What is Azure Rights Management?
To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. While the classic client continues to work as configured, no further support is provided, and maintenance versions will no longer be released for the classic client.
We recommend that you migrate to unified labeling and upgrade to the unified labeling client. Learn more in our recent deprecation blog.
Azure Rights Management (Azure RMS) is the cloud-based protection technology used by Azure Information Protection.
Azure RMS helps to protect files and emails across multiple devices, including phones, tablets, and PCs by using encryption, identity, and authorization policies.
For example, when employees email a document to a partner company, or save a document to their cloud drive, Azure RMS’s persistent protection helps secure the data.
Protection settings remain with your data, even when it leaves your organization’s boundaries, keeping your content protected both within and outside your organization.
Azure RMS may be legally required for compliance, legal discovery requirements, or best practices for information management.
Use Azure RMS with Microsoft 365 subscriptions or subscriptions for Azure Information Protection. For more information about individual subscription types and supported features, see the Azure Information Protection pricing site.
Azure RMS ensures that authorized people and services, such as search and indexing, can continue to read and inspect the protected data.
Ensuring ongoing access for authorized people and services, also known as "reasoning over data", is a crucial element in maintaining control of your organization's data. This capability may not be easily accomplished with other information protection solutions that use peer-to-peer encryption.
Protection features
Feature | Description |
---|---|
Protect multiple file types | In early implementations of Rights Management, only Office files could be protected, using built-in Rights Management protection. Azure Information Protection provides support for additional file types. For more information, see Supported file types. |
Protect files anywhere | When a file is protected, the protection stays with the file, even if it is saved or copied to storage that is not under the control of IT, such as a cloud storage service. |
Collaboration features
Feature | Description |
---|---|
Safely share information | Protected files are safe to share with others, such as an attachment to an email or a link to a SharePoint site. If the sensitive information is within an email message, protect the email, or use the Do Not Forward option from Outlook. |
Support for business-to-business collaboration | Because Azure Rights Management is a cloud service, there’s no need to explicitly configure trusts with other organizations before you can share protected content with them. Collaboration with other organizations that already have a Microsoft 365 or an Azure AD directory is automatically supported. For organizations without Microsoft 365 or an Azure AD directory, users can sign up for the free RMS for individuals subscription, or use a Microsoft account for supported applications. |
Attaching protected files, rather than protecting an entire email message, enables you to keep the email text un-encrypted.
For example, you may want to include instructions for first-time use if the email is being sent outside your organization. If you attach a protected file, the basic instructions can be read by anyone, but only authorized users will be able to open the document, even if the email or document is forwarded to other people.
Platform support features
Azure RMS supports a broad range of platforms and applications, including:
Feature | Description |
---|---|
Commonly used devices not just Windows computers | Client devices include: — Windows computers and phones — Mac computers — iOS tablets and phones — Android tablets and phones |
On-premises services | In addition to working seamlessly with Office 365, use Azure Rights Management with the following on-premises services when you deploy the RMS connector: — Exchange Server — SharePoint Server — Windows Server running File Classification Infrastructure |
Application extensibility | Azure Rights Management has tight integration with Microsoft Office applications and services, and extends support for other applications by using the Azure Information Protection client. The Microsoft Information Protection SDK provides your internal developers and software vendors with APIs to write custom applications that support Azure Information Protection. For more information, see Other applications that support the Rights Management APIs. |
Infrastructure features
Azure RMS provides the following features to support IT departments and infrastructure organizations:
Organizations always have the choice to stop using the Azure Rights Management service without losing access to content that was previously protected by Azure Rights Management.
Create simple and flexible policies
Customized protection templates provide a quick and easy solution for administrators to apply policies, and for users to apply the correct level of protection for each document and restrict access to people inside your organization.
For example, for a company-wide strategy paper to be shared with all employees, apply a read-only policy to all internal employees. For a more sensitive document, such as a financial report, restrict access to executives only.
Configure your labeling policies in your labeling admin center:
- Unified labeling client: Use the Microsoft 365 security center, the Microsoft 365 compliance center, or the Microsoft 365 Security & Compliance Center.
- Classic client: Use the Azure portal. For more information, see Configuring and managing templates for Azure Information Protection.
Easy activation
For new subscriptions, activation is automatic. For existing subscriptions, activating the Rights Management service requires just a couple of clicks in your management portal, or two PowerShell commands.
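The PowerShell route mentioned above, shown as an added example (not code from the Microsoft article). It assumes the AIPService module is installed and that the signed-in account is a global administrator for the tenant; it checks the current state before enabling so it is safe to re-run.

```powershell
# Added example: activate the Azure Rights Management service for an existing
# tenant with the AIPService module. Assumes Install-Module AIPService has
# already been run and the account used is a tenant global administrator.
Import-Module AIPService

# Interactive sign-in to the tenant; prompts for administrator credentials.
Connect-AipService

# Get-AipService reports the activation state as the string Enabled or Disabled.
$state = Get-AipService
if ($state -eq 'Enabled') {
    Write-Host "Azure RMS is already activated for this tenant."
}
else {
    # Enable-AipService is the command that actually activates protection.
    Enable-AipService
    Write-Host "Azure RMS activated; state is now: $(Get-AipService)"
}

# Review the resulting tenant configuration (service URLs, key and
# feature settings) so the change can be recorded in the change ticket.
Get-AipServiceConfiguration
```

Because activation is tenant-wide, run this from an account and workstation that are themselves covered by your privileged-access controls, and keep the `Get-AipServiceConfiguration` output with the change record.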
Auditing and monitoring services
Audit and monitor usage of your protected files, even after these files leave your organization’s boundaries.
For example, if a Contoso, Ltd employee works on a joint project with three people from Fabrikam, Inc, they might send their Fabrikam partners a document that’s protected and restricted to read-only.
Azure RMS auditing can provide the following information:
- Whether the Fabrikam partners opened the document, and when.
- Whether other people, who were not specified, attempted, and failed to open the document. This might happen if the email was forwarded on, or saved to a shared location.
AIP administrators can track document usage and revoke access for Office files. Users can revoke access for their protected documents as needed.
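The two audit questions in the Contoso/Fabrikam scenario above, answered from Azure RMS usage logs, as an added example (not code from the Microsoft article). Real logs are downloaded with `Get-AipServiceUserLog` after `Connect-AipService`; the tab-separated rows embedded below are constructed sample data laid out like those logs, keeping only the columns the report needs, and the column names are an assumption to verify against the header line of your own download. The document name, addresses and IP addresses are placeholders.

```powershell
# Added example: who opened a protected document, and who tried and failed.
# To obtain real logs (after Connect-AipService):
#   Get-AipServiceUserLog -Path 'C:\AipLogs' -FromDate (Get-Date).AddDays(-7)
# The here-string below is CONSTRUCTED sample data in that tab-separated
# layout (subset of columns); column names are an assumption to check
# against the header of an actual download.
$sampleLog = @"
date`ttime`trequest-type`tuser-id`tresult`tcontent-id`towner-email`tfile-name`tc-ip
2024-01-10`t08:55:10`tPublish`tbob@contoso.com`tSuccess`t{11111111-aaaa-4bbb-8ccc-000000000001}`tbob@contoso.com`tproject-plan.docx`t203.0.113.10
2024-01-10`t09:12:01`tAcquireLicense`talice@fabrikam.com`tSuccess`t{11111111-aaaa-4bbb-8ccc-000000000001}`tbob@contoso.com`tproject-plan.docx`t198.51.100.20
2024-01-10`t09:40:44`tAcquireLicense`tcarol@fabrikam.com`tSuccess`t{11111111-aaaa-4bbb-8ccc-000000000001}`tbob@contoso.com`tproject-plan.docx`t198.51.100.21
2024-01-10`t11:05:30`tAcquireLicense`tmallory@example.net`tFailure`t{11111111-aaaa-4bbb-8ccc-000000000001}`tbob@contoso.com`tproject-plan.docx`t192.0.2.77
2024-01-10`t12:00:02`tAcquireLicense`tdave@fabrikam.com`tSuccess`t{11111111-aaaa-4bbb-8ccc-000000000001}`tbob@contoso.com`tproject-plan.docx`t198.51.100.22
2024-01-10`t12:30:15`tAcquireLicense`talice@fabrikam.com`tSuccess`t{22222222-aaaa-4bbb-8ccc-000000000002}`tbob@contoso.com`tbudget.xlsx`t198.51.100.20
"@

function Get-DocumentAccessReport {
    param(
        [Parameter(Mandatory)][string]$LogText,
        [Parameter(Mandatory)][string]$FileName,
        [string[]]$IntendedRecipients = @()
    )
    $rows = $LogText | ConvertFrom-Csv -Delimiter "`t"

    # A license acquisition is the event that corresponds to opening the
    # document; the Publish row is the owner protecting it and is not an open.
    $attempts = $rows | Where-Object {
        $_.'request-type' -eq 'AcquireLicense' -and $_.'file-name' -eq $FileName
    }

    $opened = $attempts | Where-Object { $_.result -eq 'Success' } |
        Select-Object date, time, 'user-id', 'c-ip'

    # Anyone outside the intended recipient list, whether they succeeded or
    # failed, is worth a look: a forwarded mail or a file copied to a share.
    $unexpected = $attempts | Where-Object { $IntendedRecipients -notcontains $_.'user-id' } |
        Select-Object date, time, 'user-id', result, 'c-ip'

    [pscustomobject]@{
        FileName           = $FileName
        OpenedBy           = @($opened)
        UnexpectedAttempts = @($unexpected)
    }
}

$report = Get-DocumentAccessReport -LogText $sampleLog -FileName 'project-plan.docx' `
    -IntendedRecipients 'alice@fabrikam.com', 'carol@fabrikam.com', 'dave@fabrikam.com'

"Opened by:"
$report.OpenedBy | Format-Table -AutoSize
"Attempts by users not on the recipient list:"
$report.UnexpectedAttempts | Format-Table -AutoSize
```

On the sample data the report lists the three Fabrikam users as successful opens and one failed attempt from an address that was never given rights, which is the signal that the message or file was passed on. For a real investigation, point the function at the concatenated `.log` files from `Get-AipServiceUserLog` and filter on `content-id` rather than `file-name` if the document may have been renamed.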
Ability to scale across your organization
Because Azure Rights Management runs as a cloud service with the Azure elasticity to scale up and out, you don’t have to provision or deploy additional on-premises servers.
Maintain IT control over data
Organizations can benefit from IT control features, such as:
Feature | Description |
---|---|
Tenant key management | Use tenant key management solutions, such as Bring Your Own Key (BYOK) or Double Key Encryption (DKE). For more information, see the documentation for BYOK and DKE. |
Auditing and usage logging | Use auditing and usage logging features to analyze for business insights, monitor for abuse, and perform forensic analysis for information leaks. |
Access delegation | Delegate access with the super user feature, ensuring that IT can always access protected content, even if a document was protected by an employee who then leaves the organization. In comparison, peer-to-peer encryption solutions risk losing access to company data. |
Active Directory synchronization | Synchronize just the directory attributes that Azure RMS needs to support a common identity for your on-premises Active Directory accounts, by using a hybrid identity solution, such as Azure AD Connect. |
Single sign-on | Enable single sign-on without replicating passwords to the cloud, by using AD FS. |
Migration from AD RMS | If you've deployed Active Directory Rights Management Services (AD RMS), migrate to the Azure Rights Management service without losing access to data that was previously protected by AD RMS. |
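The access delegation row above in practice, as an added example (not code from the Microsoft article): enabling the super user feature and assigning it to a dedicated account with the AIPService module. It assumes an administrator session opened with `Connect-AipService`; the mailbox address is a placeholder.

```powershell
# Added example: delegate access with the super user feature so IT retains
# the ability to open content protected by an employee who has since left.
# Assumes the AIPService module and a tenant administrator session.
Connect-AipService

# The feature is off by default. Enable it only when needed; the change is
# recorded in the tenant's admin log.
if ((Get-AipServiceSuperUserFeature) -ne 'Enabled') {
    Enable-AipServiceSuperUserFeature
}

# Assign the right to a dedicated, monitored account rather than to everyday
# admin accounts: a super user can open any content protected in the tenant.
# 'ediscovery-svc@contoso.com' is a placeholder address.
$superUser = 'ediscovery-svc@contoso.com'
if ((Get-AipServiceSuperUser) -notcontains $superUser) {
    Add-AipServiceSuperUser -EmailAddress $superUser
}

# Record the resulting state: feature status and the full super user list are
# the two items an auditor will ask for.
Get-AipServiceSuperUserFeature
Get-AipServiceSuperUser
```

When the recovery or discovery task is finished, remove the account with `Remove-AipServiceSuperUser -EmailAddress` and, if no standing need remains, run `Disable-AipServiceSuperUserFeature`, so the capability is not left enabled by default.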
Security, compliance, and regulatory requirements
Azure Rights Management supports the following security, compliance, and regulatory requirements:
- Use of industry-standard cryptography and support for FIPS 140-2. For more information, see the Cryptographic controls used by Azure RMS: Algorithms and key lengths information.
- Support for nCipher nShield hardware security module (HSM) to store your tenant key in Microsoft Azure data centers.
- Azure Rights Management uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East and Africa), and Asia, so your keys can be used only in your region.
- Certification for the following standards:
  - ISO/IEC 27001:2013 (includes ISO/IEC 27018)
  - SOC 2 SSAE 16/ISAE 3402 attestations
  - HIPAA BAA
  - EU Model Clause
  - FedRAMP as part of Azure Active Directory in Office 365 certification, issued FedRAMP Agency Authority to Operate by HHS
  - PCI DSS Level 1
For more information about these external certifications, see the Azure Trust Center.
Next steps
For more technical information about how the Azure Rights Management service works, see How does Azure RMS work?
If you are familiar with the on-premises version of Rights Management, Active Directory Rights Management Services (AD RMS), you might be interested in the comparison table from Comparing Azure Rights Management and AD RMS.
Active Directory Rights Management Services Overview
Applies To: Windows Server 2012 R2, Windows Server 2012
This document provides an overview of Active Directory Rights Management Services (AD RMS) in Windows Server® 2012. AD RMS is the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions.
Role description
AD RMS can be used to augment the security strategy for your organization by protecting documents using information rights management (IRM).
AD RMS allows individuals and administrators through IRM policies to specify access permissions to documents, workbooks, and presentations. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself.
AD RMS and IRM help individuals enforce their personal preferences concerning the transmission of personal or private information. They also help organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information.
AD RMS running on Windows Server 2012 R2 or Windows Server 2012 meets the requirements of FIPS 140-2 when this server role is deployed as described in FIPS Compliance Issues for RMS.
Practical applications
IRM solutions that AD RMS enables are used to help provide the following:
- Persistent usage policies, which remain with the information, no matter where it is moved, sent or forwarded.
- An additional layer of privacy to protect sensitive information —such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.
- Prevent an authorized recipient of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use.
- Prevent restricted content from being copied by using the Print Screen feature in Microsoft Windows.
- Support file expiration so that content in documents can no longer be viewed after a specified period of time.
- Enforce corporate policies that govern the use and dissemination of content within the company.
IRM-based solutions that AD RMS supports cannot prevent all types of threats to the security of sensitive documents or prevent disclosure of screen readable information under all circumstances. For example, the following are some types of document security threats that AD RMS does not address or mitigate:
- Content from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware.
- Content from being lost or corrupted because of the actions of computer viruses.
- Restricted content from being hand-copied or retyped from a display on a recipient's screen.
- A recipient from taking a digital photograph of the restricted content displayed on a screen.
- Restricted content from being copied by using third-party screen-capture programs.
For more information about how AD RMS can be used to design secure document collaboration, see AD RMS Architecture Design and Secure Collaboration Scenarios.
For information about how AD RMS can secure all file types, see How RMS protects all file types – by using the RMS sharing app.
New and changed functionality
Several improvements have been made to the Windows Server 2012 version of AD RMS. These enhancements are covered online in the article What’s New in AD RMS?
Server Manager information
The installation of AD RMS role services can be performed through the Server Manager. The following role services can be installed:
Role service | Description |
---|---|
Active Directory Rights Management Server | The Active Directory Rights Management Server is a required role service that installs all AD RMS features used to publish and consume rights-protected content. |
Identity Federation Support | The identity federation support role service is an optional role service that allows federated identities to consume rights-protected content by using Active Directory Federation Services. |
Upgrading or migrating
If you are running a version of Rights Management that you want to upgrade or migrate to the latest version, use the following resources:
- To upgrade or migrate to Active Directory Rights Management (AD RMS): RMS to AD RMS Migration and Upgrade Guide
- To migrate to Azure Rights Management (Azure RMS): Migrating from AD RMS to Azure Rights Management
See also
The following table provides additional resources for evaluating AD RMS.