The Official RMS Team Blog

Your official source for all the latest news and tech tips for Microsoft AD RMS and Azure RMS.

Windows Azure Active Directory Rights Management Preview now available

Windows Azure Active Directory Rights Management Preview now available

  • Comments 16
  • Likes

We’re delighted to bring information protection and rights management to Microsoft’s Office 365 Preview cloud offering with the today’s beta launch of Windows Azure Active Directory Rights Management. With Windows Azure AD Rights Management, customers can protect their data by encrypting and managing access rights, including Office documents, Exchange email, and SharePoint document libraries across Office 365 preview services and applications. The technology is highly integrated into Office 2013 Preview, Exchange Online Preview, and SharePoint Online Preview, and offers a seamless experience for both end users and administrators in document authoring, email, and SharePoint publishing.

Some of the benefits include:

Safeguarded sensitive information

  • Users can protect their data directly using the Office Suite and ISV rights-management enabled applications.  No additional steps are required – authoring documents, sending email, and publishing to SharePoint offer a consistent data protection experience.

Protection travels with the data

  • Customers remain in control of who has access to their data, whether in the cloud, existing IT infrastructure, or at the user’s desktop. Customers can choose to encrypt their data and restrict access according to their business requirements.

Integrated with Office 2013 Preview and Office 365 Preview services

  • Consistent rights management policy and data protection is applied and enforced throughout the Office 365 services and Office applications. Users can author, access, and manage their information safely, whether from a mobile device, Windows desktop, file share, email, or SharePoint libraries.  Customers can choose to collaborate and share their data securely with other Office 365 users, and know their policies are enforced consistently and their information remains protected.

Default information protection policies

  • Administrators and users can use standard policies for many common business scenarios: "Company Confidential –Read Only" and "Do Not Forward." A rich set of usage rights are supported such as read, copy, print, save, edit, and forward to allow flexibility in defining custom usage rights.

Using Windows Azure AD Rights Management, all these scenarios are seamless enabled with no additional administrator installation or deployments required. Learn more about the Windows Azure AD Rights Management at our at Technet site.

Check back shortly for a follow on post from Tejas Patel, a program manager on the Windows Azure Active Directory Rights Management team, for detailed steps on how you can enable this with the Office 365 Preview.




  • Hi Dan,

    great new! When talking about mobile devices I assume you're talking about Windows Phone? I assume to use ADRMS on Blackberry, Android and IPhone/IPad customers should use 3rd party like

    Regarding the "Azure" in "Azure ADRMS" - is it integrated into the "Azure AD"? That means no need for any on premise AD/RMS to use RMS with Office 365?



  • Hi Lisa,

    Thanks, we're excited too.

    Mobile device support today is enabled either by an Exchange Active Sync (EAS) offer or a 3rd party solutions offer. Today Windows Mobile supports EAS in the native mail client. The Apple iOS native mail client does not enable this capability at this time but a recent Samsung Android phone does. Other vendors offer mobile applications to enable EAS on various platforms (e.g.: Nitrodesk) or offer solutions (e.g.: Gigatrust) to enable mobile phone support.

    Regarding your topology question: That is correct. You can have an Exchange Online mailbox that is RMS enabled with no RMS deployment on premises.  

    Thanks for the comments.

  • Hi Dan,

    Have a couple of questions for you.

    1. Does Windows Azure Active Directory Rights Management (here and after AADRM) works the same way with AD FS in x-org scenarios? I mean the scenarios when Office 2013 or Office 265 Enterprise user protects document with AADRM for partner in another company.

    2. Does AADRM supports TUD and TPD for migration cases and legacy infrastructures?

    3. And the last question for the moment. In your comment for your another blog post at you said that AADRM uses Cryptographic Mode 2 (and thats why Mac isn't supported). But Windows Mobile also doesn't support Cryptographic Mode 2 (accordingly to the FAQ at And AFAIK it also doesn't support MS-ASRM protocol ( Can you clarify this point?

  • Hi Alexey,

    Sorry for the delay. Thank you for your questions. Here are replied we hope cover your thoughts:

    1) AADRM and cross organization scenarios: Our general philosophy is that if you can send unprotected email to someone you should be able to send them protected email. Most readers of this blog are likely to realize that this is not a quite seamless process given the involved identity providers must be federated for this flow to be authenticated. AADRM is currently focused at supporting the Office 365 deployments. In that environment we automatically 'federate' to all other Office 365 organizations to make for simple, secure collaboration. On-premises today AD RMS enables collaboration when two organizations enable trust of their RMS systems (TUD relationship; ADFS federation). The cross-type collaboration (on-premise to cloud; cloud to on-premise) is not yet supported through this same mechanism but is something we're focused on. As of now, if an organization setups up an Office 365 federation (DirSync) then they meet the prior cloud/cloud criteria. We're working on enabling companies to federate in this manner without having to purchase the fuller Office 365 suite (e.g.: email or SharePoint services). This is known as  Azure Active Directory services and you can read more about this on Kim's blog at

    2) AADRM and TUD/TPD: At this moment AADRM does not support TUD or TPD imports/exports to on-premises RMS deployments. Given the above, and the fact that our clients will make use of the sender's RM service, we're not seeing an urgent need. Is there a particular scenario you're looking to support?

    3) AADRM and crypto mode 2: Windows Phone (and other mobile platforms) use the Exchange Active Sync method of support RMS. This lets it consume email protected with AADRM without modification. Windows Mobile 6.x does not support Cyptographic Mode 2 so it is not supported. We are in the processing of bringing our Rights Management SDK v2.0 (aka MSIPC) to other platforms as native implementations. We have no dates to share right now but we're well aware of information protection needing to be 'everywhere our users are'. Before too long we'll have support for Windows, WinRT/Metro, Windows Mobile, iOS, and Mac. In the meantime implementations using Exchange Active Sync work for most common cases. e.g.: I have a Kindle FIRE running Nitrodesk's TouchDown mail client that lets me read my protected emails.

    Thanks again for given us the opportunity to share these details.

  • Hey Dan,

    Thanks for your reply. It's really interesting.

    Especially that you don't support TPD and TUD in AADRMS. Because here at AADRMS Tech Center ( we can find the example of using PowerShell commandlet for importing TPD. And another one quite interesting thing is listing and setting URL for migrating rights managed contend described here at It seems like TUD scenarios. I can't say that I have the real case around this but I probably know how deeply I diving into AD RMS from my blog posts (e.g. ;)

    And the last one one question for now is about revoking RAC. Is it available with AADRMS?

  • Hi Alexey,

    We're focused the core, volume use patterns. Over time we'll light up many other capabilities. We'll post more about bootstrapping and the client licensing model in a future post.

    PS: The commands you call out have to do with Exchange's use of RMS or migrating out of AADRM.

  • Having issues with IRM and Exchange Online:

    I have a Hybrid Deployment with all mailboxes in the cloud, using MSDSO (Azure AD) and Dirsync. I have a few Educational A3 licenses which have the RMS feature, see below. I enabled AADRM but cant run Enable-OrganizationCustomization which I assume because it was enabled during Hybrid configuration. The next road block seems to be Set-IRMConfiguration –RMSOnlineKeySharingLocation "". There is no command for -RMSOnlineKeySharingLocation when I tab through set-irmconfigurations commands. What am I missing here? Thanks in advance for any information.

    Get-MsolUser -UserPrincipalName "UPN").Licenses[0].ServiceStatus

    ServicePlan ProvisioningStatus

    ----------- ------------------

    RMS_S_ENTERPRISE PendingInput






  • @Nick: I can't say for sure without more data, but the error you are seeing is consistent with your O365 tenant being running on the previous version (v.14), not 2013 (v.15). The command you are trying to use is only available on 2013. If you created your tenant more than a few weeks ago you might still be on that version.

  • Hi,

    I have two questions.

    1. Does Azure AD RMS within Office 365 support external users, i.e. users with an individual Microsoft Account (e.g. I tried it with a pilot configuration, but without any luck.

    2. My understanding is that in order  to use the 'cloud' version of RMS we need to install the RMS Client 2.1 on client machines. Does this client support Office 2010 on for example a Windows 7 machine? Because we tried it in Word and the result was that we keep getting the 'old'  signin interface for Windows Live ID accounts.

    Any experience with this situation, anyone?

    Many thanks,


  • HI @Peter_MS,

    here are my "2 cents" and I hope, that can help you.

    --> 1.) Yes, external users are supportet. When you go to the website you can using any eMail adress... But, with my experirence, there is general an issue with eMail adresses from LiveID with the same credentials inside Office 365 / Azure Active Directory. Since two or three years, there is a not fixed problem. It is very better, when you're using an eMail address to register at that dosn't a LiveID, too!

    I tried it and it is working very fine ;-)

    For better understanding. When you register your eMail address at, you are creating a Microsoft Azure Active Directory Account and a New Organization. So, when you logon with that ID, the ADFS and STS based login sites dosn't "know" what is the right directory for your logn... This is only my personal thinking of that problem ;-)

    --> 2.) Yes, the current client at  support Microsoft Office 2010. At the end of August was some updates. Please try the new version. Look at the article



    [MVP Office 365]

  • Very interesting discussion. I wonder how the Licensing only feature is mapped in Azore RMS. so instead of hosting windows server, the enterprise host connector on the server, and that is all? SQL are taken care of by MS?

  • I wonder if the concept of segregated Licensing Only servers sub-enrolled disappear with Azure RMS?. How could that role work with LO concept behind?

  • One more interesting question, whcih I have benn wondering about. Cloud balancing and Cloud bursting are some basic cloud characterstics. In Microsoft work cloud bursting, I think has been addressed as portbailtiy, means that the application can be moved back and forth between a hosted data center and an on-premises data center without any modifications to the application's code or its operations. If both options are available, the risks of using the cloud are reduced.
    How these two have been addressed in Azure RMS?

  • Hi Dan,

    I would like to know if AD RMS to Azure RMS migration is possible? If yes what are the steps to be taken.
    If no then what can an organiztion do who have AD RMS Infra and would like to move to Azure? Is there any way where we can have AD RMS and Azure RMS running side by side?

  • Last year we had a grant and 365 was installed on our system, but not much follow up. searching on line regarding encryption I came across Windows Azure Rights Management Office 365 Enterprise. we received 365 as a not for profit agency. I am not sure if there is a cost related to your Department or if you are a section of Microsoft.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment