Forum Discussion
SharePoint Online with Azure RMS
At the risk of sounding like a total noob, I wanted to ask for clarification on an issue I am having when setting up Azure RMS.
I am in the process of setting up Azure RMS with our Exchange Online and SharePoint Online.
I have enabled RMS in Office 365 (Azure)
I have enabled IRM for SharePoint Online
I have created a SharePoint Site (and Sub-Site) that has IRM configured on the library.
It may sound like a simple question, but I want to upload files to the site from a network share and want them protected so that only certain users (based on a group) can access them.
I have uploaded the files and want all files to be read-only for a specific group (and only editable by another group). To my knowledge you need to set up an RMS Template/Policy, e.g. 'Confidential Policy'. When I set up IRM for the library, it does apply when opening the file (as you can see 'Confidential Policy' in the yellow bar at the top of the document), but under the permissions it is NOT read-only. Users can Edit, Copy and Save. The only things restricted are Print, Export and Access the document programmatically.
My question is, how do I configure these permissions and where?
So far I can only make these restrictions by setting the 'Protect Document' option in Word (when opening the document). These templates were set up in the Azure Classic portal.
Any Suggestions?
- Rajesh Khanikar (Copper Contributor)
Hi Adrian,
SharePoint IRM and Azure RMS are related, but they are not the same.
With Azure RMS, you create Azure RMS templates and apply them to the documents. The rights you apply live within the document, no matter where you store them or how you share them. In general, Azure RMS works at the organisation's domain level + security group. For example, john@contoso.com can apply a template to a document that allows everyone within contoso.com READ ACCESS (but NO PRINT) to the document. John can send that document to his colleague@contoso.com by email; Azure will check for access rights when the recipient opens the document using an Azure RMS supported application (e.g. Microsoft Office). If someone@contoso.com forwards that document to someone@xyz.com, that someone@xyz.com won't be able to read that document. How do you apply Azure RMS templates? Normally, end users can use the AIP client or Office backstage.
With SharePoint IRM, you configure a library to use Azure IRM. You define the rights at the library level. You cannot use Azure RMS templates in a SharePoint library. Rights are applied ONLY when the document leaves the library. Within the library, documents are not protected using Azure IRM. Therefore, within SharePoint, you would create contributor or viewer groups to control permission. This is by design to ensure that documents within a SharePoint IRM-configured library can be indexed, so that search returns those documents.
Now, if you upload an Azure RMS protected document to a SharePoint library (Azure RMS templates applied using the AIP client or Office backstage), Search will not be able to index it, so Search will not return that document.
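The split Rajesh describes, library-level IRM restrictions on one side and SharePoint permissions (viewer vs. contributor groups) on the other, can be set and inspected from PowerShell. The script below is an added example, not code from the original thread or from Microsoft; it assumes the PnP PowerShell module, a site URL, a library name and two SharePoint groups ('Confidential Readers' and 'Confidential Editors') that are all placeholders, and it assumes those groups already exist on the site.

```powershell
# Added example (not from the thread). Assumes PnP PowerShell is installed and
# that the site, library and group names below are replaced with real ones.
$SiteUrl     = "https://contoso.sharepoint.com/sites/confidential"   # placeholder
$LibraryName = "Confidential Docs"                                    # placeholder
$ReaderGroup = "Confidential Readers"                                 # placeholder, must exist
$EditorGroup = "Confidential Editors"                                 # placeholder, must exist

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Library-level IRM: this is what shows up as the policy title in the yellow
#    bar when a downloaded copy is opened. It only governs the document once it
#    leaves the library (print, programmatic access, writing on a copy), which is
#    why users can still edit inside the library with only these settings.
Set-PnPListInformationRightsManagement -List $LibraryName `
    -Enable $true `
    -PolicyTitle "Confidential Policy" `
    -PolicyDescription "Downloaded copies are view-only; no print or script access." `
    -AllowPrint $false `
    -AllowScript $false `
    -AllowWriteCopy $false

# Show the effective IRM settings for the library.
Get-PnPListInformationRightsManagement -List $LibraryName

# 2. Who can edit vs. only read while the files sit in the library is decided by
#    SharePoint permissions, not by IRM. Break inheritance so the library gets
#    its own permissions, then grant Read to one group and Contribute to the other.
Set-PnPList -Identity $LibraryName -BreakRoleInheritance -ClearSubscopes
Set-PnPListPermission -Identity $LibraryName -Group $ReaderGroup -AddRole "Read"
Set-PnPListPermission -Identity $LibraryName -Group $EditorGroup -AddRole "Contribute"

# 3. Verify: list each principal on the library with the role(s) it holds.
$list        = Get-PnPList -Identity $LibraryName
$assignments = Get-PnPProperty -ClientObject $list -Property RoleAssignments
foreach ($ra in $assignments) {
    $member   = Get-PnPProperty -ClientObject $ra -Property Member
    $bindings = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
    "{0}: {1}" -f $member.Title, (($bindings | ForEach-Object { $_.Name }) -join ", ")
}
```

The two halves map onto the two complaints in the original question: the IRM block explains why Print/Export/programmatic access were the only things restricted, and the permission block is where "read-only for one group, editable by another" is actually configured. Breaking inheritance is deliberate; without it the site's default Members group (typically Contribute, matching the "default permission was 'Contributor'" observation later in the thread) keeps edit rights on the library.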
- alphadeltaromeo (Copper Contributor)
Thanks.
So further to this, the only way I can utilise the Track and Revoke (AIP) client is to have the file protected using an AzRMS template (or custom - AIP) for each file in the SharePoint site.
Those only protected by IRM don't seem to have that feature, i.e. when selecting Track and Revoke for a document protected by IRM:
We can’t find that document.
You can only track documents that you protected using the Azure Information Protection app on Windows.
This only seems to work with those protected with AzRMS.
At present, is this the only option or would FCI with the AzRMS connector be a suitable instance for storing highly confidential data?
Ignite is around the corner, I'm sure we will hear more information about the AIP/SPO integration there. If you can wait a few weeks that is.
In the meantime, nothing is stopping you from storing individually-protected files in SPO or anywhere else, and taking advantage of tracking/revoking. You will however lose the ability to "reason over data", as your applications will not be able to access those documents either.
Right, I just replied in the other thread, but Rajesh Khanikar's answer is waaaaay more detailed than mine :) Thanks Rajesh!
- Rajesh Khanikar (Copper Contributor)
Hi Adrian,
Azure RMS and SharePoint Azure IRM are related but not the same.
With Azure RMS, you create RMS templates and apply them to the documents, rights are applied on the document level. How do you apply the templates? As an end user, you do this using AIP (Azure Information Protection) Add-in in Office or you can use backstage of Office application.
Azure RMS protection lives within the document, no matter where it is stored or how it is shared (email, DropBox, OneDrive etc.).
When you use SharePoint IRM, it is different. You configure a library to use IRM; you define the protection requirements at the library level. You cannot use Azure RMS templates in a SharePoint library. Protection is applied to the document ONLY when the document leaves the library (e.g. when you download a document). This design is to ensure that SharePoint can index the documents, and Search can find the documents. So within SharePoint, a document living within an IRM protected library doesn't have any protection; within SharePoint you control access using SharePoint permissions. For example, you can create contributor or viewer groups to control who can edit and who can view.
Now, if you upload an Azure RMS protected document to a SharePoint library (when you apply the templates using the AIP client or Office), rights applied to the document will not be affected. SharePoint search will not be able to index that file, so it won't show up in Search.
In general Azure RMS/IRM works at the organisation's domain level. For example, john@contoso.com can apply a template to a document that allows read access to anybody within the contoso.com domain; now if someone from contoso.com forwards that document to someone@xyz.com, that someone@xyz.com will not be able to read the document.
- alphadeltaromeo (Copper Contributor)
OK, so I've figured this out. IRM doesn't explicitly work with Azure RMS templates. It basically keeps the SharePoint Online permissions on the file. This means that if the file was downloaded and opened on another computer (as another user) you would still need to be a member of a group that has access to the file.
...users could edit the files before as the default permission was 'Contributor'.
Also I wanted to ask if this would be a good instance to store highly confidential files, or would you suggest storing the files locally and setting up a 2012R2 server with the AzRMS connector and FCI? I am looking at sharing the files with some external users also, which is why I opted for AzRMS rather than AD RMS.
- Dean_Gross (Silver Contributor)
To add to the excellent description provided by Rajesh Khanikar, MS has stated that they are working on improving the integration story but I don't think they have provided a public timeframe for when we can expect that.
Here is a great summary of the numerous names used by this technology: https://docs.microsoft.com/en-us/information-protection/understand-explore/aka.