In the past the Rights Management Server (nowadays known as Active Directory RMS, and former as Windows RMS) would require a server infrastructure on-premises, but with the advent of the Cloud everything became much easier. Some customers they have their entire environment in Microsoft Office365 and that makes things even easier.
For those customers that have hybrid environment where some mailboxes may be in Exchange On-Premises and some mailboxes in Office 365, we can take advantage of a solution called RMS connector and the Azure RMS to manage the security of the information.
The Azure RMS service encrypts at the application level and make it readable only for the authorized users and services, the information is not stored in Azure in any shape or form. The user can share the encrypted files with the defined levels of access in any media, and the document will be secure and accessible only for the right people.
When the Azure RMS service is enabled on Azure a key is generated and that will be used for encryption of the documents. In the first user logon, a key is assigned to the user and that key is stored in Azure, when the user moves around the same key is used.
When a user encrypts a file using a template or specific rights, a random key is generated and it encrypts the body of the document, then a certificate is created which includes the policy (users/groups level of permissions and expiration date), then the organization key is used to encrypt the policy and the random key, the policy is also signed with the user’s certificate.
Azure RMS solution works with Windows Server, Exchange/SharePoint on-premises, mobile platform and Office365 and a diagram of the solution is shown in the image below.
Source: Microsoft Azure RMS Documentation.
Creating a custom template…
Now that we introduced the Azure RMS briefly, we can show the steps required to create a new template. All RMS Template is done through the Azure Classic Portal, click on Active Directory, and then on Rights Management tab. For this article, the service was already enabled as depicted in the image below.
By default, the Azure RMS comes with two (2) templates: Confidential and Confidential View Only. We can create a template from scratch or copy from an existent template and just modify some rights to create a brand new template, we will select Confidential and we will click on Copy button located at the bottom bar.
In the new Copy an existing template page. We can define the language, name and the description, for the sake of simplicity we will create a template that only allows reply and after filling out the information we will click on OK.
After creating the template a new view of the created template will be shown, we can define rights, scope and additional configuration for it.
Click on Rights, and then double click on the entry that is being listed, that entry came from the original template that we copied over.
In the new page, leave the default values which is Custom and click Next.
In the Assign custom rights page. We can select the custom rights to this template, we will select just two rights: View Content and Reply. Click on OK.
After creating the template, we need to publish it, back to the original page where we have all templates being listed, select the new template and click on Publish. A small dialog it will show up at the bottom page, click on Yes to confirm.
Refreshing Templates in Office 365…
The refresh on the Exchange Online is not automatic, and a manual step is required to perform a refresh of the existent published templates.
The first step is to connect to the service using PowerShell, these following cmdlets can be used:
$cred = Get-Credentials $session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred –Authentication Basic –AllowRedirection Import-PSSession $session
To list the RMS trusted publishing domains, we can use the Get-RMSTrustedPublishingDomain cmdlet.
The next step is to use the Import-RMSTrustedPublishingDomain to refresh the templates, the complete cmdlet is listed below.
Import-RMSTrustedPublishingDomain –Name “RMS Online – 1” –RefreshTemplates – RMSOnline
To check if everything went fine, we can always run the following cmdlet.
Get-RMSTemplate –TrustedPublishingDomain “RMS Online – 1” –Type All
The process to validate it is easy, just edit or create a new transport rule in Exchange Online, and when an action to Apply Rights Protection to the message with… and then select Apply Rights Protection and from the new dialog box, select the templates available. In this list the new template that we have just created should be listed by now.
Those are the steps required to create a new RMS Template and make sure that it can be used in Exchange Online. If you have RMS Sharing application, Office 2013 or 2016 the default time for refresh is a cycle of 7 days.
If an immediate refresh is required, then the value LastUpdateTime should be clear and it can be found at
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC<RMS-FQDN>\Template.
