The Azure RMS Connector (Part 1)

If you would like to read the next part in this article series please go to The Azure RMS Connector (Part 2).


It could be argued that a migration of Exchange on-premises to Exchange Online is a common first workload deployment of Office 365 services. However, what if the scenario exists where an organization would like to deploy the Azure Rights Management Service in the cloud but still have on-premises services take advantage of this cloud-based service? That’s where the Rights Management Services connector comes in. I’ll refer to this as the RMS connector throughout the rest of this article.

The RMS connector allows on-premises Exchange, SharePoint and Windows file servers to use the cloud-based Azure Rights Management Services. This article will focus on my lab-based experiences of deploying the RMS connector for use with on-premises Exchange, although many of the principles will apply to on-premises SharePoint and Windows file services of course. When it comes to deploying the RMS connector for use with Exchange on-premises, the RMS connector supports both Exchange 2010 and Exchange 2013 so this must be addressed in organizations that are using a version of Exchange earlier than Exchange 2010.

In part one of this article, I will focus on the background tasks that needed to be performed, such as enabling the Rights Management Service in the Office 365 tenant and the installation of the RMS connector.

Enabling Azure Rights Management Service

In my lab Office 365 tenant, the Azure Rights Management Service was not enabled and therefore the first step was to activate this service. This was achieved in the Office 365 Admin Center and is a very straightforward process. Let’s have a look at this process as it happened in my lab Office 365 tenant:

  1. I first logged into my Office 365 tenant using an administrator account and navigated to the Admin app
  2. In the Office 365 Admin Center, I chose the Rights Management option from the Service Settings area on the left-hand side menu. This is shown below in Figure 1-1.

Figure 1-1:
The Rights Management Service Setting Area

  1. Next, the Protect your information screen was shown. On this screen, I chose the Manage option as can be seen from Figure 1-2.

Figure 1-2:
Managing Rights Management

  1. Next, the Rights Management screen was displayed. Since Azure Rights Management had not yet been activated, I was informed of this fact and the Activate button was available. I clicked the Activate button to activate Azure Rights Management as shown in Figure 1-3.

Figure 1-3:
Activating Rights Management

  1. Clicking the Activate button gave me an additional “Do you want to activate Rights Management?” prompt, to which I clicked yet another Activate button to confirm my decision. After a brief pause, I was then informed that Azure Rights Management had been activated as can be seen from Figure 1-4.

Figure 1-4:
Rights Management Now Activated

Installing the RMS Connector

With Rights Management now activated within my Office 365 tenant, I was then able to move onto installing and configuring the RMS connector. The RMS connector can run on 64-bit machines that run Windows Server 2008 R2 or later. Additionally, there are a couple of other minimum requirements in that the machine must have at least 1GB of memory and at least 64GB of disk space. In my Azure lab, I deployed the RMS connector onto a machine running Windows 2012 R2 that exceeded the memory and disk space requirements. Note also that at the time of writing this article Microsoft states three other key considerations for the server running the RMS connector:

  • The machine hosting the RMS connector must have Internet access via a firewall or proxy server that does not require authentication
  • The RMS connector must not be installed onto a server that will use it. In other words, in my lab, I did not install the RMS connector onto the Exchange server
  • Deploy the RMS connector onto a minimum of two servers if high availability and fault tolerance is required

Installing the RMS connector is a straightforward process. Let’s look at the process as it happened in my lab:

  1. First I downloaded the RMS connector from the Microsoft download site. The RMS connector can be found at this link. The actual file to download for 64-bit servers is RMSConnectorSetup.exe; note that a separate x86 file is available. Also note that a PowerShell script called GenConnectorConfig.ps1 is also available for download. I used this script later on in the process and we will therefore discuss this script later in part two of this article.
  2. Once downloaded, I then ran RMSConnectorSetup.exe with administrator permissions to begin the installation process. The first screen presented was the welcome screen which is shown in Figure 1-5. Since I was running the setup program on the actual server to house the RMS connector, I chose the Install Microsoft Rights Management connector on this computer option, then clicked Next.

Figure 1-5:
RMS Connector Installation Welcome Screen

  1. The next screen is the licensing screen, which is self-explanatory.
  2. After that, I was presented with the credentials screen that can be seen in Figure 1-6. Here I was required to enter the credentials of an account that can install the RMS connector. I personally chose to use an Office 365 tenant administrator account, although I could have also chosen to use an RMS tenant global administrator account. Additionally, if preferred, an RMS connector administrator account can be created. This will need to be a rights management role-based administrator account that has the ConnectorAdministrator role.

Figure 1-6:
RMS Connector Installation Credentials Screen

  1. Once past the administrative credentials screen, I was presented with the confirmation screen that can be seen in Figure 1-7. Clicking the Install button at this point starts the installation of the RMS connector.

Figure 1-7:
RMS Connector Installation Confirmation Screen

  1. The progress of the connector installation was then presented on the next screen. The overall installation took a few minutes in my lab since other required components such as Internet Information Services (IIS) were installed as part of the RMS connector installation routine; such components weren’t already installed on my server.
  2. At the end of the installation routine, I was presented the results screen shown in Figure 1-8. Note the option, already enabled, to launch the connector’s administration console to commence the server authorization process. At this point I was in a position to do this as I was just installing the connector on a single server, but in situations where the RMS connector is being deployed in a highly available scenario then Microsoft recommends that at least one additional RMS connector is installed before launching the administration console.

Figure 1-8:
RMS Connector Installation Completion Screen

I wanted to understand what files were installed with the application and where those files were located, and I noted that on my lab server the connector installed itself into the C:\Program Files\Microsoft Rights Management connector folder. Underneath this folder, I noted separate folders for the administration tool and the web service.

Before the administration console is configured, it is possible to test that the RMS connector appears operational by using a browser to navigate to http://server/_wmcs/certification/servercertification.asmx. A successful connection showed me the ServerCertifcationWebService web page as can be seen from Figure 1-9.

Figure 1-9:
Basic Testing of RMS Connector Operation

It can be seen from Figure 1-9 that this connection is using HTTP. After testing, I deployed a certificate to the server and re-tested the configuration using HTTPS.


That completes part one of this article on the Azure RMS Connector, which has covered enabling the Azure Rights Management Service in the Office 365 tenant followed by installing the RMS connector. In part two of this article, I will look at what happened when I configured the RMS connector as well as configuring the on-premises Exchange 2013 server to use it. Finally, I will look at the Exchange 2013 transport rules to check that the RMS templates are available to them.

If you would like to read the next part in this article series please go to The Azure RMS Connector (Part 2).