Azure Rights Management

Azure Rights Management (often abbreviated to Azure RMS) is the protection technology used by Azure Information Protection.

Helps classify, label and protect confidential documents and emails persistently. Access to information can also be controlled by specifying permissions on shared data. It’s simple to use and deeply integrated with Office 365.

What is Azure Rights Management?

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are deprecated as of March 31, 2021. While the classic client continues to work as configured, no further support is provided, and maintenance versions will no longer be released for the classic client.

We recommend that you migrate to unified labeling and upgrade to the unified labeling client. Learn more in our recent deprecation blog.

Azure Rights Management (Azure RMS) is the cloud-based protection technology used by Azure Information Protection.

Azure RMS helps to protect files and emails across multiple devices, including phones, tablets, and PCs by using encryption, identity, and authorization policies.

For example, when employees email a document to a partner company, or save a document to their cloud drive, Azure RMS's persistent protection helps secure the data.

  • Protection settings remain with your data, even when it leaves your organization's boundaries, keeping your content protected both within and outside your organization.
  • Azure RMS may be legally required for compliance, legal discovery requirements, or best practices for information management.
  • Use Azure RMS with Microsoft 365 subscriptions or subscriptions for Azure Information Protection. For more information, see the Microsoft 365 licensing guidance for security & compliance page.

Azure RMS ensures that authorized people and services, such as search and indexing, can continue to read and inspect the protected data.

Ensuring ongoing access for authorized people and services, also known as "reasoning over data", is a crucial element in maintaining control of your organization's data. This capability may not be easily accomplished with other information protection solutions that use peer-to-peer encryption.

Protection features

  • Protect multiple file types: In early implementations of Rights Management, only Office files could be protected, using built-in Rights Management protection. Azure Information Protection provides support for additional file types. For more information, see Supported file types.
  • Protect files anywhere: When a file is protected, the protection stays with the file, even if it is saved or copied to storage that is not under the control of IT, such as a cloud storage service.

Collaboration features

  • Safely share information: Protected files are safe to share with others, such as an attachment to an email or a link to a SharePoint site. If the sensitive information is within an email message, protect the email, or use the Do Not Forward option from Outlook.
  • Support for business-to-business collaboration: Because Azure Rights Management is a cloud service, there’s no need to explicitly configure trusts with other organizations before you can share protected content with them. Collaboration with other organizations that already have a Microsoft 365 or an Azure AD directory is automatically supported. For organizations without Microsoft 365 or an Azure AD directory, users can sign up for the free RMS for individuals subscription, or use a Microsoft account for supported applications.

 Tip

Attaching protected files, rather than protecting an entire email message, enables you to keep the email text unencrypted.

For example, you may want to include instructions for first-time use if the email is being sent outside your organization. If you attach a protected file, the basic instructions can be read by anyone, but only authorized users will be able to open the document, even if the email or document is forwarded to other people.

Platform support features

Azure RMS supports a broad range of platforms and applications, including:

  • Commonly used devices, not just Windows computers. Client devices include:
    • Windows computers and phones
    • Mac computers
    • iOS tablets and phones
    • Android tablets and phones
  • On-premises services: In addition to working seamlessly with Office 365, use Azure Rights Management with the following on-premises services when you deploy the RMS connector:
    • Exchange Server
    • SharePoint Server
    • Windows Server running File Classification Infrastructure
  • Application extensibility: Azure Rights Management has tight integration with Microsoft Office applications and services, and extends support for other applications by using the Azure Information Protection client. The Microsoft Information Protection SDK provides your internal developers and software vendors with APIs to write custom applications that support Azure Information Protection. For more information, see Other applications that support the Rights Management APIs.

Infrastructure features

Azure RMS provides the following features to support IT departments and infrastructure organizations:

 Note

Organizations always have the choice to stop using the Azure Rights Management service without losing access to content that was previously protected by Azure Rights Management.

For more information, see Decommissioning and deactivating Azure Rights Management.

Create simple and flexible policies

Customized protection templates provide a quick and easy solution for administrators to apply policies, and for users to apply the correct level of protection for each document and restrict access to people inside your organization.

For example, for a company-wide strategy paper to be shared with all employees, apply a read-only policy to all internal employees. For a more sensitive document, such as a financial report, restrict access to executives only.

Configure your labeling policies in the Microsoft 365 compliance center.

Easy activation

For new subscriptions, activation is automatic. For existing subscriptions, activating the Rights Management service requires just a couple of clicks in your management portal, or two PowerShell commands.

Auditing and monitoring services

Audit and monitor usage of your protected files, even after these files leave your organization’s boundaries.

For example, if a Contoso, Ltd employee works on a joint project with three people from Fabrikam, Inc, they might send their Fabrikam partners a document that's protected and restricted to read-only.

Azure RMS auditing can provide the following information:

  • Whether the Fabrikam partners opened the document, and when.
  • Whether other people, who were not specified, attempted and failed to open the document. This might happen if the email was forwarded on, or saved to a shared location.

AIP administrators can track document usage and revoke access for Office files. Users can revoke access for their protected documents as needed.

Ability to scale across your organization

Because Azure Rights Management runs as a cloud service with the Azure elasticity to scale up and out, you don’t have to provision or deploy additional on-premises servers.

Maintain IT control over data

Organizations can benefit from IT control features, such as:

  • Tenant key management: Use tenant key management solutions, such as Bring Your Own Key (BYOK) or Double Key Encryption (DKE). For more information, see Planning and implementing your AIP tenant key, and DKE in the Microsoft 365 documentation.
  • Auditing and usage logging: Use auditing and usage logging features to analyze for business insights, monitor for abuse, and perform forensic analysis for information leaks.
  • Access delegation: Delegate access with the super user feature, ensuring that IT can always access protected content, even if a document was protected by an employee who then leaves the organization. In comparison, peer-to-peer encryption solutions risk losing access to company data.
  • Active Directory synchronization: Synchronize just the directory attributes that Azure RMS needs to support a common identity for your on-premises Active Directory accounts, by using a hybrid identity solution, such as Azure AD Connect.
  • Single sign-on: Enable single sign-on without replicating passwords to the cloud, by using AD FS.
  • Migration from AD RMS: If you've deployed Active Directory Rights Management Services (AD RMS), migrate to the Azure Rights Management service without losing access to data that was previously protected by AD RMS.

Security, compliance, and regulatory requirements

Azure Rights Management supports the following security, compliance, and regulatory requirements:

  • Azure Rights Management uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East and Africa), and Asia, so your keys can be used only in your region.
  • Certification for the following standards:
    • ISO/IEC 27001:2013 (includes ISO/IEC 27018)
    • SOC 2 SSAE 16/ISAE 3402 attestations
    • HIPAA BAA
    • EU Model Clause
    • FedRAMP as part of Azure Active Directory in Office 365 certification, issued FedRAMP Agency Authority to Operate by HHS
    • PCI DSS Level 1

For more information about these external certifications, see the Azure Trust Center.

 

   
   
   
   
