Feature Guide
(Legacy Platform Release)
Applies to: Office 365 Dedicated Legacy Platform Releases
This feature guide describes the Information Rights Management (IRM) implementation used for the
legacy releases of Office 365 Dedicated. The following topics are presented in the guide:
Additional Resources
See the IRM landing page in the Customer Extranet site for additional implementation information and
diagnostic tools. Contact your Microsoft Service Delivery Manager for information on how to obtain
access to the Customer Extranet site.
1. An individual who intends to protect content, or to consume content protected by others, must first
acquire certificates that enroll his or her computer and domain user account into the AD RMS
certificate hierarchy. A certificate that identifies a computer is called a machine certificate; one
that identifies a user is called a rights account certificate (RAC), also referred to as a group identity
certificate (GIC). An IRM-supported application must retrieve these certificates from an activation
service configured on an AD RMS server in the same Active Directory forest as the user.
Exchange Online as an independent service will provide IRM protection for email and attachments that
are created and consumed within Office 365. IRM protection for email and documents is invoked when
an AD RMS rights policy template is applied to the email message. The template applies restrictions on
forwarding, the extraction of information from the message, saving the message, or printing the
message. Usage rights are attached to the message itself and remain with the message regardless of
whether the message remains within, or travels between, on-premises, online, and other external
environments.
For a coexistence environment, additional IRM functionality is available if the AD RMS trusted published
domain (TPD) of each on-premises AD RMS cluster is made available for use in the Office 365 AD RMS
infrastructure dedicated to your organization. A TPD collectively represents the server licensor certificate
(SLC), AD RMS cluster private key, and rights policy templates of the on-premises cluster. Providing
the TPD for use within Office 365 is optional. Two closely related reasons to support consideration of a
TPD import into the Office 365 environment are the following:
In addition, the presence of the imported TPD within the Office 365 environment provides the following
functionality:
Availability of on-premises rights policy templates. All rights policy templates associated with
the source AD RMS licensing server for the TPD will be loaded into the Office 365 environment. The
templates can be used by IRM-enabled applications to decrypt content originally protected within
your on-premises environment.
Support for IRM in Outlook Web App. Users can use Outlook Web App to read IRM-protected
messages generated within the on-premises Exchange environment. IRM-protected messages in
Outlook Web App can be accessed through Internet Explorer, Firefox, Safari, and Google Chrome
(no plug-in required) browsers and include full-text search, conversation view, and the preview
pane. Exchange Online will pre-license the IRM-protected content so that it can be viewed immediately
within Outlook Web App, and Outlook Web App will also provide WebReady document viewing of that
content.
Support for IRM in Exchange ActiveSync. Users with mobile devices that support the IRM
features of the Exchange ActiveSync protocol can open and work with IRM-protected messages
generated within the on-premises Exchange environment without tethering the phone or installing
additional IRM software. Administrators can control the use of this feature using Role-Based Access
Control (RBAC) and Exchange ActiveSync policies.
Indexing of IRM-protected messages to support Search. IRM-protected messages are indexed
and searchable. Headers, subject, body, and attachments are included. Users can search items
protected in Outlook and Outlook Web App within the on-premises Exchange environment and
administrators can search protected items by searching multiple mailboxes.
Note:
Outlook Protection Rules (the application of IRM protection when messages are sent by an
Outlook client) are not supported.
For a complete list of the capabilities and constraints of the IRM feature set including expanded
descriptions of each topic, see the AD RMS Service Description (Legacy Platform Release) on the IRM
landing page of the Customer Extranet site.
As stated in the AD RMS Service Description (Legacy Platform Release) accessible via the IRM landing
page of the Customer Extranet site, the IRM feature does not support the following:
Interaction with AD RMS via federation protocols or clients.
Support for AD RMS trusts involving systems that are not within the security realm of your
organization.
Integration with Windows Live ID.
As shown in the diagram, the following characteristics apply to an Office 365 dedicated plan or
ITAR-support plan implementation of IRM:
The on-premises or online environment is capable of protecting Exchange email messages and
Office documents. Documents can be protected when attached to an IRM-protected email
message, using a Microsoft IRM-enabled application, or when placed within an IRM-enabled
SharePoint document library or list. Conditions related to the protection and consumption of
content are described in the table below.
The following table identifies the IRM protection and consumption characteristics for content shared
within and between the IRM source and destination environments.
Note:
We recommend identifying which remote email domains will be trusted within the Office 365
AD RMS environment; otherwise, it may be possible for a user from a trusted (on-premises)
user domain to impersonate a user from another Active Directory forest.
Protection policies for SharePoint Online are described in the Considerations for SharePoint Online
section.
Conversely, Microsoft can provide the TPD for the Office 365 environment to your organization for
import within your on-premises environment to support the bulk decryption of content for legal
discovery purposes. If the Office 365 TPD is required, your SDM and Deployment Program Manager can
assist with planning and execution of the TPD export/import process. To address smaller scale content
decryption requirements, your compliance personnel can use the super user access method described
in the topic IRM Super User Access.
1 XML Paper Specification (.xps) file format.
2 SharePoint Server IRM, Windows Mobile 6.x, and Windows Phone 7.5, 7.8, & 8.0 do not support
applying protection through templates. SharePoint Server will only store documents protected through
templates and will apply the additional IRM protection settings of the SharePoint library or list.
Windows Mobile and Windows Phone can only consume documents and email protected through
templates.
If rights policy templates are created and used within an on-premises AD RMS environment of your
security realm, these templates can be imported into the dedicated Office 365 environment for use by
Microsoft Office applications and Exchange Online to decrypt IRM protected content. The templates
become available for decryption use only by following the Trusted Publishing Domain Sharing process.
Important:
Because content may exist within Office 365 that was protected using a specific on-premises rights
policy template or a custom rights policy template created within Office 365, an appropriate best
practice is to retain templates for an extended period to ensure older protected content can be
decrypted.
Prior to attempting to create or edit templates, confirm the administrative user has been added to the
RMS Template Administrators security group. The options to perform template creation and editing
within Office 365 are the following:
1. AD RMS snap-in for the Microsoft Management Console (MMC)
2. Windows PowerShell using the ADRMSAdmin provider
The following example creates a drive named RMS that represents the AD RMS cluster hosted within
a fictitious Office 365 environment named 999d:
    New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root https://rms.999.d.office365.com
3. Set the current location.
Important:
When new templates are created within either the on-premises or online environments, care
must be taken to apply a unique name to each template to prevent a template name collision
from occurring when a TPD is transferred between the on-premises and Office 365
environments since the existence of duplicate template names will block TPD import.
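To put the three steps above together with the unique-name rule from the Important note, here is an added PowerShell example. It is not part of this guide and is not Microsoft tooling: it connects to the guide's fictitious 999d cluster, stops unless the current user is in an RMS Template Administrators group, checks the connected cluster for an existing template with the same display name, and only then creates the template. The template name, description, user group and rights are placeholders; the New-Item parameters follow the AdRmsAdmin provider's documented syntax, and the DisplayName property used for the collision check is assumed from the provider's template listing.

```powershell
# Added example, not from the feature guide. Creates a rights policy template through the
# AdRmsAdmin provider only after checking for a display-name collision on the connected cluster.
# Placeholders: template name, description, user group and rights. The cluster URL is the
# guide's fictitious 999d environment.
param(
    [string]$ClusterUrl   = 'https://rms.999.d.office365.com',
    [string]$TemplateName = 'Contoso Confidential - View Only',     # placeholder; keep unique on-premises and online
    [string]$Description  = 'View only; no forward, copy or print', # placeholder
    [string]$UserGroup    = 'allstaff@contoso.invalid',             # placeholder group that receives the rights
    [string[]]$Rights     = @('View')
)

# Step 1 (from the guide): the caller must be in the RMS Template Administrators group, or the write is denied.
$groupNames = foreach ($sid in [Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }   # skip SIDs that do not resolve
}
if (-not ($groupNames -match 'RMS Template Administrators$')) {
    throw 'Current user is not a member of an RMS Template Administrators group; stopping before any change.'
}

# Step 2 (from the guide): map the cluster to a drive named RMS.
if (-not (Get-PSDrive -Name RMS -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root $ClusterUrl | Out-Null
}

# Step 3 (from the guide): set the current location to the drive.
Set-Location RMS:\

# Collision check: duplicate template names block TPD import, so refuse to create a second template
# with the same display name. DisplayName is assumed to be exposed by the provider's template listing.
$existing = Get-ChildItem .\RightsPolicyTemplate | Where-Object { $_.DisplayName -eq $TemplateName }
if ($existing) {
    throw "A template named '$TemplateName' already exists (Id $($existing.Id)); pick a unique name."
}

# Create the template. Parameter names follow the AdRmsAdmin provider's documented New-Item syntax.
New-Item -Path .\RightsPolicyTemplate -LocaleName en-us -DisplayName $TemplateName `
    -Description $Description -UserGroup $UserGroup -Right $Rights
```

The collision check only sees the cluster the RMS drive points at, so run it once against the on-premises cluster and once against the Office 365 cluster before settling on a name; a template name that is free on one side but taken on the other still blocks the TPD import described in the note.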
Note:
If a rights policy template used by a transport protection rule is deleted from the Office 365 AD
RMS cluster but the transport rule continues to attempt to use the template, the RMS server will
fail to license the content and an NDR will be sent to the sender.
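As an added example (not from the guide), the following Exchange Management Shell script lists the transport rules that apply a rights protection template and flags the ones whose template no longer exists on the cluster, the situation the note above describes as ending in a failed licensing call and an NDR. It also flags templates of type Archived, because templates brought in through a TPD import are marked Archived and cannot be used by transport rules. It assumes an Exchange Management Shell session with rights to run Get-TransportRule and Get-RMSTemplate; no rule or template names are hard-coded.

```powershell
# Added example, not from the feature guide. Audits transport rules that reference an RMS template.
# Status meanings: MISSING  = template not found on the cluster (licensing will fail, sender gets an NDR)
#                  ARCHIVED = template imported via TPD; Archived templates cannot be used by transport rules
#                  OK       = a Distributed template with that name exists
$byName = @{}
foreach ($t in Get-RMSTemplate -Type All) { $byName[$t.Name] = $t }

$findings = foreach ($rule in Get-TransportRule) {
    $templateName = [string]$rule.ApplyRightsProtectionTemplate
    if (-not $templateName) { continue }              # rule does not apply IRM protection
    $template = $byName[$templateName]
    $status = if (-not $template)                  { 'MISSING' }
              elseif ($template.Type -eq 'Archived') { 'ARCHIVED' }
              else                                   { 'OK' }
    [pscustomobject]@{
        Rule     = $rule.Name
        State    = $rule.State                        # Enabled rules are the ones that will actually fail
        Template = $templateName
        Status   = $status
    }
}

$findings | Sort-Object Status, Rule | Format-Table -AutoSize

# Non-zero exit when any enabled rule points at a template that cannot license content.
$broken = @($findings | Where-Object { $_.Status -ne 'OK' -and $_.State -eq 'Enabled' })
if ($broken.Count -gt 0) {
    Write-Warning "$($broken.Count) enabled transport rule(s) reference a missing or archived template."
    exit 1
}
```

Because the template is looked up by name, a template that was deleted and re-created under the same name on the cluster will show as OK even though the rule was created against the old template; re-save the rule in that case so it binds to the current template.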
Note:
Email attachments that are not a native Office file type are encrypted along with a Microsoft
Exchange Online email message. When the message is decrypted, the attachment will not have
IRM restrictions. In SharePoint Online, no level of protection is provided to a non-native Office
file type that is uploaded into, or downloaded from, a document library or list.
You can find client information on Microsoft TechNet and from other Microsoft sources to help you
become familiar with the steps to configure an IRM client and how to interact with the IRM user
interface for these clients. The information below includes special notes and links to reference material.
A complete list of supported features and limitations is included in the AD RMS Service Description
(Legacy Platform Release) accessible via the IRM landing page of the Customer Extranet site.
Note:
Use of the Print Screen function and the Snipping Tool can't be blocked when viewing IRM-protected
content using a Web browser application (i.e., Outlook Web App or Office Online).
For the latest list of supported browsers for the IRM feature, see Office 365 system requirements (Web
browsers sections). For more information about additional browser constraints in SharePoint Online,
see Plan browser support in SharePoint 2013.
A service request for support from Microsoft will require that your organization provide specific error
messages, client operating system version, client application software with version number (for example,
Outlook and Internet Explorer), and related information. To submit a request, you use the IRM template
in the Escalation Template/Infrastructure folder of the Customer Extranet site for Office 365 dedicated
plans.
Note:
The Universal Distribution Group must be outside the scope of Office 365 directory
synchronization (MMSSPP). The Universal Distribution Group must have an email address
specified in the mail attribute object in Active Directory; the email address must be unique and
should not be re-used on any other objects in any of your directories.
Note:
1. See Information Rights Management for Office 365 Dedicated for a complete description of
how to implement, administer, and support an IRM implementation in Office 365 dedicated
plans.
2. Unless otherwise indicated, the information presented also applies to the International Traffic in
Arms Regulations (ITAR-support) version of Office 365.
3. Recent updates applied to this article contain an asterisk (*) at the beginning of each item title.
1. What is a RAC?
A rights account certificate (RAC) identifies a user account by binding the account into the pre-
production or production certificate hierarchy. Each RAC is tied to the machine certificate of the
computer on which the user is activated. A RAC and a machine certificate must exist before an end-
user license can be created and content encrypted or decrypted. A user can have more than one
RAC on a computer, one for each AD RMS service against which the user is activated, but the user
cannot transfer a RAC between computers.
Note:
Transport Decryption can be provided by Exchange Online by creating new templates for this
purpose within Office 365 (see guidelines regarding template creation within the Office 365 IRM
Feature Guide). See the IRM agents table in Information Rights Management for a handy
reference describing how IRM agents on Exchange Transport servers are used to support the
above listed features.
A customer with more than one licensing cluster may choose to enable the above features for only
a subset of their content protected on-premises by providing the TPD from selected RMS licensing
clusters. If the on-premises TPD is not provided, Exchange Online will process content protected
on-premises as opaque. Messages and files will be delivered using Exchange Online but the content
will not be rendered within Outlook Web App, scanned for malware, available for transport rules,
decrypted for journaling, indexed for searching, or delivered to Exchange ActiveSync devices.
Note:
If User Rights settings are changed within an on-premises template and the corresponding
template within Office 365 is not updated, content protected by Exchange Online or consumed
by authorized users within Exchange Online will utilize the older set of User Rights.
If content is protected within the on-premises environment using a newly created rights
policy template and the template is not exported for use by Exchange Online, an attempt to
decrypt content within Office 365 by a consumer or by an IRM feature requiring this specific
template will fail.
Note:
AD RMS rights policy templates imported into the Office 365 service using the TPD
exchange method are not available for use in Exchange transport rules since these
templates are marked as Archived and cannot be modified. This is an AD RMS product
limitation.
18. If a new AD RMS cluster is added within the on-premises enterprise, what tasks are required
to integrate the clusters with Office 365?
Essentially, the same assessment and integration process used for the initial deployment will be
executed again. Because an established environment exists, this process is likely to be completed
more quickly. Implementation time depends upon configuration characteristics.
19. Can an on-premises Exchange server decrypt content protected in the Office 365 service?
The on-premises Exchange server will not be able to decrypt content; however, users with on-premises
mailboxes that use Outlook will be able to read content protected in Office 365.
20. *Why must the on-premises AD RMS Certification URL be different from the Licensing URL?¹
When the Exchange Online service needs to license (encrypt or decrypt) and process content that
was protected by the customer AD RMS cluster, the licensing transaction must be directed to the
Office 365 AD RMS service. Because the Licensing URL in the protected content wrapper will be the
on-premises Licensing URL, that URL needs to be redirected to the Office 365 AD RMS cluster. This
redirection is accomplished through DNS.
If the customer Licensing and Certification URLs were identical, calls to both URLs would be
redirected to the Office 365 AD RMS service. This would cause the user certification process
(including the process to obtain the user's RAC for use in the licensing process) to fail.
Note:
Microsoft strongly recommends using an FQDN, rather than a single-label name, for the
Certification URL. Using a single label name (for example, https://certify) for an AD RMS
URL can cause service issues. The first security-related concern is a rogue server set up with
the same server name to lure clients into using it to protect content, with no way for the clients
to differentiate between the two. The second concern is
related to multi-forest or cross-company collaboration environments presenting a situation
where different AD RMS servers with identical names would conflict. If identical names are
used for AD RMS servers, an attempt to exchange protected content between the
identically named servers would fail due to clients being directed to the wrong cluster after
resolving the single-label server name. These issues are not related to the Office 365
implementation. The use of an FQDN is considered to be a general AD RMS best practice.
22. *An attempt to change the Certification URL using the AD RMS Administration snap-in for
MMC was not allowed. How can the change be applied?¹
The AD RMS Certification URL cannot be changed using the AD RMS Administration snap-in for
MMC. The AD RMS Certification URL can be changed via direct modification of the
serviceBindingInformation attribute of the Active Directory AD RMS service connection point.
This operation can be done using ADSIEDIT, LDP, or another Active Directory object editor.
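The following PowerShell script is an added example (not from the guide) covering questions 20 and 22 together. It reads the Certification URL from the AD RMS service connection point, warns if the host is a single-label name or is the same host as the Licensing URL, shows the DNS answer for each host so the redirection of the Licensing name to the Office 365 cluster can be seen, and, only when a new URL is supplied and confirmed, writes serviceBindingInformation directly, the change the snap-in refuses to make. The Licensing URL and any new Certification URL are parameters you provide; the SCP path is the standard AD RMS location under the Configuration partition, the write needs rights on that partition, and Resolve-DnsName requires Windows 8 / Windows Server 2012 or later.

```powershell
# Added example, not from the feature guide. Verifies the AD RMS Certification URL held in the SCP
# against the Licensing URL and DNS, and optionally rewrites serviceBindingInformation (with -WhatIf /
# -Confirm support). Parameters are placeholders supplied by the operator.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)][string]$LicensingUrl,   # e.g. https://rms.contoso.invalid/_wmcs/licensing (placeholder)
    [string]$NewCertificationUrl                   # omit to verify only
)

# Standard AD RMS SCP location: CN=SCP,CN=RightsManagementServices,CN=Services,<Configuration NC>
$rootDse = [ADSI]'LDAP://RootDSE'
$scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$($rootDse.configurationNamingContext)"
$scp     = [ADSI]$scpPath
$current = [string]$scp.serviceBindingInformation

function Get-UrlHost([string]$Url) { ([uri]$Url).Host }
$certHost = Get-UrlHost $current
$licHost  = Get-UrlHost $LicensingUrl

Write-Host "SCP object        : $scpPath"
Write-Host "Certification URL : $current"
Write-Host "Licensing URL     : $LicensingUrl"

# Check 1: a single-label name (no dot) is the AD RMS risk described in the note to question 20.
if ($certHost -notmatch '\.') {
    Write-Warning "Certification host '$certHost' is a single-label name; use an FQDN."
}

# Check 2: if both URLs share a host, the DNS redirection of the Licensing name to the Office 365
# cluster would capture certification (RAC issuance) traffic too, and user activation would fail.
if ($certHost -ieq $licHost) {
    Write-Warning "Certification and Licensing URLs share host '$certHost'; certification would be redirected as well."
}

# Check 3: show where DNS sends each host (CNAME target or A record) so the redirection is visible.
foreach ($h in (@($certHost, $licHost) | Select-Object -Unique)) {
    try {
        Resolve-DnsName -Name $h -ErrorAction Stop |
            Select-Object Name, Type, @{ n = 'Target'; e = { if ($_.NameHost) { $_.NameHost } else { $_.IPAddress } } } |
            Format-Table -AutoSize
    } catch {
        Write-Warning "DNS lookup for '$h' failed: $($_.Exception.Message)"
    }
}

# Optional change (question 22): the snap-in cannot edit this value, so write the attribute directly.
if ($NewCertificationUrl) {
    if ((Get-UrlHost $NewCertificationUrl) -ieq $licHost) {
        throw 'New Certification URL uses the Licensing host; refusing to apply it.'
    }
    if ($PSCmdlet.ShouldProcess($scpPath, "Set serviceBindingInformation to '$NewCertificationUrl'")) {
        $scp.Put('serviceBindingInformation', $NewCertificationUrl)
        $scp.SetInfo()
    }
}
```

Run it first with only -LicensingUrl to see the current state, then with -NewCertificationUrl and -WhatIf to preview the write; the Licensing host should resolve to the Office 365 cluster while the Certification host keeps resolving to the on-premises cluster.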
23. *How will changing the Certification URL affect the AD RMS service and clients?¹
Changing the Certification URL shouldn't affect any existing services, clients, or content. If a client
has trouble reactivating after the SCP has been changed, the DRM folder under the user's profile
can be deleted to force the client to reactivate itself with the new URL.