Dedicated and ITAR-support Plans

Information Rights Management

New Activation Scenarios for Office 365 Dedicated

Applies to: Exchange Online Dedicated & SharePoint Online Dedicated - Legacy & vNext Releases

Topic Last Modified: 30-Dec-2015

The Information Rights Management (IRM) feature of Exchange Online Dedicated and SharePoint Online Dedicated utilizes rights management technology developed by Microsoft. Service implementations to support the IRM feature set are provided by Active Directory Rights Management Services (AD RMS) and Azure Rights Management Services (Azure RMS). The legacy IRM offering for Exchange Online Dedicated and SharePoint Online Dedicated has relied upon the availability of AD RMS hosted within the Office 365 Dedicated operating environment in addition to the use of comparable AD RMS infrastructure within the customer premises environment. The legacy release of the ANSI 2013 platform of Exchange Online Dedicated in addition to the vNext releases of Exchange Online Dedicated and SharePoint Online Dedicated are now able to utilize Azure RMS. The cloud based Azure RMS offering provides content protection features that can be extended beyond your enterprise and also offers common third-party mobile devices support, reduced rights management infrastructure costs, and simplified administration of rights management protection services. Rights management activation scenarios for IRM, the readiness steps involved for each scenario, specific guidance for multi-region customers, and the use of Azure RMS without integration with Office 365 Dedicated are described in the sections below.

Note: Unless otherwise stated in the material, the implementation concepts for the International Traffic in Arms Regulations (ITAR-support) version of Exchange Online and SharePoint Online will be similar to the material described in this document; specific guidance will be forthcoming.

Information Rights Management Activation Scenarios EXO-D & SPO-D - Legacy & vNext Releases Office 365 Dedicated & ITAR-Support Plans (c) 2015 Microsoft Corporation. All rights reserved.

Page 1 of 7

Dedicated and ITAR-support Plans

Rights Management New Activation Scenarios

Typical scenarios for a new rights management services implementation for Exchange Online Dedicated and SharePoint Online Dedicated include the following:

Use of your on-premises AD RMS implementation to support Exchange Online (applies to Exchange Online only)

Activation of a new Azure RMS instance (applies to legacy and vNext releases of Exchange Online and/or only the vNext release of SharePoint Online)

For the scenarios described, your organization has not been using (a) the legacy hosted AD RMS solution for Office 365 Dedicated or (b) Azure RMS to protect your Exchange Online or SharePoint Online content.

Notes:

1. SharePoint Online Dedicated only supports integration with Azure RMS; the SharePoint Online operational environment must be the vNext release.

2. Exchange Online Dedicated can utilize either your on-premises AD RMS implementation or Azure RMS; the Exchange Online operational environment must be the ANSI 2013 or vNext release.

3. The Bring Your Own Key (BYOK) option with Azure RMS (also known as the Azure Key Vault) involves the transfer of your own on-premises key to Microsoft via a Hardware Security Module (HSM). This capability is not fully compatible with Exchange Online at this time. It is recommended that you allow Azure RMS to generate and manage your encryption key. The same key will be used for Exchange Online and SharePoint Online. See Planning and Implementing Your Azure Rights Management Tenant Key for additional information.


Use of On-premises AD RMS with Exchange Online

If your organization has an established AD RMS implementation on-premises, the integration of this configuration with Exchange Online Dedicated (ANSI 2013 or vNext release) is an IRM option.

Important:

The integration of Exchange Online with an on-premises AD RMS implementation is possible at this time; however, the current Exchange Online service roadmap does not include future support for this configuration. The use of Azure RMS as a long term rights management infrastructure solution is recommended.

To utilize on-premises AD RMS infrastructure, your configuration must meet the following requirements:

1. At least one functional (production ready) on-premises AD RMS cluster must exist for each on-premises Active Directory forest. If rights-protected content will need to be shared across forests, both forests must have AD RMS deployed and a Trusted User Domain (TUD) must be exchanged between the clusters.

2. To view protected content (including mail messages in Outlook), the clients that utilize your Exchange Online environment must have connectivity with, and access to, the on-premises AD RMS cluster that was used to protect the content.

3. At least one Trusted Publishing Domain (TPD) must be imported from your on-premises AD RMS environment into Exchange Online. If you have multiple AD RMS certification or licensing clusters, you can import one TPD, selected TPDs, or all TPDs based upon your usage scenario. Exchange Online will only be able to decrypt content associated with an imported TPD.

Note:

For multi-region customers, a TPD from one of the regions must become the default TPD. Any content protected within Exchange Online Dedicated will be protected using this TPD. If your online environment spans two regions (e.g., North America and Europe), all users will connect to the same on-premises AD RMS cluster to request a license. See the Multi-region Customers section for additional information.

4. Your on-premises AD RMS servers must be Windows Server 2008 or later.


If your organization has an on-premises implementation of AD RMS, you must perform the following steps to integrate your Exchange Online Dedicated instance with your on-premises AD RMS implementation:

1. Import at least one TPD from your on-premises AD RMS environment into Exchange Online Dedicated as your primary/active key. If you have several AD RMS clusters, you can import TPD keys from any or all of the clusters that are associated with on-premises Exchange environments that will interact with Exchange Online Dedicated. See Configure IRM to use an on-premises AD RMS server for more information. To perform the required administrative actions within Exchange Online Dedicated, you must be a member of the Records Management role group (legacy ANSI 2013 or vNext releases) or the Organization Management role group (vNext release only).

2. Complete the steps within Configure IRM to use an on-premises AD RMS server to apply a rights policy template and to enable IRM.
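The two steps above, carried out from an Exchange Online remote PowerShell session, as an added example that is not part of the original document or the referenced article. The TPD file path, cluster licensing URLs, template name and sender address are placeholders; the session is assumed to be open under an account holding the required role group.

```powershell
# Added example: integrate Exchange Online Dedicated with on-premises AD RMS.
# Assumes an Exchange Online remote PowerShell session is already open and the
# account holds the Records Management (or Organization Management) role.
# All paths, URLs, names and addresses below are placeholders.

# Step 1: read the TPD exported from the on-premises AD RMS cluster and import
# it as the default (primary/active) TPD. The export password protects the
# cluster's private key, so prompt for it rather than embedding it in a script.
$tpdFile  = "C:\TPD\ExportedTPD.xml"
$tpdBytes = [byte[]](Get-Content -Path $tpdFile -Encoding Byte -ReadCount 0)
$tpdPass  = Read-Host -Prompt "TPD export password" -AsSecureString

Import-RMSTrustedPublishingDomain -FileData $tpdBytes `
    -Name "Contoso AD RMS (default)" `
    -Password $tpdPass `
    -ExtranetLicensingUrl "https://rms.contoso.com/_wmcs/licensing" `
    -IntranetLicensingUrl "https://rms.contoso.com/_wmcs/licensing" `
    -Default

# A TPD from a second cluster is imported the same way but without -Default;
# Exchange Online can then decrypt content protected by that cluster as well,
# while new protection still uses the default TPD.

# Step 2: distribute at least one rights policy template that arrived with the
# TPD, then enable IRM for internal licensing so transport protection rules
# and Outlook on the Web can protect and decrypt content.
Get-RMSTemplate | Format-Table Name, Type
Set-RMSTemplate -Identity "Contoso Confidential" -Type Distributed
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verification: a FAIL line in the test output points at the TPD import or
# the licensing URLs, which is what to check before involving end users.
Test-IRMConfiguration -Sender user@contoso.com
Get-IRMConfiguration | Format-List InternalLicensingEnabled
```

Clients still need network reachability to the on-premises licensing URL given above (requirement 2 in the previous list); the cmdlets only verify the Exchange Online side.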

Activation of New Azure RMS Instance

If your organization does not have an existing rights management implementation associated with Exchange Online Dedicated or SharePoint Online Dedicated and you intend to integrate Azure RMS with these online services, refer to the article collection Getting Started with Azure Rights Management for introductory information. In addition, your rights management implementation must meet the following requirements:

1. Your organization must be licensed to use Azure RMS. Licenses are included with the Office 365 Enterprise E3 and E4 license plans; an Azure RMS license can be purchased for other plan types.

2. You must be using an Active Directory synchronization tool provided by Microsoft to synchronize your on-premises directory to Azure Active Directory. Use of Azure Active Directory Connect (AAD Connect) is recommended.

3. Clients must use a minimum of Windows 7, Office 2010, and the Rights Management Sharing Application for Windows. Since Office 2013 clients provide native Azure RMS integration, installation of the sharing application is not required. Outlook for Mac and Office for Mac 2016 also provide native support for Azure RMS.

4. To view protected content (including mail messages in Outlook), the client must have Internet connectivity to access the Azure RMS endpoints.

5. Only the vNext release of SharePoint Online Dedicated can be integrated with Azure RMS; the legacy release of SharePoint Online Dedicated cannot be accommodated.


To integrate Azure RMS with Exchange Online Dedicated and/or SharePoint Online Dedicated, you must perform the following:

1. Activate Azure Rights Management in the Office 365 admin center and then configure Exchange Online and/or SharePoint Online to use Azure RMS. The steps to configure Exchange Online to use Azure RMS are described in the Configure IRM to use Azure Rights Management article. To perform the required administrative actions within Exchange Online Dedicated, you must be a member of the Records Management role group (legacy ANSI 2013 or vNext releases) or the Organization Management role group (vNext release). The steps to configure SharePoint Online Dedicated vNext to use Azure RMS are described in Set up Information Rights Management (IRM) in SharePoint admin center.

Notes:

1. If your organization is in possession of legacy Trusted Publishing Domain (TPD) keys from a former AD RMS installation, you can upload these keys following the instructions provided in Configure IRM to use Azure Rights Management. Loading the keys within Azure RMS allows legacy protected content to be decrypted.

2. If your online environment spans two geographic regions (e.g., North America and Europe), all users will connect to the same Azure RMS instance (single geographic region) to request a license. See the Multi-region Customers section for additional information.

3. If your organization already has an active Azure RMS tenant, you can integrate this tenant with your Exchange Online and/or SharePoint Online service instance of Office 365 Dedicated. Since your customer domain names have a 1:1 relationship with a single Azure RMS tenant ID, your Exchange Online and SharePoint Online instances must use the same tenant ID. If your organization has more than one Office 365 tenant (e.g., an Office 365 Dedicated and an Office 365 multi-tenant instance), the sharing of IRM content will work properly between the tenants since this is a native capability of Azure RMS.
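The Exchange Online side of the Azure RMS activation described above, from an Exchange Online remote PowerShell session, as an added example that is not part of the original document or the referenced article. The key-sharing URL is assumed to be the one for your tenant's single Azure RMS region (note 2); the sender address is a placeholder.

```powershell
# Added example: point Exchange Online Dedicated at Azure RMS.
# Assumes Azure Rights Management is already activated in the Office 365
# admin center, an Exchange Online remote PowerShell session is open, and the
# account holds the Records Management (or Organization Management) role.
# The URL below is an assumed North America endpoint; every user in a
# multi-region deployment ends up on this one region (note 2 above).
$keySharingUrl = "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

# Step 1: tell Exchange Online where to obtain the Azure RMS tenant key, then
# import the Azure RMS TPD. -RMSOnline replaces the file-based TPD import used
# for an on-premises AD RMS cluster; no exported key file or password is needed
# because Azure RMS generates and holds the tenant key.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingUrl
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

# Step 2: confirm Exchange Online can reach Azure RMS before enabling IRM.
# Enabling internal licensing is what lets transport protection rules and
# Outlook on the Web protect and decrypt content.
Test-IRMConfiguration -RMSOnline
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verification for a mailbox user; each PASS/FAIL line names the stage that
# broke (key sharing, TPD, template retrieval, licensing).
Test-IRMConfiguration -Sender user@contoso.com
Get-IRMConfiguration | Format-List InternalLicensingEnabled, RMSOnlineKeySharingLocation

# Legacy AD RMS TPD keys (note 1 above) are loaded into the Azure RMS tenant
# itself so old content stays readable; that step is not shown here.
```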


Multi-Region Customers

As an Exchange Online Dedicated (ANSI 2013 or vNext release) and/or SharePoint Online Dedicated (vNext release only) customer, your organization can choose either on-premises AD RMS integration or Azure RMS, based upon the valid implementation scenarios described above. In either case, you will have one (1) authoritative rights management environment that is used to protect new content.

In the case of on-premises AD RMS use, any content protected by Exchange Online Dedicated involves the use of the single cluster key of the on-premises environment regardless of the geographic location of the user. When decrypting content protected by Exchange Online Dedicated, the user will need to connect to the on-premises cluster to request a use license.

If two users in disparate business groups or geographically different locations receive IRM-protected content that was protected by Exchange Online Dedicated, those users will connect to the same on-premises AD RMS cluster to request a use license. Scenarios involving the application of IRM by Exchange Online Dedicated to protect content include applying rights management templates within Outlook on the Web (formerly Outlook Web App) or a transport protection rule.

The "single key" scenario does not apply when an on-premises AD RMS cluster was engaged by a "thick" client application (e.g., Outlook or other Microsoft Office applications) to protect content. In this scenario, the client will connect to whichever on-premises AD RMS cluster is associated with that protected content.

When using Azure RMS, the "single key" concept broadly applies. Your multi-region clients become associated with a single Azure RMS region (e.g., North America or EMEA). The single region Azure RMS assignment will be used by all client types in your environment regardless of their business unit affiliation or geographic location.


Azure RMS Use Without Office 365 Dedicated Integration

If you are an existing Office 365 Dedicated customer without an integrated rights management implementation for Exchange Online Dedicated or SharePoint Online Dedicated, your organization can consider the use of Azure RMS for specific, limited-purpose content protection scenarios. Usage examples include the following:

Anticipation of an expected and/or pending migration to the vNext releases of Exchange Online Dedicated and SharePoint Online Dedicated

Pre-purchased service subscriptions that include Azure RMS licenses

Plethora of Azure RMS benefits for mobile clients (e.g., iOS and Android support)

You should review the guidelines described in Configuring Azure Rights Management. Important topics to review are establishing directory synchronization with Azure Active Directory (see Preparing for Azure Rights Management), Activating Azure Rights Management, and other customer-driven tasks.

Configuration changes are not required for your clients. The client decision tree to locate RMS services is as follows:

1. If a registry override exists, use the RMS infrastructure specified.

2. If not, determine if a Service Connection Point exists.

3. If not, perform an Azure RMS discovery.

Installation of the RMS Sharing App on all clients in your environment is recommended. Besides introducing support for native or raw file encryption, the app also bundles all prerequisites for an Office 2010 or 2013 client into a single package to make the deployment and initialization of Azure RMS use as simple as possible. See Rights Management sharing application user guide for more information.

If you use Azure RMS prior to migrating to a vNext service release, the rights management instance that is created will not be integrated with your legacy release of Exchange Online Dedicated or SharePoint Online Dedicated. End users will have the ability to author and consume rights-protected content on their clients (e.g., Outlook to Outlook); however, no backend features will be available. Examples include the following:

Rendering of protected content in Outlook for the Web (formerly OWA)

Journal Decryption of protected content

Transport Protection and Decryption Rules

SharePoint Library IRM protection
