Getting to Know the Enterprise Mobility Suite (Part 4)


In Part 1 of this series, we talked about how EMS – Microsoft’s new mobile device management solution – offers organizations a more mobile, cloud-centric way of doing business. We discussed the components of EMS: Microsoft Active Directory Premium, Microsoft Intune and Microsoft Azure Rights Management, and we provided an overview of what each one is and does and how it fits into the solution. In Part 2, we discussed some of the particulars of deploying Azure AD and Intune in your organization. In Part 3, we continued the series by beginning an overview of how to deploy and manage my favorite part of EMS, the Azure Rights Management service, and we’ll delve into the details of deployment here in Part 4.

I had originally intended to end the series with Part 4, but for more comprehensive coverage of the deployment process, it will be continued and wrapped up in Part 5.

Deploying Azure RMS

Last time, we talked about the prerequisites that you need in order to deploy the Azure RMS service in your org. These include a subscription to the RMS service (which can be through an Office 365 enterprise subscription), Azure AD, client devices that support RMS, applications that support RMS, and a properly configured network infrastructure that allows connectivity to the URLs and IP addresses used by RMS. Optional components include an on-premises Exchange server and multi-factor authentication (MFA) enabled.

Once you have all that in place, there is still a good bit of preparatory work to do. The first step involves getting your Azure or Office 365 tenant account ready to work with RMS. That means:

  • Create the user accounts and groups Azure RMS can use to authenticate users if they don’t already exist, or sync your on-premises AD.
  • Plan how your Azure RMS tenant key will be handled (by Microsoft or BYOK).

You can switch from Microsoft-managed tenant key to BYOK but you can’t switch back the other way. Letting Microsoft manage the key is faster and gives you full functionality with Exchange Online. You don’t need special hardware (Hardware Security Module). However, BYOK gives you more control and protection of the key by an HSM.

  • If you haven’t already, install the Rights Management module for Windows PowerShell on a computer with Internet access, to be used for advanced configuration and scripting of Azure RMS. The computer must run Windows 7 or above or Server 2008 or above. You can download it here.
  • Activate Azure RMS (we’ll talk about this in the next section).

Note that if you’re using on-premises RMS now, you’ll need to migrate your keys, templates and URLs to Azure RMS. This involves synchronizing the directories between the on-premises and Azure Active Directory. In order to get full information rights management (IRM) functionality with Exchange Online following the migration, you have to allow Microsoft to manage the tenant key rather than doing BYOK.

Activating Azure Rights Management

Before you can use Azure RMS to protect content in Office, Exchange and SharePoint you need to activate it. You can do this in one of three ways: via the Office 365 admin center, through the Azure classic portal, or using PowerShell. Let’s look at each of these.

Use the Office 365 admin center

If you have an Office 365 enterprise account that includes an Azure RMS subscription, log into Office 365 with your administrative account and do the following:

  1. Click the app launcher icon in the upper left of the Office 365 portal.
  2. In the app launcher panel, click the Admin tile (this will only be in your app launcher if you’re logged in with an admin account) as shown in Fig. 1.

Figure 1

  3. In the left pane of the admin console, expand Service Settings and select Rights Management.
  4. Select Manage. This opens the Rights Management page.
  5. Click Activate. You will be prompted with a dialog box that asks if you want to activate Rights Management. Click Activate again. Now you should see a message that “Rights management is activated,” along with the option to Deactivate.

Use the classic Azure portal

  1. Sign into the classic Azure portal.
  2. In the left pane, select Active Directory.
  3. On the Active Directory page, select Rights Management.
  4. Select the appropriate directory and then select Activate.
  5. Confirm that you want to activate Rights Management. You should see the word “Active” in the Rights Management Status. You should also see the option to Deactivate.

Use PowerShell

To activate Azure RMS using the PowerShell interface, use the following cmdlet:


You can disable RMS using:


These cmdlets turn Azure RMS on or off for all services and applications that are rights-enabled.
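As an added example (not code from the original article), the following script checks the current activation state before changing it, using the Connect-AadrmService, Get-Aadrm, Enable-Aadrm, Disable-Aadrm and Disconnect-AadrmService cmdlets from the Rights Management module for Windows PowerShell. The function name Set-RmsActivation is hypothetical, and the script assumes the module is installed and that you sign in with a tenant administrator account.

```powershell
# Added example: idempotent Azure RMS activation with verification.
# Assumes the Rights Management (AADRM) PowerShell module is installed.
Import-Module AADRM

# Hypothetical helper: bring the service to the desired state and confirm it.
function Set-RmsActivation {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$DesiredState
    )

    # Get-Aadrm reports whether the service is currently Enabled or Disabled.
    $current = [string](Get-Aadrm)
    if ($current -eq $DesiredState) {
        Write-Output "Azure RMS is already $current; no change made."
        return
    }

    # The change applies to all rights-enabled services and applications.
    if ($DesiredState -eq 'Enabled') {
        Enable-Aadrm
    }
    else {
        Disable-Aadrm
    }

    # Re-read the state rather than trusting the previous command's output.
    $after = [string](Get-Aadrm)
    if ($after -ne $DesiredState) {
        throw "Azure RMS state is '$after', expected '$DesiredState'."
    }
    Write-Output "Azure RMS changed from $current to $after."
}

# Prompts for the administrator's credentials.
Connect-AadrmService
try {
    Set-RmsActivation -DesiredState Enabled
}
finally {
    # Always close the session, even if the state check throws.
    Disconnect-AadrmService
}
```

Recording the before and after state in the output gives you a change record for a setting that affects every rights-enabled application in the tenant.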

If the Rights Management option is missing from the Service Settings section in the admin console, your Office 365 plan may not include Azure RMS. It is included in Enterprise E3, E4 and E5, Education A3, A4 and A5, and Government G3, G4 and G5 plans. It is not included in Office 365 Home/Personal plans, Business Essentials, Business Premium, Enterprise E1, Education A1, Enterprise K1, SharePoint plans or Exchange Online plans.

Rights policy templates

The pair of default rights policy templates might be sufficient for your needs, but if it isn’t, you can create custom templates for Azure RMS. You don’t have to do it during deployment (although you can). You can do it later if you wish.

The two included default templates are:

  • Read-only viewing for protected content (View Content permission)
  • Read or modify protected content (View Content, Edit Content, Save File, View Assigned Rights, Allow Macros, Forward, Reply and Reply All permissions)

You might wish to create a template for a set of permissions in between those two. For example, you might allow a user to view content and view assigned rights but not edit content and save files, or allow the user to do everything except allow macros, or only restrict users from copying and printing content, or use some other combination. In that case, a custom template would be needed.

Be aware of the RMS sharing application that can be used by users to define their own permissions. This is an app that works on Windows 7 (SP1), 8, 8.1 and 10 client operating systems. The app allows users to share protected info with someone in a different organization, send a protected document in email to someone using an iPhone or iPad, find out who has accessed protected documents you shared and revoke access, or protect confidential files on your laptop when you travel. People whose organizations don’t use RMS can use the app to read protected content that is sent to them. Instructions for downloading and installing the RMS sharing application are here.

Configuring a custom template for Azure RMS is pretty easy, since you can do this through the Azure portal, too. You can sign into the Azure portal directly, or go to the Office 365 admin center and select Advanced Features for RM, which will take you to the Azure portal where you create and publish your custom templates.

Remember that you will need to activate Azure Rights Management first before you create custom templates, as described above.

To create a new template, in the portal select Create a new rights policy template from the Get Started with Rights Management page. Here you will choose the language and enter a unique name and a description of the template, then click the Complete button. The new template will appear in the list of templates on the Manage Your Rights Policy Templates page, shown as Archived. Now you have to configure it.

Select it from the Templates page in the portal, click Get Started, Configure Rights for Users and Groups and then Get Started Now or Add. Select the user and groups you want to add to the template (they must have email addresses). It’s better to manage rights management templates for groups rather than individual users. You can use security groups or distribution groups, as long as they are email-enabled.

Click Next and then assign one of the rights in the list to the users/groups that you added. You can select Custom and then click Next and select the custom rights. You can choose any combination of rights but sometimes some rights are dependent on others so the necessary rights will be selected for you.

Click Complete and your template is done. You can make the template visible to only a specific subset of users by configuring the Scope option. Unless you do this, by default all users in the Azure AD see all published templates and can select from them.


Azure RMS is easier to deploy than on-premises rights management servers, but that doesn’t mean it’s a one-step solution. There are still a number of decisions that you have to make and options that you can consider when you deploy cloud-based rights management for your organization. In Part 4, we covered the basics of deploying and activating Azure RMS and creating custom rights policy templates. In Part 5, the last of our series, we will talk about configuring applications and usage rights, as well as how to decommission and deactivate Azure RMS.
