
RMS for Individuals and Azure Rights Management

Updated: February 1, 2015

Applies To: Azure Rights Management, Office 365

RMS for individuals is a free self-service subscription for users in an organization who have been sent sensitive files that have been protected by Azure Rights Management (Azure RMS), but their IT department has not implemented Azure Rights Management (Azure RMS), or Active Directory Rights Management Services (AD RMS).

These users can sign up for a free Azure work or school account to use with Azure RMS, download and install the Rights Management sharing application, and then read the protected files. Using the Rights Management sharing application on Windows computers, they can also protect files in place (for example, on their desktop or laptop) or send protected files by email to people inside and outside their organization. If the recipients of the email are in an organization that has not implemented Azure Rights Management, they can read the protected email attachment after they have also signed up for an RMS for individuals account.

This free subscription ensures that authorized people can always read files that have been protected. Currently, you can also use this free subscription to protect documents, but this is intended for trial use only. For more information and any changes to using RMS for individuals to protect documents, see the Microsoft Rights Management Terms of Service.

For more information about how you can protect files by using the free Rights Management sharing application, see the Rights Management sharing application guide for users.


To sign up for this free account, you request it by visiting the Microsoft Rights Management page, and provide your work or school email address. When you receive an email in response from Microsoft, you complete the sign-up process by entering details to create your account and wait for an email confirmation. This final email message also contains links for you to download the sharing application for different devices, and a link to the user guide.

  1. Go to the Microsoft Rights Management page.

  2. Type in the email address that you use for your organization, such as janetm@contoso.com or p.dover@fabrikam.com.

    Personal email accounts are not supported, so do not enter a Microsoft account (formerly known as a Microsoft Live ID account) or another personal account that you might use at home from your Internet provider.

  3. Click Get started.

    Microsoft checks the email address that you supplied to see whether your organization already has Office 365 or Microsoft Azure. If that’s the case, you are prompted to sign in using an online account for your organization. When you do that and your organization already has a paid subscription that includes Azure RMS, you don’t need RMS for individuals so you’ll be signed in immediately and the self-service sign up for RMS for individuals is canceled.

  4. Wait for a confirmation email message to be sent to the address that you supplied. It will be from Microsoft and has the subject Microsoft RMS.

  5. When you receive the email, click the link in the instructions to complete the sign up process.

  6. The link takes you to a new Microsoft Rights Management page where you supply the details for your account. Type in your first name and your last name, enter and confirm a password of your choice, select your region from the drop-down list, and click Create.

  7. Wait for another email message from Microsoft that now confirms that your account is ready to use.

  8. When you receive the email, click the link to sign in and read the instructions to download and install the sharing application, or click the Help link to read the sharing application user guide, which also contains the link to download the sharing application with instructions.

Now that your account is created, you are ready to start protecting files and reading files that others have protected. When prompted to sign in to protect or read protected files, enter the email address and password that you used to create your RMS for individuals account.

RMS for individuals uses a self-service sign up process that is also used by other solutions that use Microsoft cloud-based technology to authenticate users.

This is what happens in the background when a user signs up for RMS for individuals and their organization does not have an Office 365 subscription or Azure subscription, and therefore, no directory in Azure to authenticate users:

  1. When the first user from an organization requests a subscription for RMS for individuals, the domain name supplied in their email address is checked to see whether it is already associated with an Office 365 subscription, or an Azure subscription. When there is no existing subscription, an Azure directory for the organization is automatically created and a new account for this first user is automatically created. Unlike with a paid subscription for Azure, the first account is not a global administrator, but a standard user. The new account uses the email address and password that the user supplied.

    Some domain names cannot be used to create the directory and therefore cannot be used for RMS for individuals. The list of blocked domain names can be viewed from this JavaScript Object Notation file: http://portal.aadrm.com/content/blocked_domains.json

  2. The organization is granted an RMS for individuals subscription, without charge. After authenticating, this user can now protect files and read files that others have protected by using Azure Rights Management. To protect and read protected files, the user must download and install the free Rights Management sharing application.

  3. When the second user from the same organization requests an RMS for individuals subscription, a new user account is added to the previously created Azure directory, by using the organization’s RMS for individuals subscription. This second user can do everything that the first user could do (protect files and read protected files), but in addition, these two users can now more easily collaborate securely because they can quickly apply default templates to files that restrict access to accounts in their organization’s Azure directory.

  4. Subsequent users from the same organization follow the same pattern, adding user accounts (when new users sign up) to the organization’s Azure directory. The more accounts that are added to the directory, the more users can securely collaborate with co-workers and partners, and more easily prevent unauthorized people from reading their files when they should not have access to them.

Throughout this process, there is no charge to the organization and no work required from the IT department. However, the IT department could choose to do either of the following:

  • Manage the accounts and sign-up process: IT administrators can take ownership of the automatically created directory and accounts in Azure. They can then manage the accounts by implementing directory integration solutions such as password synchronization and single sign-on. Or, they can prevent users from signing up for RMS for individuals.

    For more information, see the following section, How administrators can control the accounts created for RMS for individuals.

  • Manage Rights Management: IT administrators can convert the RMS for individuals subscription for the organization to a paid subscription that includes Azure Rights Management. When they do this, the existing Azure directory and accounts are preserved for a seamless transition for existing users who were using RMS for individuals. Any files that users protected previously will still be protected with the same policies and the people that they granted permissions to use the files will still be able to use the files in the same way.

    When you take this course of action, your organization benefits by being able to integrate Rights Management into its workflows, services, and data stores. In addition, you can now manage Rights Management because you have control over your organization’s tenant key for Azure Rights Management. You can now do the following:

If you do not want to convert your organization’s RMS for individuals subscription to a paid subscription, you can still control the user accounts in the Azure directory that was created for your organization in the following ways:

  • Implement directory integration solutions for Azure Active Directory and your Active Directory Domain Services infrastructure. You can synchronize accounts so that users do not have to create new accounts to use Rights Management, and synchronize passwords so that your on-premises password policies apply to the new Azure user accounts and users do not have to remember a different password to use Rights Management.

  • You could prevent users from signing up to use Azure Rights Management. In most cases, there is little advantage in doing this because users will either share files without protection (which could put your company at risk), or will use another file protection mechanism that doesn’t provide the IT department with the option to access the data. However, if you want to prevent users from signing up to use RMS for individuals, do one of the following after you have taken ownership of your organization’s Azure directory:

    • Prevent all users from signing up for RMS for individuals by setting the AllowAdHocSubscriptions parameter to false with the Set-MsolCompanySettings cmdlet from the Windows PowerShell module for Azure Active Directory. For example:

      Set-MsolCompanySettings -AllowAdHocSubscriptions $false

    • Prevent users from creating a new account in your Azure directory, which means that only users who already have an account in Azure can sign up for RMS for individuals. To do this, set the AllowEmailVerifiedUsers parameter to false with the Set-MsolCompanySettings cmdlet from the Windows PowerShell module for Azure Active Directory. For example:

      Set-MsolCompanySettings -AllowEmailVerifiedUsers $false -AllowAdHocSubscriptions $true

    • Synchronize your Active Directory Domain Services infrastructure with Azure Active Directory. This action prevents new accounts from being created when users sign up for RMS for individuals, and you can delete or disable accounts that were previously created in the Azure directory.
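The two Set-MsolCompanySettings options above, wrapped in a small function that records the current settings before changing them and reads them back afterwards. This is an added example, not code from the original page or from Microsoft; it assumes the Azure AD (MSOnline) PowerShell module is installed, that the signed-in account is a global administrator of a directory you have already taken ownership of, and that Get-MsolCompanyInformation exposes the AllowAdHocSubscriptions and AllowEmailVerifiedUsers properties (an assumption about that cmdlet's output).

```powershell
# Added example: inspect and restrict self-service sign-up for RMS for individuals.
# Assumes the MSOnline module and a global administrator account for the directory.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

function Get-RmsForIndividualsSignUpPolicy {
    # Assumption: Get-MsolCompanyInformation returns these two settings.
    Get-MsolCompanyInformation |
        Select-Object DisplayName, AllowAdHocSubscriptions, AllowEmailVerifiedUsers
}

function Set-RmsForIndividualsSignUpPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('BlockAll', 'ExistingAccountsOnly', 'Allow')]
        [string]$Mode
    )

    # Keep a copy of the settings before the change so it can be audited or reverted.
    $before = Get-RmsForIndividualsSignUpPolicy
    Write-Host "Before: AllowAdHocSubscriptions=$($before.AllowAdHocSubscriptions) AllowEmailVerifiedUsers=$($before.AllowEmailVerifiedUsers)"

    switch ($Mode) {
        # Nobody in the organization can sign up for RMS for individuals.
        'BlockAll' {
            Set-MsolCompanySettings -AllowAdHocSubscriptions $false
        }
        # Sign-up is allowed only for users who already have an account in the
        # directory; no new account is created from a verified email address.
        'ExistingAccountsOnly' {
            Set-MsolCompanySettings -AllowEmailVerifiedUsers $false -AllowAdHocSubscriptions $true
        }
        # Restore the default self-service behaviour.
        'Allow' {
            Set-MsolCompanySettings -AllowEmailVerifiedUsers $true -AllowAdHocSubscriptions $true
        }
    }

    # Read the settings back rather than trusting that the cmdlet applied them.
    Get-RmsForIndividualsSignUpPolicy
}

# Usage (constructed): block all self-service sign-ups and show the resulting settings.
Set-RmsForIndividualsSignUpPolicy -Mode BlockAll
```

Choose ExistingAccountsOnly when you already synchronize accounts from Active Directory Domain Services and simply want to stop stray accounts from appearing in the directory; choose BlockAll only if you have decided the risk of users sharing unprotected files is acceptable, as the text above notes.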

To control the user accounts in the Azure directory, or to prevent users from signing up for RMS for individuals, you must have an Azure subscription and own the directory. If a directory was automatically created for you during the self-service process, obtain a free subscription for Azure and then take ownership of the directory.

As an administrator, how do you know if your users have signed up for RMS for individuals? You might use any or a combination of the following methods:

  • Ask users how they protect highly confidential files, especially when collaborating with others outside the organization.

  • When you have an Azure subscription for your organization, use the Get-MsolAccountSku cmdlet to see if RIGHTSMANAGEMENT_ADHOC is returned as one of the subscriptions. If it is, this is the RMS for individuals subscription that was granted to the organization, with a pool of active units available for users to use the self-service sign-up process.

  • Use a system management solution, such as System Center Configuration Manager, to inventory software installed and software in use. The Rights Management sharing application runs by using the ipviewer.exe program and you can download and install the application for free to identify other characteristics about this application that you then use for software inventory.

  • Be on the lookout for file name extensions that are created by the Rights Management sharing application. The .pfile and .ppdf file name extensions are the most obvious example, but there are other files that change their file name extension when they are natively protected by Rights Management. For more information, see the Supported file types and file name extensions section in the Rights Management sharing application administrator guide.
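The detection methods listed above, combined into one script that an administrator can run: a subscription check with Get-MsolAccountSku, a list of the users to whom that subscription has been assigned, a check for the running sharing application, and a scan for the .pfile and .ppdf extensions. This is an added example, not code from the original page or from Microsoft. It assumes the MSOnline module is installed and that you own the directory; the ends-with match on the SKU id (tenant name, colon, RIGHTSMANAGEMENT_ADHOC) and the use of the Licenses property on Get-MsolUser output are assumptions about those cmdlets' output.

```powershell
# Added example: look for evidence that users have signed up for RMS for individuals.
# Assumes the MSOnline module and ownership of the organization's Azure directory.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

function Test-RmsAdHocSubscription {
    # The RMS for individuals subscription shows up as a SKU whose id ends in
    # RIGHTSMANAGEMENT_ADHOC (assumption: the prefix is the tenant name, e.g. contoso:).
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:RIGHTSMANAGEMENT_ADHOC' }
    if ($sku) {
        [pscustomobject]@{
            Present       = $true
            AccountSkuId  = $sku.AccountSkuId
            ActiveUnits   = $sku.ActiveUnits     # size of the self-service pool
            ConsumedUnits = $sku.ConsumedUnits   # how many users have taken a unit
        }
    } else {
        [pscustomobject]@{ Present = $false }
    }
}

function Get-RmsAdHocUsers {
    # Users holding the ad hoc SKU are the ones who completed self-service sign-up.
    # Assumption: each user's Licenses collection exposes AccountSkuId.
    param([Parameter(Mandatory)][string]$AccountSkuId)
    Get-MsolUser -All |
        Where-Object { $_.Licenses.AccountSkuId -contains $AccountSkuId } |
        Select-Object UserPrincipalName, DisplayName, WhenCreated
}

function Test-SharingAppRunning {
    # The sharing application runs as ipviewer.exe; a running instance on an
    # inventoried computer is one signal that it has been installed.
    $null -ne (Get-Process -Name 'ipviewer' -ErrorAction SilentlyContinue)
}

function Find-RmsProtectedFiles {
    # Look for the extensions the sharing application produces. Other natively
    # protected file types keep their own extensions and are not enumerated here.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include '*.pfile', '*.ppdf' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (constructed): report on the tenant, then scan a share for protected files.
$subscription = Test-RmsAdHocSubscription
$subscription | Format-List
if ($subscription.Present) {
    Get-RmsAdHocUsers -AccountSkuId $subscription.AccountSkuId | Format-Table -AutoSize
}
"Sharing application running on this computer: $(Test-SharingAppRunning)"
Find-RmsProtectedFiles -Path '\\fileserver\shared'   # placeholder path
```

ConsumedUnits is the quickest indicator: a non-zero value means at least one user has already gone through self-service sign-up, which is the cue to decide between taking ownership of the directory and converting to a paid subscription.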

  1. To obtain a free subscription for Azure, go to the Azure Get started page and follow the instructions.

  2. Download the latest Windows PowerShell module for Azure Active Directory. For more information and links, see the Install the Azure AD Module section from the Manage Azure AD using Windows PowerShell documentation.

  3. Connect to Azure AD by running the following cmdlets:

    Import-Module MSOnline
    $msolcred = Get-Credential
    Connect-MsolService -Credential $msolcred

  4. Specify your domain, by using the New-MsolDomain cmdlet:

    New-MsolDomain -Name <your_domain_name>

    For example: New-MsolDomain -Name contoso.com

  5. Then run the Get-MsolDomainVerificationDns cmdlet to create a challenge:

    Get-MsolDomainVerificationDns -DomainName <your_domain_name> -Mode DnsTxtRecord

    For example: Get-MsolDomainVerificationDns -DomainName contoso.com -Mode DnsTxtRecord

  6. Copy the value (the challenge) that is returned from this command.

    For example: MS=32DD01B82C05D27151EA9AE93C5890787F0E65D9

  7. In your public DNS namespace, create a DNS TXT record that contains the value that you copied in the previous step.

    The name for this record is the name of the parent domain, so if you create this resource record by using the DNS role from Windows Server, leave the Record name blank and just paste the value into the Text box.

  8. Run the Confirm-MsolDomain cmdlet to verify the challenge:

    Confirm-MsolDomain -DomainName <your_domain_name>

    For example: Confirm-MsolDomain -DomainName contoso.com

    A successful challenge returns you to the prompt without an error.
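Steps 3 through 8 above as one script, with a public DNS lookup inserted between publishing the TXT record and calling Confirm-MsolDomain so that the confirmation is not attempted before the record has propagated. This is an added example, not code from the original page or from Microsoft. It assumes the MSOnline module is installed, that Get-MsolDomainVerificationDns returns a record object with a Text property carrying the MS=... challenge (an assumption about that cmdlet's output), and that Resolve-DnsName from the DnsClient module is available on the administrator's workstation; the domain name is a placeholder you supply.

```powershell
# Added example: take ownership of the automatically created Azure AD domain.
# Run as: .\Confirm-RmsDomain.ps1 -DomainName contoso.com (placeholder domain)
param(
    [Parameter(Mandatory)][string]$DomainName
)

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

# Step 4: register the domain with the directory (skip if it is already listed).
if (-not (Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $DomainName | Out-Null
}

# Step 5 and 6: obtain the TXT challenge that proves ownership.
# Assumption: the returned record exposes the challenge in its Text property.
$record    = Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord
$challenge = $record.Text
Write-Host "Step 7: create a TXT record at the apex of $DomainName with this value:"
Write-Host "        $challenge"

# Wait until the record is visible in public DNS before attempting confirmation;
# Confirm-MsolDomain fails if the challenge cannot be resolved yet.
$published = $false
for ($attempt = 1; $attempt -le 20 -and -not $published; $attempt++) {
    $txt = Resolve-DnsName -Name $DomainName -Type TXT -ErrorAction SilentlyContinue
    if ($txt -and ($txt.Strings -contains $challenge)) {
        $published = $true
    } else {
        Write-Host "TXT record not visible yet (attempt $attempt of 20); waiting 30 seconds."
        Start-Sleep -Seconds 30
    }
}
if (-not $published) {
    throw "The TXT challenge for $DomainName is still not visible in public DNS; try again later."
}

# Step 8: verify the challenge. Success returns without error; the domain's
# status should then read Verified.
Confirm-MsolDomain -DomainName $DomainName
(Get-MsolDomain -DomainName $DomainName).Status
```

Resolve-DnsName consults the local resolver, so if your workstation uses an internal DNS server that overrides the public zone, run the lookup from a host that resolves the public namespace, or query a public resolver with the -Server parameter.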

Now you’ve taken ownership of the Azure Active Directory domain, you can configure directory integration solutions with your Active Directory Domain Services infrastructure, and manage your Azure directory by using the Set-MsolCompanySettings cmdlet, as described in the previous section.

Although the Rights Management sharing application can be downloaded and installed individually by users, it also supports an enterprise installation. To help users protect sensitive files and collaborate securely, consider automatically installing this application on Windows computers for users.

For more information, see the Automatic deployment for the Microsoft Rights Management sharing application section in the Rights Management sharing application administrator guide.


© 2015 Microsoft