
Configuring Custom Templates for Azure Rights Management

Updated: December 1, 2014

Applies To: Azure Rights Management, Office 365

After you have activated Azure Rights Management, users are automatically able to use two default templates that make it easy for them to apply policies to sensitive files that restrict access to authorized users in your organization. These two templates have the following rights policy restrictions:

  • Read-only viewing for the protected content

    • Display name: <organization name> - Confidential View Only

    • Specific permission: View Content

  • Read or Modify permissions for the protected content

    • Display name: <organization name> - Confidential

    • Specific permissions: View Content, Save File, Edit Content, View Assigned Rights, Allow Macros, Forward, Reply, Reply All

In addition, the RMS sharing application lets users define their own set of permissions. And, for the Outlook client and Outlook Web Access, users can select the Do Not Forward option for email messages.

For many organizations, the default templates might be sufficient. But if you want to create your own custom rights policy templates, you can do so. Reasons for creating a custom template include the following:

  • You want a template to grant rights to a subset of users in the organization rather than all users.

  • You want to define a custom right for a template, such as View and Edit, but not Copy and Print.

  • You want to configure additional options in a template that include an expiration date and whether the content can be accessed without an Internet connection.

For users to be able to select a custom template that contains settings such as these, you must first create a custom template, configure it, and then publish it.

Use the following sections to help you configure and use custom templates:

You create and manage custom templates in the Azure Management Portal. You can go there directly, or you can sign in to the Office 365 admin center and choose the advanced features for Rights Management, which then redirects you to the Azure Management Portal.

Use the following procedures to create, configure, and publish custom templates for Rights Management.

  1. Depending on whether you sign in to the Office 365 admin center, or the Azure Management Portal, do one of the following:

    • From the Office 365 admin center:

      1. In the left pane, click service settings.

      2. From the service settings page, click rights management.

      3. In the Protect your information section, click Manage.

      4. In the rights management section, click advanced features.

        Note
        If you haven’t activated Rights Management, first click activate and confirm your action. For more information, see Activating Azure Rights Management.

        If you haven’t clicked advanced features before, after Rights Management is activated, follow the on-screen instructions to get a free Azure subscription that’s required to access the Azure Management Portal.

    • From the Azure Management Portal:

      1. In the left pane, click ACTIVE DIRECTORY.

      2. From the active directory page, click RIGHTS MANAGEMENT.

      3. Select the directory to manage for Rights Management.

      4. If you have not already activated Rights Management, click ACTIVATE and confirm your action.

        Note
        For more information, see Activating Azure Rights Management.

  2. Create a new template:

    • From the Get started with Rights Management quick start page, click Create a new rights policy template.

  3. On the Add a new rights policy template page, choose a language in which you will type the template name and description that users will see (you can add more languages later). Then type a unique name and a description, and click the Complete button.

From the Get started with Rights Management quick start page, now click Manage your rights policy templates. You will see your newly created template added to the list of templates, with a status of Archived. At this stage, the template is created but not configured, and is not visible to users.

  1. Select your newly created template from the TEMPLATES page in the Azure Management Portal.

  2. From the Your template has been added quick start page, click Get started from step 1, Configure rights for users and groups, then click GET STARTED NOW or ADD, and then select the users and groups who will have rights to use the content that is protected by the new template. As a best practice, use groups rather than users, which simplifies management of the templates. However, if you want to grant rights to all users in the organization, it will be more efficient to copy one of the default templates rather than specify multiple groups. For more information, see the How to copy a template section in this topic.

    Note
    The users or groups that you select must have an email address. In a production environment, this will nearly always be the case, but in a simple testing environment, you might need to add email addresses to user accounts or groups.

  3. Click the Next button, and then assign one of the listed rights to your selected users and groups.

  4. If you selected Custom, click the Next button, and then select those custom rights.

    Although you can use any combination of the individual rights available, in some applications, some rights might have dependencies on other individual rights. When this is the case, the dependent rights are automatically selected for you.

  5. Click the Complete button.

  6. Click CONFIGURE and add additional languages that users use, together with the name and description of this template in that language. When you have multi-language users, it’s important to add each language that they use, and supply a name and description in that language. Users will then see the name and description of the template in the same language as their client operating system, which ensures they understand the policy applied to a document or email message. If there is no match with their client operating system, the name and description that they see falls back to the language and description that you defined when you first created the template.

    Then check whether you want to make any changes to the following settings:

    • content expiration: Define a date or number of days for this template when files that are protected by the template should not open. You can specify a date or specify a number of days starting from the time that the protection is applied to the file.

    • offline access: Use this setting to balance any security requirements that you have against the requirement that users must be able to open protected files when they don’t have an Internet connection.

    If you specify that content is not available without an Internet connection or that content is only available for a specified number of days, when that threshold is reached, users must be re-authenticated and their access is logged. When this happens, if their credentials are not cached, users are prompted to sign in before they can open the file.

    In addition to re-authentication, the policy and the user group membership are re-evaluated. This means that users could experience different access results for the same file if there are changes in the policy or group membership from when they last accessed the file.

  7. When you are confident that the template is configured appropriately for your users, click PUBLISH to make the template visible for users, and then click SAVE.

  8. Click the Back button in the Management Portal to return to the TEMPLATES page, where your template now has an updated status of Published.

To make any changes to your template, select it, and then use the quick start steps again. Or, select one of the following options:

  • To add more users and groups, and define the rights for those users and groups: Click RIGHTS, then click ADD.

  • To remove users or groups that you previously selected: Click RIGHTS, select the user or group from the list, and then click DELETE.

  • To make the template no longer visible to users: Click CONFIGURE, click ARCHIVE, and then click SAVE.

  • To make other configuration changes: Click CONFIGURE, make your changes, and then click SAVE.

Warning
When you make changes to a template that was previously saved, clients will not see those changes to the template until templates are refreshed on their computers. For more information, see the Refreshing templates for users section in this topic.

How to copy a template

If you want to create a new template that has very similar settings to an existing template, select the original template on the TEMPLATES page, click COPY, specify a unique name, and make the changes that you need.

Important
When you copy a template, the Published or Archived status is also copied. So if you copy a published template, its immediate status will be published, unless you change it.

You can copy custom templates and the default templates. As a best practice, copy one of the default templates instead of creating a new custom template if you want the template to grant rights to all users in your organization. This method means that you don’t have to create or select multiple groups to specify all users. In this scenario however, be sure to specify a new name and description for the copied template for additional languages.

The default templates cannot be deleted, but they can be archived so that users do not see them.

Similarly, if you have published a custom template and no longer want users to be able to see it, you can edit the template and choose ARCHIVE and SAVE from the CONFIGURE page. Or, you can select it from the TEMPLATES page and select ARCHIVE.

Because you cannot edit the default templates, to archive these templates, you must use the ARCHIVE option from the TEMPLATES page. You cannot archive the Outlook Do Not Forward option.

  • From the TEMPLATES page, select the default template, and click ARCHIVE.

The status changes from Published to Archived. If you change your mind, select the template and click PUBLISH.

Refreshing templates for users

When you use Azure RMS, templates are automatically downloaded to client computers so that users can select them from their applications. However, you might need to take additional steps if you make changes to the templates:

  • Exchange Online: Manual configuration required to refresh templates. For the configuration steps, see the following section, Exchange Online only: How to configure Exchange to download changed custom templates.

  • Office 365: Automatically refreshed – no additional steps required.

  • Office 2013: Automatically refreshed – on a schedule, every 7 days. To force a refresh sooner than this schedule, see the following section, Office 2013 only: How to force a refresh for a changed custom template.

  • Office 2010: Refreshed when users log on. To force a refresh, ask or force users to log off and log back on again.

For Windows computers that use the RMS sharing application, templates are automatically downloaded (and refreshed if necessary) without additional configuration required. This is also the case for mobile devices that use the RMS sharing app or other apps that are RMS-enlightened.

Exchange Online only: How to configure Exchange to download changed custom templates

If you have already configured Information Rights Management (IRM) for Exchange Online, custom templates will not download for users until you make the following changes by using Windows PowerShell in Exchange Online.

Note
For more information about how to use Windows PowerShell in Exchange Online, see Use Windows PowerShell in Exchange Online.

You must do this procedure each time you change a template.

  1. Using Windows PowerShell in Exchange Online, connect to the service.

  2. Use the Import-RMSTrustedPublishingDomain cmdlet to re-import your trusted publishing domain (TPD) from Azure RMS:

    Import-RMSTrustedPublishingDomain -Name "<TPD name>" -RefreshTemplates -RMSOnline

    For example, if your TPD name is RMS Online - 1 (a typical name for many organizations), enter: Import-RMSTrustedPublishingDomain -Name "RMS Online - 1" -RefreshTemplates -RMSOnline

    Note
    To verify your TPD name, you can use the Get-RMSTrustedPublishingDomain cmdlet.

  3. To confirm that the templates have imported successfully, wait a few minutes and then run the Get-RMSTemplate cmdlet.

  4. For each imported template that you want to be available in the Outlook Web App, you must use the Set-RMSTemplate cmdlet and set the Type to Distributed:

    Set-RMSTemplate -Identity "<name of the template>" -Type Distributed
    
    

In addition, if you archive a template (custom or default) and use Exchange Online with Office 365, users will continue to see the archived templates if they use the Outlook Web App or mobile devices that use the Exchange ActiveSync Protocol.

So that users no longer see these templates, connect to the service by using Windows PowerShell in Exchange Online, and then use the Set-RMSTemplate cmdlet by running the following command:

Set-RMSTemplate -Identity "<name of the template>" -Type Archived
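
The refresh procedure and the archive step above, combined into one script. This is an added example, not part of the original page: the function name, its parameters, and the template names in the usage comment are hypothetical, and it assumes you are already connected to Exchange Online in the current Windows PowerShell session (step 1).

```powershell
# Added example. Assumes an Exchange Online session is already connected.
function Sync-RmsTemplateVisibility {
    param(
        # TPD name, as reported by Get-RMSTrustedPublishingDomain.
        [Parameter(Mandatory = $true)][string]$TpdName,
        # Templates that should be selectable in the Outlook Web App.
        [string[]]$Distributed = @(),
        # Templates archived in Azure RMS that users must no longer see.
        [string[]]$Archived = @()
    )

    # Verify the TPD name before re-importing, so a typo fails early.
    $tpd = Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq $TpdName }
    if (-not $tpd) { throw "Trusted publishing domain '$TpdName' not found." }

    # Step 2: re-import the TPD from Azure RMS to pull changed templates.
    Import-RMSTrustedPublishingDomain -Name $TpdName -RefreshTemplates -RMSOnline

    # Step 3: list what Exchange Online now knows about. The import can take
    # a few minutes, so a missing name is reported rather than treated as fatal.
    $known = @(Get-RMSTemplate -Type All | ForEach-Object { $_.Name })

    # Step 4 and the archive step: set the type for each named template.
    $wanted = @()
    $wanted += $Distributed | ForEach-Object { @{ Name = $_; Type = 'Distributed' } }
    $wanted += $Archived    | ForEach-Object { @{ Name = $_; Type = 'Archived' } }
    foreach ($item in $wanted) {
        if ($known -notcontains $item.Name) {
            Write-Warning "Template '$($item.Name)' not imported yet; rerun later."
            continue
        }
        Set-RMSTemplate -Identity $item.Name -Type $item.Type
    }

    # Return the resulting state so it can be reviewed or logged.
    Get-RMSTemplate -Type All | Select-Object Name, Type
}

# Usage (template names are placeholders constructed for this example):
# Sync-RmsTemplateVisibility -TpdName 'RMS Online - 1' `
#     -Distributed 'Contoso - Finance Only' -Archived 'Contoso - Old Policy'
```

Reviewing the returned Name and Type list after each run confirms that a template you archived in Azure RMS is no longer marked Distributed in Exchange Online.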

Office 2013 only: How to force a refresh for a changed custom template

By editing the registry, you can change the automatic schedule so that changed templates are refreshed on computers more frequently than every 7 days. You can also force an immediate refresh by deleting the templates folder on computers.

  • Using a registry editor, define an integer value that specifies the frequency in days to download any changes to a downloaded template.

    Warning
    If you use the Registry Editor incorrectly, you might cause serious problems that might require you to reinstall the operating system. Microsoft cannot guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use the Registry Editor at your own risk.

    Registry path: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC

    Type: REG_DWORD

    Value: TemplateUpdateFrequency

  • Delete the following folder: %localappdata%\Microsoft\MSIPC\Templates
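
Both options above as a per-user script, for example to run from a logon script. This is an added example, not part of the original page: the function name and its parameters are hypothetical, and the 1 to 7 day range check is an assumption of the example, chosen because the default schedule is every 7 days.

```powershell
# Added example. Runs in the signed-in user's context (HKEY_CURRENT_USER).
function Set-MsipcTemplateRefresh {
    param(
        # Frequency in days; the 1-7 range is this example's own assumption.
        [ValidateRange(1, 7)][int]$Days = 1,
        # Also delete the downloaded templates to force an immediate refresh.
        [switch]$ForceNow
    )

    $key = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\MSIPC'

    # Create the key if this user has never used an RMS client here.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Write TemplateUpdateFrequency as a REG_DWORD; -Force overwrites an
    # existing value instead of failing.
    New-ItemProperty -Path $key -Name 'TemplateUpdateFrequency' `
        -PropertyType DWord -Value $Days -Force | Out-Null

    if ($ForceNow) {
        # %localappdata%\Microsoft\MSIPC\Templates
        $folder = Join-Path -Path $env:LOCALAPPDATA -ChildPath 'Microsoft\MSIPC\Templates'
        if (Test-Path -Path $folder) {
            Remove-Item -Path $folder -Recurse -Force
        }
    }

    # Return the value that is now in the registry for verification.
    (Get-ItemProperty -Path $key -Name 'TemplateUpdateFrequency').TemplateUpdateFrequency
}

# Usage: check daily and force a refresh now.
# Set-MsipcTemplateRefresh -Days 1 -ForceNow
```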

Everything that you can do in the Azure Management Portal to create and manage templates, you can do from the command line, by using Windows PowerShell. In addition, you can export and import templates, so that you can copy templates between tenants or perform bulk edits of complex properties in templates, such as multilingual names and descriptions.

Important
To use Windows PowerShell to create and manage Azure RMS rights policy templates, you must have at least version 2.0.0.0 of the Windows PowerShell module for Azure RMS.

If you have previously installed this Windows PowerShell module, run the following command in a PowerShell window to check the version number: (Get-Module aadrm -ListAvailable).Version

For installation instructions, see Installing Windows PowerShell for Azure Rights Management.

The cmdlets that support creating and managing templates:

After you’ve configured custom templates for Azure Rights Management, use the Azure Rights Management Deployment Roadmap to check whether there are other configuration steps that you might want to do before you roll out Azure Rights Management to users and administrators. If there are no other configuration steps that you need to do, see Using Azure Rights Management for operational guidance to support a successful deployment for your organization.

© 2014 Microsoft