Page 1: Information Rights Management Feature Guide (Legacy ...download.microsoft.com/download/B/0/7/B07FD4D1-DDF2-4219-802… · IRM Feature Guide Legacy Platform Release Office 365 Dedicated

IRM Feature Guide

Legacy Platform Release

Office 365 Dedicated & ITAR-Support Plans

© 2015 Microsoft Corporation. All rights reserved.

Page 1 of 50

Information Rights Management Feature Guide (Legacy Platform Release)

Applies to: Office 365 Dedicated – Legacy Platform Releases
Topic Last Modified: 2015-07-07

This feature guide describes the Information Rights Management (IRM) implementation used for the legacy releases of Office 365 Dedicated. The following topics are presented in the guide:

What Is Information Rights Management?
IRM Implementation in Office 365 Dedicated
Establishing the IRM Environment
Using IRM Clients
Supporting the IRM Environment
IRM Super User Access


Out of Scope Topics

The following information is not covered in this guide:

Active Directory Rights Management Services (AD RMS) fundamentals. The protection technology used to support IRM in Office 365 is Active Directory Rights Management Services (AD RMS). The IRM implementation for Office 365 requires the existence of an AD RMS infrastructure within your on-premises environment. Because your organization already supports your own AD RMS environment, it is expected that you are familiar with AD RMS functionality. Therefore, the scope of this guide only addresses the uniqueness of the AD RMS implementation for Office 365. Details regarding how to build an AD RMS environment or how to utilize any common tools and interfaces within AD RMS are out of scope for this guide.

Exchange Online and SharePoint Online fundamentals. IRM functionality is utilized by Exchange Online and SharePoint Online. AD RMS features offered with Office 365 and applicable to the Exchange Online and SharePoint Online services are described within this guide. Detailed information regarding the feature sets of Exchange Online and SharePoint Online, or how to establish these environments, is out of scope for this guide.

IRM-enabled application fundamentals. Procedures describing how to utilize specific Microsoft or third-party IRM-enabled applications are out of scope for this guide.


Notes:

1. Not all published Microsoft documentation for IRM or AD RMS is applicable for the Office 365 Dedicated and ITAR-support plan offerings. Documentation simply labeled Office 365 for Enterprises may only pertain to the multi-tenant plans for Office 365 and not Office 365 Dedicated plans.

2. This document specifically applies to Exchange Online Dedicated customers on legacy infrastructure platforms (Exchange 2010 Aruna, Exchange 2010 ANSI-D, or Exchange 2013 ANSI-D) and SharePoint Online Dedicated customers using SharePoint 2010. For all cases, the content applies to the legacy AD RMS implementation that involves the placement of AD RMS servers on-premises and within Microsoft datacenters. Unless otherwise indicated, the information presented is applicable to the International Traffic in Arms Regulations (ITAR-support) version of each server release.

Additional Resources

See the IRM landing page in the Customer Extranet site for additional implementation information and diagnostic tools. Contact your Microsoft Service Delivery Manager for information on how to obtain access to the Customer Extranet site.


What Is Information Rights Management?

Information Rights Management (IRM) enables content publishers to create rights-protected content such as an email message or document. Rights-protected content is content that is intended for use by specific individuals and that carries specific restrictions placed on the use of the content item.

When IRM protection is applied to a message or document, the item becomes encrypted. Accompanying the encrypted item is an issuance license used to maintain restrictions on access to, and uses of, the content. These restrictions vary depending on the level of permissions granted to the recipient(s). Typical restrictions include making a document read-only, disabling copying of text, not allowing users to save a copy of the document, or preventing users from printing the document. Client applications that read IRM-supported file types use the issuance license to enforce use restrictions. To decrypt the item and consume the content, the recipient of the message or document must obtain an end user license issued through interaction between their client device and the IRM environment.

IRM helps individuals enforce their personal preferences regarding the transmission of personal or private information. It also helps organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information – within the organization and with customers and partners. The following table summarizes how IRM does and does not protect content.


IRM helps to …

Prevent an authorized recipient of protected content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use; copying restrictions include the use of the Print Screen or Snipping Tool features of Microsoft Windows.

Protect supported attachment file formats with the same level of protection as the message.

Maintain content restrictions regardless of where the content is delivered.

Support file expiration so that content in documents, workbooks, or presentations can no longer be viewed after a specified period of time.

Enforce corporate policies that govern the use and dissemination of content.

IRM does not prevent …

Content from being captured by third-party screen-capture programs.

Content from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware.

Content from being lost or corrupted because of the actions of computer viruses.

Restricted content from being hand-copied or retyped from a display on a recipient's screen.

Use of imaging devices such as cameras to photograph IRM-protected content displayed on the screen.

How Is Information Protected?

Office 365 dedicated plans use Active Directory Rights Management Services (AD RMS) to implement the IRM protection feature. AD RMS uses extensible rights markup language (XrML)-based certificates and licenses to certify computers and users. The XrML certificates and licenses are also used to encrypt and protect content.

When content such as a document or a message is protected using AD RMS, an XrML license containing the rights that authorized users have to the content is attached to the content. To access IRM-protected content, AD RMS-enabled applications must procure a use license for the authorized user from a trusted AD RMS server.


The use license contains the public key to decrypt the protected content. Note that the AD RMS protection mechanisms do not utilize Active Directory certificate services or public key infrastructure (PKI) protection methods. AD RMS utilizes a database to hold data for certification, licensing, and publishing activities and also relies on Active Directory to provide identity, authentication, group expansion, and discovery services.

The diagram and text that follow provide an overview of client certificate acquisition, license issuance, and the encryption, delivery, and decryption of content.

1. An individual who intends to protect content and consume content protected by others must first acquire certificates that enroll his or her computer and domain user account into the AD RMS certificate hierarchy. A certificate that identifies a computer is called a machine certificate and one that identifies a user is called a rights account certificate (RAC), also referred to as a group identity certificate (GIC). An IRM-supported application must retrieve these certificates from an activation service configured on an AD RMS server in the same Active Directory forest as the user.


2. After activation, an individual who wants to publish protected content uses their IRM-supported application to create an issuance license, also referred to as a publishing license, that specifies who can use the content and the terms of that use. The terms typically specify the time period for which the license is valid and enumerate the rights granted to the consumer. Common rights typically include the right to view, print, edit, and forward. The IRM-supported application can send the issuance license to an AD RMS publishing service to be signed or use a client licensor certificate (CLC) to sign the license offline. If the IRM-supported application uses online signing, the publishing service signs the issuance license and returns it. The signing process also produces an owner license that is saved in the license store of the user's computer. An owner license contains the OWNER right that enables the user (in this case the individual who wants to protect content) to exercise all rights enumerated by the issuance license. The IRM-supported application retrieves and binds to the owner license and encrypts the content.

3. The encrypted content and the signed issuance license are then made available for distribution to appropriate consumers. The distribution method is arbitrary and varies by application.

4. After an activated user has retrieved the signed issuance license, the IRM-supported application uses it to request an end-user license, also known as a use license, from the AD RMS licensing service specified in the issuance license. The end-user license contains a list of rights and conditions that apply to the requesting user.

5. The IRM-supported application binds to, and enforces, the rights enumerated in the end-user license and uses the public key in the issuance license to decrypt the protected content.


IRM Implementation in Office 365 Dedicated

The Information Rights Management (IRM) feature for Office 365 Dedicated plans has specific capabilities and constraints when compared to an on-premises IRM implementation. IRM protection is available for Exchange Online and SharePoint Online. Both services rely upon the existence of your on-premises AD RMS infrastructure, the export of the AD RMS server licensor certificate (SLC) “public” key or trusted user domain (TUD) from one or more forests within this environment, and the import of each TUD into the Office 365 AD RMS infrastructure dedicated to the subscribing organization.

The following sections describe how the IRM functionality applies to the Exchange Online and SharePoint Online services, and point out other IRM feature implementation considerations your organization should address.

1. Exchange Online Implementation
2. SharePoint Online Implementation
3. Additional Implementation Considerations


Exchange Online Implementation

Exchange Online messaging services can be provided solely from the Office 365 environment or within a hybrid configuration involving on-premises and online Exchange resources. The hybrid configuration, illustrated in the following diagram, is referred to as coexistence.

Exchange Online as an independent service will provide IRM protection for email and attachments that are created and consumed within Office 365. IRM protection for email and documents is invoked when an AD RMS rights policy template is applied to the email message. The template applies restrictions on forwarding, the extraction of information from the message, saving the message, or printing the message. Usage rights are attached to the message itself and remain with the message regardless of whether the message remains within, or travels between, on-premises, online, and other external environments.

For a coexistence environment, additional IRM functionality is available if the AD RMS trusted publishing domain (TPD) of each on-premises AD RMS cluster is made available for use in the Office 365 AD RMS infrastructure dedicated to your organization. A TPD collectively represents the server licensor certificate (SLC), AD RMS cluster “private” key, and rights policy templates of the on-premises cluster. Providing the TPD for use within Office 365 is optional. Two closely related reasons to support consideration of a TPD import into the Office 365 environment are the following:


Exchange coexistence with support for legacy protected content. If a user has an on-premises mailbox which holds content protected by their on-premises AD RMS cluster and the mailbox is migrated to the Exchange Online environment, the on-premises TPD will be needed to perform virus scanning and to apply transport protection rules against the migrated content.

Newly protected content within the on-premises environment is forwarded to the Exchange Online environment. If email messages and documents are protected within the on-premises environment on an ongoing basis and the content is forwarded to the Exchange Online environment, the presence of the on-premises TPD will allow the Office 365 AD RMS cluster to (a) issue use licenses for email messages protected by the on-premises cluster and (b) allow system level Exchange Online functions (for example, virus scanning and transport rule application) to be performed against the forwarded content.

In addition, the presence of the imported TPD within the Office 365 environment provides the following functionality:

Availability of on-premises rights policy templates. All rights policy templates associated with the source AD RMS licensing server for the TPD will be loaded into the Office 365 environment. The templates can be used by IRM-enabled applications to decrypt content originally protected within your on-premises environment.

Support for IRM in Outlook Web App. Users can use Outlook Web App to read IRM-protected messages generated within the on-premises Exchange environment. IRM-protected messages in Outlook Web App can be accessed through Internet Explorer, Firefox, Safari, and Google Chrome (no plug-in required) browsers and include full-text search, conversation view, and the preview pane. Exchange Online will pre-license the IRM-protected content for immediate viewing within Outlook Web App, and the ability to use WebReady document viewing of content also will be provided by Outlook Web App.

Support for IRM in Exchange ActiveSync. Users with mobile devices that support the IRM features of the Exchange ActiveSync protocol can open and work with IRM-protected messages generated within the on-premises Exchange environment without tethering the phone or installing additional IRM software. Administrators can control the use of this feature using Role-Based Access Control (RBAC) and Exchange ActiveSync policies.

Indexing of IRM-protected messages to support Search. IRM-protected messages are indexed and searchable. Headers, subject, body, and attachments are included. Users can search items protected in Outlook and Outlook Web App within the on-premises Exchange environment and administrators can search protected items by searching multiple mailboxes.


Application of Exchange Online transport protection rules. IRM-protected messages can be decrypted to allow your defined transport protection rules to be applied within Exchange Online. This provides persistent protection for the file regardless of where it is sent and prevents forwarding, copying, or printing, depending on the rights policy template applied.

Malware scanning following transport decryption. IRM-protected messages received by Exchange Online can be decrypted and forwarded to the Forefront Protection for Exchange (FPE) application for virus scanning within the Exchange servers of Office 365.

Journal Report decryption for legal discovery and regulatory purposes. When messages marked for journaling are sent to an external archive, a decrypted, clear-text copy of the IRM-protected messages (including Office and XPS attachments) can be included in journal reports. This allows IRM-protected messages to be indexed and searched for legal discovery and regulatory purposes. The original IRM-protected message is also included in the report.

Unified Messaging Hosted Voicemail protection. Either senders or administrators can apply IRM protection to voice messages to prevent unauthorized individuals from consuming the message and to prevent recipients from forwarding it, saving a copy of it, or saving or copying the audio attachment. To apply these restrictions, senders must mark the message as “private.” For additional information, see Understanding Protected Voice Mail.

Note: Outlook Protection Rules (the application of IRM protection when messages are sent by an Outlook client) are not supported.


SharePoint Online Implementation

For on-premises and SharePoint Online installations, an IRM protector is used to automatically encrypt and decrypt a document placed in a library or attached to a list item. Document protection is managed by (1) a use license that grants rights to a specific user, (2) the AD RMS policy set on the SharePoint library or list, and (3) the rights granted within the library or list for specific users.

With Office 365, SharePoint will use a client licensor certificate (CLC) issued by the Office 365 AD RMS cluster to protect documents. The SharePoint Online user will then acquire a use license from the Office 365 AD RMS cluster to consume the protected documents. When requesting a use license, a consumer will use the rights account certificate (RAC) issued by your on-premises AD RMS cluster. The user’s RAC is recognized since the Office 365 AD RMS cluster has a copy of the TUD from the on-premises environment. SharePoint Online has no use for the on-premises TPD since SharePoint Online servers never request a use license from the Office 365 AD RMS cluster.

Within SharePoint Online, IRM protector applications exist only for Word, Excel, PowerPoint, XML Paper Specification (XPS) format, and InfoPath forms. For additional information describing how IRM protection is implemented with SharePoint, see the MSDN article IRM Framework Architecture in SharePoint Foundation.


Additional Implementation Considerations

When planning for implementation of the IRM feature, your organization may need to consider the following:

Prerequisites to support an Exchange coexistence environment where messaging content is protected and consumed between an Office 365 online environment and your on-premises environment (see Hybrid Deployment on the Exchange Server 2013 Release Documentation landing page).

Integration with other authentication systems, Unified Messaging applications, and other IT environments external to Office 365 or the environments managed by your organization.

Supported versions of Exchange Online, SharePoint Online, server and client operating systems, web browsers, client applications, and mobile devices.

Use of third-party IRM applications to protect content and the use of two-factor authentication applications in conjunction with IRM.

Automatic rules-based protection of email and the automatic determination of revoked rights to access IRM-protected content.

For a complete list of the capabilities and constraints of the IRM feature set including expanded descriptions of each topic, see the AD RMS Service Description (Legacy Platform Release) on the IRM landing page of the Customer Extranet site.


Establishing the IRM Environment

The IRM feature for Office 365 Dedicated plans provides rights management capabilities for organizations subscribed to Exchange Online and SharePoint Online. To establish an IRM environment, you must understand how to configure and administer an on-premises AD RMS environment. You also must be familiar with the scope of the IRM offering for Office 365 Dedicated including specific IT environment requirements, non-supported functionality, and limitations associated with the Exchange Online Dedicated and SharePoint Online Dedicated offerings. See the AD RMS Service Description (Legacy Platform Release) on the IRM landing page of the Customer Extranet site. The prerequisites for using the IRM feature are described in the following sections.

On-premises AD RMS Implementation

This prerequisite applies to Exchange Online and SharePoint Online.

The IRM feature will function only in conjunction with an AD RMS implementation within your on-premises environment. The feature is not available to organizations that do not already manage their own AD RMS environment. If your organization does not have the required AD RMS infrastructure, this environment first must be established before subscribing to the IRM feature. For more information, see Installing an AD RMS Cluster.

Two-way Forest Trust with Selective Authentication

This prerequisite applies to Exchange Online.

Office 365 AD RMS application servers need to make calls to your Active Directory and AD RMS servers. Without a trust from your environment to the Office 365 Active Directory environment, these calls would fail. The Selective Authentication setting restricts the use of an Active Directory trust to allow only designated credentials to leverage the trust. To establish the required trust, a Change Request must be submitted on behalf of your organization by your Microsoft Service Delivery Manager (SDM). An environment discovery process will follow and specific Customer Environment Configuration for Identity (CECI) documentation will be provided to your organization.


The two-way forest trust can be implemented with adequate security controls to support only the IRM feature. For additional information, see Two-way Forest Trust with Selective Authentication FAQs. Also see Security Configurations for Trusts.

The SDM assigned to your account can provide access to Microsoft personnel capable of assisting with the implementation of the two-way forest trust configuration.

Trusted User Domain for Every AD RMS Cluster

This prerequisite applies to Exchange Online and SharePoint Online.

Your organization must export and provide to Microsoft the trusted user domain (TUD) for every AD RMS certification cluster within your on-premises environment to be integrated with Office 365. The addition of a TUD allows the Office 365 AD RMS certification cluster to process requests for client licensor certificates or use licenses from each user whose rights account certificate (RAC) was issued by a different AD RMS certification cluster. A TUD is similar to an Active Directory Domain Services (AD DS) domain trust in that it allows access to a foreign AD RMS cluster using a user RAC issued by the local AD RMS cluster. The TUD from every on-premises AD RMS forest to be integrated with Office 365 must be provided to Microsoft. Each TUD is imported into the Office 365 AD RMS managed cluster.

The TUD is the public key equivalent to an X.509 public key infrastructure (PKI) certificate. Since the TUD is used in a manner equivalent to the purpose of a PKI “public” key, a TUD owner can provide this component without security risk. The delivery of the TUD will be coordinated between your IT staff and the assigned Microsoft Deployment Program Manager.

The SDM assigned to your account can provide access to Microsoft personnel capable of assisting with the transfer of a copy of the on-premises TUD(s).
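The certificate and license flow described in steps 1 to 5 of How Is Information Protected? and the TUD versus TPD distinction described in this section and in Exchange Online Implementation can be exercised with the following model. It is an added example, not Microsoft code or any AD RMS implementation: two toy clusters hold RSA server licensor keys, a RAC is signed by the on-premises cluster, an issuance license carries an AES-GCM content key wrapped to the publishing cluster's public key, and a use license is issued only when the licensing cluster holds the private key (the TPD) of the content's publisher. The cluster names, the user name and the message text are constructed sample values; XrML, license signing, the machine certificate and the re-wrapping of the content key to the RAC key pair are left out.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Cluster is a toy AD RMS cluster; its RSA key pair stands in for the SLC key.
type Cluster struct {
	Name string
	Key  *rsa.PrivateKey
	TUDs map[string]*rsa.PublicKey  // imported trusted user domains: public keys only
	TPDs map[string]*rsa.PrivateKey // imported trusted publishing domains: private keys too
}

func NewCluster(name string) *Cluster {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	// A cluster trusts its own SLC key in both roles.
	return &Cluster{name, k, map[string]*rsa.PublicKey{name: &k.PublicKey}, map[string]*rsa.PrivateKey{name: k}}
}

// RAC is a rights account certificate: a user name signed by the cluster that enrolled the user.
type RAC struct {
	User, Issuer string
	Sig          []byte
}
func (c *Cluster) IssueRAC(user string) RAC {
	h := sha256.Sum256([]byte("RAC|" + user + "|" + c.Name))
	sig, _ := rsa.SignPSS(rand.Reader, c.Key, crypto.SHA256, h[:], nil)
	return RAC{user, c.Name, sig}
}

// IssuanceLicense: who may use the content and how, plus the content key wrapped to the publisher's key.
type IssuanceLicense struct {
	Issuer     string
	Rights     map[string]map[string]bool // user -> right -> granted
	WrappedKey []byte                     // RSA-OAEP to the publishing cluster (license signing omitted)
}
// UseLicense is the end-user license: one user's rights plus the content key.
type UseLicense struct {
	User   string
	Rights map[string]bool
	Key    []byte // real AD RMS encrypts this to the RAC public key; returned unwrapped here for brevity
}

// Protect encrypts content with a fresh AES-256-GCM key and builds the issuance license.
func (c *Cluster) Protect(plain []byte, rights map[string]map[string]bool) (IssuanceLicense, []byte) {
	buf := make([]byte, 44) // 32-byte content key followed by 12-byte GCM nonce
	rand.Read(buf)
	block, _ := aes.NewCipher(buf[:32])
	gcm, _ := cipher.NewGCM(block)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &c.Key.PublicKey, buf[:32], nil)
	return IssuanceLicense{c.Name, rights, wrapped}, gcm.Seal(buf[32:], buf[32:], plain, nil) // nonce prepended
}

// IssueUseLicense needs a TUD (public key) to verify the RAC but a TPD (private key) to unwrap the content key.
func (c *Cluster) IssueUseLicense(il IssuanceLicense, rac RAC) (UseLicense, error) {
	h := sha256.Sum256([]byte("RAC|" + rac.User + "|" + rac.Issuer))
	if pub := c.TUDs[rac.Issuer]; pub == nil || rsa.VerifyPSS(pub, crypto.SHA256, h[:], rac.Sig, nil) != nil {
		return UseLicense{}, fmt.Errorf("%s: RAC from %s not trusted (no TUD)", c.Name, rac.Issuer)
	}
	if c.TPDs[il.Issuer] == nil {
		return UseLicense{}, fmt.Errorf("%s: cannot license content from %s (no TPD)", c.Name, il.Issuer)
	}
	if il.Rights[rac.User] == nil {
		return UseLicense{}, fmt.Errorf("%s is not named in the issuance license", rac.User)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.TPDs[il.Issuer], il.WrappedKey, nil)
	if err != nil {
		return UseLicense{}, err
	}
	return UseLicense{rac.User, il.Rights[rac.User], key}, nil
}

// Consume models the IRM-enabled application: it enforces the requested right before decrypting.
func Consume(ul UseLicense, ct []byte, right string) ([]byte, error) {
	if !ul.Rights[right] {
		return nil, fmt.Errorf("right %s not granted to %s", right, ul.User)
	}
	block, _ := aes.NewCipher(ul.Key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:12], ct[12:], nil)
}

func main() { // migrated-mailbox case: on-premises content read from Office 365
	onprem, o365 := NewCluster("onprem"), NewCluster("o365")
	alice := onprem.IssueRAC("alice@contoso.example") // constructed sample user
	il, ct := onprem.Protect([]byte("on-premises mail"), map[string]map[string]bool{alice.User: {"VIEW": true}})
	o365.TUDs[onprem.Name] = &onprem.Key.PublicKey // TUD import: public key only
	_, err := o365.IssueUseLicense(il, alice)
	o365.TPDs[onprem.Name] = onprem.Key // TPD import: private key as well
	ul, _ := o365.IssueUseLicense(il, alice)
	plain, _ := Consume(ul, ct, "VIEW")
	fmt.Printf("TUD only: %v\nTUD+TPD: %s\n", err, plain)
}
```

Run stand-alone, the program prints the "no TPD" refusal first and the decrypted text after the TPD import, which is the behaviour this section describes for a migrated mailbox.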


Supported IRM Configurations

The Information Rights Management (IRM) feature is supported in the following environment configurations for Office 365 dedicated plans and ITAR-support plans:

Exchange Online only.
Exchange Online with on-premises Exchange.
SharePoint Online only.
Exchange Online and SharePoint Online.
Exchange Online with on-premises Exchange and SharePoint Online.

As stated in the AD RMS Service Description (Legacy Platform Release) accessible via the IRM landing page of the Customer Extranet site, the IRM feature does not support the following:

Interaction with AD RMS via federation protocols or clients.
Support for AD RMS trusts involving systems that are not within the security realm of your organization.
Integration with Windows Live ID.


The following diagram illustrates the principal elements required to implement the IRM feature to support the configurations listed above. Also shown are the trust-granting relationships between the environments.

As shown in the diagram, the following characteristics apply to an Office 365 dedicated plan or ITAR-support plan implementation of IRM:

The on-premises or online environment is capable of protecting Exchange email messages and Office documents. Documents can be protected when attached to an IRM-protected email message, using a Microsoft IRM-enabled application, or when placed within an IRM-enabled SharePoint document library or list. Conditions related to the protection and consumption of content are described in the table below.


If the on-premises environment TPD has been imported into the Office 365 AD RMS cluster dedicated to your organization, all of the features described in the Exchange Online Implementation section can be utilized.

The following table identifies the IRM protection and consumption characteristics for content shared within and between the IRM source and destination environments. Each row gives the IRM source environment characteristics (source environment and source application) followed by the IRM destination environment characteristics (consumption application, Office 365 consumption experience, and on-premises consumption experience).

Source environment: Office 365
Source application: Outlook or Outlook Web App
Consumption application: Outlook
Office 365 consumption experience: Content consumable within Office 365 environment by authorized user (Office attachments also consumable)
On-premises consumption experience: Content consumable within on-premises environment by authorized user (Office attachments also consumable)

Source environment: Office 365
Source application: Outlook or Outlook Web App
Consumption application: Outlook
Office 365 consumption experience: Content consumable within Office 365 environment by authorized user (Office attachments also consumable)
On-premises consumption experience: Content consumable within on-premises environment by authorized user (Office attachments also consumable)

Page 19: Information Rights Management Feature Guide (Legacy ...download.microsoft.com/download/B/0/7/B07FD4D1-DDF2-4219-802… · IRM Feature Guide Legacy Platform Release Office 365 Dedicated

IRM Feature Guide

Legacy Platform Release

Office 365 Dedicated & ITAR-Support Plans

© 2015 Microsoft Corporation. All rights reserved.

Page 19 of 50

IRM Source

Environment

Characteristics

IRM Destination

Environment

Characteristics

Office 365 Other Office

applications

(native Word,

Excel, and

PowerPoint

formats or XPS)

Office applications Content

consumable within

environment by

authorized user

Content

consumable within

environment by

authorized user

Office 365 SharePoint SharePoint Authorized user

must access source

SharePoint Online

document library

or list to retrieve

document

Authorized user

must access source

SharePoint Online

document library

or list to retrieve

document

On-premises Outlook or

Outlook Web App

Outlook Content

consumable within

Office 365

environment by

authorized user (

Office attachments

also consumable)

Content

consumable within

on-premises

environment by

authorized user

(Office

attachments also

consumable)

Page 20: Information Rights Management Feature Guide (Legacy ...download.microsoft.com/download/B/0/7/B07FD4D1-DDF2-4219-802… · IRM Feature Guide Legacy Platform Release Office 365 Dedicated

IRM Feature Guide

Legacy Platform Release

Office 365 Dedicated & ITAR-Support Plans

© 2015 Microsoft Corporation. All rights reserved.

Page 20 of 50

IRM Source

Environment

Characteristics

IRM Destination

Environment

Characteristics

On-premises Outlook or

Outlook Web App

Outlook Web App Content (email and

Office

attachments)

consumable within

Office 365

environment by

authorized user if

your organization

has provided on-

premises TPD(s)

for import into

Office 365

Content

consumable within

on-premises

environment by

authorized user

(Office

attachments also

consumable

On-premises Other Office

applications

(native Word,

Excel, and

PowerPoint

formats or XPS)

Office applications Content

consumable within

environment by

authorized user

Content

consumable within

environment by

authorized user

On-premises SharePoint SharePoint Authorized user

must access source

on-premises

SharePoint

document library

or list to retrieve

document

Authorized user

must access source

on-premises

SharePoint

document library

or list to retrieve

document


Export and Import of Trusted User Domain

By default, an AD RMS cluster does not service requests from a user with a rights account certificate (RAC) issued by a different AD RMS cluster. To allow on-premises users to publish and consume protected content within Office 365, the on-premises AD RMS domains must be added to a list of trusted user domains within the Office 365 AD RMS infrastructure. The process involves the export of the server licensor certificate (SLC) of every on-premises forest that provides AD RMS functionality to the users that will utilize the Office 365 environment. Each exported SLC represents the trusted user domain (TUD) of that specific AD RMS environment. These “trusted” domains are then imported into the “trusting” Office 365 environment.

The following diagram illustrates the initial steps to export/import a TUD (steps 1 – 3) followed by the publishing steps for IRM-protected content and the consumption scenarios (steps 4 – 9) for Office applications (Outlook Web App premium and Exchange ActiveSync experiences excluded due to their use of the AD RMS pre-licensing capability). Your service delivery manager and Deployment Program Manager can assist with planning and execution of the TUD export/import process.


Identification of Trusted Email Domains

An identity within AD RMS is the email address held within the Active Directory “mail” attribute for the user. All users and groups that use AD RMS to acquire licenses and publish content must have an email address configured within the on-premises Active Directory. When the process to import each TUD you provide into the Office 365 environment is complete, an administrator for the Office 365 AD RMS cluster can place a Change Request to specify which remote email domains of the on-premises environment will become trusted email domains.

Note:

We recommend identifying which remote email domains will be trusted within the Office 365 AD RMS environment; otherwise, it may be possible for a user from a “trusted” (on-premises) user domain to impersonate a user from another Active Directory forest.


Exchange and SharePoint Online Considerations

This topic describes the following considerations when implementing an IRM environment for Exchange Online:

Trusted publishing domain (TPD) sharing

Rights policy templates

Transport protection rules

Journaling report decryption

Protection policies for SharePoint Online are described in the Considerations for SharePoint Online section.

Trusted Publishing Domain Sharing

The optional IRM functionality for Exchange Online described in the Exchange Online Implementation section relies upon the existence of your on-premises trusted publishing domain (TPD), meaning the “private” key of the AD RMS cluster and its rights policy templates, within the Office 365 AD RMS environment. To provide this functionality, specific steps must be followed to export/import the TPD. The AD RMS product requires the use of a password to protect a TPD at the time of export (the export process prompts for a password). Specific instructions describing the TPD export process can be found in the TechNet article Exporting a Trusted Publishing Domain. A Microsoft service delivery manager (SDM) can then be contacted to place a Change Request to arrange to have the TPD provided to Microsoft for import.


Note:

If an on-premises environment has more than one AD RMS licensing cluster, the export of the TPD from each cluster is recommended to ensure IRM-protected content is processed properly within the Office 365 environment. The export action is especially relevant for Exchange coexistence configurations. Selective TPD exchange will result in restrictions being placed on the additional functionality described in the topic IRM Implementation in Office 365 Dedicated.

Conversely, Microsoft can provide the TPD for the Office 365 environment to your organization for import within your on-premises environment to support the bulk decryption of content for legal discovery purposes. If the Office 365 TPD is required, your SDM and Deployment Program Manager can assist with planning and execution of the TPD export/import process. To address smaller scale content decryption requirements, your compliance personnel can use the “super user” access method described in the topic IRM Super User Access.

Rights Policy Templates

As previously described, several Microsoft applications have the native ability to apply specific rights management protection features. If an organization desires to define specific IRM protection policies to be applied to content, rights policy templates can be used. A template such as “Company Confidential” could be used to allow only employees to have the ability to view content but not forward, copy, or save the document outside of the company. An “Expires in 30 days” policy could be used to ensure content is made invalid after 30 days. The custom templates can be applied using Microsoft Office applications, Outlook Web App, or via transport protection rules.

The following table provides a summary of the native rights and permissions that are available with specific applications. Also shown are the custom rights available when using rights policy templates.


Permission | Office App | XPS App (1) | SharePoint Server | Windows Mobile Devices | AD RMS Rights Policy Templates (2)
--- | --- | --- | --- | --- | ---
Full Control | Yes | Yes | Yes | No | Yes
Export (Save As) | Yes | Yes | No | No | Yes
View (Read) | Yes | Yes | Yes | Yes | Yes
Extract (copy) | Yes | Yes | Yes | No | Yes
Allow Macros | Yes | No | No | Yes | Yes
Reply | Yes | No | No | No | Yes
View Rights | No | No | No | No | Yes
Save | No | Yes | Yes | No | Yes
Print | Yes | Yes | Yes | No | Yes
Edit | Yes | No | Yes | No | Yes
Forward | No | No | No | No | Yes
Reply All | No | No | No | Yes | Yes
Custom Rights | No | No | No | No | Yes

(1) XML Paper Specification (.xps) file format.

(2) SharePoint Server IRM, Windows Mobile 6.x, and Windows Phone 7.5, 7.8, & 8.0 do not support applying protection through templates. SharePoint Server will only store documents protected through templates and will apply the additional IRM protection settings of the SharePoint library or list. Windows Mobile and Windows Phone can only consume documents and email protected through templates.

If rights policy templates are created and used within an on-premises AD RMS environment of your security realm, these templates can be imported into the dedicated Office 365 environment for use by Microsoft Office applications and Exchange Online to decrypt IRM-protected content. The templates become available for decryption use only by following the Trusted Publishing Domain Sharing process.


Note:

Whenever updates are applied to any of the on-premises environment templates, the same updates must be applied to the Office 365 environment by re-executing the TPD sharing process, so that template availability is consistent throughout the enterprise.

When templates are imported into Office 365 via the TPD sharing process, the state of each template is set as “Archived” and cannot be modified or used for transport protection within Office 365. To create templates to be applied to content within Office 365, see the Creation of rights policy templates within Office 365 section; to apply templates for transport protection use, see the Transport Protection Rules section.

The re-import of a TPD into the Office 365 environment will remove all templates associated with the prior TPD import, followed by the loading of the new template versions into the environment.

Important:

Because content may exist within Office 365 that was protected using a specific on-premises rights policy template or a custom rights policy template created within Office 365, an appropriate best practice is to retain templates for an extended period to ensure older protected content can be decrypted.


Creation of Rights Policy Templates

Within the Office 365 environment, additional rights policy templates can be created for use by Office applications, Office Web App, or for transport protection. As shown below, newly created templates become immediately accessible to Office Web App users and for transport protection; the templates must be propagated to Office clients.

Prior to attempting to create or edit templates, confirm the administrative user has been added to the RMS Template Administrators security group. The options to perform template creation and editing within Office 365 are the following:

1. AD RMS snap-in for the Microsoft Management Console (MMC)

2. Windows PowerShell using the ADRMSAdmin provider


MMC Method

To use the MMC method, a connection must be made to the AD RMS cluster within Office 365. An SSL connection, as shown in the example below, must be created. The Microsoft Deployment Program Manager can provide the Office 365 AD RMS cluster URL.

Remote Windows PowerShell Method

To use the Remote Windows PowerShell method to create rights policy templates, use the following Windows PowerShell commands:

1. Import the AD RMS Windows PowerShell administration module.

Import-Module AdRmsAdmin

2. Create a Windows PowerShell drive that represents the AD RMS cluster to be administered.

New-PSDrive -Name <drive> -PsProvider AdRmsAdmin -Root <clusterURL>

The following example represents the creation of a drive named RMS that represents the AD RMS cluster hosted within a fictitious Office 365 environment named 999d:

New-PSDrive -Name RMS -PsProvider AdRmsAdmin -Root https://rms.999.d.office365.com

3. Set the current location.

Set-Location <drive>:\[<container>]

<drive> is the name of the drive created in a previous step (RMS in the example)

<container> is the optional path name of the container within the drive. For information about how to use these containers, see Understanding the AD RMS Administration Provider Namespace.

The following example sets the current location to the RightsPolicyTemplate container in the RMS drive:

Set-Location RMS:\RightsPolicyTemplate

4. Create a rights policy template.

New-Item -Path <drive>:\RightsPolicyTemplate -LocaleName <locale_names> -DisplayName "<display_names>" -Description "<descriptions>"

<drive> = name of the Windows PowerShell drive created in a previous step

<locale_names> = language and location

<display_names> = name of template

<descriptions> = general description of template

Example:

New-Item -Path RMS:\RightsPolicyTemplate -LocaleName en-us -DisplayName "O365 - FTE Only" -Description "Limits rights to full time employees only"

5. Complete the customization of the newly created template as described in the following:

Editing a Rights Policy Template using MMC

Editing a Rights Policy Template using PowerShell

Other reference information describing the initial creation of the template is the following:

Create a New Rights Policy Template using MMC

Using Windows PowerShell to Administer AD RMS

Creating a New Rights Policy Template using PowerShell
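The steps above, combined into one script, as an added example that is not part of the guide: it creates the template with the same AdRmsAdmin provider calls, but first checks for a template name collision because duplicate names block a later TPD import. The cluster URL is a placeholder, the RMS drive name is taken from the guide's example, and the DisplayName property read from template items is an assumption.

```powershell
# Added example, not from the guide: create a rights policy template in the
# Office 365 AD RMS cluster with the AdRmsAdmin provider, refusing to create a
# template whose display name already exists (duplicate names block TPD import).
# Assumptions: $ClusterUrl is a placeholder for your cluster URL (obtain it from
# your Deployment Program Manager); the DisplayName property on template items
# returned by Get-ChildItem is assumed.
param(
    [string]$ClusterUrl  = 'https://rms.<your-environment>.office365.com',  # placeholder
    [string]$DisplayName = 'O365 - FTE Only',
    [string]$Description = 'Limits rights to full time employees only',
    [string]$LocaleName  = 'en-us'
)

# Step 1: load the AD RMS administration module.
Import-Module AdRmsAdmin

# Step 2: map the Office 365 cluster to a drive named RMS (created once per session).
if (-not (Get-PSDrive -Name RMS -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root $ClusterUrl | Out-Null
}

function Test-TemplateNameCollision {
    param([Parameter(Mandatory)][string]$Name)
    # Templates imported through a TPD sit in the same container in the Archived
    # state; a collision with any existing name is what blocks a later TPD import.
    $existing = Get-ChildItem -Path 'RMS:\RightsPolicyTemplate' -ErrorAction Stop
    foreach ($template in $existing) {
        if ($template.DisplayName -eq $Name) { return $true }   # DisplayName: assumed property
    }
    return $false
}

function New-O365RightsPolicyTemplate {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Text,
        [string]$Locale = 'en-us'
    )
    if (Test-TemplateNameCollision -Name $Name) {
        throw "A template named '$Name' already exists; choose a unique name so TPD transfer is not blocked."
    }
    # Step 4: same cmdlet and parameters as the guide's New-Item example.
    $item = New-Item -Path 'RMS:\RightsPolicyTemplate' -LocaleName $Locale `
                     -DisplayName $Name -Description $Text -ErrorAction Stop
    # Step 5 (assigning rights, expiry and so on) still has to be done in MMC or
    # PowerShell, and the template must then be propagated to Office clients.
    return $item
}

New-O365RightsPolicyTemplate -Name $DisplayName -Text $Description -Locale $LocaleName
```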


Note:

If a TPD from your AD RMS environment has been imported into the Office 365 environment, the on-premises templates will be recognized by Office 365. These templates are loaded into the Office 365 AD RMS cluster in an Archived state and can only be used to support the decryption of content protected on-premises; these templates cannot be renamed or modified.

Important:

When new templates are created within either the on-premises or online environments, care must be taken to apply a unique name to each template to prevent a template name collision from occurring when a TPD is transferred between the on-premises and Office 365 environments, since the existence of duplicate template names will block TPD import.

Transport Protection Rules

Exchange Online can scan messages in transit and classify them as required. AD RMS protection is considered to be another action within a transport rule and can be combined with any other transport protection rule predicates and actions. A specific AD RMS rights policy template created within Office 365 can be associated with a specific transport rule. Note, however, that a transport rule to protect content will not be honored if the content has already been IRM-protected by an application.

To associate an AD RMS rights policy template with an Exchange Online transport rule, the rights policy template must be created in the Office 365 AD RMS service. As stated above, a template imported via a TPD is set as Archived and cannot be used.

Applying Newly Created Rights Policy Templates as Transport Protection

A newly created rights policy template can be associated with a transport rule by either creating a new rule (New-TransportRule cmdlet) or modifying an existing rule (Set-TransportRule cmdlet) via Remote Windows PowerShell along with the use of the ApplyRightsProtectionTemplate parameter. For more information, see the TechNet articles Transport Protection Rules and Create a Transport Protection Rule, which also includes a link to information describing how to disable a rule.


Important:

Improperly constructed transport rules have the potential to cause the issuance of a large volume of non-delivery reports (NDRs) and to degrade system performance. Confirming transport rule logic is essential before associating a template with a transport rule. To disable a malfunctioning transport rule, use the Disable-TransportRule "transport_rule_name" cmdlet of Remote Windows PowerShell, and use the Enable-TransportRule "transport_rule_name" cmdlet to re-enable the rule. To completely remove a disabled transport rule, contact Microsoft Online Services Support.

Note:

If a rights policy template used by a transport protection rule is deleted from the Office 365 AD RMS cluster but the transport rule continues to attempt to use the template, the RMS server will fail to license the content and an NDR will be sent to the sender.
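The transport protection procedure described in this topic, as an added example that is not part of the guide: it uses the New-TransportRule, Get-RMSTemplate, Get-TransportRule and Enable-TransportRule cmdlets to refuse an Archived or missing template and to create the rule disabled so the logic can be reviewed before any NDRs can be generated. It assumes an open Remote Windows PowerShell session to Exchange Online; the rule name, template name and subject keyword are constructed placeholders.

```powershell
# Added example, not from the guide: associate an Office 365 rights policy template
# with an Exchange Online transport rule while guarding against the failure modes
# described above (an Archived or deleted template, and a rule enabled before its
# logic has been reviewed). Assumes an open Remote Windows PowerShell session to
# Exchange Online; all names below are constructed placeholders.
function New-IrmTransportRule {
    param(
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$SubjectKeyword
    )
    # Templates imported via a TPD are Archived and cannot be used; only a template
    # created in the Office 365 cluster (Type = Distributed) is accepted here.
    $template = Get-RMSTemplate -Type All | Where-Object { $_.Name -eq $TemplateName }
    if (-not $template) {
        throw "Template '$TemplateName' is not in the Office 365 AD RMS cluster; a rule using it would NDR every matching message."
    }
    if ($template.Type -ne 'Distributed') {
        throw "Template '$TemplateName' is $($template.Type); only Distributed templates can be applied by a transport rule."
    }
    # Create the rule disabled: a misconstructed rule can flood senders with NDRs,
    # so its predicates are reviewed before it takes effect.
    New-TransportRule -Name $RuleName `
        -SubjectContainsWords $SubjectKeyword `
        -SentToScope InOrganization `
        -ApplyRightsProtectionTemplate $TemplateName `
        -Enabled $false
}

function Enable-ReviewedIrmTransportRule {
    param([Parameter(Mandatory)][string]$RuleName)
    $rule = Get-TransportRule -Identity $RuleName -ErrorAction Stop
    # Display the predicates and the protection action one last time, then enable.
    $rule | Format-List Name, SubjectContainsWords, SentToScope, ApplyRightsProtectionTemplate, State
    Enable-TransportRule -Identity $RuleName
}

# Create the rule; it stays disabled until Enable-ReviewedIrmTransportRule is run
# after review. Disable-TransportRule -Identity <name> backs it out again.
New-IrmTransportRule -RuleName 'Protect-Internal-Confidential' `
    -TemplateName 'O365 - FTE Only' -SubjectKeyword 'Confidential'
```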

Journaling Report Decryption

When sending messages to an external journal archive, IRM-protected messages and a decrypted (clear-text) copy of each message will be included in the journal reports. Any Microsoft Office and XPS attachments also will be decrypted, and a protected and unprotected copy of the attachment will accompany the archived message. Having unencrypted copies of the message and attachments allows these messages to be indexed and searched for legal discovery and regulatory purposes. The original IRM-protected message is also included in the report.


Note:

Forced Transport Layer Security (TLS) communication is recommended between Exchange Online and the target external archiving system to prevent any information from being transported in an unencrypted state.

If the Proofpoint service provided by Exchange Online is used as an archiving solution, Proofpoint will not process a journal report that contains an encrypted and decrypted copy of an Exchange message; the message instead will be moved to the Archiving Issues folder. An alternative procedure is to request disablement of transport server decryption for all IRM-protected messages, allow a single encrypted message to be retrieved by Proofpoint, and allow Proofpoint to index the To, From, Date, Subject, and Attachment Type attributes of the message. For eDiscovery purposes, compliance personnel can utilize an elevated privilege to examine IRM-protected messages held in Proofpoint (or other mailboxes) by implementing the “super user” access method described in the IRM Super User Access section.

Considerations for SharePoint Online

Rights policy templates similar to those used by Microsoft Office clients are not used by SharePoint Online. Protection policies are solely based upon IRM policy settings for the SharePoint Online library or list.

Any additional protection applied to the content other than AD RMS protection from within the Office 365 environment (for example, protection provided by third-party applications or by a SharePoint system outside of the Office 365 environment) cannot be decrypted by SharePoint Online. The content will be considered opaque to SharePoint Online, which means indexing and identification using the search capability of SharePoint Online will not be possible.


Using IRM Clients

Information Rights Management (IRM) functionality in Office 365 can use a variety of client-based systems and devices. The list of supported clients includes traditional “rich client” desktop and laptop systems using Microsoft Outlook or Microsoft Outlook Web App, popular Web browsers that support the Outlook Web App Premium version, and select mobile devices.

IRM protection is applied to email by applying an AD RMS rights policy template to the email message. Usage rights are attached to the message itself to allow protection to be in effect while the client is online or offline and also while the client is inside and outside of an organization's firewall. The rights policy template applied to an email message can control what permissions recipients have on a message and Microsoft Office attachments, such as forwarding, extracting information from a message, saving a message, or printing a message.

Note:

Email attachments that are not a native Office file type are encrypted along with a Microsoft Exchange Online email message. When the message is decrypted, the attachment will not have IRM restrictions. In SharePoint Online, no level of protection is provided to a non-native Office file type that is uploaded into, or downloaded from, a document library or list.

You can find client information on Microsoft TechNet and from other Microsoft sources to help you become familiar with the steps to configure an IRM client and how to interact with the IRM user interface for these clients. The information below includes special notes and links to reference material. A complete list of supported features and limitations is included in the AD RMS Service Description (Legacy Platform Release) accessible via the IRM landing page of the Customer Extranet site.

Rich Client Systems

The following requirements and recommendations exist for rich client systems (for example, Windows operating system based) used for IRM protection.


Use Latest AD RMS Client

All clients that use IRM must use the latest AD RMS client and install the hotfix to remove the manifest expiry feature on client systems (Microsoft Support article 979099).

Distribute Rights Policy Templates

Client systems require a copy of the Office 365 rights policy templates. Propagation of the templates is accomplished by following methods commonly used for on-premises AD RMS installations, namely, (1) via the AD RMS web service; (2) from a client that has already downloaded the templates via the web service; (3) via a publishing universal naming convention (UNC) location. If a UNC location is used, the location must be on-premises and the Office 365 AD RMS service account must have write access permissions to the UNC location. A slipstream Change Request must be placed with Microsoft Online Services to establish a UNC template export arrangement.

Configure Local Intranet Zone in Internet Explorer

Clients used for IRM applications must be configured to use Windows Integrated Authentication when accessing the Office 365 licensing URL. The most common method to implement the settings is to place the fully qualified domain name (FQDN) for the Office 365 AD RMS licensing URL in the Local Intranet Zone within the security settings of Internet Explorer. The Group Policy settings feature of Active Directory can be used to distribute the security setting. We also recommend adding the FQDN of the local AD RMS cluster to the Local Intranet Zone of the client.

Implement Registry Overrides to Point to Office 365 Licensing URL

To simplify administration and support, a single AD RMS cluster can be used for licensing. For more information about the method that allows you to set client registry override keys, see the TechNet article AD RMS Client Service Discovery. The EnterprisePublishing key should be set to the URL of the Office 365 AD RMS licensing cluster (for example, https://rms.999.d.office365.com) to allow the AD RMS client to discover the Office 365 AD RMS cluster. You can obtain the value for your Office 365 environment from the Office 365 Deployment Program Manager assigned to your organization.


Clean Up Previous AD RMS Customizations

All AD RMS clients that were used with a previous AD RMS release should be re-initialized by performing the following:

1. Delete the Digital Rights Management (DRM) folder in %localappdata%\Microsoft\

2. Delete any cached configurations stored in the following registry locations:

a) HKEY_CURRENT_USER\Software\Microsoft\Office\X.0\Common\DRM

b) HKEY_CURRENT_USER\Software\WoW6432Node\Microsoft\Office\X.0\Common\DRM

3. Delete any custom AD RMS-related registry values that may have been deployed.
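Steps 1 and 2 of the clean-up above as a script, added here as an example that is not part of the guide. It assumes Office version numbers 14.0, 15.0 and 16.0 in place of the guide's X.0, runs in the affected user's session, and leaves step 3 to the administrator because custom values differ per deployment; -WhatIf lists what would be removed without removing anything.

```powershell
# Added example, not from the guide: re-initialize an AD RMS client by removing the
# DRM folder and the cached DRM registry configuration listed in steps 1 and 2.
# Assumptions: Office versions 14.0, 15.0 and 16.0 stand in for the guide's X.0;
# step 3 (site-specific custom values) is left to the administrator; run in the
# affected user's session. Supports -WhatIf so the plan can be inspected first.
function Reset-AdRmsClientState {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$OfficeVersions = @('14.0', '15.0', '16.0'))

    $removed = New-Object System.Collections.Generic.List[string]

    # Step 1: the DRM folder holds the client's cached certificates and licenses.
    $drmFolder = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM'
    if (Test-Path -LiteralPath $drmFolder) {
        if ($PSCmdlet.ShouldProcess($drmFolder, 'Remove cached DRM folder')) {
            Remove-Item -LiteralPath $drmFolder -Recurse -Force
        }
        $removed.Add($drmFolder)
    }

    # Step 2: cached configuration under each Office version, native and WoW6432Node.
    foreach ($version in $OfficeVersions) {
        $keys = @(
            "HKCU:\Software\Microsoft\Office\$version\Common\DRM",
            "HKCU:\Software\WoW6432Node\Microsoft\Office\$version\Common\DRM"
        )
        foreach ($key in $keys) {
            if (-not (Test-Path -LiteralPath $key)) { continue }
            if ($PSCmdlet.ShouldProcess($key, 'Remove cached DRM registry key')) {
                Remove-Item -LiteralPath $key -Recurse -Force
            }
            $removed.Add($key)
        }
    }

    # Step 3 is intentionally not automated: custom AD RMS registry values differ
    # per deployment and should be listed by the administrator who deployed them.
    # The returned list names every path that was (or, with -WhatIf, would be) removed.
    return $removed
}

# Preview first; run again without -WhatIf once the list looks right.
Reset-AdRmsClientState -WhatIf
```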

Web Browsers and Office Online

Only the “premium” version of Outlook Web App (the version for a thick client Web browser) provides support for IRM in Exchange Online. If you use the “light” version on a mobile device, it will not render IRM-protected messages or documents. To use Outlook Web App with a thick client web browser, the pre-licensing capability must be enabled in Exchange Online.

In SharePoint Online, content placed in an IRM-protected document library or list is opened in a Web browser by Office Online as read-only. For more information about forcing IRM-protected items to open in the native application loaded on the client, see Set the default open behavior for browser-enabled documents (Office Web Apps when used with SharePoint 2013).

Note:

Use of the Print Screen function and Snipping Tool can’t be blocked when viewing IRM-protected content using a Web browser application (i.e., Outlook Web App or Office Online).

For the latest list of supported browsers for the IRM feature, see Office 365 system requirements (Web browsers sections). For more information about additional browser constraints in SharePoint Online, see Plan browser support in SharePoint 2013.


Mobile Devices

Mobile device support is provided for Windows Mobile 6.x and Windows Phone version 7.5 and later devices. IRM feature functionality support is not provided by Microsoft for Android, BlackBerry OS, Apple iOS, or Nokia Symbian OS devices. Third-party products providing IRM-enabled applications for the unsupported devices may exist. Microsoft does not endorse the use of, or provide support for, any third-party IRM products.

Similar to the use of a web browser to interact with the IRM environment of Office 365, the pre-licensing capability must be enabled in Exchange Online for mobile devices. TechNet articles related to the use of mobile devices provided by Microsoft include:

Integrate AD RMS and Windows Mobile

Opening AD-RMS Protected Files on Your Windows Mobile Phone

Windows Phone version 7.5 and later all include built-in functionality to access rights-managed email and Office documents.

An up-to-date list of supported mobile devices is described in the AD RMS Service Description (Legacy Platform Release) accessible via the IRM landing page of the Customer Extranet site.


Supporting the IRM Environment

The following table summarizes the assigned ownership of Information Rights Management (IRM)-related support issues that arise in the Office 365 environment.

Function or Scenario: Troubleshooting client issues
Description: Follow the procedures described in the IRM Client Diagnostic Handbook available from the Customer Extranet site. (See your service delivery manager (SDM) for Customer Extranet site access.) The tools described can be used for initial troubleshooting, gathering environmental information, and reconfiguring AD RMS on the client machine. If client issues persist, your organization must use its Microsoft Premier Support Contract to access AD RMS specialists at Microsoft technical support.
Customer: Yes   Microsoft: No

Function or Scenario: On-premises AD RMS server support
Description: Performing any steps against the on-premises AD RMS servers. If server issues persist, your organization must use its Microsoft Premier Support Contract to access AD RMS specialists at Microsoft technical support.
Customer: Yes   Microsoft: No

Function or Scenario: O365 AD RMS issues that affect all users
Description: Office 365 users of your environment are unable to connect to the Office 365 licensing pipeline URL after verifying that the following on-premises services are functional: AD RMS service, network, DNS, Active Directory Domain Services, and client computers.
Customer: No   Microsoft: Yes


Function or Scenario: Implement tasks requested through the Change Request Analysis System (CRAS)
Description: Contact your SDM to place an environment change request within CRAS. After the request has been received and processed, Microsoft implements the specified changes.
Customer: No   Microsoft: Yes

A service request for support from Microsoft will require that your organization provide specific error messages, client operating system version, client application software with version number (for example, Outlook and Internet Explorer), and related information. To submit a request, use the IRM template in the Escalation Template/Infrastructure folder of the Customer Extranet site for Office 365 dedicated plans.


IRM Super User Access

The AD RMS super user access feature provides the ability for your authorized personnel to examine IRM-protected content for compliance purposes. Your organization must create a Universal Distribution Group to hold the Active Directory user accounts placed into the group by your administrative staff. A member of the group will have rights to open IRM-protected mail messages and files.

Create or Identify a Universal Distribution Group

To support super user access, your organization is required to provide the name of an on-premises Universal Distribution Group that will be granted access in the Office 365 AD RMS cluster. If a specific Universal Distribution Group is already used for super user access by the on-premises AD RMS cluster, the same group can be used by the Office 365 cluster. Alternatively, a different UDG can be created. Controlling access to the chosen group and regularly auditing its membership changes are strongly recommended.

Note:

The Universal Distribution Group must be outside the scope of Office 365 directory synchronization (MMSSPP). The Universal Distribution Group must have an email address specified in the mail attribute of the group object in Active Directory; the email address must be unique and should not be re-used on any other objects in any of your directories.

Configure the Access Control List on the GroupExpansion Folder

When the Office 365 AD RMS service was activated, the MGD-GSG-RMSService security group was granted read and execute permissions on specific Web Services source files (.asmx) used by the on-premises AD RMS cluster. The permissions granted allow the Office 365 AD RMS service to certify on-premises users. Similar steps must be followed for the GroupExpansion.asmx file on all AD RMS Root Certification clusters to allow AD RMS to validate user permissions. For specific instructions on this task, see the TechNet article Configure the Access Control List on the GroupExpansion Folder.

Verify the GroupExpansionServiceURL Value

The GroupExpansionServiceURL value in the on-premises AD RMS Root Certification Cluster database must be set to the Certification URL DNS name. If the certification URL was renamed on the on-premises Root Certification Cluster, the value will still be set to the Licensing URL DNS name and must be updated. To view or update the value, use the RMS Config Editor utility in the Rights Management Services Administration Toolkit, which is available at the Microsoft Download Center.

To view the GroupExpansionServiceURL value, connect to the database server, select the Configuration Database, and view the contents of the DRMS_ClusterPolicies table. Locate the GroupExpansionServiceURL value in the table (typically row 124). For more information on using the RMS Config Editor, refer to the Readme_RMS_Config_Editor file provided with the Rights Management Services Administration Toolkit.

Example

Intranet cluster URLs
Licensing: https://licensing.customer.com/_wmcs/licensing
Certification: https://certification.customer.com/_wmcs/certification/certification.asmx

Extranet cluster URLs
Licensing: https://licensing.customer.com/_wmcs/licensing
Certification: https://certification.customer.com/_wmcs/certification/certification.asmx

If the current GroupExpansionServiceURL value is https://licensing.customer.com/_wmcs/groupexpansion, this value must be updated to https://certification.customer.com/_wmcs/groupexpansion.


Active Directory Rights Management Services FAQs for Office 365 Dedicated

Information Rights Management (IRM) is an optional feature available with the Exchange Online and SharePoint Online services of Office 365 dedicated plans. Active Directory Rights Management Services (AD RMS) is the underlying Microsoft technology used to support IRM. The following frequently asked questions (FAQs) can help you better understand IRM functionality and how AD RMS is implemented.

Note:

1. See Information Rights Management for Office 365 Dedicated for a complete description of how to implement, administer, and support an IRM implementation in Office 365 dedicated plans.
2. Unless otherwise indicated, the information presented also applies to the International Traffic in Arms Regulations (ITAR-support) version of Office 365.
3. Recent updates applied to this article contain an asterisk (*) at the beginning of each item title.

1. What is a RAC?

A rights account certificate (RAC) identifies a user account by binding the account into the pre-production or production certificate hierarchy. Each RAC is tied to the machine certificate of the computer on which the user is activated. A RAC and a machine certificate must exist before an end-user license can be created and content encrypted or decrypted. A user can have more than one RAC on a computer, one for each AD RMS service against which the user is activated, but the user cannot transfer a RAC between computers.


2. What is a TUD and how is it used?

A trusted user domain (TUD) is an AD RMS file that is similar in function to the public key of an X.509 private/public key pair. The act of adding a TUD from one AD RMS cluster to another cluster results in the receiving AD RMS cluster trusting the RACs that were issued by the source AD RMS cluster. Exchanging a TUD is similar to implementing an Active Directory trust in that it allows users from one Active Directory environment to be trusted by another Active Directory environment.

3. What is the scope and frequency of TUD export from the on-premises environment followed by import into Office 365?

The TUD of every on-premises forest containing accounts for users that also will utilize Office 365 is required. Each TUD is imported once into the Office 365 AD RMS managed cluster.

4. Is the Office 365 TUD imported into the on-premises AD RMS systems of the customer?

The TUD for the Office 365 managed AD RMS cluster does not need to be imported into the customer environment.

5. What is a TPD?

A trusted publishing domain (TPD) is an encryption key used at the time content is published. The addition of a TPD allows one AD RMS cluster to issue use licenses against publishing licenses that were issued by a different AD RMS cluster. A TPD is added by importing the server licensor certificate and private key of the server to trust. TPD sharing is only useful when using Exchange Online and is most commonly used when there is both on-premises Exchange and Exchange Online. TPD sharing is optional.


6. What circumstances require the on-premises TPD to be provided for use within Office 365?

The TPD of the on-premises AD RMS environment is needed to allow Exchange content protected on-premises to be decrypted by Exchange Online. The import of the TPD is used to transfer all of the on-premises rights policy templates to the online environment (see the FAQ entries below for further information on template management). In addition, the TPD is used to support the following IRM features:

Prelicensing
Outlook Web App WebReady document viewing
IRM Decryption for Exchange Search
IRM in Outlook Web App
Journal Report Decryption
IRM with Exchange ActiveSync clients

Note:

Transport Decryption can be provided by Exchange Online by creating new templates for this purpose within Office 365 (see guidelines regarding template creation within the Office 365 IRM Feature Guide). See the IRM agents table in Information Rights Management for a handy reference describing how IRM agents on Exchange Transport servers are used to support the above listed features.

A customer with more than one licensing cluster may choose to enable the above features for only a subset of their content protected on-premises by providing the TPD from selected RMS licensing clusters. If the on-premises TPD is not provided, Exchange Online will process content protected on-premises as opaque. Messages and files will be delivered using Exchange Online but the content will not be rendered within Outlook Web App, scanned for malware, available for transport rules, decrypted for journaling, indexed for searching, or delivered to Exchange ActiveSync devices.


7. Is the on-premises TPD needed to decrypt content placed within SharePoint?

SharePoint does not utilize the on-premises TPD. If content protected by an on-premises IRM system is uploaded into SharePoint Online, the content will not be decrypted and the existing protection will be preserved. In this scenario, SharePoint Online also will not be able to index or search the IRM-protected file.

8. Is the export of the on-premises TPD a one-time operation or are there scenarios where the TPD needs to be re-exported and provided to Office 365?

The export of the on-premises TPD and the import into Office 365 is needed to enable IRM features for Exchange Online. Following the initial export/import procedure, the following circumstances will trigger the need to re-export the on-premises TPD for import into Office 365:

Changes made to on-premises AD RMS rights policy templates.
Creation of new on-premises AD RMS rights policy templates.

Policy templates that are imported via TPD exchange are locked for editing, which is an AD RMS product feature and not a design characteristic of Office 365. Since the imported templates cannot be modified, any template changes made within the on-premises environment must be re-exported for import into Office 365.

Note:

If User Rights settings are changed within an on-premises template and the corresponding template within Office 365 is not updated, content protected by Exchange Online or consumed by authorized users within Exchange Online will utilize the older set of User Rights.

If content is protected within the on-premises environment using a newly created rights policy template and the template is not exported for use by Exchange Online, an attempt to decrypt content within Office 365 by a consumer or by an IRM feature requiring this specific template will fail.


9. If a customer elects to provide their on-premises TPD to Office 365, how is it used within the service?

The customer TPD is used to decrypt content that was protected using the customer’s AD RMS service. When an Exchange Online Transport server needs to decrypt content, it will call the Office 365 AD RMS service to license the content. The TPD also is used to support the features described in Question 6.

10. When is the Office 365 TPD used to encrypt content?

The Office 365 TPD (encryption key) is used when the Exchange Online Transport server is required to encrypt content. This occurs when Outlook Web App or an Exchange ActiveSync client is used for protecting content and when a transport rule is used to apply AD RMS protection.

11. What security controls are used to protect keys stored in the Office 365 AD RMS service?

Office 365 follows applicable security best practices documented for the AD RMS product including least privilege access, database isolation, and physical access controls. A comprehensive explanation of Office 365 security practices can be found in Standard Response to Request for Information – Security and Privacy at the Microsoft Download Center.

12. Can the Office 365 AD RMS service be configured to allow templates to be published to a Uniform Naming Convention (UNC) location?

Yes, but the following conditions apply:

An on-premises UNC is required.
The Office 365 AD RMS service account must have write access permissions to the UNC location.

13. Can the Office 365 TPD be exported and made available for use in a customer managed on-premises AD RMS environment to allow content encrypted using the Office 365 AD RMS service to be decrypted on-premises?

The Office 365 TPD can be exported and provided for use in the customer environment for situations requiring the bulk decryption of content to support litigation discovery and the migration of accounts from Office 365 back to the on-premises environment. Your service delivery manager (SDM) can assist with providing instructions to place the request and the import guidelines to be followed.


14. How is the two-way Active Directory trust used in conjunction with the Office 365 AD RMS service account to access on-premises RMS cluster(s)?

The Office 365 AD RMS service account uses the Allowed to Authenticate right (granted on the on-premises Active Directory domain controllers and AD RMS web servers) to authenticate to the on-premises Active Directory and to look up the on-premises AD RMS service connection point. The Office 365 AD RMS server then makes HTTPS requests to the Certification URL found in the on-premises service connection point in order to retrieve RAC information for users that need licenses for content. More specifically, the _wmcs/certification/server.asmx and _wmcs/certification/precertification.asmx files are called by the Office 365 AD RMS service using the identity of the Office 365 AD RMS service account.

15. Is the Office 365 AD RMS service account granted permissions directly to the on-premises Active Directory and AD RMS service or is an Active Directory security group used?

Office 365 will provide an Active Directory security group for use in configuring the necessary permissions. A security group is used instead of the AD RMS service account for ease of troubleshooting as well as flexibility with future design changes. The use of groups rather than individual security principals is a well-established best practice.

16. How can membership be monitored for the group used to allow the Office 365 AD RMS service account to access the on-premises AD RMS service?

Customers can monitor the membership of the Active Directory group used to provide access to on-premises resources; however, this capability may not exist within Office 365 in the future. Office 365 does not provide any reporting regarding this configuration item.


17. How can Office 365 Exchange transport rules be configured to apply AD RMS protection?

Standard self-service tools are used to configure transport rules for Exchange Online. To associate a rights policy template with a transport rule, the customer must first create the template within the Office 365 AD RMS service. Template management is possible using either the AD RMS Administration snap-in for the Microsoft Management Console (MMC) or Remote Windows PowerShell. A customer also can use Remote Windows PowerShell commands to associate the template with a specific rule.

Note:

AD RMS rights policy templates imported into the Office 365 service using the TPD exchange method are not available for use in Exchange transport rules since these templates are marked as Archived and cannot be modified. This is an AD RMS product limitation.

18. If a new AD RMS cluster is added within the on-premises enterprise, what tasks are required to integrate the clusters with Office 365?

Essentially, the same assessment and integration process used for the initial deployment will be executed again. Because an established environment exists, this process is likely to be completed more quickly. Implementation time depends upon configuration characteristics.

19. Can an on-premises Exchange server decrypt content protected in the Office 365 service?

The on-premises Exchange server will not be able to decrypt content; however, users with on-premises mailboxes that use Outlook will be able to read content protected in Office 365.

20. *Why must the on-premises AD RMS Certification URL be different from the Licensing URL? [1]

When the Exchange Online service needs to license (encrypt or decrypt) and process content that was protected by the customer AD RMS cluster, the licensing transaction must be directed to the Office 365 AD RMS service. Because the Licensing URL in the protected content wrapper will be the on-premises Licensing URL, that URL needs to be redirected to the Office 365 AD RMS cluster. This redirection is accomplished through DNS.

If the customer Licensing and Certification URLs were identical, calls to both URLs would be redirected to the Office 365 AD RMS service. This would cause the user certification process (including the process to obtain the user’s RAC for use in the licensing process) to fail.


21. *Why does Office 365 recommend changing the Certification URL rather than the Licensing URL? [1]

Changing an AD RMS Licensing URL has implications on content already protected using that URL, but changing the Certification URL does not affect previously issued RACs. While changing the customer Licensing URL would meet the Office 365 requirement, the potential impact of making this change is significant; changing a Certification URL has essentially no impact.

Note:

Microsoft strongly recommends using an FQDN, rather than a single-label name, for the Certification URL. Using a single-label name (for example, https://certify) for an AD RMS URL can cause service issues. The first security-related concern is the use of a rogue server established to share the same server name and to lure clients to use it to protect content, without any possibility for the clients to differentiate between the two. The second concern is related to multi-forest or cross-company collaboration environments presenting a situation where different AD RMS servers with identical names would conflict. If identical names are used for AD RMS servers, an attempt to exchange protected content between the identically named servers would fail due to clients being directed to the wrong cluster after resolving the single-label server name. These issues are not related to the Office 365 implementation. The use of an FQDN is considered to be a general AD RMS best practice.

22. *An attempt to change the Certification URL using the AD RMS Administration snap-in for MMC was not allowed. How can the change be applied? [1]

The AD RMS Certification URL cannot be changed using the AD RMS Administration snap-in for MMC. The AD RMS Certification URL can be changed via direct modification of the serviceBindingInformation attribute of the Active Directory AD RMS service connection point. This operation can be done using ADSIEDIT, LDP, or another Active Directory object editor.

23. *How will changing the Certification URL affect the AD RMS service and clients? [1]

Changing the Certification URL shouldn’t affect any existing services, clients, or content. If a client has trouble reactivating after the SCP has been changed, the DRM folder under the user’s profile can be deleted to force the client to reactivate itself with the new URL.


24. Why is it recommended to configure Extranet URLs for the on-premises AD RMS service?

Different IRM-enabled applications follow different sequences to license content. Some attempt to utilize the Intranet URL stamped in protected content first; if this fails, the application will try the Extranet URL. Other applications follow the opposite sequence. Some applications will assume the Extranet URL is valid and will not try the Intranet URL if the former is not present. In order to avoid failure scenarios or performance issues due to applications looking for the Extranet URL and not finding it, it is strongly recommended that an Extranet URL be configured. Adding an Extranet URL is not related to actually publishing the service to the Internet and can be done at any time without impacting the service.

25. Is a new SSL certificate required for the on-premises AD RMS service?

The on-premises AD RMS SSL certificate must contain all URLs that are used to contact the on-premises AD RMS service. If the Certification URL must be changed to meet Office 365 integration requirements, then the SSL certificate will need to be updated to include the new Certification URL.

26. *After a rename of the on-premises Certification URL, is it possible to use a DNS CNAME (alias) record to resolve the Certification URL to the Licensing URL? [1]

No, the fully qualified name in the Certification URL cannot resolve as an alias to the fully qualified name of the Licensing URL. If the Certification URL were to resolve as the Licensing URL, calls to either URL would be redirected to the Office 365 AD RMS service. However, it is possible to use a DNS alias record to resolve the Licensing URL to the Certification URL.

27. *Is it possible to make the on-premises AD RMS Certification URL a DNS subdomain of the Licensing URL? [1]

The Certification DNS name must not fall within the DNS path of the Licensing name. For instance, if the Licensing URL is https://rms.contoso.com, the Certification URL cannot be https://certify.rms.contoso.com.
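The URL naming rules spread across the GroupExpansionServiceURL section and FAQ items 20, 21, 26 and 27 can be checked mechanically before a DNS change is made. The following is an added example written for this guide, not Microsoft tooling: it encodes those rules as string and URL checks (no DNS lookups, so the CNAME rule of FAQ 26 is out of scope), and the customer.com and contoso.com values are the guide's own placeholder names.

```python
"""Added example (not Microsoft tooling): offline checks for the on-premises AD RMS
URL naming rules stated in this guide for the legacy platform."""
from urllib.parse import urlsplit, urlunsplit


def _host(url):
    """Lower-cased host name of a URL, or '' if none can be parsed."""
    return (urlsplit(url.strip()).hostname or "").lower()


def _is_subdomain(child, parent):
    """True when child lies within the DNS path of parent
    (certify.rms.contoso.com lies within rms.contoso.com)."""
    return child != parent and child.endswith("." + parent)


def check_adrms_urls(licensing_url, certification_url,
                     group_expansion_url=None, legacy_platform=True):
    """Return a list of findings; an empty list means every rule is satisfied.

    Rules encoded, all taken from the guide:
      - AD RMS URLs should use an FQDN, not a single-label name (note under FAQ 21).
      - On the legacy platform the Certification URL must differ from the Licensing
        URL, because the Licensing name is redirected via DNS to Office 365 (FAQ 20);
        the footnote says this rule is relaxed once Exchange 2013 is in place.
      - The Certification name must not be a DNS subdomain of the Licensing name (FAQ 27).
      - GroupExpansionServiceURL must carry the Certification DNS name, not the
        Licensing name (section "Verify the GroupExpansionServiceURL Value").
    """
    findings = []
    lic, cert = _host(licensing_url), _host(certification_url)

    for label, host, url in (("Licensing", lic, licensing_url),
                             ("Certification", cert, certification_url)):
        if not host:
            findings.append(f"{label} URL {url!r} has no parsable host name")
        elif "." not in host:
            findings.append(f"{label} URL uses the single-label name {host!r}; use an FQDN")

    if lic and cert:
        if legacy_platform and lic == cert:
            findings.append(f"Certification and Licensing URLs are identical ({lic}); "
                            "redirecting the Licensing name via DNS would also capture "
                            "user certification traffic")
        if _is_subdomain(cert, lic):
            findings.append(f"Certification name {cert!r} is a DNS subdomain of the "
                            f"Licensing name {lic!r}")

    if group_expansion_url is not None:
        ge = _host(group_expansion_url)
        if ge != cert:
            findings.append(f"GroupExpansionServiceURL host {ge!r} must be the "
                            f"Certification DNS name {cert!r}")
    return findings


def corrected_group_expansion_url(certification_url, current_value):
    """Rewrite a GroupExpansionServiceURL value onto the Certification host,
    keeping the existing path (this mirrors the guide's example)."""
    cert, cur = urlsplit(certification_url), urlsplit(current_value)
    return urlunsplit((cur.scheme or cert.scheme, cert.netloc,
                       cur.path, cur.query, cur.fragment))


if __name__ == "__main__":
    # Values from the guide's own example; customer.com is its placeholder domain.
    LICENSING = "https://licensing.customer.com/_wmcs/licensing"
    CERTIFICATION = "https://certification.customer.com/_wmcs/certification/certification.asmx"
    STALE_GE = "https://licensing.customer.com/_wmcs/groupexpansion"
    for finding in check_adrms_urls(LICENSING, CERTIFICATION, STALE_GE):
        print("FINDING:", finding)
    print("suggested value:", corrected_group_expansion_url(CERTIFICATION, STALE_GE))
```

Running it against the guide's example reports the stale Licensing-based GroupExpansionServiceURL and proposes the Certification-based value; passing legacy_platform=False drops only the identical-URL rule, matching the footnote.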

28. Can Journal decryption be disabled?

At the request of the customer, Exchange Journal decryption can be disabled.


29. Why can’t users view IRM-protected messages in Outlook Web App when the message is also signed with an S/MIME certificate?

Using IRM and S/MIME together is not supported in the Outlook Web App experience. In scenarios where both IRM protection and S/MIME signatures are required, users should be directed to use the Outlook client.

[1] An architecture change implemented within the Exchange Server 2013 platform of Exchange Online allows the on-premises AD RMS Certification URL and the Licensing URL to be identical rather than unique. When your environment has been upgraded, either URL configuration can be applied.