Export (0) Print
Expand All

What is Azure Rights Management?

Updated: September 1, 2014

Applies To: Azure Rights Management, Office 365

Almost every organization is Internet-connected these days, with users bringing personal device to work, accessing company data on the road and home, and sharing sensitive information with important business partners. As part of their daily work, users share information by using email, file-sharing sites, and cloud services. In these scenarios, traditional security controls (such as access control lists and NTFS permissions) and firewalls have limited effectiveness if you want to protect your company data while still empowering your users to work efficiently.

In comparison, Azure Rights Management (Azure RMS) can protect your company’s sensitive information in all these scenarios. It uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices—phones, tablets, and PCs. Information can be protected both within your organization and outside your organization because that protection remains with the data, even when it leaves your organization’s boundaries. For example, somebody emails a document to a partner company, or they save a document to their cloud drive. This persistent protection not only helps to secure your company data, but might be legally mandated for compliance, legal discovery requirements, or simply good information management practices.

But very importantly, authorized people and services (such as search and indexing) can continue to read and inspect the data that Azure RMS protects, which is not easily accomplished with other information protection solutions that use peer-to-peer encryption. This ability is sometimes referred to as “reasoning over data” and is a crucial element in maintaining control of your organization’s data.

The following picture shows how Azure RMS works as a Rights Management solution for Office 365 as well as for on-premises servers and services. And that it supports the popular end user devices that run Windows, Mac OS, iOS, Android, and Windows Phone.

Overview of Azure RMS


Use the following table to identify business requirements or problems that your organization might have, and how Azure RMS can address these.


Requirement or problem Solved by Azure RMS

Protect all file types

√ In previous implementation of Rights Management, only Office files could be protected, using native protection. Now, generic protection means that all file types are supported.

Protect files anywhere

√ When a file is saved to a location (protect in-place), the protection stays with the file, even if it is copied to storage that is not under the control of IT, such as a cloud storage service.

Share files securely by email

√ When a file is shared by email (share protected), the file is protected as an attachment to an email message, with instructions how to open the protected attachment. The email text is not encrypted, so the recipient can always read these instructions. However, because the attached document is protected, only authorized users will be able to open it, even if the email or document is forwarded to other people.

Auditing and monitoring

√ You can audit and monitor usage of your protected files, even after these files leave your organization’s boundaries.

For example, you work for Contoso, Ltd. You are working on a joint project with 3 people from Fabrikam, Inc. You email these 3 people a document that you protect and restrict to read-only. Azure RMS auditing can provide the following information:

  • Whether the people you specified in Fabrikam opened the document, and when.

  • Whether other people that you didn’t specify attempted (and failed) to open the document—perhaps because it was forwarded or saved to a shared location that others could access.

  • Whether any of the specified people tried (and failed) to print or change the document.

Support for all commonly used devices, not just Windows computers

√ Supported devices include:

  • Windows computers and phones

  • Mac computers

  • iOS tablets and phones

  • Android phones

Support for business-to-business collaboration

√ Because Azure RMS is a cloud service, there’s no need to explicitly configure trusts with other organizations before you can share protected content with them. If they already have an Office 365 or an Azure AD directory, collaboration across organizations is automatically supported. If they do not, users can sign up for the free RMS for individuals subscription.

Support for on-premises services, as well as Office 365

√  Azure RMS works seamlessly with Office 365. You can also use Azure RMS with the following on-premises services when you deploy the RMS connector:

  • Exchange Server

  • SharePoint Server

  • Windows Server running File Classification Infrastructure

Ability to scale across your organization, as needed

√ Because Azure RMS runs as a cloud service with the Azure elasticity to scale up and out, you don’t have to provision or deploy additional on-premises servers.

Ability to create simple and flexible policies

√ Customized rights policy templates provide a quick and easy solution for administrators to apply policies, and for users to apply the correct level of protection for each document and restrict access to people inside your organization.

For example, for a company-wide strategy paper to be shared with all employees, you could apply a read-only policy to all internal employees. Then, for a more sensitive document, such as a financial report, you could restrict access to executives only.

Broad application support

√ Azure RMS has tight integration with Microsoft Office applications and services, and extends support for other applications by using the RMS sharing application.

√ The Microsoft Rights Management SDK provides your internal developers and software vendors with APIs to write custom applications that support Azure RMS.

For more information, see How Applications Support Azure Rights Management.

IT must maintain control of data

√ Organizations can choose to manage their own tenant key and use the “Bring Your Own Key” (BYOK) solution and store their tenant key in Hardware Security Modules (HSMs).

√ Support for auditing and usage logging so that you can analyze for business insights, monitor for abuse, and (if you have an information leak) perform forensic analysis.

√ Delegated access ensures that IT can always access protected content, even if a document was protected by an employee who then leaves the organization. In comparison, peer-to-peer encryption solutions risk losing access to company data.

√ Organizations always have the choice to stop using Azure RMS, deactivate their RMS tenant, and migrate the solution to on-premises so that they can continue to access data that their organization protected.

Adherence to regulatory requirements

√ Use of industry-standard cryptography and supports FIPS 140-2.

√ Support for Thales Hardware Security Modules (HSMs) to store your tenant key in Microsoft Azure data centers. Azure RMS uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East and Africa), and Asia, so your keys can be used only in your region.

√ Certified for the following:

  • ISO/IEC 27001:2005

  • SOC 2 SSAE 16/ISAE 3402 Attestations


  • EU Model Clause

For more information about these external certifications, see the Azure Trust Center.

If you are familiar with the on-premises version of Rights Management, Active Directory Rights Management Services (AD RMS), you might be interested in the comparison table from Comparing Azure Rights Management and AD RMS.

To learn more about Azure RMS, use the other topics in the Getting Started with Azure Rights Management section, such as How Applications Support Azure Rights Management to learn how your existing applications can integrate with Azure RMS to provide an information protection solution. Review Terminology for Azure Rights Management so that you’re familiar with the terms that you might come across as you’re configuring and using Azure RMS, and be sure to also check Requirements for Azure Rights Management before you start your deployment.

If you’re ready to start deploying Azure RMS, use the Azure Rights Management Deployment Roadmap for your deployment steps and links for how-to instructions.

For additional information and help, use the resources and links in Information and Support for Azure Rights Management.

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2014 Microsoft