We’re delighted to bring information protection and rights management to Microsoft’s Office 365 Preview cloud offering with the today’s beta launch of Windows Azure Active Directory Rights Management. With Windows Azure AD Rights Management, customers can protect their data by encrypting and managing access rights, including Office documents, Exchange email, and SharePoint document libraries across Office 365 preview services and applications. The technology is highly integrated into Office 2013 Preview, Exchange Online Preview, and SharePoint Online Preview, and offers a seamless experience for both end users and administrators in document authoring, email, and SharePoint publishing.
Some of the benefits include:
Safeguarded sensitive information
Protection travels with the data
Integrated with Office 2013 Preview and Office 365 Preview services
Default information protection policies
Using Windows Azure AD Rights Management, all these scenarios are seamless enabled with no additional administrator installation or deployments required. Learn more about the Windows Azure AD Rights Management at our at Technet site.
Check back shortly for a follow on post from Tejas Patel, a program manager on the Windows Azure Active Directory Rights Management team, for detailed steps on how you can enable this with the Office 365 Preview.
great new! When talking about mobile devices I assume you're talking about Windows Phone? I assume to use ADRMS on Blackberry, Android and IPhone/IPad customers should use 3rd party like rmsviewer.com?
Regarding the "Azure" in "Azure ADRMS" - is it integrated into the "Azure AD"? That means no need for any on premise AD/RMS to use RMS with Office 365?
Thanks, we're excited too.
Mobile device support today is enabled either by an Exchange Active Sync (EAS) offer or a 3rd party solutions offer. Today Windows Mobile supports EAS in the native mail client. The Apple iOS native mail client does not enable this capability at this time but a recent Samsung Android phone does. Other vendors offer mobile applications to enable EAS on various platforms (e.g.: Nitrodesk) or offer solutions (e.g.: Gigatrust) to enable mobile phone support.
Regarding your topology question: That is correct. You can have an Exchange Online mailbox that is RMS enabled with no RMS deployment on premises.
Thanks for the comments.
Have a couple of questions for you.
1. Does Windows Azure Active Directory Rights Management (here and after AADRM) works the same way with AD FS in x-org scenarios? I mean the scenarios when Office 2013 or Office 265 Enterprise user protects document with AADRM for partner in another company.
2. Does AADRM supports TUD and TPD for migration cases and legacy infrastructures?
3. And the last question for the moment. In your comment for your another blog post at blogs.technet.com/.../enabling-windows-azure-rights-managment-in-office-365-enterprise-preview.aspx you said that AADRM uses Cryptographic Mode 2 (and thats why Mac isn't supported). But Windows Mobile also doesn't support Cryptographic Mode 2 (accordingly to the FAQ at technet.microsoft.com/.../hh867439(WS.10).aspx). And AFAIK it also doesn't support MS-ASRM protocol (msdn.microsoft.com/.../ff631362(v=exchg.80)) Can you clarify this point?
Sorry for the delay. Thank you for your questions. Here are replied we hope cover your thoughts:
1) AADRM and cross organization scenarios: Our general philosophy is that if you can send unprotected email to someone you should be able to send them protected email. Most readers of this blog are likely to realize that this is not a quite seamless process given the involved identity providers must be federated for this flow to be authenticated. AADRM is currently focused at supporting the Office 365 deployments. In that environment we automatically 'federate' to all other Office 365 organizations to make for simple, secure collaboration. On-premises today AD RMS enables collaboration when two organizations enable trust of their RMS systems (TUD relationship; ADFS federation). The cross-type collaboration (on-premise to cloud; cloud to on-premise) is not yet supported through this same mechanism but is something we're focused on. As of now, if an organization setups up an Office 365 federation (DirSync) then they meet the prior cloud/cloud criteria. We're working on enabling companies to federate in this manner without having to purchase the fuller Office 365 suite (e.g.: email or SharePoint services). This is known as Azure Active Directory services and you can read more about this on Kim's blog at www.identityblog.com
2) AADRM and TUD/TPD: At this moment AADRM does not support TUD or TPD imports/exports to on-premises RMS deployments. Given the above, and the fact that our clients will make use of the sender's RM service, we're not seeing an urgent need. Is there a particular scenario you're looking to support?
3) AADRM and crypto mode 2: Windows Phone (and other mobile platforms) use the Exchange Active Sync method of support RMS. This lets it consume email protected with AADRM without modification. Windows Mobile 6.x does not support Cyptographic Mode 2 so it is not supported. We are in the processing of bringing our Rights Management SDK v2.0 (aka MSIPC) to other platforms as native implementations. We have no dates to share right now but we're well aware of information protection needing to be 'everywhere our users are'. Before too long we'll have support for Windows, WinRT/Metro, Windows Mobile, iOS, and Mac. In the meantime implementations using Exchange Active Sync work for most common cases. e.g.: I have a Kindle FIRE running Nitrodesk's TouchDown mail client that lets me read my protected emails.
Thanks again for given us the opportunity to share these details.
Thanks for your reply. It's really interesting.
Especially that you don't support TPD and TUD in AADRMS. Because here at AADRMS Tech Center (technet.microsoft.com/.../jj585001) we can find the example of using PowerShell commandlet for importing TPD. And another one quite interesting thing is listing and setting URL for migrating rights managed contend described here at technet.microsoft.com/.../jj584998. It seems like TUD scenarios. I can't say that I have the real case around this but I probably know how deeply I diving into AD RMS from my blog posts (e.g. blogs.technet.com/.../ad-rms-under-the-hood-server-bootstrapping.aspx) ;)
And the last one one question for now is about revoking RAC. Is it available with AADRMS?
We're focused the core, volume use patterns. Over time we'll light up many other capabilities. We'll post more about bootstrapping and the client licensing model in a future post.
PS: The commands you call out have to do with Exchange's use of RMS or migrating out of AADRM.
Having issues with IRM and Exchange Online:
I have a Hybrid Deployment with all mailboxes in the cloud, using MSDSO (Azure AD) and Dirsync. I have a few Educational A3 licenses which have the RMS feature, see below. I enabled AADRM but cant run Enable-OrganizationCustomization which I assume because it was enabled during Hybrid configuration. The next road block seems to be Set-IRMConfiguration –RMSOnlineKeySharingLocation "sp-rms.na.aadrm.com/.../ServicePartner.svc". There is no command for -RMSOnlineKeySharingLocation when I tab through set-irmconfigurations commands. What am I missing here? Thanks in advance for any information.
Get-MsolUser -UserPrincipalName "UPN").Licenses.ServiceStatus
@Nick: I can't say for sure without more data, but the error you are seeing is consistent with your O365 tenant being running on the previous version (v.14), not 2013 (v.15). The command you are trying to use is only available on 2013. If you created your tenant more than a few weeks ago you might still be on that version.
I have two questions.
1. Does Azure AD RMS within Office 365 support external users, i.e. users with an individual Microsoft Account (e.g. outlook.com)? I tried it with a pilot configuration, but without any luck.
2. My understanding is that in order to use the 'cloud' version of RMS we need to install the RMS Client 2.1 on client machines. Does this client support Office 2010 on for example a Windows 7 machine? Because we tried it in Word and the result was that we keep getting the 'old' signin interface for Windows Live ID accounts.
Any experience with this situation, anyone?
here are my "2 cents" and I hope, that can help you.
--> 1.) Yes, external users are supportet. When you go to the website http://portal.aadrm.com/ you can using any eMail adress... But, with my experirence, there is general an issue with eMail adresses from LiveID with the same credentials inside Office 365 / Azure Active Directory. Since two or three years, there is a not fixed problem. It is very better, when you're using an eMail address to register at http://portal.aadrm.com/ that dosn't a LiveID, too!
I tried it and it is working very fine ;-)
For better understanding. When you register your eMail address at http://portal.aadrm.com/, you are creating a Microsoft Azure Active Directory Account and a New Organization. So, when you logon with that ID, the ADFS and STS based login sites dosn't "know" what is the right directory for your logn... This is only my personal thinking of that problem ;-)
--> 2.) Yes, the current client at http://portal.aadrm.com/ support Microsoft Office 2010. At the end of August was some updates. Please try the new version. Look at the article blogs.technet.com/.../the-new-microsoft-rms-is-live-in-preview.aspx
[MVP Office 365]