As you may already know, one of the most complicated task for IT and security guys is to ensure sensitive corporate data are well protected.
To help them in this task, Microsoft has introduced a technology called Right Management Services (RMS) since about a decade (first release has been provided with Windows Server 2003 as additional downloadable component). Since then and the move to the cloud, RMS has been also made available for Office 365 customers based on the Azure RMS.
That said, the On Premises RMS version has (at least) one limitation which is you can not share RMS protected document with external peoples – you need either to create (and so manage) a user account on your Active Directory for those peoples or implement a federation with the external organization which requires this organization to implement ADFS too; on the other side, Azure RMS can help sharing such protected document with external people BUT does not deliver On Premises protection, meaning you can not use Azure RMS to protect On Premises files share, SharePoint sites or Exchange mail flows.
Good news 
, Microsoft has provided an RMS connector to help you to use Azure RMS on your On Premises systems.
To do, you just have to
- Enable Azure RMS (either on your Office 365 tenant or if you don’t have Office 365 on your Azure tenant),
- Implement (if not done yet) directory synchronization with Azure Active Directory Services (you know, the well know DirSync for Office 365 or the new tool AAD Connect – see http://blog.hametbenoit.info/2014/09/21/office-365-multi-factor-allows-to-remember-the-device-preview/)
- Optionally but recommended (also if not yet done) implement federation using ADFS
- And finally install the connector and configure your On Premises systems to use Azure RMS (SharePoint, Exchange or file shares)
I will not go through the first 3 steps – Azure RMS activation, directory synchronization and federation as there is already lot of documentation available – even in this blog . So, let start with the connector installation and systems configuration.
Download and Install the Azure RMS connector
- Download the Azure RMS connector from Microsoft Download website http://go.microsoft.com/fwlink/?LinkId=314106
There is 3 files available for download
- GenConnectorConfig.ps1 – PowerShell script to configure authorized servers to use the RMS connector (run either locally on the authorized server or using a Group Policy)
- RMSConnectorAdminToolSetup_x86.exe – install the RMS connector console on 32 bits client (not the 32 bits version of the connector)
- RMSConnectorSetup.exe – the connector setup itself, or the remote console
The connector can be installed in Windows Server 2008 R2 to 2012 R2. If you plan to implement high availability, you have to install it on at least 2 different server.
During the installation, IIS and all required features will be installed if not already installed on the server.
You can use the setup program to install the Azure RMS console on a remote client – if your client does not meet the requirements to install the connector itself, you will be proposed to install the console only automatically. This console allows you to manage authorized servers for the connector use
This is not needed to use dedicated server to host the connector BUT do not install it on Exchange, SharePoint or file shares servers to be protected with the connector.
The connector setup is very simple, just follow the install wizard to install it; there is no specific settings here except the tenant credentials to be entered
NOTE 1 if the administrator tenant credentials is using MFA (multi factor authentication), the setup will failed; I recommend to use a dedicated account, similar to one used for the Directory Synchronization installation. The error you will get does not clearly say MFA is not supported but user name and password combination is not correct.
NOTE 2 the credentials used here MUST be either Office 365 Global Administrator, RMS Tenant Global Administrator or Azure RMS Connector Administrator. If you plan to use an RMS account, see later in this post for connecting to the Azure RMS tenant and configure privileged account
Authorizing the use of Azure RMS Connector
Once the connector installation has been completed, the first thing is to allow the hosting server to use the Azure RMS connector.
At the end of the installation, the wizard proposes to launch the console to authorize the server. If not or if you closed the wizard without launching the console, just start if from the Start menu
On this console, you just have to add the server(s) allowed to use the RMS connector – such as the file share server, Exchange or SharePoint server.
When adding a server, you have to define which server type – Exchange, SharePoint or File Share – and an account – either service or computer account
Recommendations
- For Exchange servers, use the default Exchange Servers group to automatically allow all Exchange servers
- For SharePoint servers, use the service account used to run the SharePoint application pool
- For file servers, use the server account or a dedicated groups containing all file servers to be allowed to use the connector