Abstract: Organizations share information. The Microsoft Azure Rights Management service
(Azure RMS) offering helps organizations keep their information secure, both inside and
outside of the organization, by protecting sensitive documents both at rest and in motion
with unprecedented ease.
The Azure Rights Management service enables the flow of protected data on all
important devices (not just Windows PCs), of all important file types (not just Microsoft Office
documents), and lets these files be used by all important people in a user's collaboration
circle (not just within the user's organization). In short, users can now securely share any
content with anyone, i.e. with any business user or any individual. Anyone can sign up
for the free Microsoft Rights Management for individuals. This offer lets authenticated users
consume (and produce) protected content on the device of their choice.
This document provides information about the Rights Management sharing applications to
share protected content on all important devices and the Rights Management for individuals
to enable anyone to share protected content.
Table of Contents
FEEDBACKS
INTRODUCTION
OBJECTIVES OF THIS PAPER
NON-OBJECTIVES OF THIS PAPER
ORGANIZATION OF THIS PAPER
ABOUT THE AUDIENCE
SHARING PROTECTED CONTENT ON COMPUTERS AND ALL IMPORTANT DEVICES
LEVERAGING THE MICROSOFT RMS ENLIGHTENED APPLICATIONS
LEVERAGING THE RIGHTS MANAGEMENT SHARING APPLICATIONS
SHARING PROTECTED CONTENT WITH ANYONE
Feedback
For any feedback or comment regarding this document, please send a mail to
AskIPteam@microsoft.com.
Introduction
Every day, information workers use e-mail messages to exchange sensitive information such
as financial reports and data, legal contracts, confidential product information, sales reports
and projections, competitive analysis, research and patent information, customer records,
employee information, etc.
Ever more powerful devices, converging technologies and the widespread use of the Internet
have replaced, in mobility situations, what were (controlled and managed) laptops in past
years. Today, information workers are highly interconnected and, with the consumerization of
IT, more and more of them are using the device of their choice to access e-mails and
work-related documents from just about anywhere. This raises new challenges for security. Over
time, the type, volume and sensitivity of the information that is exchanged have changed
significantly. Mailboxes have transformed into repositories containing large amounts of
potentially sensitive information. Furthermore, as of today, information workers are not just
more mobile than ever before, but they are also more demanding on external collaboration.
Users expect to be able to collaborate seamlessly with any business user, not only
within the organization but also outside.
Considering the above, information leakage can be a serious threat to organizations. Leaks of
confidential information can result in lost revenue, compromised ability to compete,
unfairness in purchasing and hiring decisions, diminished customer confidence, and more.
Consequently, IT needs to make sure that proper policies and technologies are in place with
specifically the ability to protect and control access to sensitive corporate files from:
1. A broad base of the internal employees.
2. A collection of organizations or individuals the organizations and/or the information
author choose to collaborate with.
3. Various exposure risks that data is subject to, notably when stored on non-managed
devices or in the cloud.
Each of these capabilities poses different challenges. These challenges demand effective
Information Protection and Control (IPC) systems, which are not only secure but are also easy
to apply, whether it's to e-mail messages sent or documents (of all types) accessed from
various devices, inside an organization or outside the organization by business partner
organizations/individuals.
Note
IPC is also known under a number of different names, including data leakage prevention, data
loss protection, content filtering, enterprise rights management, etc. All of these categories aim to
prevent an accidental and unauthorized distribution of sensitive information.
Protect is "prove who you are before granting access". The document is unlocked (in fact
decrypted) if the user is authorized to access it. Control is "limit the usage of the
information". Control goes a step further by granting people access while removing their
abilities (for example, to edit, copy, or print) in accordance with the usage policy.
One should note that IPC has been available for more than a decade, but only a few organizations
are using this kind of solution. This can be explained by a previous lack of interest from Business
Decision Makers or by the complexity generally observed when deploying such a far-reaching
solution. Also, users' expectations are high and they do not tolerate any downtime. Users
would not be satisfied if the protected document they are trying to read couldn't be opened
because an Information Protection element is not responding or if it isn't supported on their
devices. Deploying on-premises IPC can be challenging and/or require significant knowledge
to be done right. This was notably the case for Microsoft Active Directory Rights Management
Services (AD RMS):
[2] Office 365 Enterprise: http://office.microsoft.com/en-us/redir/FX103030346.aspx
[3] AZURE RIGHTS MANAGEMENT SERVICES: http://blogs.technet.com/b/rms/archive/2013/07/31/thenew-microsoft-rights-management-services-whitepaper.aspx
[4] Azure Rights Management services: http://www.microsoft.com/rms
[5] RMS Team blog: http://blogs.technet.com/b/rms
Leveraging the Microsoft RMS enlightened applications
As time evolves, users now want to access corporate data (e-mails, Office documents, PDF
documents, pictures, etc.) from anywhere from their devices. They also want a consistent
user experience to access sensitive data from their devices, including a simplified sign-on
process when accessing such information.
One should note that accessing or sharing a protected document is best experienced within
an RMS enlightened application.
RMS enlightened applications enable individuals to protect and consume content. Content is
protected by using encryption and must be decrypted before it can be consumed. When the
file is protected, the individual applies permissions to the file such as the ability to print or
edit. The application will need to honor these rights.
Such an application leverages for that purpose the RMS SDK 2.1 [6] and above. The RMS SDK
facilitates most of the protection flows and all initialization. It takes care of all the
underlying details about the environment and topologies, document expiration, certificate
renewals, policy updates and more. Furthermore, if the application must honor the
permission enforcement requested of it, the SDK makes enforcing the rights easier by
providing APIs to control permissions such as printing, saving, forwarding, etc.
Note
For additional details on permissions, see the MSDN articles AD RMS DEVELOPER CONCEPTS [7]
and BUILT-IN RIGHTS USAGE RESTRICTION REFERENCE [8].
The RMS SDK protects the data within the runtime environment in which it is executing. This is
normally a computer (Windows or Mac OS/X) or a mobile device (Windows RT, Windows
Phone, iOS, or Android).
Note
As of this writing, there is no specific support for Linux or Blackberry. The RESTful API
support of the RMS SDK can be leveraged for that purpose. If there's a platform that is missing and
that you consider critical, you can contact the product team: askIPteam@microsoft.com
Those runtimes use the RMS SDK to interact with the Azure Rights Management service:
1. The Azure Rights Management service, when responding to client SDK requests, is
responsible for the secure encryption key interchange with the SDK in order to protect
the data without the data going to the Azure Rights Management service.
2. Once protected, the Azure Rights Management service plays key roles in document
consumption:
a. The user must be authenticated. The Azure Rights Management service
requests an authorization token from the appropriate identity provider.
Generally, this is the on-premises federated identity infrastructure, such as AD
with AD FS, or the organization's Azure AD tenant as part of Office 365 or as a
stand-alone service, but support for Microsoft Account (a.k.a. Live IDs) and
Google IDs is intended to be introduced.
b. The user must be authorized. The Azure Rights Management service serves
as a unified policy decision point and a policy enforcement point to follow
policies established by your organization. This is done by having the Azure Rights
Management service process the document policy associated with a protected
document and then decide if the recipient should be granted permission to
view the document.
c. Every use must be logged. All user activity, successful or not, is logged in
the Azure Rights Management service's logs, enabling your IT staff to audit access.
Mobile device applications use the new lightweight Microsoft Rights Management SDK (RMS
SDK) 4.0 with the latest mobile client, and benefit from Microsoft-provided user interfaces for
consumption and protection behaviors. This not only saves time to build protection support,
but it also provides a consistent protection user experience (UX) as the UX is integrated into
the SDK itself.
[6] DIFFERENCES BETWEEN AD RMS SDK AND
[7] AD RMS DEVELOPER CONCEPTS: http://msdn.microsoft.com/en-us/library/windows/desktop/jj127291(v=vs.85).aspx
[8] BUILT-IN RIGHTS USAGE RESTRICTION REFERENCE: http://msdn.microsoft.com/en-us/library/windows/desktop/dn223421(v=vs.85).aspx
Note
The RMS SDK 4.0 is a simplified, next-generation API that enables a lightweight
development experience in building or upgrading device apps with information protection via the
RMS service, whether it is an on-premises AD RMS cluster with the mobile device extension or Azure
RMS.
Its APIs use standard programming languages and models for each operating system, so they are
easy and familiar to work with. The RMS SDK 4.0 provides support on mobile devices (Android [9],
iOS [10], Mac OS X [11], Windows Phone, and Windows RT).
For additional information on the RMS SDK 4.0, see the eponymous MSDN page MICROSOFT RIGHTS
MANAGEMENT SDK 4.0 [12].
The Rights Management sharing application (see next section) constitutes a good illustration
of the UX that the SDK provides.
Windows desktop based RMS enlightened applications utilize the RMS SDK v2.1, which
doesn't yet offer built-in consumption and protection flows. (This will change in the near
future.)
As of this writing, the following applications and services natively support the Azure Rights
Management services:
Office 365 (protected e-mail messages and PDF and Office documents with Exchange
Online and SharePoint Online),
Office 2013 and Office 2010 (protected e-mail messages (Outlook) and Office (Word,
Excel, and PowerPoint) documents).
Foxit Enterprise Reader with the RMS PDF Plug-in Module [16] and Foxit Mobile PDF
(protected PDF documents).
TITUS Mail [19].
[9] SDK 4.0 for Android: http://www.microsoft.com/en-ie/download/details.aspx?id=43673
[10] SDK 4.0 for iOS: http://www.microsoft.com/en-us/download/details.aspx?id=43674
[11] SDK 4.0 for OS X: http://www.microsoft.com/en-za/download/details.aspx?id=43675
[12] MICROSOFT RIGHTS MANAGEMENT SDK 4.0: http://msdn.microsoft.com/en-us/library/dn758244(v=vs.85).aspx
[13] OUTLOOK 2013 RT COMING TO WINDOWS RT TABLETS AS PART OF WINDOWS 8.1 UPDATE: http://blogs.office.com/b/office-news/archive/2013/06/05/outlook-2013-rt-coming-to-windowsrt-tablets-as-part-of-windows-8-1-update.aspx
[14] OFFICE MOBILE FOR IPHONE NOW AVAILABLE FOR OFFICE 365 SUBSCRIBERS: http://blogs.office.com/b/office-news/archive/2013/06/14/office-mobile-for-the-iphone-is-nowavailable-for-office-365-subscribers.aspx
[15] OFFICE 365 SUBSCRIBERS GET OFFICE MOBILE FOR ANDROID PHONES: http://blogs.office.com/b/officenews/archive/2013/07/31/office-365-subscribers-get-office-mobile-for-android-phones.aspx
[16] Foxit Enterprise Reader with the RMS Plug-in Module: http://www.foxitsoftware.com/landingpage/2012/07/Reader-Ads-RMS/
[17] Nitro Desk: http://www.nitrodesk.com/Security.html
[18] Nitro PDF: http://www.nitropdf.com/?utm_source=m-softrms&utm_medium=web&utm_campaign=microsoft-rms-icon
[19] TITUS Mail: http://www.titus.com/software/mobile-security/titus-mail.php
[20] RightsWATCH for Individuals: https://www.watchfulsoftware.com/en/products/rw-for-individuals/get-it-here
[21] SECUDE End-to-End Information Security for SAP: http://www.secude.com/company/partners/end-to-end-information-security-for-sap/
Leveraging the Rights Management sharing applications
This location is referenced during the Rights Management for Individuals signup flow, and
more specifically in the subsequent confirmation e-mail (see Section SHARING PROTECTED
CONTENT WITH ANYONE).
This cross-platform sharing application is also available through all the appropriate popular
application stores, e.g. App Store, Google Play and Windows Store.
[22] INTRODUCING SHARING APP: http://blogs.technet.com/b/rms/archive/2013/08/09/introducing-rms-sharing-app.aspx
[23] Azure Rights Management download center: https://portal.aadrm.com/home/download
[24] RMS sharing app on Windows Desktop: http://go.microsoft.com/fwlink/?LinkId=313954
[25] RMS sharing app on Windows Phone: http://go.microsoft.com/fwlink/?LinkId=328512
[26] RMS sharing app on iPhone and iPad: http://go.microsoft.com/fwlink/?LinkId=325338
[27] RMS sharing app on Android: http://go.microsoft.com/fwlink/?LinkId=325340
[28] RIGHTS MANAGEMENT SHARING APPLICATION USER GUIDE: http://technet.microsoft.com/library/dn339006
IT Professionals can download the installation packages (64-bit and 32-bit versions) of the
Rights Management sharing application for Windows from the Microsoft download center [29] for
automatic deployment and thus make use of the ITPro-oriented silent setup options. The
Windows version of the Rights Management sharing application supports a scripted
installation, which makes it suitable for enterprise deployments via the Azure Rights
Management service preparation tool aadrmprep.exe.
Note
For additional information, see the Microsoft TechNet article RIGHTS MANAGEMENT SHARING
APPLICATION ADMINISTRATOR GUIDE [30].
Note
The Rights Management sharing application for Windows is not reserved for those
subscribing to the Microsoft Rights Management cloud-hosted service offering; it is also available for
organizations already using an AD RMS infrastructure on their premises.
[29] Microsoft Rights Management sharing application for Windows: http://www.microsoft.com/en-us/download/details.aspx?id=40857
[30] RIGHTS MANAGEMENT SHARING APPLICATION ADMINISTRATOR GUIDE: http://technet.microsoft.com/library/dn339003.aspx
2. Click the icon corresponding to your computer or device to download the related
Microsoft Rights Management sharing application, for example the Windows blue icon
to install the sharing application for Windows. As indicated, support for
additional devices is coming by October 2013.
4. Click Next.
5. When setup is finished, restart your computer to complete installation. Click Restart.
The setup experience is somewhat similar on other devices, while depending on the device.
Protection of a single file or bulk protection of multiple files as well as all files within a
selected folder:
Native protection for PDF and Office documents, text and image files.
Generic protection for any file type; especially useful for files and apps that do
not support native Rights Management protection.
Built-in viewer for commonly used text and image file types.
Protection and sharing of any file with someone else (within or outside of your
organization) via e-mail.
Enhanced File Explorer (a.k.a. Windows Explorer in Windows 7 and above or Finder in
Mac OS/X) by adding two items, Protect in-place and Share Protected (see below).
New buttons (Share Protected) added to the Microsoft Office Ribbon for Word,
PowerPoint, and Excel applications, so that you can protect and share your files from
within Office 2010 and Office 2013.
Allows Office 2010 to work with the Azure Rights Management service by automatically
configuring registry settings.
The Rights Management sharing application is a user-driven application that helps protect
and consume any file format. It uses the power of the File API [31], which supports automated
protection and enhances the protection ecosystem by protecting all file formats.
The Rights Management sharing application for computers provides, depending on the level
of integration possible with the file format, two different levels of protection:
1. Native protection. This represents a strong level of protection that provides
encryption and also application of a policy (enforcement of rights or permissions).
Before opening protected content, a successful authentication and authorization
must occur as depicted earlier in this document.
When authorization is granted, the content is rendered in accordance to the defined
usage rights policy in RMS-enlightened applications (see Section LEVERAGING THE
MICROSOFT RMS ENLIGHTENED APPLICATIONS ). In practice, the protected content is
rendered in either the Microsoft Rights Management sharing application (for protected
text and image files) or the associated application (for all other supported file
formats):
File formats compatible with Rights Management protection keep their original
extension.
Text and images get special treatment: the original file extension is prefixed
with a P (for example, TXT becomes PTXT, XML becomes PXML, JPG becomes
PJPG; same behavior for PNG, JPEG, TIFF, BMP, and GIF).
[31] ANNOUNCING THE RIGHTS MANAGEMENT SERVICES FILE API: http://blogs.msdn.com/b/rms/archive/2012/10/31/announcingthe-rights-management-services-file-api.aspx
Note
The Microsoft Rights Management sharing application is registered into the
system to handle PFILE extension.
Permissions are displayed but cannot be enforced once the file is opened in its
original format (For example, once a VSD file is opened in Microsoft Visio). This
enables any application to immediately participate in the RMS ecosystem.
Note
an administrator.
The user can protect a document by using the Rights Management sharing application's
integration in Windows and Mac OS/X, as well as via the Microsoft Office Ribbon extensions
(see below). Generally stated, the capability is either:
Protect in place: This flow will protect the file in place. The user can then take other
actions to share the file, if need be. This flow is most suitable for personal or
cloud-drive file protection flows. The user will be given the choice of protecting with an
organizational RMS template, a previously saved user RMS template, or creating a new
ad-hoc template (see below).
Share Protected: This flow will protect a copy of the selected file, leaving the
original file in its prior state (which could also be protected). This flow has the user
addressing the document to people (e-mail addresses) and selecting related
permissions. Upon sending, an unprotected e-mail will be sent with the protected
document. The user can customize the e-mail before it is sent.
-or-
To protect a file in place from Windows Explorer, proceed with the following steps:
1. Right-click the file to protect in place and select protect in place, and then select a
listed RMS template or select Custom Permissions.
2. In the former case, the selected template is silently applied.
-or-
3. In the latter case, an add protection dialog appears.
Set the slider to restrict Address and select the appropriate permissions (see below)
and click Apply.
To share a protected file from Windows Explorer, proceed with the following steps:
1. Right-click the file to share protected and select share protected. A share
protected dialog appears.
2. Add the user(s) who will be able to access the file in USERS.
3. Optionally select Allow consumption on all devices if the file will be shared with
users who use devices such as iOS and Android. In this case, the sharing application
adds the file to a container which is then encrypted so that the file is protected. This
mode will thus allow them to view the file on their devices (and even using
device-specific applications like Pages on an iPad) after the sharing application on the device
verifies they have access to the file.
4. Set the slider in PERMISSIONS to restrict with the appropriate permissions what the
recipient(s) of the file will be able to do (see below) and click Send. An Outlook 2013 "I
have securely shared file(s) with you" dialog opens up.
An e-mail has been created that is ready to be sent but you can edit it first. The
recipient(s) can view the file, and can simply sign up for a free Microsoft Rights
Management account as needed (see Section SHARING PROTECTED CONTENT WITH
ANYONE).
Protecting and sharing a document from within Office 2010 and Office 2013
As previously outlined, the Rights Management sharing application for Windows adds a Share
Protected button on the Microsoft Office Ribbon, which lets you share a protected copy of
the document with others. Related Rights Management add-ins for Excel, PowerPoint and
Word are stored in the following folder: C:\Program Files (x86)\Microsoft RMS Office Addins.
To protect and share a document from Word 2013, for example, proceed with the following
steps:
1. From Word 2013, save the document.
2. Click Share Protected for sharing a sensitive file.
3. Address and select the appropriate permissions (see below) and click Send. An
Outlook 2013 "I have securely shared file(s) with you" dialog opens up.
An e-mail has been created that is ready to be sent but you can edit it first. The
recipient(s) can view the file, and can simply sign up for a free Rights Management
account as needed (see Section SHARING PROTECTED CONTENT WITH ANYONE).
Using RMS Templates
The general use of RMS templates enables an organization to define and implement
information policies that are consistent across the organization. When implementing
automatic rules leveraging RMS templates, then protection applies to everybody in the
company across the board.
Templates reduce the effort of determining who should be assigned user rights and what
types of rights the intended consumer should receive from the publisher. Furthermore, when
modifications to a template occur, all past, present, and future content based on that
template will inherit the new rights when a use license is issued.
If the feature that requires a new use license with every access is used with a template, the
organization can dynamically change rights policies after the document is published or sent
by e-mail. This way, the organization retains the option to further restrict or loosen control on
one or more users at any time.
Azure Rights Management services administrators design and control the content of the
templates. They can easily modify the template definitions of approved consumers and the
rights that are assigned to those users within a rights-protected document.
Important note
The Azure Rights Management service contains by default two
templates built-in. At the time of this writing, the capability to create additional templates is not yet
present.
The latest, up-to-date version of an RMS template resides in the cloud and is always used
when a use license is created so that the most recent policy set by the Microsoft RMS
administrator is enforced. Each RMS client must download the templates that it will use.
These local versions of the templates do not need to be updated every time the Azure Rights
Management services administrator updates the template, because the Azure Rights
Management services tenant uses its own copy when it evaluates the rights that the
template specifies. However, templates still must be available locally for a user to select
them when he or she performs offline publishing, as is the case for Office applications.
Note
If the AD RMS Client 2.1 is bootstrapped against an AD RMS on-premises
installation, then the Microsoft Rights Management sharing application will show the on-premises
templates.
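The template and use-license behaviour described in this section can be sketched as a small model. This is an added example written for illustration, not Microsoft code and not the RMS SDK; the class names, the 30-day license lifetime, the template name and the e-mail addresses are all assumptions. It shows that a tightened template only reaches a consumer when the next use license is issued, unless a new use license is required with every access, and that every request is logged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical toy model: none of these names come from the RMS SDK or service.

@dataclass
class Template:
    name: str
    rights: dict                     # e-mail address -> set of rights

@dataclass
class Document:
    doc_id: str
    template: str                    # the document references the template by name
    license_every_access: bool = False

@dataclass
class UseLicense:
    doc_id: str
    user: str
    rights: frozenset
    expires: datetime

class RightsService:
    """Policy decision point: always evaluates its own copy of the template."""
    LICENSE_LIFETIME = timedelta(days=30)    # assumed value for this model

    def __init__(self):
        self.templates = {}
        self.audit_log = []                  # every request, successful or not

    def set_template(self, template):
        self.templates[template.name] = template

    def request_use_license(self, user, authenticated, doc, now):
        rights = set()
        if authenticated:                    # a. the user must be authenticated
            current = self.templates[doc.template]
            rights = current.rights.get(user.lower(), set())
        granted = bool(rights)               # b. the user must be authorized
        outcome = "granted" if granted else "denied"
        self.audit_log.append((now, user, doc.doc_id, outcome))   # c. logged
        if not granted:
            return None
        lifetime = timedelta(0) if doc.license_every_access else self.LICENSE_LIFETIME
        return UseLicense(doc.doc_id, user, frozenset(rights), now + lifetime)

class Client:
    """Consumer side: reuses a cached use license until it expires."""
    def __init__(self, user, service):
        self.user, self.service, self.cache = user, service, {}

    def open(self, doc, now, authenticated=True):
        lic = self.cache.get(doc.doc_id)
        if lic is None or now >= lic.expires:
            lic = self.service.request_use_license(self.user, authenticated, doc, now)
            if lic is None:
                self.cache.pop(doc.doc_id, None)
                return frozenset()
            self.cache[doc.doc_id] = lic
        return lic.rights

def demo():
    t0 = datetime(2014, 1, 1, tzinfo=timezone.utc)       # constructed timestamps
    svc = RightsService()
    svc.set_template(Template("Confidential", {"bob@contoso.example": {"VIEW", "PRINT"}}))
    cached = Document("doc-1", "Confidential")
    strict = Document("doc-2", "Confidential", license_every_access=True)
    bob = Client("bob@contoso.example", svc)
    result = {"before": (bob.open(cached, t0), bob.open(strict, t0))}
    # The administrator tightens the template after both documents were shared.
    svc.set_template(Template("Confidential", {"bob@contoso.example": {"VIEW"}}))
    t1 = t0 + timedelta(days=1)
    result["next_day"] = (bob.open(cached, t1), bob.open(strict, t1))
    t2 = t0 + timedelta(days=31)                          # cached license has expired
    result["after_expiry"] = bob.open(cached, t2)
    outsider = Client("mallory@fabrikam.example", svc)
    result["outsider"] = outsider.open(cached, t2)
    result["unauthenticated"] = Client("bob@contoso.example", svc).open(
        cached, t2, authenticated=False)
    result["audit_log"] = svc.audit_log
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the model, the document that keeps a cached license still allows printing one day after the template change, while the document that needs a new use license on every access is already restricted to viewing.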
Using Custom RMS permissions
As seen previously, with RMS templates, it's quick and easy to apply protection on
documents that are only accessed by people working inside the organization. Whenever you
want to collaborate with other organizations or with individuals outside, you will share
protected documents by applying custom RMS permissions. Custom RMS permissions allow
you to grant people (individuals inside or outside the organization) access to a protected
document while controlling their ability to use the document (for example edit, copy, or
print).
With the Rights Management sharing application, a document owner can apply permissions
to a file through customized combinations of permissions assigned to each specified
individual identified by the corresponding e-mail address.
Below is a description of supported Rights Management permissions along with their
definitions:
Permission
Description
Mobile device users will need to install the Microsoft Rights Management sharing application
to view the protected file. The file is added to a container which
is then encrypted so that the file is protected. The sharing
application on the device verifies that users have access to the
file and then allows them to view the file on their devices (and
even using device-specific applications like Pages on an iPad).
This right sets the use license to expire immediately after the
protected content has been accessed. As a result, the consumer
must have online access to the Azure Rights Management
service to get another use license every time the document is
opened.
Content expires on
Below is a description of various Rights Management roles along with their definition.
Role
Permission(s)
Viewer
Reviewer
Co-author
Co-owner
All Permissions
This right gives the consumer the same abilities that the
publisher has. This right acts as if no rights restrictions have
been applied. It is typically enabled only for an individual who is
a member of a larger group of consumers for whom rights that
are more restrictive have been applied. It can also be used to
transfer ownership of a document.
Discovering Microsoft Rights Management sharing applications for devices
The Microsoft Rights Management sharing application for mobile devices provides the
following capabilities:
Built-in viewer for commonly used text and image file types.
Create protected images from the camera or on-device camera roll. This can be seen
as the secure whiteboard feature: take a photo of the meeting room whiteboard and
share it with all attendees, securely.
Note
Although the Microsoft Rights Management sharing application can send a
protected document by e-mail, only the attached document is protected, leaving the body of the e-mail
unencrypted. The main purpose of the share protected functionality is secure collaboration
with others who have not yet signed up with the Azure Rights Management service. The e-mail
contains instructions for signing up for Microsoft Rights Management for free.
Sharing with others protected images from an iPad
More and more information workers use their mobile device for capturing information when
taking for example a photo of the meeting room whiteboard.
One new feature, exclusively available on the Microsoft Rights Management sharing
application for mobile devices, is the ability for users to create protected images from the
camera or on-device camera roll and share it with other attendees, securely.
To illustrate the feature on an iPad, proceed with the following steps:
1. Launch the Microsoft Rights Management sharing application for iOS by tapping the
RMS sharing application.
2. Tap take a photo or choose from library to pick a picture from Camera Roll.
4. Enter the credentials of your organizational account and tap Sign in.
5. The list of available templates is displayed; you can choose the Read and Print Only
one or tap Custom Permissions.
7. An e-mail is automatically generated for you, containing the protected image file and
instructions for recipients who have not signed up for the Microsoft Rights
Management sharing application. Add the recipients' e-mail addresses and tap Send.
Opening protected files shared by others on an iPad
Here's another example of how it works when a user receives an e-mail with a protected
document:
The Azure Rights Management service redirects the user to authenticate against
Windows Azure AD.
Based on the user's e-mail address, the Azure Rights Management service looks up in
the Windows Azure AD tenant (Microsoft Rights Management for individuals or Cloud
identities) or redirects to the local on-premises federation infrastructure, e.g. AD FS,
to validate the credentials (federated identities).
Once the user's credentials are validated, the Azure Rights Management service then
checks that the user is authorized to access this document. If access should be
granted, the Azure Rights Management service then sends back to the Microsoft
Rights Management sharing application an appropriate use license.
When downloading or opening a protected file, the file association on the device displays the
icon of the Rights Management sharing application provided that the Rights Management
sharing application is already installed on that device.
Furthermore, when downloading a protected file by using the browser (as illustrated
hereafter with the .pjpg extension), you can directly open the file with the Rights
Management sharing application by simply clicking Open in RMS sharing.
The protected image file is then opened and rendered in the Rights Management sharing
application and the associated information policy is displayed. In this case, authorized users
are only allowed to view and print the content.
By controlling access to information based on user identity, the Azure Rights Management
service is a solution that safeguards corporate information. When access is granted and
information is unlocked, the Azure Rights Management service also provides rich auditing
capabilities.
To ease the collaboration beyond your organizations boundaries and beyond the
organizations that subscribed to the Azure Rights Management service where the
collaboration between them constitutes a native feature as covered earlier in this document,
the Azure Rights Management service provides new ways for individuals and/or users in
organizations that dont offer the Azure Rights Management service to their employees
individuals to sign up for a free account.
With the free Microsoft Rights Management for individuals, users can share with anyone (any
business user or any individual), even those who dont have subscribed to Azure Rights
Management service as part of Office 365 or as a stand-alone service.
In order to securely consume or exchange protected files, anyone can now follow these three
easy steps:
1. Sign up for a free Microsoft Rights Management account via a simple registration
experience.
2. Install the Microsoft Rights Management sharing application.
3. Open received protected files, or protect any file or any folder with the Share
Protected feature.
To sign up for a free account, proceed with the following steps:
1. Open a browser session and navigate to the Microsoft Rights Management portal
(http://portal.aadrm.com).
2. Specify the organizational or personal e-mail address you want to use to sign in, for
example alice@contoso-corporation, and type the characters corresponding to the
displayed CAPTCHA.
3. Click Get started. At this stage, several checks are made before an ad-hoc Rights
Management service account is created. In particular, the Azure Rights Management
service checks to see if the parent organization already has a Windows Azure AD
tenant, if the user already had an account, etc.
Note: A Windows Azure AD tenant is provisioned if the user's organization doesn't already have
one.
A Rights Management for individuals ad-hoc account is simply a Windows Azure AD tenant that is
created for a specific organization (not shared across organizations) and to which the user
account is added. There is no administrator for these tenants. If other users from the same
organization create ad-hoc accounts, they are placed in this same headless tenant. By way of
(this) example, alice@contoso-corporation.com signs up. The tenant CONTOSO-CORPORATION is
created. Alice's user account is added to the tenant CONTOSO-CORPORATION. Alice's account is
given the Microsoft Rights Management for individuals SKU. bob@contoso-corporation.com signs
up. The tenant CONTOSO-CORPORATION exists and is reused. Bob's user account is added to the
tenant CONTOSO-CORPORATION. Bob's account is given the Microsoft Rights Management for
individuals SKU.
IT professionals will be given the ability to convert these ad-hoc accounts to licensed users with no
impact to the user or the tenant. Once this is done, IT professionals will have full management
capabilities for these users.
If the various checks succeed, a verification e-mail is sent to the e-mail address you've
provided to validate your ownership of that address.
5. Check your inbox for a mail entitled Microsoft RMS from
MicrosoftRMSteam@microsoft.com and follow its instructions.
6. Click the link here provided in the above e-mail. Once your ownership is proven, a
new Microsoft RMS tab opens up in the browser.
7. To complete the sign-up process, specify your first name and your last name, enter a
password, confirm it, select a country in the dropdown box, and then
click Create to provision the account. The self-service Rights Management for
individuals accounts will be re-validated on a monthly basis.
8. The account is being provisioned. When the sign up process is finished, a confirmation
e-mail is sent to your address. Wait a few minutes before checking your e-mails.
9. You should receive a new email also entitled Microsoft RMS from
MicrosoftRMSteam@microsoft.com that confirms the completion of the sign up
process.
10. Click the first link here to download the Microsoft Rights Management sharing
application. A new Microsoft RMS tab opens up in the browser with the Download
section of the Microsoft Rights Management portal.
You can now install the sharing application for your device and start leveraging the
Azure Rights Management service as an individual.
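The sign-up checks, the proof of e-mail ownership and the headless-tenant reuse described in the steps and note above can be modelled in a few lines. This is an added illustration, not Microsoft's code: the class and method names, the token carried by the verification link, the point at which the tenant is created, and the rule that derives the tenant name from the e-mail domain are all assumptions.

```python
import hmac
import secrets

RMS_INDIVIDUAL_SKU = "RMS for individuals"   # label taken from the note, not a real SKU id

class AdHocDirectory:
    """Toy model (assumed design) of ad-hoc sign-up and headless-tenant reuse."""

    def __init__(self):
        self.tenants = {}   # tenant name -> {"admins": set(), "users": {email: sku}}
        self.pending = {}   # email -> token awaiting the click in the verification mail

    @staticmethod
    def tenant_name(email):
        local, sep, domain = email.strip().lower().rpartition("@")
        if not sep or not local or "." not in domain:
            raise ValueError("not a usable e-mail address: %r" % email)
        return domain.rsplit(".", 1)[0].upper()   # assumed rule: drop the last label

    def start_signup(self, email):
        """Step 3: run the checks, then issue the token for the verification link."""
        email = email.strip().lower()
        tenant = self.tenants.get(self.tenant_name(email))
        if tenant and email in tenant["users"]:
            raise ValueError("user already has an account")
        token = secrets.token_urlsafe(32)
        self.pending[email] = token
        return token

    def complete_signup(self, email, token):
        """Steps 6-7: provision only once ownership of the address is proven."""
        email = email.strip().lower()
        expected = self.pending.get(email)
        if expected is None or not hmac.compare_digest(expected, token):
            return None   # a bad token creates neither a tenant nor an account
        del self.pending[email]
        name = self.tenant_name(email)
        tenant = self.tenants.setdefault(name, {"admins": set(), "users": {}})
        tenant["users"][email] = RMS_INDIVIDUAL_SKU   # existing tenant is reused
        return name

    def convert_to_licensed(self, name, admin, sku="licensed"):
        """IT takes over: the tenant gains an administrator, users keep their accounts."""
        tenant = self.tenants[name]
        tenant["admins"].add(admin)
        for email in tenant["users"]:
            tenant["users"][email] = sku
        return sorted(tenant["users"])
```

Until `convert_to_licensed` is called, the `admins` set of the tenant stays empty, which is the headless state the note describes.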
This concludes this guide.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed
as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted
to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented
after the date of publication.
This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright,
no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.
© 2014 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events
depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred.
Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.