protection with Windows Server File Classification Infrastructure (FCI):   This new article steps you through configuring Windows Server File Server Resource Manager FCI with an easy-to-edit script that uses the RMS Protection cmdlets. We couldn't have got these tried and tested instructions and script to you without the help of Frank Pahler from Microsoft Consulting Services and Sandor Teglasy from Customer Support Services. Not to mention many internal runs and tests that Enrique Saggese and I did ourselves to ensure a robust set of instructions with troubleshooting tips, so that you would be spared the mistakes and assumptions we made!
• SharePoint Online and OneDrive for Business: IRM Configuration:   Expand this existing section of the docs to see newly added instructions for OneDrive for Business. Previously we had instructions for users only, because administrators can't enable IRM for users' OneDrive for Business by using the UI - only users can do this. But thanks to Joe Rodgers (Premier Field Engineer) and his SharePoint and PowerShell expertise, you now have a script to do this where you can enable and configure settings for one or a few users' OneDrive for Business libraries, or import a .CSV file to do this in bulk. To help with the latter, there's an addition script to retrieve the URLs you will need to enable this setting, which saves the entries to a .CSV file that you can then feed into the first script. There's a third script if you need to disable IRM on these personal libraries. I've heard many requests to enable IRM for OneDrive for Business instead of relying on users to do this themselves, so I'm sure this is going to be a very useful resource.
• Active Directory Rights Management Services Mobile Device Extension:   Updated for new PowerShell commands to support the latest Office apps. Quick call out here for Eric Huang (Customer Support Services) for his help with this.

There are no updates to the RMS sharing application documentation this month.

We value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  If you have any feedback about these docs or any other docs for Azure RMS, email AskIPTeam@Microsoft.com.

What's New in the Documentation Library for Azure Rights Management, October 2015

The following information lists the topics that contain significant changes since the last update (September 2015).

Requirements for Azure Rights Management

- Updated the Client device capabilities table for minor clarifications (no new entries).

Comparing Azure Rights Management and AD RMS

- Updated the migration row with links and removed references to Windows Server 2003, now that this operating system is out of support. Added a new row that differentiates the licensing requirements because Azure RMS, unlike AD RMS, doesn't require a user license to consume protected content.

Migrating from AD RMS to Azure Rights Management

- Updated Step 2, to revise the instructions (all configurations) for importing multiple TPDs. Previously, the instructions said to import all files as Active, whereas only the TPD you want to use to protect content by using Azure RMS should be set to Active.

Configuring Applications for Azure Rights Management

- Updated the SharePoint Online and OneDrive for Business: IRM Configuration section, with extensive instructions and supporting scripts for admins to configure OneDrive for Business for users. The introduction to this post has more details.

Deploying the Azure Rights Management Connector

- Update to the Authorizing servers to use the RMS connector section, for SharePoint servers configuration, which now covers service accounts (recommended) as well as Local System accounts.

about_RMSProtection_AzureRMS

- Updated the workaround instructions (prerequisite 3) to clarify that you must run Set-RMSServerAuthentication after editing the registry if yourAzure region is outside North America. For example, if you successfully ran Set-RMSServerAuthentication before editing the registry, edit the registry and then immediately run Get-RMSTemplate, the templates won't download until you run Set-RMSServerAuthentication again. The error message that you'll typically see is "The system cannot find the file specified. HRESULT: 0x80070002".

Get-RMSFileStatus

- Added a new example from Eddie Bowers in CSS: Create a .CSV file with the protection status for all files in a folder and any subfolders. This example builds on the previous example Eddie provided, but outputs the results to a .CSV file so that you can easily sort and order the information.