Azure RMS Templates
Hello, I recently posted this question in both the Azure and Office 365 forums and was referred here. We
are currently using Office 365 and have enabled E3 licenses to use IRM in Office through Azure. We would like to encrypt a lot of documents using the AD RMS Bulk Encryption tool,
however it requires an RMS template. Azure provides two (Confidential, and Confidential Read-only). These work using the tool, but when I try to modify the XML to customize the templates it breaks them and since I don't have access to the AD RMS
MMC I cannot generate my own. Does anyone know how I can make this work?
Updating an old thread: Azure RMS now supports customized templates.
Announcement:
http://blogs.technet.com/b/rms/archive/2014/04/03/create-custom-templates-in-azure-rms-with-the-azure-management-portal.aspx
Documentation:
http://technet.microsoft.com/en-us/library/dn642472.aspx
Similar Messages
-
Azure RMS Group user with Ad-hoc policy
Hi,
In Azure RMS, the group users are unable to open the encrypted documents if the file is encrypted using an ad-hoc policy (my policy).
But the same group users were able to open the encrypted document in case the file is encrypted using templates (company policy).
So, it would be great if you could assist us in resolving this issue.
Vivek, thanks for your reply. As mentioned I'm trying to integrate ASA remote access VPN in with Microsoft Active Directory via IAS. How can I configure RADIUS Attribute 25 on IAS to recv a value from AD and fwd it on to the ASA?
What I'd really like confirmed first is whether group-lock functionality is available from AD through RADIUS?
thanks, Graeme -
RMS sdk 2.1 - cannot get AZURE rms server.
We have 2 RMS servers: 1 is on premise and the second is an RMS Azure server with SSO (single sign-on).
Calling IpcGetTemplateIssuerList returns only the on-premise RMS server. How do I retrieve the Azure RMS server?
Hi,
I'm also new to AD RMS and trying to get started with the interop example. I too am getting the EXACT SAME ERROR - The system cannot find the file specified. HRESULT: 0x80070002 - when I try to run the code below:
I try to run this statement: Collection<TemplateInfo> ipcTemplates = IPC.GetTemplates();
internal static class IPC
{
    static IPC()
    {
        SafeNativeMethods.IpcInitialize();
    }

    public static Collection<TemplateInfo> GetTemplates()
    {
        Collection<TemplateInfo> templates = null;
        try
        {
            templates = SafeNativeMethods.IpcGetTemplateList(null, true, true, false, false, null, null);
        }
        catch (Exception /*ex*/)
        {
            /* TODO: Add logging */
            throw;
        }
        return templates;
    }
}
Here's my stack trace:
The system cannot find the file specified. HRESULT: 0x80070002
at Microsoft.InformationProtectionAndControl.SafeNativeMethods.ThrowOnErrorCode(Int32 hrError) in c:\Microsoft.InformationProtectionAndControl\SafeNativeMethods.cs:line 1678
at Microsoft.InformationProtectionAndControl.SafeNativeMethods.IpcGetTemplateList(ConnectionInfo connectionInfo, Boolean forceDownload, Boolean suppressUI, Boolean offline, Boolean hasUserConsent, Form parentForm, CultureInfo cultureInfo) in c:\\Microsoft.InformationProtectionAndControl\SafeNativeMethods.cs:line 137
at IPC.GetTemplates() in c:\IPC.cs
Please let me know if you have resolved this error or if you can find any managed code samples for AD RMS.
Thanks -
I am trying to make protected documents available to some users via Azure RMS. Within the templates, there is an option called Offline Settings and it's configured to "Content is available only with an Internet connection".
Background:
When I open the file in Office 2010 or Office 2010, the user is prompted to login (good) and the credentials are cached.
If the internet connection is unavailable, both Office 2010 or Office 2013 does not open the document (good).
For the next 8 hours, Office 2013 will not prompt for authentication as it's cached (acceptable/good).
The problem is that Office 2010 seems to cache the credentials forever. Meaning that if an employee is suspended, they still have access to the document. Any ideas?
Hi Bigredthelogger,
Summing up - if you enable "Content is available only with an Internet connection" with Azure RMS, to be able to open a protected document users will always need to have an Internet connection. If they don't - they fail.
Now, if you want to revoke access to the documents for the users, you should disable the user's account. Relying on cached auth credentials is not a good way to meet your requirement. Depending on your architecture:
If you have your users synced from AD to Azure - disable the user's account in AD and this information should disable the user in the Cloud, resulting in the user not being able to access the document.
If you have your users directly in the Cloud with no synchronization - just log in to the Office365 portal as a Global Admin, go to Users, search for the user, and there in the settings section you can choose to block the user: "The user can't sign in or access services." Also, you can remove the RMS subscription from the user account.
Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer. -
KimaniBob
Is it possible to have AD RMS templates display on OWA (I have Exchange 2010 SP3) and AD RMS 2008 R2?
I figured it out.
I used the following link: http://blogs.technet.com/b/ilvancri/archive/2010/07/09/configuring-ad-rms-and-exchange-2010-sp1-beta.aspx
Thanks hope this is helpful to someone else
KimaniBob -
Old AD RMS template still displayed in OWA which were already deleted
Hi,
Currently, I'm having a problem where a deleted template can still be viewed & selected when trying to apply RMS protection. I have checked the template distribution folder & run Get-RMSTemplate to see whether the template is present or not (which it is not).
As you can see from the picture above, I have already disabled RMS, yet we can still see the templates. Some of the templates listed above have already been deleted & some just popped up out of nowhere. Please, I really need some help here. Thanks in advance
Depending on what version of Exchange this is, you might be able to use:
Set-IRMConfiguration -RefreshServerCertificates
It sounds like this will refresh the templates as well:
The RefreshServerCertificates switch clears all Rights Account Certificates (RACs), Computer Licensor Certificates (CLCs), and cached AD RMS templates from all Microsoft Exchange Server 2010 or Exchange Server 2013 servers in the organization. Clearing RACs, CLCs, and cached templates may be required during troubleshooting or in the event of a change of keys on the AD RMS cluster in your organization.
I would be careful about actually deleting templates. Preferably you should archive them. If messages actually were protected with those templates and they are deleted, they will be inaccessible. -
I am unable to see the created AD RMS Templates office 2010
Hi,
We have a SBS 2011 server (AD, exchange, DNS, ...etc) and a File server 2008 R2.
We installed the AD RMS feature on the File server and created the templates needed.
On AD RMS client (W7):
-We run the task scheduler.
-We create the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM for office 2010 clients
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM for office 2007clients
The MS 2007 clients don't have any problems, but all MS 2010 clients have a problem: unable to see the created AD RMS templates.
Please advise,
Note: I prefer to be contacted by email at
[email protected] to accelerate our communication.
Hi,
We need to check the templates in the path C:\Users\martinr\AppData\Local\Microsoft\DRM\Templates first.
Then, if you use 32-bit editions of Office running on 64-bit versions of Microsoft Windows, please try the following command:
HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Office\<version>\Common\DRM.
Following this, I recommend the two methods:
The permission policy path in the ADMX file is setup to use EDITTEXT (Regular Reg_sz), instead of EXPANDABLETEXT (REg_Expand_Sz).
The policy template is setup out of the box expects a static path (i.e. c:\templates, and cannot use %localappdata%\Microsoft\DRM\Templates)
For more detailed information, please refer to the following links:
http://technet.microsoft.com/en-us/library/cc179103.aspx
http://technet.microsoft.com/en-us/library/dd772637(v=ws.10).aspx
Here is a similar issue, we could refer to:
http://social.technet.microsoft.com/Forums/en-US/224574c4-599b-4843-b235-f86ac74d03e9/ad-rms-template-problem?forum=rms
Regards,
George Zhao
TechNet Community Support -
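The checks described in the reply above, written out as an added PowerShell example that is not part of the original thread: it inspects each Office DRM key the thread names, reports whether the template path is stored as REG_SZ or REG_EXPAND_SZ, flags a REG_SZ value that still contains an unexpanded %VARIABLE%, and counts the XML templates in the resulting folder. The value name AdminTemplatePath, the Policies root, the function name Test-DrmTemplatePath and the use of PowerShell 3.0 or later are assumptions.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Assumption: the template folder is stored in a value named AdminTemplatePath.
$ValueName = 'AdminTemplatePath'
$Versions  = '12.0', '14.0'   # Office 2007 and Office 2010, the versions named in the thread
$Roots     = @(
    'HKCU:\Software\Microsoft\Office',
    'HKCU:\Software\Wow6432Node\Microsoft\Office',   # 32-bit Office on 64-bit Windows, per the reply
    'HKCU:\Software\Policies\Microsoft\Office'       # assumption: where the ADMX policy writes
)

# Hypothetical helper: reports how the template path is stored and whether it resolves.
function Test-DrmTemplatePath {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [string] $Name = $ValueName
    )
    $result = [ordered]@{ Key = $KeyPath; Kind = $null; Raw = $null; Templates = 0; Status = $null }

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { $result.Status = 'KeyMissing'; return [pscustomobject]$result }
    if ($key.GetValueNames() -notcontains $Name) {
        $result.Status = 'ValueMissing'; return [pscustomobject]$result
    }

    # Read the value exactly as stored, without letting the registry API expand %VAR%.
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $kind = $key.GetValueKind($Name)
    $raw  = [string]$key.GetValue($Name, $null, $noExpand)
    $result.Kind = $kind
    $result.Raw  = $raw

    # REG_SZ is used literally, so a %VAR% inside it never resolves to a real folder.
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::String -and $raw -match '%[^%]+%') {
        $result.Status = 'UnexpandedVariableInRegSz'
        return [pscustomobject]$result
    }

    $folder = if ($kind -eq [Microsoft.Win32.RegistryValueKind]::ExpandString) {
        [Environment]::ExpandEnvironmentVariables($raw)
    } else { $raw }

    if (-not $folder -or -not (Test-Path -LiteralPath $folder -PathType Container)) {
        $result.Status = 'FolderMissing'
        return [pscustomobject]$result
    }

    # Rights policy templates are distributed as XML files.
    $result.Templates = @(Get-ChildItem -LiteralPath $folder -Filter '*.xml' -File).Count
    $result.Status = if ($result.Templates -gt 0) { 'OK' } else { 'NoTemplates' }
    [pscustomobject]$result
}

# Check every root/version combination for the signed-in user.
foreach ($root in $Roots) {
    foreach ($version in $Versions) {
        Test-DrmTemplatePath -KeyPath "$root\$version\Common\DRM"
    }
}
```

Run it as the affected user, because every key it reads is under HKEY_CURRENT_USER.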
Can I build Azure RemoteApp template without Remote Desktop License ?
Can I build Azure RemoteApp template without Remote Desktop License ?
I want to build and update the Azure RemoteApp template by using same Hyper-V guest image continue.
Message:
"Remote Desktop licensing mode is not configured"
Environment 1: my on-premises Hyper-V guest.
Environment 2: my Azure Virtual Machine by "Windows Server Remote Desktop Session Host" image.
Regards,
Yoshihiro Kawabata
Hi Yoshihiro,
If you are referring to RDS CAL, the answer is yes, you can build a template
without having an RDS CAL. For on-premises you would still need rights to install Windows Server as a guest, but to build the template you do not need an RDS CAL because this use is for administrative purposes.
In the case of building the image on an Azure Virtual Machine you do not need Windows Server license since that is included in the pricing for the Virtual Machine. As mentioned above you do not need an RDS CAL since you are only building a template
image which is administrative use.
As always please review the appropriate documents that apply to your situation such as the Online Service Terms (OST), Product Use Rights (PUR), license agreement(s), etc. for precise details.
Thanks.
-TP -
Dear Sir,
I have had an experience with RMS on the iPhone. I have enrolled an account for RMS evaluation from the aadrm portal. I have registered two accounts for testing purposes. First of all, I downloaded the app from the Apple store and installed it on my iPhone. After installation, I tried to encrypt photos from the existing photo library. I followed the instructions to do so. I have two choices, and the third choice, "Custom Permission", is dimmed. The only two choices are "Shared" and "Protected". I am able to encrypt the photo and send it out to the designated users. It returns an error on sharing permission. What is going wrong? On the other hand, will the photo be encrypted in place or not? I returned to the photo library and the format remains unchanged.
Secondly, I have registered for Windows Azure. As heard from a technical engineer at MS, they told me that MS has an Azure RMS dedicated cloud platform. Is it a centralised platform for user management? I would like to manage all users in Azure cloud services. Please let me know.
For the permissions assigned, I also have previous experience with PC-encrypted document file(s), where I used MS Office 2013.
Finally, I would like to get more Windows Azure information. Can you give me some implementation notes and technical requirements?
Regards
Stanley
Hi Stanley,
Some answers for your questions:
" I have two choices and the third choices is dim which is "Custom Permission""
>>> "Custom Permissions" is currently not supported but will be available soon. It allows you to give permissions to specific people (i.e. email addresses) inside or outside your organization (i.e. account).
>>> "It returns an error on sharing permission."
It is not clear to me what happened here, can you please elaborate? Did the designated user get the sharing permissions when he tried to open the document using the RMS sharing app? Did it happen on the same device?
>>> "On the other hand, is the in placed photo will be encrypted or not? I have returned to photo library the format remains unchanged."
When you choose a photo from your Photos gallery, the photo is copied and encrypted using RMS and can be sent in a protected file format (called PFILE).
The original photo in your Photos library app remains unchanged, because it is currently impossible to use RMS to protect the photos that are in your photos library app. You can of course choose to delete the original photo itself after you protect and share it.
About the rest of your questions,
- Windows Azure provides deep documentation and tutorials which you can find here: http://www.windowsazure.com/en-us/
You can use Windows Azure Active Directory to manage all the users in your organization, as explained there.
Azure RMS is the new RMS technology which RMS sharing app uses. You can build your own applications that uses Azure RMS too. Please refer to the following links to find more information on Azure RMS:
http://blogs.msdn.com/b/rms/archive/2013/11/15/the-new-microsoft-rms-has-shipped.aspx
You might also want to read Azure RMS whitepaper here:
http://blogs.technet.com/b/rms/archive/2013/07/31/the-new-microsoft-rights-management-services-whitepaper.aspx
Best regards,
Yair -
UNABLE TO RETRIEVE RMS TEMPLATE
Hi,
I installed RMS on a standalone server.
On our file server, we go to the file management task and go to Action: I find (cannot retrieve RMS templates).
Need suggestions.
MCP MCSA MCSE MCT MCTS CCNA
Hi Yasser,
Here are some related links below for your reference:
You cannot use earlier versions of templates in Windows Rights Management Services (RMS) after you upgrade to RMS Server 2003
http://support.microsoft.com/kb/830693
AD RMS Troubleshooting Guide
http://social.technet.microsoft.com/wiki/contents/articles/13130.ad-rms-troubleshooting-guide.aspx
AD RMS Template Problem
https://social.technet.microsoft.com/Forums/en-US/224574c4-599b-4843-b235-f86ac74d03e9/ad-rms-template-problem?forum=rms
Best Regards,
Amy -
Decommissioning of a Azure RMS
Title says it all :)
The process of an AD RMS decommissioning is documented, and with can also be done automatically for the documents.
But how about Azure RMS? I could not find information about this topic, can someone help me out?
Thanks in advance
www.sccmfaq.ch
Hi Martin -
I have found some information about deactivating the Azure RMS service here:
http://technet.microsoft.com/en-us/library/jj658940.aspx. That will help you to stop using the Azure RMS service. However, in terms of using decommissioning to decrypt protected content, I don't think that Azure RMS has an equivalent process.
The article makes specific reference to contacting support to enable certain scenarios.
I hope that helps!
Micah LaNasa
Synergy Advisors
synergyadvisors.biz -
SharePoint On Premises – AZURE RMS issue
SharePoint On Premises – AZURE RMS issue. Our SharePoint platform is on premises and we wanted to make Azure RMS workable in our on-premises SharePoint site.
Based on the blogs below, I have configured everything specified in them. I am getting the below at the final stage. Please help me with the same.
https://technet.microsoft.com/en-us/library/dn375964.aspx
http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=639
I am trying with my corporate AD account and logging into the SharePoint site, and getting the popup below. In this screen, I am getting blank word whatever I click, whether it is the change user option, the yes option or the no option.
Thanks, Ram Ch
Hi Ram,
The RMS connector communicates with Azure RMS by invoking REST service, so it doesn't need to be exposed to internet, but it must be able to reach internet. Based on the screenshot
information, it sounds like you haven't verified your domain in Office 365. For example, if your AD users have a UPN with the suffix @contoso.com, the domain name contoso.com should be added to the Domains of your Office 365 tenant and verified. This is to keep your users' on-premises credentials and online credentials consistent; otherwise, your users will be synced to Office 365 with the default domain "tenantname.onmicrosoft.com", as in the current situation. In fact, this is already mentioned in the article included in your first post. See the information below (from https://technet.microsoft.com/library/hh967642.aspx):
Caution
You must add and verify your company's domains in order to use them in Azure Active Directory and Office 365. For more information, see Add your custom domain to the Azure AD tenant and Verify a domain.
Meanwhile, to experience Azure RMS, I highly recommend that you implement single sign-on; otherwise, your users will be prompted for credentials before they can get access to the protected content.
Thanks,
Reken Liu
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected] -
Mapping Azure RMS logs to SharePoint documents
Hello,
I have a SharePoint Online environment with Azure RMS activated. I can get some logs from RMS; however, it is not clear to me how the log entries are related to the SharePoint documents.
Can anyone help me out with how I can link a document to an RMS log entry? (C#, PowerShell, ...)
Thanks -
Hi,
I'm struggling with finding clear information on licensing surrounding Azure RMS, in particular protecting files on on-premise file servers.
To begin with we only want to use Azure RMS to protect content stored within on-premise Windows 2012 servers using FCI and the Azure RMS Connector.
In terms of licensing the users do we need to
A) License each user that will be consuming protected content on premise?
or
B) License the users that will be applying the protection to content.
i.e. does a user need a RMS license to consume on premise protected documents.
A previous engagement with Microsoft Partner PreSales Advisory stated that we do not need to license users that are purely consuming content and only need to license users putting the protection and policies in place, but we wanted to confirm this.
We are aware that with Applications such as Exchange Online and SharePoint Online all users need an RMS license but we need the clarification on on-premise file servers.
Can anyone help?
Many Thanks
Hi Carol,
Thank you for the further explanation this certainly does help clear things up.
Thinking about this scenario more and more it does seem like it could be quite cumbersome to license with a high potential to not license correctly certainly in a large environment.
Depending on how you have your NTFS permissions set up, it strikes me that you would need to license any user that has the potential to save / create a file in a location, as by default they would be the owner of that new file.
Would it be a sensible suggestion to have a license in place for all members of the security group that has the ability to create files in the location you are protecting? Further on from that, if we did this and a member of that security group didn't have
a license would we breach licensing regulations or would they simply not have the relevant functionality available to them? Taking this even further if the protection gets put in place by a policy / FCI rule surely they wouldn't need any different level
of functionality as FCI will be assisting in putting the protection in place not the user creating the files.
Sorry to bombard you with my questions / ramblings!
Thanks -
Hi,
I'm struggling with finding clear information on licensing surrounding Azure RMS, in particular protecting files on on-premise file servers.
To begin with we only want to use Azure RMS to protect content stored within on-premise Windows 2012 servers using FCI and the Azure RMS Connector.
In terms of licensing the users do we need to
A) License each user that will be consuming protected content on premise?
or
B) License the users that will be applying the protection to content.
i.e. does a user need a RMS license to consume on premise protected documents.
A previous engagement with Microsoft Partner PreSales Advisory stated that we do not need to license users that are purely consuming content and only need to license users putting the protection and policies in place, but we wanted to confirm this.
We are aware that with Applications such as Exchange Online and SharePoint Online all users need an RMS license but we need the clarification on on-premise file servers.
Can anyone help?
Many Thanks
Please see the following blog post. I believe it covers your questions.
Rights Management Licensing Terms (for Orgs and ISVs)
Consuming protected content is free. Licenses needed to protect content. Other details in the link.
Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.