
IRM Implementation in Office 365 Dedicated


Topic Last Modified: 2015-02-16

The Information Rights Management (IRM) feature for Office 365 dedicated plans and ITAR-support plans has specific capabilities and constraints when compared to an on-premises IRM implementation. IRM protection is available for Exchange Online and SharePoint Online. Both services rely upon the existence of your on-premises AD RMS infrastructure, the export of the AD RMS server licensor certificate (SLC) “public” key or trusted user domain (TUD) from one or more forests within this environment, and the import of each TUD into the Office 365 AD RMS infrastructure dedicated to the subscribing organization.

The following sections describe how the IRM functionality applies to the Exchange Online and SharePoint Online services, and point out other IRM implementation considerations your organization should address.

  1. Exchange Online Implementation

  2. SharePoint Online Implementation

  3. Additional Implementation Considerations

Exchange Online messaging services can be provided solely from the Office 365 environment or within a hybrid configuration involving on-premises and online Exchange resources. The hybrid configuration, illustrated in the following diagram, is referred to as coexistence.

[Diagram: Exchange Online Co-Existence]

Exchange Online as an independent service will provide IRM protection for email and attachments that are created and consumed within Office 365. IRM protection for email and documents is invoked when an AD RMS rights policy template is applied to the email message. The template applies restrictions on forwarding, the extraction of information from the message, saving the message, or printing the message. Usage rights are attached to the message itself and remain with the message regardless of whether the message remains within, or travels between, on-premises, online, and other external environments.

For a coexistence environment, additional IRM functionality is available if the AD RMS trusted publishing domain (TPD) of each on-premises AD RMS cluster is made available for use in the Office 365 AD RMS infrastructure dedicated to your organization. A TPD collectively represents the server licensor certificate (SLC), the AD RMS cluster “private” key, and the rights policy templates of the on-premises cluster. Providing the TPD for use within Office 365 is optional. Two closely related reasons to consider importing a TPD into the Office 365 environment are the following:

  • Exchange coexistence with support for legacy protected content. If a user has an on-premises mailbox which holds content protected by their on-premises AD RMS cluster and the mailbox is migrated to the Exchange Online environment, the on-premises TPD will be needed to perform virus scanning and to apply transport protection rules against the migrated content.

  • Newly protected content within the on-premises environment is forwarded to the Exchange Online environment. If email messages and documents are protected within the on-premises environment on an ongoing basis and the content is forwarded to the Exchange Online environment, the presence of the on-premises TPD will allow the Office 365 AD RMS cluster to (a) issue use licenses for email messages protected by the on-premises cluster and (b) allow system-level Exchange Online functions (for example, virus scanning and transport rule application) to be performed against the forwarded content.

In addition, the presence of the imported TPD within the Office 365 environment provides the following functionality:

  • Availability of on-premises rights policy templates. All rights policy templates associated with the source AD RMS licensing server for the TPD will be loaded into the Office 365 environment. The templates can be used by IRM-enabled applications to decrypt content originally protected within your on-premises environment.

  • Support for IRM in Outlook Web App. Users can use Outlook Web App to read IRM-protected messages generated within the on-premises Exchange environment. IRM-protected messages in Outlook Web App can be accessed through Internet Explorer, Firefox, Safari, and Google Chrome (no plug-in required) browsers and include full-text search, conversation view, and the preview pane. Exchange Online will pre-license the IRM-protected content for immediate viewing within Outlook Web App and the ability to use WebReady document viewing of content also will be provided by Outlook Web App.

  • Support for IRM in Exchange ActiveSync. Users with mobile devices that support the IRM features of the Exchange ActiveSync protocol can open and work with IRM-protected messages generated within the on-premises Exchange environment without tethering the phone or installing additional IRM software. Administrators can control the use of this feature using Role-Based Access Control (RBAC) and Exchange ActiveSync policies.

  • Indexing of IRM-protected messages to support Search. IRM-protected messages are indexed and searchable. Headers, subject, body, and attachments are included. Users can search items protected in Outlook and Outlook Web App within the on-premises Exchange environment and administrators can search protected items by searching multiple mailboxes.

  • Application of Exchange Online transport protection rules. IRM-protected messages can be decrypted to allow your defined transport protection rules to be applied within Exchange Online. This provides persistent protection for the file regardless of where it is sent and prevents forwarding, copying, or printing, depending on the rights policy template applied.

  • Malware scanning following transport decryption. IRM-protected messages received by Exchange Online can be decrypted and forwarded to the Forefront Protection for Exchange (FPE) application for virus scanning within the Exchange servers of Office 365.

  • Journal Report decryption for legal discovery and regulatory purposes. When messages marked for journaling are sent to an external archive, a decrypted, clear-text copy of the IRM-protected messages (including Office and XPS attachments) can be included in journal reports. This allows IRM-protected messages to be indexed and searched for legal discovery and regulatory purposes. The original IRM-protected message is also included in the report.

  • Unified Messaging Hosted Voicemail protection. Either senders or administrators can apply IRM-protection to voice messages to prevent unauthorized individuals from consuming the message and to prevent recipients from forwarding it, saving a copy of it, or saving or copying the audio attachment. To apply these restrictions, senders must mark the message as “private.” For additional information, see Understanding Protected Voice Mail.

Outlook Protection Rules—the application of IRM protection when messages are sent by an Outlook client—are not supported.
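The server-side IRM capabilities listed above (transport decryption, journal report decryption, indexing, Outlook Web App pre-licensing, Exchange ActiveSync support, and rules-based protection) map to a small set of Exchange Management Shell settings. The following script is an added illustration, not part of this article or of the Office 365 Dedicated service tooling; it assumes an administrator with Organization Management rights in the Exchange organization, and the template name, group and mailbox addresses are placeholders.

```powershell
# Added example (not from the original article): enable and verify the Exchange
# IRM features described above from an Exchange Management Shell session.
# Assumptions: Organization Management rights; "Do Not Forward", the group
# address and the sender mailbox below are placeholders for your own values.

# 1. Baseline: record the current IRM configuration before changing anything,
#    so the change can be reviewed and rolled back if needed.
$before = Get-IRMConfiguration
$before | Format-List InternalLicensingEnabled, TransportDecryptionSetting, `
    JournalReportDecryptionEnabled, SearchEnabled, ClientAccessServerEnabled

# 2. Turn on the server-side capabilities that depend on the imported TPD:
#    transport decryption (malware scanning and transport rule application),
#    journal report decryption, indexing for search, and OWA pre-licensing.
#    "Optional" lets messages the cluster cannot decrypt continue to flow;
#    "Mandatory" rejects them, which is stricter but can block legitimate mail
#    protected by a cluster whose TPD has not been imported.
Set-IRMConfiguration -InternalLicensingEnabled $true `
    -TransportDecryptionSetting Optional `
    -JournalReportDecryptionEnabled $true `
    -SearchEnabled $true `
    -ClientAccessServerEnabled $true

# 3. Allow IRM-capable Exchange ActiveSync devices and Outlook Web App
#    to open protected messages (administrators scope this via policies).
Set-ActiveSyncMailboxPolicy -Identity Default -IRMEnabled $true
Set-OwaMailboxPolicy -Identity Default -IRMEnabled $true

# 4. Rules-based protection applied in transit. Because Outlook Protection
#    Rules (client-side) are not supported, a transport rule is the way to
#    apply a rights policy template automatically.
New-TransportRule -Name "Protect board mail" `
    -SentTo "board@contoso.example" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# 5. Verify end to end: Test-IRMConfiguration exercises certificate (RAC/CLC)
#    acquisition, template download and pre-licensing for the given sender.
Test-IRMConfiguration -Sender "user@contoso.example"
```

Compare the Test-IRMConfiguration result and the post-change Get-IRMConfiguration output against the recorded baseline before considering the rollout complete.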

For on-premises and SharePoint Online installations, an IRM protector is used to automatically encrypt and decrypt a document placed in a library or attached to a list item. Document protection is managed by (1) a use license that grants rights to a specific user, (2) the AD RMS policy set on the SharePoint library or list, and (3) the rights granted within the library or list for specific users.

With Office 365, SharePoint will use a client licensor certificate (CLC) issued by the Office 365 AD RMS cluster to protect documents. The SharePoint Online user will then acquire a use license from the Office 365 AD RMS cluster to consume the protected documents. When requesting a use license, a consumer will use the rights account certificate (RAC) issued by your on-premises AD RMS cluster. The user’s RAC is recognized since the Office 365 AD RMS cluster has a copy of the TUD from the on-premises environment. SharePoint Online has no use for the on-premises TPD since SharePoint Online servers never request a use license from the Office 365 AD RMS cluster.

Within SharePoint Online, IRM protector applications exist only for Word, Excel, PowerPoint, XML Paper Specification (XPS) format, and InfoPath forms. For additional information describing how IRM protection is implemented with SharePoint, see the MSDN article IRM Framework Architecture in SharePoint Foundation.

When planning for implementation of the IRM feature, your organization may need to consider the following:

  • Prerequisites to support an Exchange coexistence environment where messaging content is protected and consumed between an Office 365 online environment and your on-premises environment.

  • Integration with other authentication systems, Unified Messaging applications, and other IT environments external to Office 365 or the environments managed by your organization.

  • Supported versions of Exchange Online, SharePoint Online, server and client operating systems, web browsers, client applications, and mobile devices.

  • Use of third-party IRM applications to protect content and the use of two-factor authentication applications in conjunction with IRM.

  • Automatic rules-based protection of email and the automatic determination of revoked rights to access IRM-protected content.

For a complete list of the capabilities and constraints of IRM including expanded descriptions of each topic, see the Identity and Provisioning Service Description for Office 365 Dedicated.

© 2015 Microsoft