The Official RMS Team Blog

Your official source for all the latest news and tech tips for Microsoft AD RMS and Azure RMS.

Create custom templates in Azure RMS with the Azure Management Portal

Create custom templates in Azure RMS with the Azure Management Portal

  • Comments 11
  • Likes

Happy Thursday everyone,

Today we’re announcing the preview of our new custom template work as well as integration into the Azure  Management Portal. Both are features we have been asked for by you, our customers.

As usual, follow us on this blog, @TheRMSGuy on twitter or join in on the fun at www.yammer.com/AskIPTeam. We’re soon going to add a new mail list option as that has been commonly requested (think “push blogs”).

 

As the AD RMS crowd know, custom templates let you define the protection policies you would like to roll out within your organization. Whether your organization is using Azure RMS in as part of your on premises deployment (via the RMS connector) or as part of Office 365, you can now do this via the Azure Management Portal.  

Managing Azure RMS custom templates from the Azure Management Portal

To get started you can open the Office 365 admin center, click on Service Settings, choose Rights Management and then select manage. On the Rights Management section you can select additional configuration which will lead you to the new Rights Management section of the Azure Management Portal. Alternatively, you can navigate directly to https://manage.windowsazure.com. Once there select the Active Directory service on the left, then click on Rights Management and choose your tenant from the list. You will need an Azure subscription to access this portal, if you don’t have one you can get one for free.

 


 

Once there you will see the Quick Start screen, where you will notice you now have the option to create custom Rights Policy templates. When you initially activate Azure Rights Management capabilities in your organization we automatically create two default Rights Policy Templates that cover the most common needs in the majority of organizations. These two policies, called “<Organization> – Confidential” and “<Organization> – Confidential View Only” and give all users in your organization either full access or restricted access to the documents protected with them.

Custom templates complement these default policies, giving you more flexibility in controlling how groups of users within the organization can access and use sensitive documents. With custom templates you can designate different groups of users that will have access to documents protected with these templates, and you can define an access level or a list of rights for each of these groups. You can also control for how long content protected with these templates will be accessible, and you can define whether you want to require users to be online to access the content (thus, getting maximum control over their ability to access the document in case your policies change over time and ensuring all accesses to the documents get logged) or you want to allow them to cache document licenses so they get the ability to access the content from disconnected locations for up to a defined period of time.

Please note, as our favorite superhero would say ‘with great power comes great responsibility’. Don’t go crazy with templates. Start simple. Even more, keep it simple. Think of your users and, above all, keep the your XACML loving experts away from this tool. You’ll thank us later.

By way of example, most of our leading RMS organizations have less than 10 company-wide templates, which is a list most users can quickly scan through to identify the template they need. Use short names and descriptive titles. Don’t redundantly say template. List company name as there may be others later on. In the description, express what rights are granted and to whom. When read by a normal user, it should offer clear guidance. It’s not an SMS so stay away from TLA or MLAs that only the ENG or R&D IT understand. K?

Example of a poor choice:                  HR Template  -- This template protects files for human resources. RO/DNF.

A better choice:                                    Contoso HR Sensitive -- Grants view only rights to Contoso human resources employees only. No ability to print or forward.

  

Let’s go through the exercise of creating a custom Rights Policy template. Let’s say you want to create a policy for your new product specifications. You want everyone in your engineering and marketing organizations to be able to access these specifications, but only engineers should be able to modify them. 

 

You start from the Getting Started screen where you can click on the option to Create an additional rights policy template:

 

 

You will be asked to select a default language for your template. You can configure a template to have a name and a description that is available in multiple languages, which is useful if in your organization you have users that speak different languages that could deny understanding the policy on a document because it was in a language they don’t understand. For our example we will enter one name in English (which users will see listed in their applications when they open the option to protect content, in general it is advised to include the name of your company in the name of the templates in case users have to use templates from multiple organizations, but to keep it simple in our case we will enter “Product Specifications”) and a description that users consuming the content will see, usually at the top of their document in a yellow banner (it is recommended that this description clearly indicates the expectations regarding the handling of the document and indicates what rights users can expect on the document). Enter any description you want for this exercise.

After entering the name and description click Next.

 

After you have created your template and added a name and description for it, you  can select Templates at the top of the screen and select the Product Specifications template from the list to configure additional settings.

 


 

Once you have selected the template you can add users and groups to it by clicking on the Rights option and then clicking on the Add button at the bottom of the screen.

 


 

When adding people to your policies, it is generally advised that you use groups instead of individual users. After all you usually want to grant rights to people based on their role or position and the work they do, not based on who they are, and individual users change positions and join and leave the company, so assigning rights to individual users makes maintaining the policies much easier. Keep in mind that your groups must have an email address for you to be able to use them in a custom template. If you need to add rights to a group, you can do that from the Office 365 management portal. In this case, you will add the Engineers group to grant them rights.

 

Select a group from the list of groups in your directory (in our case the Engineers group), then click on the Next button. You will be able to select from a list of pre-defined access levels such as Co-owner or Viewer. If you need more granularity in the assignment of rights, you can choose the Custom option, where you will be able to assign individual rights such as the ability to copy, print or save a document.  In our example you should add co-owner rights to the Engineering group so they have full control over their specifications. You can then add the Marketing group to grant them viewer rights, or you can grant them custom rights if they have the need to print and copy content from the specifications into other documents.

 

After you have finished assigning rights, you can configure additional settings such as defining a duration for the document or settings for offline access, or you can define additional languages with names and descriptions for the template. You do this by clicking on the Configure option. For our template, you can leave these settings at their default values, which offer a good balance of security versus usability.

 

Once that is done, your template is ready for publishing. Until you publish your template it will remain in an Archived state, where it won’t be distributed to users. We will publish this template by clicking on the Publish button at the top of the Configure screen. Once published the template will be made available to users in their favorite applications so they can be used to protect their sensitive documents (sensitive product specification documents in our example):

 

 

Some applications may take a while to download the new templates, or they may require that the users log off and log back on to get templates refreshed. To learn more about this or about configuring custom templates see our online help at http://technet.microsoft.com/en-us/library/dn642472.aspx#BKMK_HowToConfigureCustomTemplates.

 

This is just the beginning for our new management portal, over the next few months we will continue adding capabilities here so keep an eye on this blog for future announcements. In the meantime, leave us some feedback below, or via @TheRMSGuy on twitter or at www.yammer.com/AskIPTeam.

 

Thanks,

Dan on behalf of the RMS team

Comments
  • Congrats! I can't wait to try this.

    Currently, We are using RMS Through our O365, when trying to manage RMS with our O365 Admin , we are forwaded to the Azure Managment Portal with the following: "We were unable to find any subscriptions associated with your account." and it asks us fo purchase a license. Where it asks for credit card and so on....

    Any idea how to bypass this?

  • Hi Dominik. Sorry to see you are having trouble signing up.
    The good news is that you don't need to actually purchase a license, you can simply sign up for a free Azure account. You can ask on the same page to create a free account, and that should work without limitation. You still have to enter a credit card number, but it won't be charged since you only need a free Azure account but not to subscribe to any paid services. We are evaluating alternatives to eliminate this requirement for signing up to an Azure account. I hope this is not a problem for you.
    Regards,

    Enrique

  • Hello RMS team and thank you, this feature was what we were looking for. However, I have a question: Is it not possible to assign permissions to anonymous users (= unauthenticated to Azure RMS service)? E.g. I want some internal users to have full-control permissions, some other internal users to have edit only permissions, and than all external users to have read-only permissions. In the users selection dialog I can only select users/groups in our own active drectory. How do I set permissions for "Everyone else"?

  • This is a most welcome feature as we currently have AD RMS with custom templates as well as Office 365 and I've been waiting to move to Azure RMS for a while now. Now that we can move to Azure RMS, one thing that I'm not clear on are the rights and auditing of the users that can create/modify custom RMS templates. Also, I don't necessarily like the idea of only using security groups for RMS template assignments as we have domain admins that could change the group memberships, but we want to restrict all RMS template modifications to a couple of our security team members. Thoughts?

  • Hi Chris,
    I'm glad you will be using this feature as part of your plan to migrate to Azure RMS.
    Auditing of template modification can be done by examining the service logs, you can learn more about logging at http://blogs.technet.com/b/rms/archive/2014/01/07/enabling-and-using-logging-in-azure-rms.aspx.
    I am not sure I understand your second concern, could you elaborate more? Is your concern that the template administration cannot be delegated to individual users? If so, I will take note of this request and see if we can implement it in the future. Regards,
    Enrique

  • Hello Tlapka,
    What you request is something we are currently evaluating in some form. Right now we don't think allowing policies to specify anonymous (unauthenticated) access would be of much value to most of our customers, but an "anyone" scope (that is, all authenticated users, regardless of their organization or even as individuals) is something we are considering for an upcoming release. Would this solve your requirements?

  • Enrique Saggese: Thank you for your reply. An "Anynone" scope (=anyone authenticated to Azure RMS) is not what we are looking for. Simply because the user needs to authenticate and that is not very practical when we need to share documents with external users who do not use Office365/Azure RMS or have a Microsoft account. We would welcome a possibility to create a template which would allow "Everyone" with Office 2010/2013 to open the document with read only permissions (without the need to authenticate to Azure RMS).

  • +1 View-only rights for anyone can already be set in Office desktop apps in Backstage -> Restrict Permission by People -> Restricted Access. So why not let us create a preset template in Azure RMS?

  • We have an Office 365 E3 client who would like to secure a unique file format (.SDU) using IRM/RMS. Is this supported or technically possible? Our research seems to suggest that we cannot do this in a SharePoint online environment as it is limited to securing only Microsoft generated file formats.

  • Interested in what other customers are asking about custom templates? See this top10 list: http://curah.microsoft.com/72405/top-10-customer-questions-about-azure-rms-custom-templates

  • Hi,
    Can the custom templates get applied to documents or email shared outside the organization ? If its not there now any idea when would it be on the roadmap

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment