Forum Discussion
SharePoint Online with Azure RMS
Hi Adrian,
SharePoint IRM and Azure RMS are related, but they are not the same.

With Azure RMS, you configure policy templates (https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-policy-templates) and apply them to the documents. The rights you apply live within the document, no matter where you store it or how you share it. In general, Azure RMS works at the organisation's domain level + security group.

For example, john@contoso.com can apply a template to a document that allows everyone within contoso.com READ ACCESS (but NO PRINT) to the document. John can send that document to his colleague@contoso.com by email; Azure will check the access rights when the recipient opens the document using an Azure RMS-supported application (e.g. Microsoft Office). If someone@contoso.com forwards that document to someone@xyz.com, that someone@xyz.com won't be able to read that document.

How do you apply Azure RMS templates? Normally, end users can use the Azure Information Protection client (https://www.microsoft.com/en-us/download/details.aspx?id=53018) or Office backstage.

With SharePoint IRM, you apply Information Rights Management to a list or library (https://support.office.com/en-us/article/Apply-Information-Rights-Management-to-a-list-or-library-3bdb5c4e-94fc-4741-b02f-4e7cc3c54aa1) to use Azure IRM. You define the rights at the library level. You cannot use Azure RMS templates in a SharePoint library. Rights are applied ONLY when the document leaves the library; within the library, documents are not protected using Azure IRM. Therefore, within SharePoint, you would create contributor or viewer groups to control permissions. This is by design, to ensure that documents within a SharePoint IRM-configured library can be indexed, so that search returns those documents.

Now, if you upload an Azure RMS-protected document to a SharePoint library (Azure RMS templates applied using the AIP client or Office backstage), Search will not be able to index it, so Search will not return that document.
Thanks.
So, further to this, the only way I can utilise the Track and Revoke (AIP) client is to have the file protected using an AzRMS template (or custom - AIP) for each file in the SharePoint site.
Those only protected by IRM don't seem to have that feature, i.e. when selecting Track and Revoke for a document protected by IRM:
"We can't find that document. You can only track documents that you protected using the Azure Information Protection app on Windows."
This only seems to work with those protected with AzRMS.
At present, is this the only option or would FCI with the AzRMS connector be a suitable instance for storing highly confidential data?
- VasilMichev, Sep 08, 2017, MVP
Ignite is around the corner, I'm sure we will hear more information about the AIP/SPO integration there. If you can wait a few weeks, that is.
In the meantime, nothing is stopping you from storing individually-protected files in SPO or anywhere else, and taking advantage of tracking/revoking. You will however lose the ability to "reason over data", as your applications will not be able to access those documents either.
- alphadeltaromeo, Sep 11, 2017, Copper Contributor
Hi,
Sorry to sound like a total noob, but what do you mean by "reason over data"?
Agreed, Ignite could provide a better solution, but I need to have some options in place for the meantime.
Rather than protecting each file individually (as there are 200+ files), would it be a suitable solution to set up an FCI server and apply the RMS template via classification... and then upload them to SPO?
- Rajesh Khanikar, Sep 11, 2017, Copper Contributor
To classify a large amount of files, you could write a script, for which you will require the AIP PowerShell module (https://docs.microsoft.com/en-us/information-protection/deploy-use/install-powershell). On a computer where you have the AIP client installed and configured, the PowerShell commands are automatically available for you to carry out automation using custom scripts. For example, you can use the cmdlet Set-AIPFileClassification (ref: https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipfileclassification?view=azureipps):

Set-AIPFileClassification
To automatically set an Azure Information Protection label on one or more file(s), according to conditions that are configured in the policy.
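The scripted approach suggested in the last reply, and the check that follows from the "We can't find that document" message earlier in the thread, as an added example; this is not code posted by anyone in the discussion. It assumes the AIP client and its AzureInformationProtection module are installed and a policy with auto-classification conditions has already been downloaded for the signed-in user; the folder path and report path are placeholders.

```powershell
# Added example (not code from the thread). Assumes the AIP client with its
# AzureInformationProtection PowerShell module is installed and the signed-in user
# has a policy with classification conditions. $SourceFolder is a placeholder for
# the local staging copy of the 200+ files before they are uploaded to SPO.
Import-Module AzureInformationProtection

$SourceFolder = 'C:\Staging\Confidential'                    # placeholder
$Report       = Join-Path $env:TEMP 'aip-classification-report.csv'

# 1. Dry run first: shows which files the policy conditions would label,
#    without changing anything on disk.
Set-AIPFileClassification -Path $SourceFolder -WhatIf

# 2. Apply the policy conditions for real. -PreserveFileDetails keeps the
#    original modified date/owner so the later upload does not look like a
#    mass edit of every document.
Set-AIPFileClassification -Path $SourceFolder -PreserveFileDetails

# 3. Verify the outcome. Track and Revoke only works for documents that carry
#    RMS protection, so a label whose template applies no protection leaves the
#    file in the same state as the IRM-only documents described above.
$status = Get-ChildItem -Path $SourceFolder -File -Recurse |
    ForEach-Object { Get-AIPFileStatus -Path $_.FullName }

$status |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected, RMSTemplateName |
    Export-Csv -Path $Report -NoTypeInformation

$unprotected = @($status | Where-Object { -not $_.IsRMSProtected })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} file(s) received no RMS protection and will not be trackable:" -f $unprotected.Count)
    $unprotected | ForEach-Object { Write-Warning "  $($_.FileName)" }
}
```

Two caveats worth knowing before running this against the real set: Set-AIPFileClassification leaves a file unlabeled when none of the policy conditions match, and by default it does not replace a label a file already has (the -Force parameter overrides that), so the CSV report from step 3 is the list to review before the upload. If every file is to get the same label regardless of content, Set-AIPFileLabel with the label's ID is the simpler cmdlet for that case.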