Office 365 – Use Rights Management Services

With the new Office 365, Microsoft has introduced new functionality to secure document sharing: Rights Management Services (RMS).

This service is (or should be) well known, as it has been available since Windows Server 2003 as an additional component for internal deployment.

See http://technet.microsoft.com/en-us/library/cc771234(v=ws.10).aspx for more details about RMS.

So, back to Office 365 and Windows Azure Rights Management (the commercial name of RMS in the cloud).

Windows Azure Rights Management (AADRM) is available through the Enterprise E3 Office 365 plan.

 

Enable Windows Azure RMS

 

By default, Windows Azure RMS is not activated.

To enable AADRM, connect to the administration portal with an Office 365 administrator account and go to the Service Settings section (on the left)

 


 

Then click the Rights Management tab and finally the Manage link

 


 

Once you have reached the Rights Management administration page, click on the Enable button and confirm the activation

 


 

Wait a few minutes while AADRM is being activated

 


 

You are then redirected to the AADRM page, which now shows that RMS is activated; now that it is activated, you can also disable it from this page

 


 

NOTE: Windows Azure RMS can also be activated using PowerShell

 

To do so, you must have installed the Office 365 Modules for PowerShell and the RMS Modules for PowerShell (http://www.microsoft.com/en-us/download/details.aspx?id=30339); then run the following commands:

 
  • $user = "<your Office 365 administrator email>"
  • $cred = Get-Credential -Credential $user
  • Import-Module AADRM
  • Connect-AadrmService -Credential $cred
  • Enable-Aadrm

 

Use of RMS with Exchange Online

Once RMS has been activated, you will be able to secure your email exchanges.

Automatic protection

To secure your emails with RMS, you must set a mail flow rule (recommended). This way, your end users do not have to think about RMS.

Open the Exchange Online administration portal (Exchange Admin Center): from the Office 365 administration portal, open the submenu just below Admin, on the right side of your name, and select Exchange.


Go to the Mail Flow section (from the left menu)


Then go to the Rules section and create a new rule to apply RMS


Define the rule settings and voilà: your email will be protected by RMS automatically.

Manual Protection

    

If you want to let your users apply RMS to their email when using OWA, you must enable RMS for OWA.

Enable RMS for OWA

Launch a PowerShell command prompt (you must have installed the Office 365 Modules for PowerShell as well as the RMS Modules for PowerShell: http://www.microsoft.com/en-us/download/details.aspx?id=30339)

Run the following commands:

  • $user = "<your Office 365 administrator email>"
  • $cred = Get-Credential -Credential $user
  • Import-Module MSOnline
  • Import-Module AADRM
  • Connect-MsolService -Credential $cred
  • Connect-AadrmService -Credential $cred
  • Enable-Aadrm
  • $msoExchangeURL = "https://ps.outlook.com/powershell/"
  • $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $msoExchangeURL -Credential $cred -Authentication Basic -AllowRedirection
  • Import-PSSession $session
  • Enable-OrganizationCustomization

NOTE: You may receive an error message saying this command is not required because your organization is already enabled for customization:

This operation is not required. Organization is already enabled for
customization.
    + CategoryInfo          : NotSpecified: (:) [Enable-OrganizationCustomizat
   ion], InvalidOperationException
    + FullyQualifiedErrorId : F977D53F,Microsoft.Exchange.Management.Deploymen
   t.EnableOrganizationCustomizationTask
    + PSComputerName        : pod51031psh.outlook.com

  • Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"   # imports the new RMS parameters into your tenant

  • Test-IRMConfiguration -RMSOnline   # tests and validates the imported RMS configuration

  • Set-IRMConfiguration -InternalLicensingEnabled $true

You may have to wait a little bit before the options for Outlook Web Access appear.
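
The following PowerShell is an added example, not part of the original article: it checks the IRM configuration produced by the steps above and then creates, from the command line, a mail flow rule like the one described under Automatic protection. It assumes the Exchange Online session from the steps above is still imported; the rule name, the trigger word and the "Do Not Forward" template name are assumptions to adjust to your tenant.

```powershell
# Added example (not from the original article). Assumes the Exchange Online
# remote session from the steps above is already imported (Import-PSSession).

# Assumed values: adjust to your tenant.
$ruleName     = 'RMS - protect Confidential mail'  # hypothetical rule name
$triggerWord  = 'Confidential'                     # hypothetical trigger word
$templateName = 'Do Not Forward'                   # assumed template; verified below

# 1. Internal licensing must be on, otherwise no rule can apply RMS protection.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'IRM internal licensing is off. Run Set-IRMConfiguration -InternalLicensingEnabled $true first.'
}

# 2. The trusted publishing domain imported earlier must be present.
if (-not (Get-RMSTrustedPublishingDomain)) {
    throw 'No RMS trusted publishing domain found. Run Import-RMSTrustedPublishingDomain first.'
}

# 3. Stop if the template is missing, and show which templates the tenant offers.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    Get-RMSTemplate | Select-Object Name, Description | Out-Host
    throw "RMS template '$templateName' not found. Pick one of the names listed above."
}

# 4. Create the rule only once, so the script can be re-run safely.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Output "Rule '$ruleName' already exists (state: $($existing.State))."
}
else {
    New-TransportRule -Name $ruleName `
        -SubjectOrBodyContainsWords $triggerWord `
        -ApplyRightsProtectionTemplate $templateName `
        -Comments 'Applies RMS protection automatically (added example).'
}

# 5. Review every rule that applies an RMS template and whether it is enabled.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, ApplyRightsProtectionTemplate -AutoSize
```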

 

Outlook Web Access

Connect to your mailbox using your web browser (https://mail.office365.com)

Create a new email and go to Set Permission


With Exchange 2013, there is no longer any need to download attachments secured by RMS; this is now fully integrated with Exchange


 

Outlook Client

When using Outlook, go to the Options tab when writing an email

Message received and protected by RMS


 

Use of RMS with SharePoint Online

Once RMS has been activated, you can use it to secure your documents stored on SharePoint Online.

However, even if you have activated RMS from the Office 365 administration portal, that does not mean it has also been activated for SharePoint Online.

To enable RMS for SharePoint, connect to the SharePoint Online Administration site (from the Office 365 administration portal, open the submenu just below Admin on the right side of your name and select SharePoint)

Then, from the SharePoint Online administration portal, reach the Settings section from the left menu and enable RMS for SharePoint


Finally, connect to your SharePoint site and browse to the document library you want to secure with RMS. Only ONE RMS policy can be applied to a document library.

Open the library settings using the ribbon


A new option called Information Rights Management has appeared, just below the Permissions and Management section

When you open this option, you can enable RMS for the document library and define the RMS policy to be applied; this means your end users will not have to think about RMS before uploading documents to the library

You have a lot of options to define your RMS policy:

Additional RMS library settings

  • Do not allow users to upload documents that do not support IRM: this option will block document upload if the document format doesn’t support RMS

If this setting is enabled, end users will get an error message explaining that the document format they are trying to upload is not compatible with RMS and so cannot be secured

  • Stop restricting access to the library: this means after the defined date, the document library will no longer apply the RMS policy
  • Prevent opening documents in the browser for this document library: this will force end users to open the document with their Office client. NOTE: RMS is supported by Office Web Apps; documents protected with RMS can be opened in the web browser

If this setting is NOT enabled, the Office document will be opened in the web browser. End users will see a yellow information bar explaining that the document is protected by RMS (the RMS policy name is shown).

Document access rights

  • Allow viewers to print
  • Allow viewers to run script and screen reader to function on downloaded documents
  • Allow viewers to write on a copy of the downloaded document
  • After download, document access rights will expire after these number of days

Set group protection

  • Users must verify their credentials using this interval
  • Allow group protection

 

When saving a document to SharePoint Online from your Office client, go to the Office Backstage to protect your document (screenshots taken with Office 2013)
