The Evolution of Microsoft’s Rights Management Services (Part 2)

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our Real-Time Article Update newsletter.

If you would like to read the first part in this article please go to The Evolution of Microsoft’s Rights Management Services (Part 1).


In Part 1 of this series on the evolution of Active Directory Rights Management Services, we provided an overview of what RMS is, how it works and some of the changes it has undergone from its release as an add-on for Windows Server 2003 back in 2005 to its incarnation in Windows Server 2012. In Part 2, we’ll talk about the next generation of RMS, Azure RMS, which has been revamped in a big way and was released in public preview form this summer.

AD RMS vs. Azure RMS

In the past, we’ve had a new version of RMS in each subsequent version of Windows Server that built upon the previous version. Although Azure RMS does build on the features in AD RMS, it’s a different animal in many ways, and Azure RMS coexists alongside Windows Server 2012 RMS rather than being a straight-up replacement for it. Which you use depends on your network infrastructure and whether it’s based on Windows servers in a traditional datacenter model or a private cloud running on Windows Azure.

Azure RMS (also called the Microsoft Rights Management Suite) runs as an Azure service and just as Windows Server 2012 RMS uses the Windows Active Directory, it uses the Azure AD. At the time of this writing (September 2013), it’s out in preview version and is expected to become available in final release in October. AD RMS is, of course, already available as a server role in Windows Server 2012.

How Azure RMS works

Although it appears to be fading as more and more organizations see the benefits of cloud computing, there is still a lot of distrust of the cloud in the business world. Data that a company wants to protect with rights management is, by definition, data that carries some sensitivity and so some IT pros and managers may be understandably wary about using a cloud-based form of RMS to protect it.

The good news is that Azure does not access the content of your protected data. Although Azure RMS runs on Windows Azure, the documents, emails and other protected files are not sent to the Azure service in the process. Regardless of where the files are stored – on premises or in a cloud provider’s storage or application – Azure RMS still never has access to the data. The RMS server handles encryption key interchange without ever “seeing” the data.

The RMS service then performs the following to protect the file from being misused by those with whom it is shared:

  • The RMS service authenticates the user who wants to access the file, using on-premises Active Directory or Azure AD (Microsoft has also announced that in the future, users can be authenticated through Microsoft accounts – formerly known as Live IDs – and Google accounts).
  • The RMS service authorizes the user based on the policy that is attached to the protected file.
  • The RMS service logs the user activity for audit purposes. This is true whether the user’s attempt to access the file succeeds or fails.

Azure RMS features

Azure RMS goes beyond what AD RMS does, and offers some exciting new features. While rights management through Windows server gives you some very useful capabilities, it also has some annoying limitations, both from the perspectives of admins and of users. Microsoft has taken a look at the scope and type of protection that’s needed in our more mobile world and provided the ability to really extend that protection in a flexible way.

For the IT pro, you get a lot more flexibility in terms of where you can store protected information. It can be on a USB thumb drive, on a local hard drive, on a file server, on a network storage device, in a SharePoint data store in the cloud, in a cloud provider’s SaaS application, on a cloud storage service. Regardless of where it’s stored, it’s still protected.

For users, protected files can be shared with anyone who has an Active Directory account, but when support for Microsoft and Google accounts is implemented (Microsoft has indicated this will happen in 2014), you’ll be able to share RMS-protected documents with any individual who has one of these free accounts. That will greatly extend the usability of RMS.

One of the features I’m most excited about is the ability to now protect all types of files, not just the limited number of Microsoft file types that could be protected in the past. Granted, some file types can be more protected than others and naturally, you get the most bang for the buck with files created and opened in applications that natively support RMS. That means .doc/.docx, .xls/.xlsx, .ppt/.pptx, and .pdf. With the free RMS app (more about that later), you can also also protect .txt, .xml, .jpg/.jpeg, .tif/.tiff, .gif and .bmp files.

Protected .pdf files can be opened with the Foxit PDF Reader.

Developers can use the SDK provided by Microsoft to create applications that are “RMS-enlightened.”

The RMS app

The RMS application integrates with Windows or Apple OS X, so that users of both operating systems can protect files with RMS, in a few different ways. It adds extensions to the Office toolbar that make it quick and easy to share protected files. There are three different ways to protect files.

The first method is called “Protect in place.” The user protects the original file where it’s stored. The second is called “Share Protected.” In this case, the original file stays where it is and as it is (protected or not) and the user protects a copy of the file that he/she is sending to someone else via email. The third is a variation of “Share Protected” called “Share Protected (Camera).” As the name implies, it allows the user to send a protected copy of a selected photo taken with a mobile device.

The RMS app adds a “Share Protected” button to the toolbar in Word, on the Home tab. It invokes a dialog box where you can set permissions for the recipient to only view the document, to review (edit) it, to be a co-author (with permission to copy and print the document) or to be a co-owner (with all permissions). You can select, by checking a box, whether to allow consumption on all devices and you can also require that a user be required to log in every time the file is opened. Finally, you can set a date for the content to expire.

When you’ve finished setting the permissions, click the Send button and an email message is automatically generated with the protected document attached. The message includes links for downloading the RMS app and for signing up for RMS. The recipient double clicks the file attachment and it opens in the appropriate application. For Word, Excel and PowerPoint files, this means those applications. For text and image files, this means the Microsoft RMS app.

Microsoft refers to protected files by adding a P to the beginning of the file type. For example, a protected .jpg file is referred to as a PJPG. Files other than those associated with native RMS applications and the RMS app (for example, a PhotoShop or CorelDraw file) can still be protected, but you can’t assign additional usage restrictions. You can, however, set access controls, expire the content and require authorization. A file of this type is identified as a PFILE. A PhotoShop file, then, would be Filename.PSD.PFILE.

Protected email can be created and viewed using Outlook 2013 with Exchange 2013, which are designed to work with Azure RMS. This applies to both Exchange Online (part of Office 365) and on-premises Exchange servers (through the RMS connector). Enabling RMS in Office 365 is a simple process; it’s basically just a matter of checking a checkbox in the admin portal.

Using the connector is a little more complicated. The Rights Management Connector emulates an AD RMS server and relays requests to the Azure RMS service. The RMS connector can be installed on virtual machines, and for high availability, you’ll need two servers or VMs. RMS service licenses must be purchased for users to create protected content, but you can enable Azure Active Directory and DirSync to receive protected files from outside the network even if you don’t have RMS licenses.

Another option is for users to sign up for the Azure RMS for Individuals service. This creates an ad hoc account for a particular organization. You’ll be able to convert ad hoc users to licensed users, so that they can be managed by IT, in the general availability version of Azure RMS.

Mobile apps

Microsoft will provide mobile apps for accessing RMS-protected content through mobile devices of various platforms. These will be available through the respective app stores for the mobile operating systems. You can currently view and reply to RMS-protected email messages on devices that support Exchange Active Sync (EAS). This includes Windows and Android phones.

The RMS mobile application allows you to share RMS-protected files through email, SkyDrive, DropBox, FTP, etc. When developers create RMS-enlightened apps, they can include built-in sharing capabilities.


Azure RMS takes rights management to the cloud – public or private – and expands the scope and capabilities of Microsoft’s RMS protections. For more detailed information about how to deploy Azure RMS, see the whitepaper titled Microsoft Rights Management, which can be downloaded from the TechNet AD RMS Team Blog web site.

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our Real-Time Article Update newsletter.

If you would like to read the first part in this article please go to The Evolution of Microsoft’s Rights Management Services (Part 1).

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top