
RMS for Individuals and Azure Rights Management

Updated: October 1, 2014

Applies To: Azure Rights Management, Office 365

RMS for individuals is a free subscription for users who have been sent sensitive files protected by Azure Rights Management (Azure RMS), but whose IT department has not implemented Azure RMS or Active Directory Rights Management Services (AD RMS).

These users can sign up for a free Azure work or school account to use with Azure RMS, download and install the Rights Management sharing application, and then read the protected files. Using the Rights Management sharing application on Windows computers, they can also protect files in place (for example, on their desktop or laptop) or send protected files by email to people inside and outside their organization. If the recipients of the email are in an organization that has not implemented Azure Rights Management, they can read the protected email attachment after they have also signed up for an RMS for individuals account.

This free subscription ensures that authorized people can always read files that have been protected. Currently, you can also use this free subscription to protect documents, but this is intended for trial use only. For more information and any changes to using RMS for individuals to protect documents, see the Microsoft Rights Management Terms of Service.

For more information about how you can protect files by using the free Rights Management sharing application, see the Rights Management sharing application guide for users.

Use the following sections for more information:

To sign up for this free account, you request it by visiting the Microsoft Rights Management page and providing your work or school email address. When you receive an email in response from Microsoft, you complete the sign-up process by entering details to create your account, and then wait for an email confirmation. This final email message also contains links for you to download the sharing application for different devices, and a link to the user guide.

  1. Go to the Microsoft Rights Management page.

  2. Type in the email address that you use for your organization, such as janetm@contoso.com or p.dover@fabrikam.com.

    Personal email accounts are not supported, so do not enter a Microsoft account (formerly known as a Microsoft Live ID account) or another personal account that you might use at home from your Internet provider.

  3. Click Get started.

    Microsoft checks the email address that you supplied to see whether your organization already has an Office 365 or Azure Active Directory account. If that’s the case, there’s no reason to create a new account, and instead of completing the sign-up process, you are prompted to sign in with your existing account.

  4. Wait for a confirmation email message to be sent to the address that you supplied. It will be from Microsoft and has the subject Microsoft RMS.

  5. When you receive the email, click the link in the instructions to complete the sign-up process.

  6. The link takes you to a new Microsoft Rights Management page where you supply details about your account. Type in your first name and last name, enter and confirm a password of your choice, select your region from the drop-down list, and click Create.

  7. Wait for another email message from Microsoft that now confirms that your account is ready to use.

  8. When you receive the email, click the link in the instructions to download and install the sharing application, or click the Help link to read the sharing application user guide, which also contains the link to download the sharing application with instructions.

Now that your account is created, you’re ready to start protecting files and reading files that others have protected. When prompted to sign in to protect or read protected files, enter the email address and password that you used to create the account for RMS for individuals.

This is what happens in the background when a user signs up for this account by using RMS for individuals:

  1. When the first user from an organization requests a subscription for RMS for individuals, the domain name supplied in their email address is checked to see whether it is already associated with an Office 365 subscription or an Azure Active Directory subscription. Only if it isn’t associated with one of these subscriptions is a new account created for the user, together with an Azure directory for the organization. Otherwise, the user is prompted to use their existing account for Office 365 or Azure Active Directory.

    Some domain names are blocked and cannot be used for RMS for individuals. The list of blocked domain names can be viewed from this JavaScript Object Notation file: http://portal.aadrm.com/content/blocked_domains.json

  2. This RMS for individuals subscription is granted to the organization, without charge. The user can now protect files and read files that others have protected by using Azure Rights Management. To protect and read protected files, the user must download and install the free Rights Management sharing application.

  3. When the second user from the same organization requests an RMS for individuals subscription, if necessary, a new user account is added to the existing Azure directory, by using the organization’s RMS for individuals subscription. This user can do everything that the first user could do (protect files and read protected files), but in addition, these two users can now more easily collaborate securely because they can quickly apply default templates to files that restrict access to accounts in their organization’s Azure directory.

  4. Subsequent users from the same organization follow the same pattern, adding user accounts (as required) to the organization’s Azure directory. The more accounts that are added to the directory, the more users can securely collaborate with co-workers and partners, and more easily prevent unauthorized people from reading their files when they should not have access to them.

Throughout this process, there is no charge to the organization and no work required from the IT department. However, the IT department could choose to do either of the following:

  • Manage the accounts only: With the RMS for individuals subscription and with a free Azure Active Directory subscription, you can take ownership of the existing directory and accounts in Azure. You can then manage the accounts by implementing directory integration solutions such as password synchronization and single sign-on. Or, you can prevent users from using RMS for individuals.

    For more information about how to obtain a free Azure Active Directory subscription and then take ownership of the Azure directory, see the following section, How administrators can control the accounts created for RMS for individuals.

  • Manage Rights Management: Convert the RMS for individuals subscription for the organization to a paid subscription for Office 365 or stand-alone Azure Rights Management subscription. When you do this, the existing Azure directory and accounts are preserved for a seamless transition for existing users who were using RMS for individuals. Any files that they protected previously will still be protected with the same policies and the people that they granted permissions to use the files will still be able to use the files in the same way.

    When you take this course of action, your organization benefits by being able to integrate Rights Management into its workflows, services, and data stores. In addition, you can now manage Rights Management because you have control over your organization’s tenant key for Azure Rights Management. You can now do the following:

If you do not want to convert your organization’s RMS for individuals subscription to a paid subscription, you can still control the user accounts in the Azure directory that was created for your organization in the following ways:

  • Implement directory integration solutions for Azure Active Directory and your Active Directory Domain Services infrastructure. You can synchronize accounts and passwords so that users will not have to create new accounts to use Rights Management and your on-premises password policies will apply to the new Azure user accounts. You can also synchronize passwords so that users do not have to remember a different password to use Rights Management.

  • You could prevent users from using Azure Rights Management. In most cases, there is little advantage in doing this because users will either share files without protection (which could put your company at risk), or will use another file protection mechanism that doesn’t provide the IT department with the option to take full control. However, if you want to prevent users from using RMS for individuals, do one of the following after you have taken ownership of your organization’s Azure directory:

    • Run Set-MsolCompanySettings -AllowAdHocSubscriptions $false from the latest Azure Active Directory Windows PowerShell module. For more information about this cmdlet, see Set-MsolCompanySettings.

    • Synchronize your Active Directory Domain Services infrastructure with Azure Active Directory. This action prevents new accounts from being created when users try to sign up for RMS for individuals, and you can delete or disable accounts that were previously created in the Azure directory.

To control the user accounts in the Azure directory, or to prevent users from signing up for RMS for individuals, you must obtain a free Azure Active Directory subscription, and then take ownership of the Azure directory.

As an administrator, how do you know if your users have signed up for RMS for individuals? You might use any or a combination of the following methods:

  • Ask users how they protect highly confidential files, especially when collaborating with others outside the organization.

  • Use a system management solution, such as System Center Configuration Manager, to inventory software installed and software in use. The Rights Management sharing application runs by using the ipviewer.exe program. You can download and install the application for free to identify other characteristics about this application that you can then use for software inventory.

  • Be on the lookout for file name extensions that are created by the Rights Management sharing application. The .pfile and .ppdf file name extensions are the most obvious examples, but there are other files that change their file name extension when they are natively protected by Rights Management. For more information, see the Supported file types and file name extensions section in the Rights Management sharing application administrator guide.
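One way to automate the last two checks on a Windows computer or file share, shown as an added example that is not part of the original documentation: it lists files with the .pfile and .ppdf extensions together with their owners, and reports any running ipviewer.exe process. The function name, parameter names, and scan path are hypothetical.

```powershell
# Added example. Function and parameter names are hypothetical.
function Find-RmsSharingAppUsage {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ScanRoot,
        # Extensions named on this page; add others from the administrator guide.
        [string[]] $Extension = @('.pfile', '.ppdf')
    )

    # 1. Files protected by the sharing application, with the owner for follow-up.
    #    -contains is case-insensitive, so .PFILE and .pfile both match.
    Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension } |
        ForEach-Object {
            try {
                $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
            }
            catch {
                $owner = 'unknown (ACL not readable)'
            }
            [pscustomobject]@{
                Evidence = 'ProtectedFile'
                Path     = $_.FullName
                Detail   = "owner=$owner; modified=$($_.LastWriteTime.ToString('s'))"
            }
        }

    # 2. The sharing application currently running on this computer.
    Get-Process -Name 'ipviewer' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Evidence = 'RunningProcess'
                Path     = $_.Path
                Detail   = "pid=$($_.Id)"
            }
        }
}

# Constructed usage: scan the local user profiles and summarise by evidence type.
Find-RmsSharingAppUsage -ScanRoot "$env:SystemDrive\Users" |
    Group-Object Evidence | Select-Object Name, Count
```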

  1. To obtain a free subscription for Azure Active Directory, go to the Azure Get started page and follow the instructions.

  2. Download the latest Azure Active Directory Windows PowerShell module. For more information and links, see the Install the Azure AD Module section from the Manage Azure AD using Windows PowerShell documentation.

  3. Connect to Azure AD by running the following cmdlets:

    # Load the Azure AD module, prompt for credentials, and sign in
    Import-Module MSOnline
    $msolcred = Get-Credential
    Connect-MsolService -Credential $msolcred

  4. Run the following cmdlet to create a challenge:

    Get-MsolDomainVerificationDns -DomainName <your_domain_name> -Mode DnsTxtRecord

    For example: Get-MsolDomainVerificationDns -DomainName contoso.com -Mode DnsTxtRecord

  5. Copy the value (the challenge) that is returned from this command.

    For example: MS=32DD01B82C05D27151EA9AE93C5890787F0E65D9

  6. In your public DNS namespace, create a DNS TXT record that contains the value that you copied in the previous step.

    The name for this record is the name of the parent domain, so if you create this resource record by using the DNS role from Windows Server, leave the Record name blank and just paste the value into the Text box.

  7. Run the following cmdlet to verify the challenge:

    Confirm-MsolEmailVerifiedDomain -DomainName <your_domain_name>

    For example: Confirm-MsolEmailVerifiedDomain -DomainName contoso.com

    A successful challenge returns you to the prompt without an error.
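Step 7 fails if the TXT record from step 6 is not yet visible in public DNS. The following added example (not part of the original documentation) checks that the challenge is published at the parent domain before it runs the verification cmdlet. The function name Test-MsolTxtChallenge and the resolver address are assumptions; the domain and challenge are the sample values used in the steps above.

```powershell
# Added example. Test-MsolTxtChallenge and $Resolver are hypothetical names.
function Test-MsolTxtChallenge {
    param(
        [Parameter(Mandatory = $true)] [string] $DomainName,
        [Parameter(Mandatory = $true)] [string] $Challenge,  # value copied in step 5
        [string] $Resolver = '8.8.8.8'  # assumption: any public resolver will do
    )
    try {
        # Query the parent domain itself. -DnsOnly restricts the lookup to the
        # DNS protocol, so local name-resolution fallbacks cannot answer.
        $answers = Resolve-DnsName -Name $DomainName -Type TXT -Server $Resolver `
                       -DnsOnly -ErrorAction Stop
    }
    catch {
        Write-Verbose "Lookup failed: $($_.Exception.Message)"
        return $false
    }
    # A name with no TXT data can return an SOA record instead, so keep TXT only.
    # Long TXT values arrive as several strings; join them before comparing.
    $published = $answers | Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '').Trim() }
    return ($published -contains $Challenge.Trim())
}

# Sample values from the steps above; substitute your own domain and challenge.
$domain    = 'contoso.com'
$challenge = 'MS=32DD01B82C05D27151EA9AE93C5890787F0E65D9'

if (Test-MsolTxtChallenge -DomainName $domain -Challenge $challenge) {
    # Requires the Connect-MsolService session from step 3.
    Confirm-MsolEmailVerifiedDomain -DomainName $domain
}
else {
    Write-Warning "TXT challenge for $domain is not visible from $('a public resolver') yet; wait for DNS to update and retry."
}
```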

Now that you’ve taken ownership of the Azure Active Directory domain, you can configure directory integration solutions with your Active Directory Domain Services infrastructure. For more information, see Directory integration in the Azure Active Directory documentation library.

Although the Rights Management sharing application can be downloaded and installed individually by users, it also supports an enterprise installation. To help users protect sensitive files and collaborate securely, consider automatically installing this application on Windows computers for users.

For more information, see the Automatic deployment for the Microsoft Rights Management sharing application section in the Rights Management sharing application administrator guide.


© 2014 Microsoft