Decommissioning of a Azure RMS

Similar Messages

• Azure RMS Group user with Ad-hoc policy

  Hi,
  In Azure RMS, the group users are unable to open the encrypted documants if the file is encrypted using ad-hoc policy(my policy)
  But, the same group users were able to open the encrypted document incase if the file is encrypted using templates(company policy)
  so, it would be great if you assist us in resolving this issue.
    

  Vivek, thanks for your reply. As mentioned I'm trying to integrate ASA remote access VPN in with Microsoft Active Directory via IAS. How can I configure RADIUS Attribute 25 on IAS to recv a value from AD and fwd it on to the ASA?
  What I'd really like confirmed first is whether group-lock functionality is available from AD through RADIUS?
  thanks, Graeme

• RMS sdk 2.1 - cannot get AZURE rms server.

  We have 2 RMS servers, 1 is on premise and the second is RMS azure server with SSO(single sign on).
  calling IpcGetTemplateIssuerList returns only the on-premise RMS server. how do i retrieve the azure RMS server?

  Hi,
  I'm also new to AD RMS and trying to get started with the interop example. I too am getting the EXACT SAME ERROR - The system cannot find the file specified. HRESULT: 0x80070002 - when I try to run the code below:
  I try to run this statement: Collection<TemplateInfo> ipcTemplates = IPC.GetTemplates();
  internal static class IPC
  static IPC()
  SafeNativeMethods.IpcInitialize();
  public static Collection<TemplateInfo> GetTemplates()
  Collection<TemplateInfo> templates = null;
  try
  templates = SafeNativeMethods.IpcGetTemplateList(null, true, true, false, false, null, null);
  catch (Exception /*ex*/)
  /* TODO: Add logging */
  throw;
  return templates;
  Here's my stack trace:
  The system cannot find the file specified. HRESULT: 0x80070002
     at Microsoft.InformationProtectionAndControl.SafeNativeMethods.ThrowOnErrorCode(Int32 hrError) in c:\Microsoft.InformationProtectionAndControl\SafeNativeMethods.cs:line 1678
     at Microsoft.InformationProtectionAndControl.SafeNativeMethods.IpcGetTemplateList(ConnectionInfo connectionInfo, Boolean forceDownload, Boolean suppressUI, Boolean offline, Boolean hasUserConsent, Form parentForm, CultureInfo cultureInfo) in c:\\Microsoft.InformationProtectionAndControl\SafeNativeMethods.cs:line
  137
     at IPC.GetTemplates() in c:\IPC.cs
  Please let me know if you have resolved this error or if you can find any managed code samples for AD RMS. 
  Thanks

• Azure RMS

  Dear Sir,
  I got an experienced for the RMS with iPhone.  I have enrolled an account for RMS evaluation from aadrm portal.  I have registered two acounts for testing purpose.  First of all, I have download the apps from apple store and install
  it on my iphone.  After installation, I have tried to encrypted the photos through existing photo library.  I follwed the instructions to do so.  I have two choices and the third choices is dim which is "Custom Permission". The only
  two choices "Shared" and "Protected".  I am able to encrypt the photo and sent out to the designated users.  It returns an error on sharing permission.  What is going wrong?  On the other hand, is the in placed photo
  will be encrpted or not?  I have returned to photo library the format remains unchanged. 
  Secondly, I have registered Widnows Azure.   As heard from tecnical engineer-MS, they told me that MS has an Azure RMS dedicated cloud platform.  Is it a centralised platform for user management?  I would like managed all user in Azure
  cloud services.  Please let me know?
  For the permission assigned, I also have an experience before with PC encrypted document file(s) where I used ms office 2013. 
  Finally, I woul like to get more Windows Azure information.  Can you give me some implementation note and technical requirements?
  Regards
  Stanley                                              

  Hi Stanely,
  Some answers for your questions:
  " I have two choices and the third choices is dim which is "Custom Permission""
  >>> "Custom Permissions" is currently not supported and but will be available soon. It allows you to give permissions to specific people (i.e. email addresses) inside or outside your organization (i.e. account).
  >>> "It returns an error on sharing permission."
  It is not clear to me what happened here, can you please elaborate? Did the designated user get the sharing permissions when he tried to open the document using RMS sharing app? did it happen on the same device?
   >>> "On the other hand, is the
  in placed photo will be encrpted or not?  I have returned to photo library the format remains unchanged. 
  When you choose a photo from your Photos gallery, the photo is copied and encrypted using RMS and can be sent in a protected file format (called PFILE).
  The original photo in your Photos library app remains unchanged, because it is currently impossible to use RMS to protect the photos that are in your photos library app. You can of course choose to delete the original photo itself after you protect and share
  it.
  About the rest of your questions,
  - Windows Azure provides deep documentation and tutorials which you can find here: http://www.windowsazure.com/en-us/
  You can use Windows Azure Active Directory to manage all the users in your organization, as explained there.
  Azure RMS is the new RMS technology which RMS sharing app uses. You can build your own applications that uses Azure RMS too. Please refer to the following links to find more information on Azure RMS:
  http://blogs.msdn.com/b/rms/archive/2013/11/15/the-new-microsoft-rms-has-shipped.aspx
  You might also want to read Azure RMS whitepaper here:
  http://blogs.technet.com/b/rms/archive/2013/07/31/the-new-microsoft-rights-management-services-whitepaper.aspx
  Best regards,
  Yair

• SharePoint On Premises – AZURE RMS issue

  SharePoint On Premises – AZURE RMS issue. Our SharePoint plat form is on premises and wanted to take AZURE RMS ISSUE to make workable in On premises SharePoint site.
  Based on the below blogs I have configured all the specified in those. I am getting below at the final stage. Please help me with the same.
  https://technet.microsoft.com/en-us/library/dn375964.aspx
  http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=639
  I am trying with my corporate AD account and logging into SharePoint site, getting below popup. in this screen, I am getting blank word whate ever I click with it is change user option or yes option or no option
  Thanks, Ram Ch

  Hi Ram,
  The RMS connector communicates with Azure RMS by invoking REST service, so it doesn't need to be exposed to internet, but it must be able to reach internet. Based on the screenshot
  information, it sounds that you haven't verified your domain in Office 365. For example, your AD users have UPN with suffix @consotos.com, the domain name contoso.com should be added into Domains of your Office 365 tenant, and verify it. This is to keep the
  consistency of your users' on-premises credential and online credential, otherwise, your users will by synced to Office 365 with the default domain "tenantname.onmicrosoft.com", such as the current situation. In fact it has been already mentioned
  in the article included in your first post. See the information below:
  (from
  https://technet.microsoft.com/library/hh967642.aspx)
  Caution
  You must add and verify your company’s domains in order to use them in Azure Active Directory and Office 365. For more information, see
  Add your custom domain to the Azure AD tenant and
  Verify a domain.
  Meanwhile, to experience Azure RMS, I highly recommend you to implement single sign-on, otherwise, your users will be prompt for credentials before they can get access to the protected content.
  Thanks,
  Reken Liu
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Mapping Azure RMS logs to SharePoint documents

  Hello,
  I have a SharePoint online environment with Azure RMS activated. I can get some logs from RMS, however it is not clear to me how the log entries are related the the sharepoint documents.
  Can anyone help me out how I can link a document to a RMS log entry? (c#, powershell, ...)
  Thanks

  Hi Ram,
  The RMS connector communicates with Azure RMS by invoking REST service, so it doesn't need to be exposed to internet, but it must be able to reach internet. Based on the screenshot
  information, it sounds that you haven't verified your domain in Office 365. For example, your AD users have UPN with suffix @consotos.com, the domain name contoso.com should be added into Domains of your Office 365 tenant, and verify it. This is to keep the
  consistency of your users' on-premises credential and online credential, otherwise, your users will by synced to Office 365 with the default domain "tenantname.onmicrosoft.com", such as the current situation. In fact it has been already mentioned
  in the article included in your first post. See the information below:
  (from
  https://technet.microsoft.com/library/hh967642.aspx)
  Caution
  You must add and verify your company’s domains in order to use them in Azure Active Directory and Office 365. For more information, see
  Add your custom domain to the Azure AD tenant and
  Verify a domain.
  Meanwhile, to experience Azure RMS, I highly recommend you to implement single sign-on, otherwise, your users will be prompt for credentials before they can get access to the protected content.
  Thanks,
  Reken Liu
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Azure RMS Templates

  Hello, I recently posted this question in both the Azure and Office 365 forums and was referred here. We
  are currently using Office 365 and have enabled E3 licenses to use IRM in Office through Azure. We would like to encrypt a lot of documents using the AD RMS Bulk Encryption tool,
  however it requires an RMS template. Azure provides two (Confidential, and Confidential Read-only). These work using the tool, but when I try to modify the XML to customize the templates it breaks them and since I don't have access to the AD RMS
  MMC I cannot generate my own. Does anyone know how I can make this work?

  Updating an old thread: Azure RMS now supports customized templates. 
  Announcement:
  http://blogs.technet.com/b/rms/archive/2014/04/03/create-custom-templates-in-azure-rms-with-the-azure-management-portal.aspx
  Documentation:
  http://technet.microsoft.com/en-us/library/dn642472.aspx

• Azure RMS and Cache

  I am trying to make protected documents available to some users via Azure RMS. Within the templates, there is an option called Offline Settings and its configured to "Content is available only with an Internet connection".
  Background:
  When I open the file in Office 2010 or Office 2010, the user is prompted to login (good) and the credentials are cached.
  If the internet connection is unavailable, both Office 2010 or Office 2013 does not open the document (good).
  For the next 8 hours, Office 2013 will not prompt for authentication as its cached (acceptable/good).
  The problem is that Office 2010 seems to cache the credentials forever. Meaning that if a employee is suspended, they still have access to the document. Any ideas?

  Hi Bigredthelogger,
  Summing up - if you enable "Content is available only with an Internet connection" with Azure
  RMS,  to be able to open a protected document users will always need to have Internet connection. If they don't - they fail.
  Now, if you want to revoke access to the documents for the users you should disable users account. Relying
  on caching auth credentials is not a good way to your requirement. Depending on your architecture
  If you have your users synced from AD to Azure - disable users account in AD and this information should
  disable user in the Cloud resulting in user being not able to access document
  If you have your users directly in the Cloud with no synchronization - just login to the Office365 portal
  as a Global Admin, go to Users, search for the user and there in the settings section you can choose to block user "<label disabled="disabled">The user can't sign in or access services.". Also you can remove RMS subscription
  from the user account</label>
  Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

• Azure RMS user licensing

  Hi,
  Im struggling with finding clear information on licensing surrounding Azure RMS, in particular protecting files on on-premise file servers.
  To begin with we only want to use Azure RMS to protect content stored within on-premise Windows 2012 servers using FCI and the Azure RMS Connector.
  In terms of licensing the users do we need to
  A) License each user that will be consuming protected content on premise?
  or
  B) License the users that will be applying the protection to content.
  i.e. does a user need a RMS license to consume on premise protected documents.
  A previous engagement with Microsoft Partner PreSales Advisory stated that we do not need to license users that are purely consuming content and only need to license uses putting the protection and policys in place but we wanted to confirm this.
  We are aware that with Applications such as Exchange Online and SharePoint Online all users need an RMS license but we need the clarification on on-premise file servers.
  Can anyone help?
  Many Thanks

  Hi Carol,
  Thank you for the further explanation this certainly does help clear things up.
  Thinking about this scenario more and more it does seem like it could be quite cumbersome to license with a high potential to not license correctly certainly in a large environment.
  Depending on how you have you NTFS permissions setup it strikes me that you would need to license any user that has the potential to save / create a file in a location as by default they would be the owner of that new file.
  Would it be a sensible suggestion to have a license in place for all members of the security group that has the ability to create files in the location you are protecting? Further on from that if a we did this and a member of that security group didn't have
  a license would we breach licensing regulations or would they simply not have the relevant functionality available to them? Taking this even further if the protection gets put in place by a policy / FCI rule surely they wouldn't need any different level
  of functionality as FCI will be assisting in putting the protection in place not the user creating the files.
  Sorry to bombard you with my questions / ramblings!
  Thanks

• Azure RMS Licensing

  Hi,
  Im struggling with finding clear information on licensing surrounding Azure RMS, in particular protecting files on on-premise file servers.
  To begin with we only want to use Azure RMS to protect content stored within on-premise Windows 2012 servers using FCI and the Azure RMS Connector.
  In terms of licensing the users do we need to
  A) License each user that will be consuming protected content on premise?
  or
  B) License the users that will be applying the protection to content.
  i.e. does a user need a RMS license to consume on premise protected documents.
  A previous engagement with Microsoft Partner PreSales Advisory stated that we do not need to license users that are purely consuming content and only need to license uses putting the protection and policys in place but we wanted to confirm this.
  We are aware that with Applications such as Exchange Online and SharePoint Online all users need an RMS license but we need the clarification on on-premise file servers.
  Can anyone help?
  Many Thanks

  Please see the following blog post. I believe it covers your questions.
  Rights Management Licensing Terms (for Orgs and ISVs)
  Consuming protected content is free. Licenses needed to protect content. Other details in the link.
  Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

• Azure RMS and FCI Servers

  I am setting up a FCI server and want to encrypt certain documents based on policy.  I have completed the pre-requisites and have reached the stage to install the RMS Connector.  After installing it, I went to authorise a FCI server but I do not
  have that option.  The only options available are Exchange and Sharepoint.
  I have tried the sharepoint option and specified the computer account but when running the GetConenctorConfig script I receive back a 401 Unauthorised error.  Any thoughts as to why the option for a FCI server type is not present?  Seems to be
  a significant oversight.
  Regards
  Pete Hall

  This was a pretty recent addition and I know it took a while for it to show up for everyone.
  Is this still an issue?

• RMS: On-Premise vs Azure

  Hi,
  We are looking at whether to implement RMS either with Azure Cloud and on-premise. Does anyone has a list of technical difference & comparisons of pros-cons when it comes to on-premise versus Azure cloud?
  Thank You.

  Hi Warrior -
  The two are very similar in terms of how they work and the necessary components.  There are some feature differences at the moment, which are covered here:
  http://technet.microsoft.com/en-us/library/jj739831.aspx
  In terms of pros and cons, beyond the article covered there, Azure RMS is available as a subscription service, with limited on-premises components to deploy.  AD RMS is available as an on-premises server role.  So in addition to the above, the
  pros and cons of deploying something in the cloud or on-premises also apply.
  I hope that helps!
  Thanks,
  Micah LaNasa
  Synergy Advisors
  synergyadvisors.biz

• Co-existence of AD RMS On-Premises and Azure Rights Management

  Recently, I was part of an internal IT project to implement AD RMS on-premises on top of Windows Server 2012 R2. We had created a template, assigned users to it and the template has been in use for about 2 months without any issues.
  I was then reading about the Azure Rights Management Service which had been released and we were eligible for with our Office 365 subscription. I went through all the documentation and went ahead with implementing it yesterday not seeing any caveats based
  on our current setup. Well, today, I received word from users that they were not able to see the original template they were using when trying to protect a document, only the new "Confidential" and "Confidential - View Only" templates that
  I know are provided by the Azure Rights Management Service.
  I have scoured the web and the Microsoft IT forums, but cannot find any information about restrictions on using on-premises AD RMS along with the Azure Rights Management Service at the same time. I really like the idea of using the Azure version as then
  our corporate users can get their policies on all their devices and when outside the network as well as the great new sharing options for other users outside the organization. However, I also need to have some more granular control over at least one template
  which I can do with the on-premises AD RMS.
  My question is: can you have both rights management services running at the same time? At this point, I may have to disable the Azure Rights Management Service in order to restore the previous functionality that my users are relying on, but I'd like to have
  both options available if possible and short of that, maybe migrate over to the Azure hosted version. In addition, is there any documentation that includes considerations for migrating from AD RMS to Azure RMS?

  "In addition, is there any documentation that includes considerations for migrating from AD RMS to Azure RMS?"
  Just in case you missed the announcement, migration from AD RMS to Azure RMS is now supported:
  Blog post announcement:
  http://blogs.technet.com/b/rms/archive/2015/01/29/january2015majorupdate.aspx
  Migration documentation:
  https://technet.microsoft.com/en-us/library/Dn858447.aspx

• AD RMS

  I have one AD RMS server installed in Dev environment. I want to ensure that users will be able to access the documents already secured and will be able to restrict access on new documents even if AD RMS server goes down for a while.I am testing it at
  my end but getting mixed results. So not clear with the results. I see some security settings in the AD RMS template but I am not clear with what does what.Please share your experience in case you have already worked on it.

  AD RMS might not be the right solution for your requirements. Azure RMS sounds like a much better fit for you.
  When a protected document is opened for the first time, RMS (both ADRMS and Azure RMS) must validate the user at least once. Then if the RMS template used to protect the document allows for offline access, then that same user can subsequently open that same
  document for the period of time defined in the RMS template (for example, up to 7 days). So during that 7 day offline period, the RMS service can be down and the user can still open the protected document, however, users who have not contacted the RMS service
  at least once will not be able to open the document when the RMS server is offline. That is why Azure RMS is a better fit for your needs, because a Cloud service is highly available, much more so that what most organizations can design for their on-premise
  environments. 
  For more information about RMS concepts, and what the security settings are in the RMS templates, see these URLS:
  RMS Concepts
  http://blogs.technet.com/b/rms/archive/2012/04/16/ad-rms-infrastructure-concepts-part-1.aspx
  RMS Whitepaper (July 2013)
  http://blogs.technet.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-03-58-79-43/Microsoft-Rights-Management-_2D00_-English-_2800_July-2013_2900_.docx
  Azure RMS Pricing
  http://blogs.technet.com/b/rms/archive/2013/07/16/azure-rms-pricing-and-availability.aspx
  RMS Prerequisites
  http://technet.microsoft.com/en-us/library/dd772659(v=ws.10).aspx
  RMS Team Blog
  http://blogs.technet.com/b/rms/
  Azure RMS on Technet
  http://technet.microsoft.com/en-us/library/jj585024
  How RMS protects documents
  http://blogs.technet.com/b/rms/archive/2012/04/16/licenses-and-certificates-and-how-ad-rms-protects-and-consumes-documents.aspx
  RMS Best Practices Guide
  http://technet.microsoft.com/en-us/library/jj735304.aspx
  IRM Deployment Guide in Office for Mac 2011
  http://www.microsoft.com/en-us/download/details.aspx?id=20825
  RMS Forum
  http://social.technet.microsoft.com/Forums/en-us/rms/threads
  RMS Troubleshooting Guide
  http://social.technet.microsoft.com/wiki/contents/articles/13130.ad-rms-troubleshooting-guide.aspx
  Joe Stocker www.TheCloudTechnologist.com

• RMS Client support for ADFS 3 with MFA

  We are using Azure RMS. The Users are synchronized from on-premise AD onto Azure AD. If we configure the Relying Party Trust for Azure RMS authentication with MFA (Multi-Factor-Authentication like SMS, OneTimeToken...), the User couldn't login from a Windows
  Client with the RMS Client installed.
  The reason is, that RMS Client only ask for username and password. A another box for OTP, SMS Code and so on doesn't appears.
  Because the login into Azure RMS to get access to protected documents is very sensitive, it should be able to using MFA with the RMS Client.
  Are there a timeline to implement MFA support in the RMS Client (e.q. for Windows)?
  Thanks for your help.

  Office apps have historically required app passwords since they didn't support MFA. Newer Office apps are now using modern authentication that allow sign-in through ADFS and/or Azure AD. If MFA is enabled in Azure AD for federated accounts, the primary
  authentication should be done by ADFS, after which Azure AD will perform the MFA. The new Android apps came out later than the new iOS apps. There is a blog post put out by the Office team with details on the modern auth for their apps at
  http://aka.ms/officemodernauth.