The Official RMS Team Blog

Your official source for all the latest news and tech tips for Microsoft AD RMS and Azure RMS.

The NEW Microsoft RMS has shipped!

The NEW Microsoft RMS has shipped!

  • Comments 34
  • Likes

Happy Wednesday!

I have the honor of sharing that the new RMS offering is now live, in general availability! We’re announcing the final release of all SDKs, most Apps, related services, and we’re giving details on how you can explore each of them. Lots more news coming over the coming weeks so follow us on Twitter @TheRMSGuy for up to the moment updates.


Why should you care? The new Microsoft RMS enables organizations to share sensitive documents within their organization or to other organizations with unprecedented ease. These documents can be of any type, and you can consume them on any device. Given the protection scheme is very robust, the file can even be openly shared… even on consumer services like SkyDrive/DropBox/GDrive.

This is the first of many blogs on the final release. If you’d like more immediate background information on Microsoft Rights Management, check out this TechEd Talk. I’ll also strongly recommend you read the new RMS whitepaper for added details. We have an updated website with per role subsites and we’ll soon post RMS flyers. We also have user forums.



 In short, here is what we’re promising at this juncture:


  • I can protect any file type
  • I can consume protected files on devices important to me
  • I can share with anyone
    • Initially, I can share with any business user; they can sign up for free RMS
    • I can eventually share with any individual (e.g.  MS Account, Google IDs in CY14)
  • I can sign up for a free RMS capability if my company has yet to deploy RMS


  • I can keep my data on-premises if I don’t yet want to move to the cloud
  • I am aware of how my protected data is used (near realtime logging)
  • I can control my RMS ‘tenant key’ from on-premises
  • I can rely on Microsoft in collaboration with its partners for complete solutions

These promises combine to create two very powerful scenarios:

  1. Users can protect any file type. Then share the file with someone in their organization, in another organization, or with external users. They can feel confident that the recipient will be able to use it.
  2. ITPros have the flexibility in their choice of storage locale for their data, and Security Officers have the flexibility of maintaining policies across these various storage classes. It can be kept on premises, placed in a business cloud data store such as SharePoint, or it can placed pretty much anywhere and remain safe (e.g. thumb drive, consumer-grade cloud drives, etc.).

 The RMS whitepaper offers plenty of added detail.

 User experience of sharing a document

Here’s a quick fly-by through one of the many end-to-end user experiences. We’ve chosen the very common ‘Sensitive Word document’ scenario. While in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application):


You are then offered the protection screen. This screen will be provided by the SDK and thus will be the same in all RMS-enlightened applications:

When you have finished addressing and selecting permissions, click SEND. An email will be created that is ready to be sent but you we let you edit it first:


The recipient of this email can simply open the document.

 If you’re a hands-on learner, just send us an email using this link and we’ll invite
you to consume a protected document the same way partner of yours would.


If the user does not have access to RMS, they can sign up for free. (Yes, free). In this flow the user will simply provide the email address they use in their day-to-day business. (That’s right, you won’t need to create a parallel free-email account to consume sensitive work documents.) We’ll ask the user to verify possession via a challenge/response, and then give them access to both consume and produce RMS protected content. (Yes, they can not only consume but also share their own sensitive documents as a free evaluation.)



The user can consume the content. Here we’ll show you how that looks like on an iPhone. In this case they got an email with a protected image (PJPG). They open it and are greeted with a login prompt so we can verify their right to view the protected image. Once verified, the user is granted access to see the image and to review the rights offered to them (click on the info bar):



With this covered, let’s jump into the specifics of what we’re releasing…


Foundational Developer SDKs

Today we are offering you 6 SDKs in RELEASE form. Those SDKs target Windows for PCs, Windows Store Apps, Windows for Phone 8, iOS, Android, and Mac OSX.

 It’s worth noting the Windows SDK offers a powerful FILE API that is targeted at solution providers and IT Pros. This Windows-based SDK has already been released. It will let you protect any file via PowerShell script as well. E.g. Using the FileAPI and PowerShell you can protect a PDF or an Office document, natively, without any additional software.

 The RMS sharing application

Today we’re releasing the RMS sharing application. It is available on: Windows for PCs, Windows for Phone 8, iOS, and Android. The Windows store application and Mac OSX will be forthcoming (Spring CY14).

You can get the application and sign up for free RMS here.

The applications let you consume ‘generically protected’ content (PFILEs), protected text and image formats, and also now lets you generated protected images right from the device. We call this the ‘Secure whiteboard’ feature: Take a photo of the meeting room whiteboard and share it with all attendees, securely. This said, we recognize it can serve many other creative uses.


It's important to note that Office itself is not yet available in full form on all mobile devices so consumption of natively protected Office files is limited until such time that Microsoft Office is released on your desired platform. In the meantime, you can protect Office files using the [x] Allow consumption on all devices option. This will result in the share of a generically protected (PFILE) Office file. e.g.: Here we show that My Sensitive Document.Docx will be generically protected to the PFILE format. This results in the recipients getting a protected file -- one that requires authorization, that can be audited on each use, and that can expire on the date you set -- but this file will have to be shared without the finely granular rights that you might desire (thus the slider control is disabled). These good things will come in time. This said, it's worth calling out that this flow lets your iOS and Android recipients consume the protected content you send to them in their respective applications (e.g.: on iOS you can open the Word document in Pages).


The Azure RMS Service

The above offers are bound to the Azure RMS service. This service has been in worldwide production since late 2012 as it powers the Office 365 integrated RMS features. We’ve added support for the new mobile SDKs and RESTful endpoints but overall, that service has been up and running in 6 geographies worldwide (2x EU, 2x APAC, 2x US) and is fully fault tolerant (Active-Active for the SaaS geeks amongst you).

We’re also offering the BYOK – Bring Your Own Key – capability discussed in the whitepaper. This ensures that your RMS tenant key is treated with utmost care within a Thales hardware security module. This capability prevents export of the key even with a quorum of administrator cards! You can learn more about HSMs from partner Thales here.

We’re also offering near-realtime logging of all activities related to RMS and key usage. Simply point Azure RMS to Azure blob storage and the logging begins.

 The bridge to on-premises

Today we’re also announcing the RMS connector. This connector enables your on-premises Exchange servers and on-premises SharePoint servers to make use of all the above. It’s a simple relay that ‘connects’ these servers to Azure RMS. The RMS connector is easy to configure and lightweight to run.   

To download the connector:

RMS connector documentation:

 The RMS for individuals offer

As called out above, not everyone will have RMS in their company, so we’ll offer RMS to individuals for free within organizations. This offer is located at If you share with others, they can simply sign up. If you are the first one to the party, you can simply sign up. No strings attached.

Wrapping up, we hope you’ll agree that we did pretty well at solving a long-standing issue of persistent data protection. We’ve done so in a way that can also be used within your organization and that honors the critical needs of your IT staff. We’re offering you immediate access to evaluate all the relevant parts: SDKs, Apps, Azure service, connectors, and the self-sign up portal. For each, I’ve given shared with you links to help you get started. 


We’ve got a flurry of daily blog posts coming our over the next 2 weeks on Planning, Licensing, Step-by-Step guides, and some coverage of specific scenarios. Stay in touch via twitter: @TheRMSGuy Don't hesitate to let us know what you'd like to hear about!


 Dan Plastina
   on behalf of the Microsoft RMS team

  • Excellent news , Well done. Super technology.

  • @Sean. Thanks! It's been a hard push and we're now ready to work with all of you on the next set of priorities.

  • This is fantastic Dan, perfect timing to help Enterprise customers with secure collaboration needs (Cloud, Cross-Premises, On-prem + Individuals)!


  • @Cristian, Thanks. Over the next many days new blogs will be posted with lots of good data. Stay tuned. @TheRMSGuy twitter feeds will be used to share other info too.

  • You guys ROCK! Awesome technology ... perfect mix of services and devices!

  • Could the new RMS be a true replacement for Hosted Encryption solutions for secure email or is it mainly focused around securing documents.


  • @Abdul -- made our day, thanks.

    @ Robert G -- it's a bit of both. We're focused on documents right now given the challenges of embedded mail clients (e.g.: iOS mail reader). That said, hosted encryption solutions (we have one) is improving and the two shall get closer and closer in time. We fully understand that users do both email and docs. The same problems facing SMIME face RMS protected emails (an unsuspecting recipient needs to do work). By sending a protected document in an Unprotected email we're able to smooth out the flow substantially. By offering a free 'RMS for Individuals' offer we're able to smooth out the cross-org authentication flows. Lots more to come though... we're just warming up!

  • Any plans to extend granular functionalities with SharePoint integration? Currently it's limited to setting a RMS level on library level. It would be nice to use different RMS permission levels based on sharepoint permissions (e.g. specific users can print documents, while others can just open documents without printing)

  • @Bjorn: Please send an email to with this ask. We will forward the ask to our SharePoint colleagues as well.

  • Hi,

    what is the application to download for Iphone ?

  • Thank you Bjorn for asking about the detailed level for SharePoint. This is exciting news! I was reviewing third party tools like Intralinks to work with our SharePoint and am very pleased at RMS's stated capabilities. Looking forward to testing them out! Thanks, Dan! - Melanie

    P.S. Is this going to be integrated with Yammer at all, or applied to files shared via Yammer?

  • @vishwanath: just go to and click on the little apple link :)

  • @Bjorn, @ Melanie, The answer to all the "Is it going to be integrated with..." questions are "YES!". We work with lots of team both internal and external. Our first push was getting the SDKs done and a basic app that could open PFILE from all relevant platforms. We also put a strong focus on the on-premises organizations needing RMS For them, we built the connector and the innovative HSM based key storage. With those done, we're not onto the next phases. Follow #TheNewRMS for updates.

    In terms of the specific asks above for SharePoint -- the ask is a common one. Consider your voice heard but we have not public promise to make at this time.

    In terms of the comments on Interlinks -- I just had a wonderful dinner with the kind leadership team at Interlinks on Monday. Great people building great products.

    Hope that helps even though I skirted directly answering your question ;)

  • how the rms sharing application will be licensed or it will be free. if i have enterprise customer  shall i download only the client or there will fees. ?

  • I'm trying to understand the protection of email vs. the protection of document.

    For an Office 365 user, if I want to protect an email as well as an attached document, do I have to apply RMS to the document first, and then attach it to an email that is also RMS protected? If I only protect the email but the document itself has not been RMS protected, will the recipient sill need to authentication against Azure AD before seeing either the email or the attachment?

    Also, when I RMS-protect an email message, the message will be protected at rest, correct? What about the attachments associated with the message?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment