Export (0) Print
Expand All

Active Directory Rights Management Services


Applies to: Office 365

Topic Last Modified: 2014-02-24

Intellectual property leaks and accidental information disclosures are concerns for all businesses. With Office 365 for enterprises, Microsoft provides your organization with capabilities that support the protection of data that you entrust to the Office 365 environment. These capabilities may include setting business policy regarding access control (for example, need-to-know or automatic content classification and distribution restrictions) and the ability to enforce the policy even after the data leaves the organization’s enterprise.

The technology domain of the Information Rights Management (IRM) capabilities of Office 365 is a fundamental part of the solution to the problem of intellectual property protection. The Microsoft Active Directory Rights Management Services (AD RMS) product is used to deliver a robust IRM capability to organizations subscribing to the Exchange Online and SharePoint Online services.

The Office 365 AD RMS solution only works in conjunction with your on-premises AD RMS infrastructure. The Office 365 AD RMS solution is not available if you do not have an AD RMS environment. If your organization is signing up for Office 365 Dedicated plans and intend to utilize the IRM feature, you must deploy AD RMS infrastructure on-premises prior to feature activation.

The figure below illustrates the principal elements required to implement the IRM feature of Office 365. The Office 365 rights management solution requires AD RMS clusters in your on-premises and Office 365 environment to provide AD RMS activation and certification capabilities. Also shown are the trust-granting relationships—represented by the arrow lines—between the systems.

AD RMS Architecture Diagram

If you subscribe to Exchange Online, a two-way forest trust must be established between the Microsoft Managed Forest and the Customer Forest. The two-way trust is required to allow the Office 365 AD RMS application servers to make calls to the Active Directory and AD RMS servers within your environment. The trust from the Customer Forest to the Microsoft Managed Forest (Customer Forest will trust the Managed Forest) should be configured by your organization to use the selective authentication security setting. See the Active Directory Trusts section for more information.

The AD RMS solution design assumes that selective authentication is enabled for all trusts from the Customer Forest to the Microsoft Managed Forest. The design also assumes that the Managed Forest AD RMS service account and all Managed Forest AD RMS IIS computer account objects are granted the Allowed to Authenticate permission on all Customer Forest AD RMS servers and Customer Forest domain controllers in the forests that are within scope of the Office 365 AD RMS solution. No other access is required to the Customer Forest systems.

Organizations using only the SharePoint Online service require only a one-way trust between the Microsoft Managed Forest and the Customer Forest(s) where AD RMS user objects reside (the Microsoft Managed Forest trusts Customer Forest). Because SharePoint Online does not need to contact the on-premises AD RMS customer services, there is no need to establish a bi-directional trust.

The Office 365 AD RMS solution requires the Trusted User Domain (TUD) key provided by the AD RMS cluster of each Customer Forest. The imported TUD allows the Office 365 AD RMS certification cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates were issued by a different AD RMS certification cluster. Your organization must export the TUD from each of their AD RMS certification clusters and provide the TUD(s) to Microsoft. TUD keys are required for both the Exchange OnlineExchange Online and SharePoint Online services.

If you are an Exchange Online subscriber, you have the option of providing your trusted publishing domain (TPD) information for use in the Office 365 environment to take advantage of additional IRM functionality. Providing a copy of the TPD is useful in the following two scenarios:

  • Support for your legacy content in an Exchange co-existence configuration (on-premises and online Exchange resources).

  • Support for content encrypted within the on-premises AD RMS system that must be used in the Exchange Online service.

The TPD enables the Office 365 AD RMS cluster to issue use licenses for content protected by another AD RMS cluster. Additional IRM functionality is provided by the presence of the imported TPD in Office 365 including the following:

  • Availability of on-premises rights policy templates to support decryption of on-premises content for use in Office 365.

  • Ability to view IRM-protected messages in Outlook Web App using Internet Explorer, Firefox, Safari, and Google Chrome web browsers.

  • IRM support for Microsoft Exchange ActiveSync devices.

  • Indexing of IRM-protected messages to support Search.

  • Ability for Exchange Online to decrypt content protected on-premises and to allow transport protection rules to be applied that utilize AD RMS rights policy templates created in Office 365.

  • Ability to scan messages for malware.

  • Journal report decryption for legal and regulatory purposes.

  • Ability to apply IRM protection to hosted voicemail sent from the Exchange Online Unified Messaging server.

The trusted publishing domain certificate from the on-premises AD RMS environment is not useful (and therefore not required or accepted) for organizations subscribing only to SharePoint Online.

A voice telephony call forwarded by an on-premises Microsoft Lync server or Lync Online service to an optional Unified Messaging server in Exchange Online can be processed as voicemail and IRM-protected for delivery to an Exchange Online mailbox. If optional AD RMS infrastructure has been deployed to support the Office 365 environment, your IT administrator can use the self-service administration capability of Exchange Online to enable/disable the IRM protection capability.

Specific client operating systems, Web browsers, and versions of Microsoft Office can be used with the AD RMS implementation for Office 365 Dedicated and ITAR-support plans. Supported configurations for a majority of client types used with Office 365 Dedicated plans are described on the Software requirements for Office 365 for business page (see Notes below for exceptions).

  • IRM capability is supported for Microsoft Office Mobile on the Windows Mobile 6.x and Windows Phone 7.5 or later mobile devices. The Word, Excel, and PowerPoint applications of Office Mobile are capable of consuming IRM-protected documents, and the Outlook application provides the capability to consume or protect messages. Outlook Web App for the Apple iPhone and iPad products (applications referred to as OWA for iPad and OWA for iPhone, respectively) provide consume-only capability.

  • Any web browser supported by SharePoint can be used to create and consume AD RMS content in SharePoint Online. See the SharePoint Online Dedicated Service Description Single Page for additional information.

  • IRM encryption and decryption limitations exist with the use of Office Online in SharePoint Online. Specific supported scenarios are described in the TechNet article Information Rights Management for Office 365 Dedicated.

  • Deploy AD RMS clusters in the Office 365 environment.

  • Set up the Active Directory trust with your organization.

  • Obtain your Trusted User Domain (TUD) keys and import these keys in Office 365 AD RMS cluster that is dedicated to your organization.

  • If you provide Trusted Publishing Domain (TPD) information, import the information into the Office 365 AD RMS cluster dedicated to your organization (option for Exchange Online customers only).

Customer Responsibilities

  • Retain or deploy an AD RMS cluster for rights account certificate (RAC) issuance within the customer environment.

  • Implement an Active Directory trust with Office 365 (Microsoft Managed Forest).

  • Provide Trusted User Domain (TUD) keys to Microsoft for all user account locations.

  • Provide Trusted Publishing Domain (TPD) information for all publishing locations (optional) and continue to provide TPD to Microsoft whenever changes occur to on-premises rights policy templates.

  • Set up and maintain operations support for selective authentication (Exchange Online customers only).

  • Monitor the time skew of client and servers systems with your AD RMS infrastructure and Microsoft AD RMS infrastructure and ensure the difference is not greater than 5 minutes.


Infrastructure and Security

  • You must provide AD RMS on Windows Server 2008 or later in your environment.

  • Client Windows operating systems prior to Windows XP are not supported.

  • With the exception of the IRM consume-only capability available with the OWA for iPhone and OWA for iPad applications, IRM functionality is not supported for Android, BlackBerry, Apple iOS, or Nokia Symbian OS devices.

  • Multi-factor authentication to AD RMS service endpoints, except as noted in this service description, is not supported. RSA SecureID and Swivel PINSafe are included, both of which are currently available as two-factor authentication options for Outlook Web App.


  • You must arrange to provide support for all Microsoft Office client applications that utilize the AD RMS solution. No detailed guidance or specific configurations to support non-Office client applications will be provided.

  • A configuration involving the use of client applications to utilize the Office 3655 AD RMS cluster to support client authoring and consumption of IRM-protected content is not supported by Microsoft support team.

  • Requests to install third-party software and/or extensions installed on the Office 365 AD RMS servers are not supported.

  • Outlook Web App in the Safari browser on Windows operating systems, the Opera browser on any platform, and any browsers that do not support the Outlook Web App Premium experience are not supported.

  • While client-side protection of documents in formats other than Office documents, email, and XPS can be supported through third-party client-side extensions deployed by your organization, such content will not be managed by the AD RMS solution in a content-aware fashion. Non-supported formats will not be processed by Transport Decryption and Outlook Web App will not display these encrypted documents in the browser. Transport protection rules will not encrypt non-Office attachments and SharePoint will not automatically protect non-Office documents other than XPS files.

  • Outlook Protection Rules—the application of IRM protection when messages are sent by an Outlook client—are not supported.

Other Services

  • If your organization is utilizing the optional Proofpoint archiving service, a specific Exchange Online Hub Transport server setting is required to ensure IRM-protected messages are archived by Proofpoint. Your Microsoft Service Delivery Manager can assist with requesting the required configuration. Specific procedures that enable your authorized personnel to examine IRM-protected content for compliance reasons are described in supplemental documentation that is provided only to Office 365 Dedicated and ITAR-support plan customers.


  • Interaction with AD RMS via federation protocols or clients is not supported.

  • AD RMS trusts involving systems that are not within the security realm of the customer are not supported.

  • Integration with Windows Live ID is not supported.

AD RMS Features

  • Revocation list checking using an AD RMS rights policy template is not supported.

  • Protected document sharing with other companies (your business partners) through AD RMS trusts (both TUD and TPD) and sharing through federation trusts between Office 365 and third parties are not supported.

  • Continued licensing of content after the AD RMS solution is discontinued is not supported. If you discontinue AD RMS services with Office 365 you should perform bulk decryption of content prior to the service end date.

  • Rights policy template extensions for the Rights Managed Add-on for Internet Explorer (RMA) are not supported.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft