The Official RMS Team Blog

Your official source for all the latest news and tech tips for Microsoft AD RMS and Azure RMS.

Major Update: Improved Office file support + Service improvements


Hi Everyone,

Today, we’re announcing a major update to RMS, which is based on your enthusiastic feedback and guidance. We’ll share with you the significant changes to the RMS application(s), our Azure RMS cloud offering, and how we’re bringing the new features of Azure RMS to a broader range of organizations with differing deployment requirements for their cloud service.

The RMS team and I have lots of interaction with passionate business leaders both online and in person. We deeply appreciate your partnership! We collected your individual feedback and validated it with our informal Customer Advisory Board (CAB). Here’s where 313 voters who manage 17 million users are from. We love the diversity given how impactful regional differences are in this space.

(To vote, simply join our advisory board so you can sway us too! We have a similar group for RMS development partners.)

You also shared with us your diverse environment. As expected, mobile support is critical but we were surprised to see Linux pushed higher than OS X. We don’t currently have a Linux story but your input will clearly have us revisit that.

The most interesting set of responses are related to the question of ‘why you seek to protect your data’:

You cited as most critical the ability to share sensitive documents with others. Next up were two needs to partition document sharing within your company. A strong fourth vote was ensuring compliance.

Our Promise to You

As a direct result of these inputs (and other clear industry trends) today our deliverables are focused on offering you the following promises:

  1. Protect the workplace documents you share with others, make it work on all devices. We made this promise 6 months ago but we fell short of letting you interact with protected Office documents on your mobile devices. You insisted that we enable the consumption of Word, Excel, PowerPoint, and PDF documents on your mobile devices… and you asked for it ‘now’.

  2. Protect the documents you have internally. Do so with an effective means of partitioning them. We were asked to permit protecting documents to a subset of your workforce. We had gaps in Azure RMS and you wanted to better understand how the various DLP (data loss prevention) offers work with us.

  3. Enable the Azure RMS feature set for customers where less of a cloud exposure is desired/required. Some of you are highly regulated and want to maintain your RMS key on-premises. Some of you also raised concern with having to perform a directory sync of so many properties ‘just for RMS’.

We hope you agree that addressing the gaps in these 3 areas would represent a substantial update to RMS. Let’s review what we have done for each of them.

#1 Protect the workplace docs you share with others, make it work on all devices.

First, we know that you desire built-in support for RMS into Microsoft Office on all platforms. We currently support RMS in Office 2010, Office 2013, and Office 365 but lack comprehensive support on other platforms. We -- the Office team + the RMS team -- are committed to adding RMS support. The involved teams are working on this now. This said, as I’m sure you can appreciate, the RMS blog is not the right place to disclose the Office release cadence so please stay tuned to @TheRMSGuy (twitter) and this blog for future public disclosures.

To address your immediate need, we’ve come up with a way of supporting the sharing of secured Office documents in advance of the native Office support. We’ve done so via the RMS application’s Share Protected button. When you invoke Share Protected to share Office documents we send your email recipients both an RMS protected version of the Office document and a protected PDF copy of the same file. To ensure success at opening one of these files, we now have RMS-protected PDF rendering built into all of our free RMS applications. As we had in the past, if your recipients don’t have RMS we also offer them a 100% free RMS account.

As an added bonus for those using Azure RMS, we enabled email notifications of document use (or abuse). This lets the sender know whether their sensitive document is being used as intended. This matters because IT can’t easily detect document abuse: it has no awareness of how the document was originally meant to be used. Now the sender can play an active role in responsibly sharing sensitive documents. Let's review the end-to-end user flow.

Note: The Share Protected button is added to Outlook, Word, Excel, and PowerPoint (v2010 and 2013) when you install the RMS app for Windows


Do you prefer to experience it first hand?
If so, just send us an email and CC your colleagues. We’ll send you this blog post as a protected document.

Sender creates an email message, invokes SHARE PROTECTED

Sender selects the permissions (and options) they want to grant to the recipient

Recipient receives the email on their device. Note the two attachments of the same name.


After installing RMS App, the user opens the PPDF on their devices.
These are all the same Quarterly Sales Report.XLS, rendered as PPDF
(Clockwise from center: iPad, Windows Phone, Android Phone, Windows, OS X, Android tablet, and iPhone)


The sender gets email notification so that they can monitor for abuse

We’ve provided information previously on this blog about the RMS sign up process, and you’ll find it fully documented on TechNet, so I've omitted that detail here. We support sharing within your business and to other businesses and we continue to support free signup (if needed) for your recipients at http://portal.aadrm.com. Support for consumer social identities like Microsoft Account (aka Live ID) and Gmail IDs remains in our active work backlog. 

 Here’s how to get started

#2 Protect the documents you have internally, with a more effective way to partition them

A user can create files that are protected to a subset of people within their company. For example, let’s say that Brenda wants to protect a legal case file to the ‘Legal Department’. The traditional means of doing this is via RMS templates. Because group membership is checked when a protected file is opened, only the current (and future) members of ‘Legal Department’ will have access to these files, and people removed from the group can no longer obtain a license for them. Using RMS templates there are countless ways of setting up data partitions within your organization… just keep it simple so that ‘IT does not get in the way’ of people getting to their files.

AD RMS already supports custom global templates. Until recently Azure RMS had a fixed set of two templates. As of today, it now supports customizable global templates too. Here’s what it looks like:

Our new Admin console lets you create, manage, and learn about policy templates


The new template ‘Top Secret’ is created and placed in an ‘Archived’ state until you ‘Publish’ it


Administrator can now configure and publish the new template

This is a quick introduction. For more detailed information, see Configuring Custom Templates for Azure Rights Management. We also modified our RMS SDKs to pick up these updated templates more quickly. When Office 2013 refreshes its SDK (next public update) it will get this quicker update time too.

We know that merely enabling RMS is not sufficient to protect all your sensitive documents – you will want more automated means of driving documents to be protected. The breadth of our Microsoft and partner offers here is what really sets Microsoft Rights Management apart from the others in this space. Let me share the most common and effective means of enabling proactive RMS protection. Where available, I’ve included a link to free videos on the topic.

Last but not least, another core ask was to improve the usage logs. The Share Protected flows we are releasing today put both the file name and the publish date into the logs. We have more logging enhancements in the works but those remain out of reach for this update as code changes must happen in Office itself. We are keeping this ask on our active work list.

#3 Offer the Azure RMS feature set to cloud reluctant customers

The Microsoft Rights Management offer supports two deployment options: on premises and Azure hosted. Some ‘cloud reluctant’ organizations require that their RMS authorization decisions and key management remain within the walls of their organization. We recognize this is an important business requirement for our worldwide customers. Here are the changes we’re now making to Azure RMS.

Today the Azure RMS offering looks like this:

For ‘cloud ready’ organizations (the top half), we showcase Office 365 with Azure AD and Azure AD Sync; Azure RMS performs the core information protection duties and Azure services are relied on for the remainder of the workloads.

For ‘cloud reluctant’ organizations (the bottom half), the Azure RMS connector permits Exchange, SharePoint and FCI on premises to use Azure RMS to protect essential information. For some, this is still too much cloud exposure. The core feedback we’ve heard is that local RMS traffic should remain local – it should not reach out to Azure AD. When collaborating, leveraging Azure AD is a massive benefit, but not if the full set of AD sync properties is required. We’re addressing both of these concerns while also future proofing your environments.  

Let’s now consider this updated diagram:

It’s pretty simple to see several very important changes:

  1. Only Azure AD remains in the cloud with most of the Azure RMS related and dependent services now being on premises.

  2. AAD Sync now offers configurable profiles. This permits an organization only using Azure RMS for B2B (sending and receiving) to publish the minimal set of required properties. In fact, the only properties required are those made public when sending an email to the other person. We introduced the new Azure AD Sync offering in this blog post.

  3. A new Azure RMS deployment option, the Azure RMS hub, enables you to maintain your core RMS logic and key services on premises for all authorization and cryptographic transactions, while delegating B2B transactions to Azure AD. Yes – you read this correctly, your encryption keys remain on premises in your control! Plainly stated, you are in full control of your key and all internal RMS traffic remains within the new Azure RMS hub.

We’re also going to tackle the oft-requested ability to migrate from AD RMS to Azure RMS. Sidebar: Some of you may be surprised that cloud reluctant customers demand support for migration to Azure RMS. We've found a common misconception about what Azure RMS ‘sees’ as part of its role in protecting your data. Some believe that using Azure RMS means that your data travels to the cloud. It does NOT, ever, go to the cloud unless you put the document there. Sharing a document between two on-premises organizations sends only authorization traffic to Azure RMS for evaluation: an authentication token and the RMS license that was embedded in the document. The document itself remains within your on-premises client. Our client-side developer libraries, built into each RMS-enlightened application, handle all the client-side decryption. What the service does handle is the protected content key carried in that license, since it must release the key to an authorized user; that is exactly why key custody (Bring Your Own Key, or keeping the key on premises in the Azure RMS hub) matters to regulated customers. This is an important tidbit of information for those of you increasingly looking to outsource aspects of your core infrastructure. Now you can offload RMS hosting to us knowing that the cloud RMS service never sees any of your content.
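To make two of the points above concrete (from #2, templates resolve group membership when a document is opened; from this sidebar, only licensing traffic, never document content, reaches the RMS service), here is an added toy model of the publish/consume flow. It is illustration code written for this page, not Microsoft's code and not the real RMS protocol or license format. Its stand-ins: the cipher is an HMAC-SHA256 keystream with an HMAC tag so that only Python's standard library is needed (real RMS uses AES with RSA-wrapped keys); the content key is wrapped by the service at publish time, whereas the real client wraps it under the tenant's public key itself; the requesting user is a plain e-mail string standing in for the authentication token; and the group name, addresses and document text are constructed samples. Python 3.6 or later is assumed.

```python
"""Toy model of the RMS publish/consume flow (added illustration, not
Microsoft's code or RMS's real license format).  Stand-ins are marked."""
import hashlib
import hmac
import json
import secrets


# --- stand-in authenticated cipher (real RMS uses AES) ------------------------
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for i, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; returns a JSON-friendly box."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def unseal(key: bytes, box: dict) -> bytes:
    """Verify the tag in constant time before decrypting."""
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("license or body has been tampered with")
    return _keystream_xor(key, nonce, ct)


# --- service side: Azure RMS, or the on-premises RMS hub ----------------------
class RmsService:
    """Holds the tenant key and the template -> members directory.  It never
    receives document bytes; `received` records everything sent to it."""

    def __init__(self, groups: dict):
        self.tenant_key = secrets.token_bytes(32)  # never leaves the service
        self.groups = groups                        # constructed sample directory
        self.received = []

    def issue_publishing_license(self, template: str, content_key: bytes) -> dict:
        # Stand-in for the client wrapping the key under the tenant public key:
        # here the service wraps it ("online publishing").  Content stays local.
        self.received.append(["publish", template])
        if template not in self.groups:
            raise KeyError(f"unknown template {template}")
        return {"template": template, "wrapped_key": seal(self.tenant_key, content_key)}

    def issue_use_license(self, user: str, publishing_license: dict) -> bytes:
        # `user` stands in for the authentication token.  Membership is resolved
        # at open time: people added after publication get access, removed ones don't.
        self.received.append(["consume", user, publishing_license["template"]])
        if user not in self.groups[publishing_license["template"]]:
            raise PermissionError(f"{user} is not in {publishing_license['template']}")
        return unseal(self.tenant_key, publishing_license["wrapped_key"])


# --- client side: an RMS-enlightened application ------------------------------
def protect(service: RmsService, template: str, document: bytes) -> dict:
    content_key = secrets.token_bytes(32)           # generated on the client
    pl = service.issue_publishing_license(template, content_key)
    return {"publishing_license": pl, "body": seal(content_key, document)}


def consume(service: RmsService, user: str, protected: dict) -> bytes:
    content_key = service.issue_use_license(user, protected["publishing_license"])
    return unseal(content_key, protected["body"])   # decryption happens locally


def demo() -> dict:
    """Brenda protects a case file to 'Legal Department' (all names constructed)."""
    svc = RmsService({"Legal Department": {"brenda@contoso.example", "lee@contoso.example"}})
    case_file = b"Case 4711: settlement terms (privileged)"
    protected = protect(svc, "Legal Department", case_file)
    result = {"member_reads": consume(svc, "lee@contoso.example", protected) == case_file}
    try:
        consume(svc, "mallory@fabrikam.example", protected)
        result["outsider_blocked"] = False
    except PermissionError:
        result["outsider_blocked"] = True
    svc.groups["Legal Department"].add("newhire@contoso.example")   # joins later
    result["future_member_reads"] = consume(svc, "newhire@contoso.example", protected) == case_file
    # Everything that crossed to the service, serialized: no document text in it.
    wire = json.dumps(svc.received) + json.dumps(protected["publishing_license"])
    result["service_saw_content"] = case_file.decode() in wire
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows a current member and a later-added member opening the file, an outsider being refused a use license, and the document text absent from everything the service received, which is the property the sidebar claims. In the Azure RMS hub deployment described under #3, the role `RmsService` plays here (holding the tenant key and issuing licenses) runs inside your own network.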

With this storyline shared with you, we are promising the following:

  • Later this month we will offer AD RMS customers the option to migrate to Azure RMS without losing access to their previously protected data. The Azure RMS Migration Toolkit will allow customers with an AD RMS deployment to migrate their keys and policies to Azure RMS, leveraging the Bring Your Own Key and RMS connector features to provide full RMS functionality from the cloud while minimizing service disruption to their users.

We hope the above 3 offers give you a clear indication that we very much care about the needs of all of our organizations.


In Summary

  1. Office is committed to enabling RMS on all their platforms. It will take a bit of time.
  2. RMS app is offering an immediate protected Office and protected PDF capability by leveraging our new PPDF capability.
  3. Email notification makes RMS more desirable to information workers. It empowers them to take an active role in secure sharing.
  4. We’ve added OS X support.
  5. Azure RMS is better than ever with templates and logging enhancements.
  6. Azure RMS, with the new Azure RMS hub deployment option, permits even the most cloud reluctant organizations to benefit from RMS.

Best of all, we’re not slowing down anytime soon!

Thanks, 
  Dan on behalf of the RMS team
  @TheRMSGuy

Comments
  • Great Information, looking forward to trying the new features.

  • Thanks for the update Dan! Massive improvements! Congrats!

  • Thanks for all the work!

  • @Ryan, Marcus, Domink: Thanks gentlemen! The team will much appreciate it!

  • What about integration of external users (who do not use an Azure AD) in RMS templates? As far as I know, this is not possible. I already asked in the technet forums* and a Microsoft employee.

    It is not viable to always include all recipient email addresses when sharing protected documents. It is necessary that we can simply select a template (configured in the Azure management portal) that includes external users (who do not use an Azure AD).

    * http://social.technet.microsoft.com/Forums/en-US/68c61e88-0699-4f1d-8f53-64b73edc9683/azure-rms-template-with-microsoft-accounts?forum=WindowsAzureAD

  • @Gordian -- you are correct. Today we don't permit templates to include external users. It's been by design. Templates have historically always been internal only, and letting there be external users can lead to inadvertent data leakage. We do support the use case though: A common IT practice is to create v- (vendor) or E- (external), etc. accounts in your AD and then reference them. This way you are in control of these identities and their lifecycle. The downside of this model is that you have shifted the burden of identity management to your AD team. Not ideal. We are considering several other more federated approaches to this problem as part of our Azure AD offering. RMS would leverage that enhanced base offer. Most of these thoughts are set up to better support the B2C (Customer) scale-out challenge. E.g.: Banks, automotive supply chain management, etc.

    If you (or other readers) have feedback on use cases you need to see work, drop us a note at AskIPTeam@microsoft.com.

  • If you would like more information about the RMS sharing app, we've just published this: http://curah.microsoft.com/191031/how-rms-protects-all-file-types-by-using-the-rms-sharing-app

  • @Dan -- thanks for the extensive and quick clarification. At least I now have solid confirmation ;-).

  • Dan Plastina: Why not make it possible to allow unauthenticated users to consume the protected content through an Azure RMS template? (=anyone with Office 2010/2013) without the need to authenticate to an Azure AD/RMS account? What's wrong with this approach if a customer wants it?

  • Thanks for your hardwork - the PDF feature is a great addition!!! However, for a great B2C usage we'd appreciate Gmail/Microsoft accounts support or even better external anonymous read-only consumption as already suggested above.

  • I also like the idea to protecting a document "in-place" through the app instead of sending it straight away.

  • What is the status with the Mac Client?

  • @Tlapka -- If the user is unauthenticated the protection serves no purpose. We do want to permit an un-named user to work for B2B though. e.g.: Share with everyone@AnotherCompany.com so you can share with anyone in another organization but not people outside of that other company.

    @Shaun -- Thanks for the kudos. We want social IDs too :)

    @ Shaun -- You can do that today using the right-click menu in the Explorer on Windows

    @ Dominik -- OS X still pending app store approval... The process is a bit of a waiting game. It takes longer for first time apps to get through (which is why all the other apps were quicker to release).

  • Dan Plastina: Thank you for the reply. My point is that you can already do this with Office 2010/2013 - when you apply rights management protection to a document and check "Allow everyone to read this document" this allows unauthenticated consumption (=read only). So I am wondering why this is not possible with the Azure RMS template.

    We use this often because it serves these purposes:
    1) You don't need to know recipients' user names and they don't need to use Azure RMS
    2) This makes a document read-only and we can be sure that recipients make no changes to it
    3) You can apply document expiration to the document this way

    E.g. when we communicate with government institutions this is the only type of protection we use (making sure we know everyone's user names and that they use Azure RMS is unrealistic). We usually don't want the recipients to make changes to the documents and/or want the documents to expire after some specific period of time. Having an Azure RMS template for this would make things a lot easier (we don't have an on-prem RMS server, otherwise we would just set the templates this way there easily).

    Also, in this thread http://blogs.technet.com/b/rms/archive/2013/07/31/the-new-microsoft-rights-management-services-whitepaper.aspx Gagan Gulati wrote that "Everyone" rights are coming so I'm wondering if anything changed in this matter.

  • Also, I have two more pieces of feedback concerning RMS security:

    1) The default "Confidential" template allows programmatic access to the content of a document (I think you call it "Macro" access in the Azure RMS template creation dialog). This way, e.g. tabular data from a protected Excel spreadsheet can be loaded into an unprotected document (in Excel -> Connections -> Other sources -> select the protected document (the protected file needs to be open during this and the data need to be in tabular form)) and from there, copied away/printed/etc. Not very "Confidential".

    2) Owners of a protected document don't need to validate their credentials online even if the template requires that (= the locally cached owner license never expires). This way, a lost/stolen machine allows offline access to documents even when it shouldn't. (To reproduce, apply RMS protection to a document and see that the locally cached license never expires on the machine where the protection was applied.)
