How Applications Support Azure Rights Management
Updated: November 1, 2015
Applies To: Azure Rights Management, Office 365
Use the following information to help you understand how your end-user applications (such as the Office applications, Word, Excel, PowerPoint, and Outlook) and services (such as Exchange and SharePoint) can use Microsoft Azure Rights Management to help protect your organization’s data:
To verify the applications and versions that Azure Rights Management (Azure RMS) supports, see Requirements for Azure Rights Management.
In some cases, information protection is automatically applied, according to policies that you configure. For example, this is the case with SharePoint libraries, classified files, and Exchange transport rules. In other cases, users must apply information protection themselves from their applications, either by selecting a template or by selecting specific options. For example, this is the case when users share a file by email, or protect a file in-place by restricting access or usage to selected users or to users outside the organization.
Templates make it easier for users (and administrators who configure policies) to apply the correct level of protection and restrict access to people inside your organization. Although Azure Rights Management comes with two default templates, you will probably want to create custom templates to reduce the times when they have to specify individual options. For more information, see Configuring Custom Templates for Azure Rights Management.
For the cases where users must apply information protection themselves, be sure to provide them with instructions and guidance how and when to do this. The instructions should be specific for the application and versions that they use and how they use them, and the guidance for when and how to apply information protection should be appropriate for your business. For more information, see Helping Users to Protect Files by Using Azure Rights Management.
For information about how to configure these applications for Azure RMS, see Configuring Applications for Azure Rights Management.
For examples and screenshots of applications using Azure RMS, see the Azure RMS in action: What administrators and users see section from the What is Azure Rights Management? topic.
The RMS sharing application is a free, downloadable application that is required to support Office 2010, but also recommended for Windows computers, Mac computers, and mobile devices. One of its benefits is that it can apply generic protection for applications and files that do not natively support Rights Management, which means that all files can be protected. For more information about the different protection levels, see the Level of protection – native and generic section from the Rights Management sharing application administrator guide.
When users protect their files by using the RMS sharing application, they can also track the documents that they protected, and if necessary, revoke access to them. They do this by using the document tracking site.
For Windows computers, the RMS sharing application unobtrusively integrates with and enhances the applications that users already use:
An Office add-in for Word, Excel, PowerPoint, and Outlook is installed. This provides users with a Share Protected button on the ribbon, which invokes an easy-to-use dialog box of settings that are most commonly used to protect files to be emailed. This button also provides a quick way to access the document tracking site.
A new right-click option for File Explorer. This provides users with a Protect in-place option, which invokes an easy-to-use dialog box of settings that are most commonly used to protect files stored on a disk.
A viewer to open files that have been protected by Rights Management. This viewer is automatically invoked when there is no other application installed that could open the protected file.
Backend configuration for Office 2010 that lets Word, Excel, PowerPoint, and Outlook from this suite work seamlessly with Azure Rights Management.
Although the RMS sharing application for Windows can be downloaded and installed for a single computer by using the Microsoft Rights Management page, it also supports an enterprise deployment for silent installation and custom configuration. For more information, see the following resources:
The RMS sharing application for mobile devices supports the most commonly used mobile devices, such as iPad and iPhone, Android, Windows Phone, and Windows RT. Users can download this app from the relevant store, and there are links to these from the Microsoft Rights Management page.
These applications natively support Rights Management by using information rights management (IRM) and let users apply protection to a saved document or to an email message to be sent. Users can apply templates or choose very customized settings for access, rights, and usage restrictions. For example, users can configure a file so that it can be accessed only by people in your organization, or control whether the file can be edited, or restricted to read-only, or prevent it from being printed. For time-sensitive files, an expiration time can be configured (directly by users or by applying a template) for when the file can no longer be accessed. For Outlook, users can also choose the Do Not Forward option to help prevent data leakage.
When you use Exchange Online or Exchange Server, you can use information rights management (IRM) integration, which provides additional information protection solutions:
Exchange ActiveSync IRM so that mobile devices can protect and consume protected email messages.
RMS support for the Outlook Web App, implemented similarly to the Outlook client, so that users can protect email messages by templates or by specifying individual options, and users can read and use protected email messages that are sent to them.
Protection rules for Outlook clients that an administrator configures to automatically apply RMS templates to email messages for specified recipients. For example, when internal emails are sent to your legal department, they can only be read by members of the legal department and cannot be forwarded. Users see the protection applied to the email message before sending it, and by default, they can remove it if they decide it is not necessary. Emails are encrypted before they are sent. For more information, see Outlook Protection Rules and Create an Outlook Protection Rule in the Exchange library.
Transport rules that an administrator configures to automatically apply RMS templates to email messages based on properties such as sender, recipient, message subject, and content. These are similar in concept to protection rules but do not let users remove the protection, can be applied to Outlook Web Access and emails sent by mobile devices, and do not encrypt email messages before they are sent from the client. For more information, see Create a Transport Protection Rule in the Exchange library.
Data loss prevention (DLP) policies that contain sets of conditions to filter email messages, and take actions to help prevent data loss for confidential or sensitive content (for example, personal information or credit card information). Policy Tips can be used when sensitive data is detected, to alert users that they might need to apply information protection, based on the information in the email message. For more information, see Data Loss Prevention in the Exchange library.
Office 365 Message Encryption that uses transport rules to send encrypted emails to people outside your company, and the email is read in a browser with an interface similar to the Outlook Web App. You can customize the disclaimer text and header text in your company’s encrypted emails, and even add your company logo. For more information, see Office 365 Message Encryption from the Office website.
If you use Exchange Server, you can use the information protection features with Azure Rights Management by deploying the RMS connector, which acts as a relay between your on-premises servers and the RMS cloud service. For more information, see Deploying the Azure Rights Management Connector.
When you use SharePoint Online or SharePoint Server, you can use information rights management (IRM) integration, which lets administrators protect lists or libraries so that when a user checks-out a document, the file is protected so that only authorized people can view and use the file according to the information protection policies that you specify. For example, the file might be read-only, disable the copying of text, prevent saving a local copy, and prevent printing the file.
For lists and libraries, information protection is always applied by an administrator, never an end user. And it is applied at the list or library level for all documents in that container, rather than on individual files. If you use SharePoint Online, users can also apply IRM to their OneDrive for Business library.
The IRM service must first be enabled for SharePoint. Then, you specify Information Rights Management for a library. In the case of SharePoint Online and OneDrive for Business, users can also specify Information Rights Management for their OneDrive for Business library. SharePoint does not use rights policy templates, although there are SharePoint configuration settings that you can select that closely match the settings that you can specify in templates.
If you use SharePoint Server, you can use the information protection features with Azure Rights Management by deploying the RMS connector, which acts as a relay between your on-premises servers and the RMS cloud service. For more information, see Deploying the Azure Rights Management Connector.
Currently, there are some limitations when you use IRM with SharePoint:
Azure RMS applies usage restrictions and data encryption for documents when they are downloaded from SharePoint, and not when the document is first created in SharePoint or uploaded to the library. For information about how documents are protected before they are downloaded, see Data Encryption in OneDrive for Business and SharePoint Online from the SharePoint documentation.
For more information about using Azure RMS with SharePoint, see the following post from the Office blog: What’s New with Information Rights Management in SharePoint and SharePoint Online
When you configure Windows Server to use File Classification Infrastructure, this File Server Resource Manager feature can scan local files and determine whether they contain sensitive data. For files that meet this criteria, they are tagged with classification properties that an administrator defines. The File Classification Infrastructure can then take automatic action, according to the classification. One of these actions include applying information protection by using Azure Rights Management and the deployment of the Rights Management connector (also known as the RMS connector). Office files are then automatically protected by Azure RMS.
To protect all file types, you would not use the RMS connector, but instead, run a Windows PowerShell script, using cmdlets from the RMS Protection tool.
The classification policies are fully configurable and highly extensible so that you can prevent potential data leakage from unauthorized and authorized users. It can even help to reduce the risk of data leakage by network administrators because you can configure policies that don’t require these administrators to have access to the files.
For instructions to deploy and configure the RMS connector for Office files, see Deploying the Azure Rights Management Connector.
For instructions to use the Windows PowerShell script for all file types, see RMS Protection with Windows Server File Classification Infrastructure (FCI).
By using the RMS SDK, your internal developers can write line-of-business applications to natively support Azure Rights Management. How information protection is integrated with these applications depends on how they are written. For example, the integration might be automatically applied with minimal user interaction required, or for a more customized experience, users might be prompted to configure settings to apply information protection to files. For more information about the SDK, see the Microsoft Rights Management SDK.
Similarly, many software vendors provide applications to provide information protection solutions, also known as enterprise rights management (ERM) products. A popular example is a PDF reader that supports Rights Management for specific platforms. You can use the table in the Client device capabilities section of the Requirements for Azure Rights Management topic to identify applications that support RMS (RMS-enlightened applications), and then use a web search to purchase or download the application.
For newly released applications, check the RMS community channels, listed in Information and Support for Azure Rights Management.