Export (0) Print
Expand All

What is Azure Rights Management?

Updated: October 1, 2014

Applies To: Azure Rights Management, Office 365

Almost every organization is Internet-connected these days, with users bringing personal device to work, accessing company data on the road and home, and sharing sensitive information with important business partners. As part of their daily work, users share information by using email, file-sharing sites, and cloud services. In these scenarios, traditional security controls (such as access control lists and NTFS permissions) and firewalls have limited effectiveness if you want to protect your company data while still empowering your users to work efficiently.

In comparison, Azure Rights Management (Azure RMS) can protect your company’s sensitive information in all these scenarios. It uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices—phones, tablets, and PCs. Information can be protected both within your organization and outside your organization because that protection remains with the data, even when it leaves your organization’s boundaries. As an example, employees might email a document to a partner company, or they save a document to their cloud drive. The persistent protection that Azure RMS provides not only helps to secure your company data, but might also be legally mandated for compliance, legal discovery requirements, or simply good information management practices.

But very importantly, authorized people and services (such as search and indexing) can continue to read and inspect the data that Azure RMS protects, which is not easily accomplished with other information protection solutions that use peer-to-peer encryption. This ability is sometimes referred to as “reasoning over data” and is a crucial element in maintaining control of your organization’s data.

The following picture shows how Azure RMS works as a Rights Management solution for Office 365 as well as for on-premises servers and services. And that it supports the popular end user devices that run Windows, Mac OS, iOS, Android, and Windows Phone.

Overview of Azure RMS


At this point, you might find the additional resources useful:

Use the following sections to learn more:

Use the following table to identify business requirements or problems that your organization might have, and how Azure RMS can address these.


Requirement or problem Solved by Azure RMS

Protect all file types

√ In previous implementation of Rights Management, only Office files could be protected, using native protection. Now, generic protection means that all file types are supported.

Protect files anywhere

√ When a file is saved to a location (protect in-place), the protection stays with the file, even if it is copied to storage that is not under the control of IT, such as a cloud storage service.

Share files securely by email

√ When a file is shared by email (share protected), the file is protected as an attachment to an email message, with instructions how to open the protected attachment. The email text is not encrypted, so the recipient can always read these instructions. However, because the attached document is protected, only authorized users will be able to open it, even if the email or document is forwarded to other people.

Auditing and monitoring

√ You can audit and monitor usage of your protected files, even after these files leave your organization’s boundaries.

For example, you work for Contoso, Ltd. You are working on a joint project with 3 people from Fabrikam, Inc. You email these 3 people a document that you protect and restrict to read-only. Azure RMS auditing can provide the following information:

  • Whether the people you specified in Fabrikam opened the document, and when.

  • Whether other people that you didn’t specify attempted (and failed) to open the document—perhaps because it was forwarded or saved to a shared location that others could access.

  • Whether any of the specified people tried (and failed) to print or change the document.

Support for all commonly used devices, not just Windows computers

√ Supported devices include:

  • Windows computers and phones

  • Mac computers

  • iOS tablets and phones

  • Android tablets and phones

Support for business-to-business collaboration

√ Because Azure RMS is a cloud service, there’s no need to explicitly configure trusts with other organizations before you can share protected content with them. If they already have an Office 365 or an Azure AD directory, collaboration across organizations is automatically supported. If they do not, users can sign up for the free RMS for individuals subscription.

Support for on-premises services, as well as Office 365

√  In addition to working seamlessly with Office 365, you can also use Azure RMS with the following on-premises services when you deploy the RMS connector:

  • Exchange Server

  • SharePoint Server

  • Windows Server running File Classification Infrastructure

Easy activation

√ Activating the Rights Management service for users requires just a couple of clicks in the management portal.

Ability to scale across your organization, as needed

√ Because Azure RMS runs as a cloud service with the Azure elasticity to scale up and out, you don’t have to provision or deploy additional on-premises servers.

Ability to create simple and flexible policies

√ Customized rights policy templates provide a quick and easy solution for administrators to apply policies, and for users to apply the correct level of protection for each document and restrict access to people inside your organization.

For example, for a company-wide strategy paper to be shared with all employees, you could apply a read-only policy to all internal employees. Then, for a more sensitive document, such as a financial report, you could restrict access to executives only.

Broad application support

√ Azure RMS has tight integration with Microsoft Office applications and services, and extends support for other applications by using the RMS sharing application.

√ The Microsoft Rights Management SDK provides your internal developers and software vendors with APIs to write custom applications that support Azure RMS.

For more information, see How Applications Support Azure Rights Management.

IT must maintain control of data

√ Organizations can choose to manage their own tenant key and use the “Bring Your Own Key” (BYOK) solution and store their tenant key in Hardware Security Modules (HSMs).

√ Support for auditing and usage logging so that you can analyze for business insights, monitor for abuse, and (if you have an information leak) perform forensic analysis.

√ Delegated access by using the super user feature ensures that IT can always access protected content, even if a document was protected by an employee who then leaves the organization. In comparison, peer-to-peer encryption solutions risk losing access to company data.

√ Synchronize just the directory attributes that Azure RMS needs to support a common identity for your on-premises Active Directory accounts, by using Azure Active Directory Synchronization Services (AAD Sync).

√ Enable single-sign on without replicating passwords to the cloud, by using AD FS.

√ Organizations always have the choice to stop using Azure RMS, deactivate their RMS tenant, and migrate the solution to on-premises so that they can continue to access data that their organization protected.

Adherence to regulatory requirements

√ Use of industry-standard cryptography and supports FIPS 140-2. For more information, see the Cryptographic controls used by Azure RMS: Algorithms and key lengths section in this topic.

√ Support for Thales Hardware Security Modules (HSMs) to store your tenant key in Microsoft Azure data centers. Azure RMS uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East and Africa), and Asia, so your keys can be used only in your region.

√ Certified for the following:

  • ISO/IEC 27001:2005

  • SOC 2 SSAE 16/ISAE 3402 Attestations


  • EU Model Clause

For more information about these external certifications, see the Azure Trust Center.

If you are familiar with the on-premises version of Rights Management, Active Directory Rights Management Services (AD RMS), you might be interested in the comparison table from Comparing Azure Rights Management and AD RMS.

One important thing to understand about how Azure RMS works is that the Rights Management service (and Microsoft) do not see or store your data as part of the information protection process. Information that you protect is never sent to or stored in Azure unless you explicitly store it in Azure or use another cloud service that stores it in Azure. Azure RMS simply makes the data in a document unreadable to anyone other than authorized users and services:

  • The data is encrypted at the application level and includes a policy that defines the authorized use for that document.

  • When a protected document is used by a legitimate user or it is processed by an authorized service, the data in the document is decrypted and the rights that are defined in the policy are enforced.

At a high level, you can see how this process works in the following picture. A document containing the secret formula is protected, and then successfully opened by an authorized user or service. The document is protected by a content key (the green key in this picture). It is unique for each document and is placed in the file header where it is protected by your RMS tenant root key (the red key in this picture). Your tenant key can be generated and managed by Microsoft, or you can generate and manage your own tenant key.

Throughout the protection process when Azure RMS is encrypting and decrypting, authorizing, and enforcing restrictions, the secret formula is never sent to Azure.

How Azure RMS works

For a detailed description of what’s happening, see the Walkthrough of how Azure RMS works: First use, content protection, content consumption section in this topic.

For technical details about the algorithms and key lengths that Azure RMS uses, see the next section.

Even if you don't need to know yourself how RMS works, you might be asked about the cryptographic controls that it uses, to make sure that the security protection is industry-standard.


Documentation protection method:

Algorithm: AES

Key length: 128 bits and 256 bits 1

Key protection method:

Algorithm: RSA

Key length: 2048 bits

Certificate signing:

Algorithm: SHA-256

1 256 bits is used by the Rights Management sharing application for generic protection and native protection when the file has a .ppdf file name extension or is a protected text or image file (such as .ptxt or .pjpg).

To understand in more detail how Azure RMS works, let's walk through a typical flow after the Azure RMS service is activated and when a user first uses RMS on their Windows computer (a process sometimes known as initializing the user environment or bootstrapping), protects content (a document or email), and then consumes (opens and uses) content that has been protected by somebody else.

After the user environment is initialized, that user can then protect documents or consume protected documents on that computer.

If this user moves to another Windows computer, or another user uses this same Windows computer, the initialization process is repeated.

Before a user can protect content or consume protected content on a Windows computer, the user environment must be prepared on the device. This is a one-time process and happens automatically without user intervention when a user tries to protect or consume protected content:


RMS client activation - step 1

The RMS client on the computer first connects to Azure RMS, and authenticates the user by using their Azure Active Directory account.

When the user’s account is federated with Azure Active Directory, this authentication is automatic and the user is not prompted for credentials.


RMS client activation - step 2

After the user is authenticated, the connection is automatically redirected to the organization’s RMS tenant, which issues certificates that let the user authenticate to Azure RMS in order to consume protected content and to protect content offline.

A copy of the user’s certificate is stored in Azure RMS so that if the user moves to another device, the certificates are created by using the same keys.

When a user protects a document, the RMS client takes the following actions on an unprotected document:


RMS document protection - step 1

The RMS client creates a random key (the content key) and encrypts the document using this key with the AES symmetric encryption algorithm.


RMS document protection - step 2

The RMS client then creates a policy for the document, either based on a template or by specifying specific rights for the document. This policy includes the rights for different users or groups and other restrictions, such as an expiration date.

The RMS client then uses the organization’s key that was obtained when the user environment was initialized and uses this key to encrypt the policy and the symmetric content key. The RMS client also signs the policy with the client’s certificate that was obtained when the user environment was initialized.


RMS document protection - step 3

Finally, the RMs client embeds the policy into a file with the body of the document encrypted previously, which together comprise a protected document.

This document can be stored anywhere or shared by using any method, and the policy always stays with the encrypted document.

When a user wants to consume a protected document, the RMS client starts by requesting access to the Azure RMS service:


RMS documention consumption - step 1

The authenticated user sends the document policy and the user’s certificates to Azure RMS. The service decrypts and evaluates the policy, and builds a list of rights (if any) the user has for the document.


RMS document consumption - step 2

The service then extracts the AES content key from the decrypted policy. This key is then encrypted with the user’s public RSA key that was obtained with the request.

The re-encrypted content key is then embedded into an encrypted use license with the list of user rights, which is then returned to the RMS client.


RMS document consumption - step 3

Finally, the RMS client takes the encrypted use license and decrypts it with its own user private key. This lets the RMS client decrypt the document’s body as it is needed and render it on the screen.

The client also decrypts the rights list and passes them to the application, which enforces those rights in the application’s user interface.

The preceding walkthroughs cover the standard scenarios but there are some variations:

  • Mobile devices: When mobile devices protect or consume files with Azure RMS, the process flows are much simpler. Mobile devices don’t first go through the user initialization process because instead, each transaction (to protect or consume content) is independent. As with Windows computers, mobile devices connect to the Azure RMS service and authenticate. To protect content, mobile devices submit a policy and Azure RMS sends them a publishing license and symmetric key to protect the document. To consume content, when mobile devices connect to the Azure RMS service and authenticate, they send the document policy to Azure RMS and request a use license to consume the document. In response, Azure RMS sends the necessary keys and restrictions to the mobile devices. Both processes use TLS to protect the key exchange and other communications.

  • RMS connector: When Azure RMS is used with the RMS connector, the process flows remain the same. The only difference is that the connector acts as a relay between the on-premises services (such as Exchange Server and SharePoint Server) and Azure RMS. The connector itself does not perform any operations, such as the initialization of the user environment, or encryption or decryption. It simply relays the communication that would usually go to an AD RMS server, handling the translation between the protocols that are used on each side. This scenario lets you use Azure RMS with on-premises services.

  • Generic protection (.pfile): When Azure RMS generically protects a file, the flow is basically the same for content protection except that the RMS client creates a policy that grants all rights. When the file is consumed, it is decrypted before it is passed to the target application. This scenario lets you protect all files, even if they don’t natively support RMS.

  • Protected PDF (.ppdf): When Azure RMS natively protects an Office file, it also creates a copy of that file and protects it in the same way. The only difference is that the file copy is in PPDF file format, which the RMS sharing application knows how to open for viewing only. This scenario lets you send protected attachments via email, knowing that the recipient on a mobile device will always be able to read them even if the mobile device doesn’t have an app that natively supports protected Office files.

To learn more about Azure RMS, use the other topics in the Getting Started with Azure Rights Management section, such as How Applications Support Azure Rights Management to learn how your existing applications can integrate with Azure RMS to provide an information protection solution. Review Terminology for Azure Rights Management so that you’re familiar with the terms that you might come across as you’re configuring and using Azure RMS, and be sure to also check Requirements for Azure Rights Management before you start your deployment.

If you’re ready to start deploying Azure RMS, use the Azure Rights Management Deployment Roadmap for your deployment steps and links for how-to instructions.

For additional information and help, use the resources and links in Information and Support for Azure Rights Management.

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2014 Microsoft