Friday, 22 May 2015

An Overview of Azure RMS including custom templates

EMS Landing page

Simon May presented an excellent Microsoft Virtual Academy session yesterday. The session described and demonstrated Azure Rights Management Services. You can find the video in the Enterprise Mobility Core Skills section.

Azure Rights Management Services Core Skills Jump Start

The following areas were discussed:
  • Activating Azure RMS
  • Protecting the files your users share
  • Tracking and revoking usage of protected files
  • Building and managing templates
  • Integrating with on-premises services

This is the Microsoft description of that particular session:

Learn how to protect your organization's data with Azure Rights Management Services (RMS), and share securely inside and outside your organization. Plus, find out why information protection is a 100-percent "must have" for your organization, and get hands-on experience and technical know-how from Microsoft experts. 

Azure RMS looks like a really exciting technology. Have a look at some TechNet Library documents for some RMS details.

What is RMS

Activating RMS

As soon as the service is activated, you have two default templates that administrators and users can select to quickly and easily apply information protection to files. But you can also create your own custom templates for additional options and settings.

After I watched the session I dived right in to test the technology and it's really cool. Let's see what it looks like. It's so easy to configure and use. I've separated this blog into the following sections:

  • Activate RMS
  • Assign Licenses to user
  • Create RMS template
  • Use RMS template to protect email 

Activate RMS

Launch your Azure Portal and open Azure Active Directory.

Select "Rights Management".

Select "Activate". I have already activated RMS in the screenshot above. Note that you can also "deactivate" RMS if you wish. You are now ready to assign RMS licenses to users.

Assign RMS Licenses to users

There are two ways to do this.

Assign the licenses associated with your Office 365 subscription, or assign your Enterprise Mobility Suite (EMS) licenses. For EMS, just drill into the EMS license and add the required users.

Create RMS Template

OK, let's get started. Open Rights Management again and select your organization.

 The "Getting Started with Rights Management" wizard is launched. Choose to create a new template.

Choose your language and enter a name and description.

The template has been created. Now choose to "Manage templates". 

See the default templates and the custom template that we created. Select the new template for configuration.

Choose "Configure rights for users and groups".

Click "Get Started Now".

Select the users or groups that will be allowed to use the template. Note that Groups must be mail-enabled to be available for selection.

I've chosen some test users.

Now we must assign the required RMS rights to our users. You can choose one of the pre-configured roles (or create a custom role):

  • Viewer: View, Reply, Reply All
  • Reviewer: View, Edit, Reply, Reply All, Forward
  • Co-Author: View, Edit, Copy, Print, Reply, Reply All, Forward
  • Co-Owner: All Rights
  • Custom: Assign Rights Individually

I've chosen Custom this time as I want to see how securely I can send emails. 

I've chosen the very minimum here. I just want the recipient to be able to "View Content".

Now select Configure so that we can publish the template. Click to Publish.

We can configure other options like "Content Expiration" and "Offline Access".


The template status is now "Published". We're not quite finished yet. I have to refresh the templates so that my users can see them. I'm testing with Outlook Web App so I need to use PowerShell.

Launch Azure PowerShell and connect to your subscription. Execute the following command to refresh the templates:

Import-RMSTrustedPublishingDomain -Name "RMS Online - 1" -RefreshTemplates -RMSOnline

Verify that the template has been added:

Get-RMSTemplate -TrustedPublishingDomain "RMS Online - 1" -Type All

Finally, for each imported template that you want to be available in the Outlook Web App, you must use the Set-RMSTemplate cmdlet and set the Type to Distributed:

Set-RMSTemplate -Identity "<name of the template>" -Type Distributed 
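
The refresh, verify and publish steps above combined into one script (an added example, not code from the original post). The three cmdlets are Exchange Online cmdlets, so the script opens an Exchange Online PowerShell session first; it assumes the ExchangeOnlineManagement module is installed, and `$AdminUpn` and `$TemplateName` are hypothetical parameters.

```powershell
# Added example: refresh Azure RMS templates in Exchange Online and publish
# one of them to Outlook Web App. Assumes the ExchangeOnlineManagement module
# is installed; $AdminUpn and $TemplateName are hypothetical placeholders.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,      # Exchange Online admin sign-in name
    [Parameter(Mandatory)] [string] $TemplateName,  # name of the custom template
    [string] $Tpd = 'RMS Online - 1'                # TPD name used on this page
)

$ErrorActionPreference = 'Stop'
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Pull the current template set from Azure RMS into the tenant's TPD.
    Import-RMSTrustedPublishingDomain -Name $Tpd -RefreshTemplates -RMSOnline | Out-Null

    # Confirm the template actually arrived before changing anything.
    $template = Get-RMSTemplate -TrustedPublishingDomain $Tpd -Type All |
        Where-Object { $_.Name -eq $TemplateName } |
        Select-Object -First 1
    if (-not $template) {
        throw "Template '$TemplateName' not found in '$Tpd' after refresh."
    }

    # Templates must be of type Distributed to be available in Outlook Web App.
    if ($template.Type -ne 'Distributed') {
        Set-RMSTemplate -Identity $TemplateName -Type Distributed
    }

    # List the final state of every template so unexpected entries stand out.
    Get-RMSTemplate -TrustedPublishingDomain $Tpd -Type All |
        Sort-Object Type, Name |
        Format-Table Name, Type -AutoSize
}
finally {
    # Always close the admin session, even if a step above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```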

To refresh templates for Office 2013 users: 

Office 2013 refreshes templates every 7 days by default. You can speed that up by using a registry editor and deleting the data for the LastUpdatedTime value under this key:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<MicrosoftRMS_FQDN>\Template

Restart your Office applications. Users will see the new template immediately.

To refresh templates for Office 2010 users: 

Just log off and back on again.

Use RMS template to protect email

Now we come to the business end. What is the experience like for users?

A user creates a new email and chooses Options > Set Permissions. See all the available templates (including my custom template).

I've chosen the custom template and the email can be sent.

The recipient gets the email and can only view the content. This is really cool and highly secure. Note that any attachments would be "rights protected" also. Test some scenarios and see what you think.

Remember that I was testing here using Exchange Online. If you use Exchange on-premises you must install the RMS Connector. I'll be reviewing that shortly.

In my next blog I'll be having a look at the RMS Sharing App and RMS Document Tracking.


  1. Great read and looking forward to blogs on Sharing App and RMS Doc tracking

  2. Hi Gerry,
    I started looking at this recently and got everything configured. However I cannot seem to do the refresh in powershell for exchange online.
    I launched Azure PowerShell (re-downloaded the newest version) and connected my subscription. I ran the Get-RMSTrustedPublishingDomain command, but none of those commands are recognised. Did you have to download anything to import these modules? I came across some RSAT tools, but they wouldn't download.

    Any advice on how you did this would be appreciated.
    Thanks in advance.

    1. You'll need to import all the commands via a few PowerShell commands, creating $cred and $PSsession and importing it to download the commands to let you do this. Hope this helps.

  3. How can I set this up for external users or for a personal account?

  4. Is there a way to force a refresh for on-prem Exchange servers using the Azure RMS connector?