Getting to Know the Enterprise Mobility Suite (Part 5)

If you would like to read the other parts of this article series please go to:


In Part 1 of this series, we talked about how EMS – Microsoft’s new mobile device management solution – offers organizations a more mobile, cloud-centric way of doing business. We discussed the components of EMS: Microsoft Active Directory Premium, Microsoft Intune and Microsoft Azure Rights Management and we provided an overview of what each one is and does and how it fits into the solution. In this, Part 2, we discussed some of the particulars of deploying Azure AD and InTune in your organization. In Part 3, we continued with this series by beginning to present an overview of how to deploy and manage my favorite part of EMS: the Azure Rights Management service, and started delving into the details of deployment in Part 4.

I had originally intended to end the series with Part 4, but for more comprehensive coverage of the deployment process, we will continue that discussion and wrap it up in this, Part 5.

Configuring Applications

There are other applications that are rights management-enabled, but most users will be using Azure RMS with Office – either the local Office 2010, 2013 and 2016 client programs or, increasing, Office 365. Thus we’ll focus on the configuration of Azure RMS for those apps and services.

If you’re using Office 2013 or 2016 locally with an Office 365 subscription, the good news is that Azure RMS is supported natively by both of these versions of Office. That means you don’t have to do anything special to be able to use rights management with the applications. The applications that are rights-enabled are Word, Excel, PowerPoint, and Outlook. The Outlook Web App (OWA) is also supported, in case you use the web to manage your email and calendaring.

In this case, you don’t have to install or configure anything to protect your Office documents. However, you can opt to install the RMS sharing app that we mentioned in Part 4, and which we’ll talk about more shortly.

Installing and using the Rights Management sharing application

As we mentioned above, The RMS sharing app is necessary in order to use Azure RMS with Office 2010, and it is also needed by those whose organizations don’t have Azure RMS subscriptions if they want to view protected content sent by those who do. But how does it work?

There are Windows, Windows Phone, Mac OS X, iOS and Android versions of the sharing app. However, some devices don’t support all the functionalities that others do.

The desktop version of the sharing app adds new buttons to the Office ribbon in Word, PowerPoint and Excel, which make it easier for you to share protected files. It also adds functionality to file explorer, whereby you can protect multiple selected files or all of the files inside a selected folder by right clicking.

You can automatically deploy the RMS sharing app to Windows computers in your organization, or you can download and install the program on a single computer. The Windows version of the app supports scripted installation. There are two versions, one for 32 bit and one for 64 bit Windows operating systems. Deployment will differ, depending on whether you are running Office 2010 or Office 2013/2016. In the case of the latter, it’s very simple: after you download and extract the app, you simply run the setup.exe /s command with elevated privileges. With Office 2010, it’s a bit more complicated.

After installing the app, you’ll need to verify that it installed successfully, which again is done a little differently depending on the version of Office you’re using.

On the user end, the RMS sharing app can be used to send protected email or documents to someone who works for the same or a different organization, find out who has opened your protected documents (and revoke access if you want), and read protected content that has been shared with you if your organization doesn’t use rights management. You can:

  • Protect files “in-place” on a device, which replaces the original unprotected file with the protected one.
  • Protect files that you share via email, and have RMS send you an email notification when your sent files are opened (or opening is attempted unsuccessfully).
  • Use the documentation tracking site to track your shared files.
  • Revoke your files (and optionally notify people that you’re revoking access) through Outlook, a web browser, or File Explorer.
  • View and use protected files that you are authorized to view/use.
  • Remove protection from a file that you previously protected with the RMS sharing app.

Note that in addition to using the native protection that is built into Office, you can also generically protect other types of files – however, generically protected files (which can be identified by the .pfile extension), do not give you nearly as much control over the content after you share it. The problem is that although only the people you authorize can access the generically protected file that you send, the recipient can open it and forward it to others whom you haven’t authorized, somewhat negating much of the value of RMS. The recipient gets a message requesting that he/she honor the permissions but they can ignore this if they want. Another problem with generic protection is that you can’t set permissions granularly, such as restricting copying and printing. It’s an all-or-nothing thing.

With the native protection of Office files, whatever restrictions you set stay with the content even when the recipient forwards it, and you can restrict the permissions so that the recipient can view the file but can’t print, copy or modify it.

Configuring Usage Rights

Users must configure usage rights on protected files if they don’t use a policy template. When you create custom templates, you configure usage rights on them that will be applied when the template is used to protect content.

The different usage rights that you can assign include the following:

  • Edit
  • Save
  • Export (Save As)
  • Forward
  • Print
  • Reply
  • Reply All
  • View Content
  • Copy and extract content
  • View assigned rights
  • Change rights
  • Allow macros
  • Full Control

It’s important to understand the difference between rights and permissions levels. To make it easier to assign a particular set of rights to a user, you can add that user to a permissions level group. The levels include:

  • Viewer: as the name implies, this person can view, open and read content. What might be less obvious is that he/she can reply and reply all.
  • Reviewer: this person can perform the tasks that would normally be associated with reviewing the content, including the rights of a viewer plus the ability to save, edit and forward content.
  • Co-author: this person has the rights that a reviewer has, and can also copy and print content, view and save or export content, and view and change rights on content.
  • Co-owner: this person has all of the foregoing rights plus the Full Control right; in other words, the same rights as the owner who protected the content.

Decommissioning and Deactivating Azure RMS

If your organization no longer needs or wants to use Azure RMS to protect content, you can decommission and deactivate the service. The good news is that you don’t lose access to the content you previously protected with Azure RMS. However, to ensure that you maintain access to the content, you need to make a copy of the Azure RMS tenant key before your Azure RMS subscription expires. This means, unless you opted for BYOK, you’re going to need to export the tenant key that was managed by Microsoft.

You cannot export your Azure RMS tenant key after the subscription expires.

The procedure that you need to use in order to decommission Azure RMS depends on whether you are planning to switch over from Azure RMS to an on-premises RMS server or do not intend to use RMS anymore at all. In the former case, you’ll need to deploy the on-premises solution and direct existing users to the on-premises RMS server using the Set-AadrmMigrationUrl PowerShell cmdlet. If you’re going to stop using any form of RMS, then you’ll instead need to give an admin super user rights. Then you give this super user the RMS Protection Tool, which can be used to decrypt all of the files that were protected in bulk. After they are decrypted, you’ll be readable without RMS. Note that you can decrypt the files before you deactivate RMS or afterward.

The actual deactivation can be done from either the Office 365 admin center or through the Azure portal, in much the same way that you activated RMS (and which we discussed in Part 4 of this series.


This completes the five-part series on Getting to Know EMS (Enterprise Mobility Suite), where we have provided an overview of the main components: Microsoft Azure Active Directory Premium, Microsoft Intune and Microsoft Azure Rights Management Services (RMS). I hope this helped you get acquainted with the individual services that make up the suite and provided information that will be useful to you in assessing whether EMS is right for your organization.

If you would like to be notified when Deb Shinder releases the next part of this article series please sign up to the Real time article update newsletter.

If you would like to read the other parts of this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top