Major Update: Improved Office file support + Service improvements

First published on CloudBlogs on Aug, 26 2014

Hi Everyone,

Today, we’re announcing a major update to RMS, which is based on your enthusiastic feedback and guidance. We’ll share with you the significant changes to the RMS application(s), our Azure RMS cloud offering, and how we’re bringing the new features of Azure RMS to a broader range of organizations with differing deployment requirements for their cloud service.

The RMS team and I have lots of interaction with passionate business leaders both online and in person. We deeply appreciate your partnership! We collected your individual feedback and validated it with our informal Customer Advisory Board (CAB). Here’s where 313 voters who manage 17 million users are from. We love the diversity given how impactful regional differences are in this space.

(To vote simply join our advisory board so you can sway us too! We have a similar RMS development partner group)

You also shared with us your diverse environment. As expected, mobile support is critical but we were surprised to see Linux pushed higher than OS X. We don’t currently have a Linux story but your input will clearly have us revisit that.

The most interesting set of responses are related to the question of ‘why you seek to protect your data’:

You cited as most critical the ability to share sensitive documents with others . Next up were two needs to partition document sharing within your company . A strong fourth vote was ensuring compliance .

Our Promise to You

As a direct result of these inputs (and other clear industry trends) today our deliverables are focused on offering you the following promises:

1. Protect the workplace documents you share with others, make it work on all devices. We made this promise 6 months ago but we fell short of letting you interact with protected Office documents on your mobile devices. You insisted that we enable the consumption of Word, Excel, PowerPoint, and PDF documents on your mobile devices… and you asked for it ‘now’.
   
   
2. Protect the documents you have internally. Do so with an effective means of partitioning them. We were asked to permit protecting documents to a subset of your workforce. We had gaps in Azure RMS and you wanted to better understand how the various DLP (data loss prevention) offers work with us.
   
   
3. Enable the Azure RMS feature set for customers where less of a cloud exposure is desired/required . Some of you are highly regulated and want to maintain your RMS key on-premises. Some of you also raised concern with having to perform a directory sync of so many properties ‘just for RMS’.

We hope you agree that addressing the gaps in these 3 areas would represent a substantial update to RMS. Let’s review what we have done for each of them.

#1 Protect the workplace docs you share with others, make it work on all devices.

First, we know that you desire built-in support for RMS into Microsoft Office on all platforms. We currently support RMS in Office 2010, Office 2013, and Office 365 but lack comprehensive support on other platforms. We -- the Office team + the RMS team -- are committed to adding RMS support. The involved teams are working on this now. This said, as I’m sure you can appreciate, the RMS blog is not the right place to disclose the Office release cadence so please stay tuned to @TheRMSGuy (twitter) and this blog for future public disclosures.

To address your immediate need, we’ve come up with a way of supporting the sharing of secured Office documents in advance of the native Office support . We’ve done so via the RMS application’s Share Protected button. When you invoke Share Protected to share Office documents we send your email recipients both an RMS protected version of the Office document and a protected PDF copy of the same file. To ensure success at opening one of these files, we now have RMS-protected PDF rendering built into all of our free RMS applications. As we had in the past, if your recipients don’t have RMS we also offer them a 100% free RMS account .

As an added bonus feature for those using Azure RMS, we enabled email notifications of document use (or abuse). This lets the document sender know if their sensitive document is being used as intended. This is quite critical as we all know that IT can’t easily detect document abuse given their lack awareness of initial intended use. Now the sender can play an important role of responsibly sharing sensitive documents. Let's review the end to end user flow.

Note: The Share Protected button is added to Outlook, Word, Excel, and PowerPoint (v2010 and 2013) when you install the RMS app for Windows .

Do you prefer to experience it first hand?
If so, just send us an email and CC your colleagues. We’ll send you this blog post as a protected document.

Sender creates an email message, invokes SHARE PROTECTED

Sender selects the permissions (and options) they want to grant to the recipient

Recipient receives the email on their device. Note the two attachments of the same name.

After installing RMS App, the user opens the PPDF on their devices.
These are all the same Quarterly Sales Report.XLS, rendered as PPDF
(Clockwise from center: iPad, Windows Phone, Android Phone, Windows, OS X, Android tablet, and iPhone)

The sender gets email notification so that they can monitor for abuse

We’ve provided information previously on this blog about the RMS sign up process, and you’ll find it fully documented on TechNet , so I've omitted that detail here. We support sharing within your business and to other businesses and we continue to support free signup (if needed) for your recipients at http://portal.aadrm.com . Support for consumer social identities like Microsoft Account (aka Live ID) and Gmail IDs remains in our active work backlog.

Here’s how to get started

• Let us send you a protected document (use your work email address because Microsoft Account/GMail/etc, and personalized variants are not yet supported)
• Azure RMS Trial: Sign up here
• RMS applications: http://portal.aadrm.com/home/download
  • Useful videos: https://youtu.be/j9U9FUy9Anc for PCs and https://youtu.be/1k3yUoKniwQ for mobile devices.
• Windows Desktop: http://go.microsoft.com/fwlink/?LinkId=313954
• Window Phone: http://go.microsoft.com/fwlink/?LinkId=328512
• iPhone and iPad: http://go.microsoft.com/fwlink/?LinkId=325338
• Android: http://go.microsoft.com/fwlink/?LinkId=325340
• Apple OS X: https://itunes.apple.com/us/app/rms-sharing/id908570259

#2 Protect the documents you have internally, with a more effective way to partition them

A user can create files that are protected to a subset of people within their company. For example, let’s say that Brenda wants to protect a legal case file to the ‘Legal Department’. The traditional means of doing this is via RMS templates. Once protected, only current (and future) membership of the ‘Legal Department’ will have access to these files. Using RMS templates there are countless way of setting up data partitions within your organization… just keep it simple so that ‘IT does not get in the way’ of people have access to their files.

AD RMS already supports custom global templates. Until recently Azure RMS had a fixed set of two templates. As of today, it now supports customizable global templates too. Here’s what it looks like:

Our new Admin console lets you create, manage, and learn about policy templates

The new template ‘Top Secret’ is created and placed in an ‘Archived’ state until you ‘Publish’ it

Administrator can now configure and publish the new template

This is a quick introduction. For more detailed information, see Configuring Custom Templates for Azure Rights Management . We also modified our RMS SDKs to pick up these updated templates more quickly. When Office 2013 refreshes their SDK (next public update) they will get this quicker update time.

We know that the act of enabling RMS is not totally sufficient to protect all your sensitive documents – you will want more automated means of driving documents to be protected. The breath of our Microsoft and partner offers here is what really sets Microsoft Rights Management apart from the others in this space. Let me share with you how the most common and effective means of enabling proactive RMS protection. When available, I’ve included a link to some free videos on the topic.

• Office 365
  • Official documentation: http://technet.microsoft.com/en-us/library/dn532171.aspx
  • Detailed video: https://www.youtube.com/watch?v=6AQiIKwCOLo
  • Short video: https://www.youtube.com/watch?v=P_XJmscXlfo
• Exchange 2013 + Office 2013 lets you enable very powerful and user friendly DLP
  • Official documentation: http://technet.microsoft.com/en-us/library/cc179103(v=office.15).aspx
  • Useful video: https://www.youtube.com/watch?v=tfsX1U6TDXo
• SharePoint ‘Protected Libraries’
  • Official documentation: http://office.microsoft.com/en-us/sharepoint-help/apply-information-rights-management-to-a-l...
  • Useful video: https://www.youtube.com/watch?v=_fYzX3jM1VM
• Windows Server ‘File Classification Infrastructure’ and ‘Work Folders’ (roaming desktops)
  • Official documentation: http://technet.microsoft.com/library/hh831701.aspx
  • Useful video: https://www.youtube.com/watch?v=lt3CCx_YNQ0

Last but not least, another core ask was to improve the usage logs. The Share Protected flows we are releasing today put both the file name and the publish date into the logs. We have more logging enhancements in the works but those remain out of reach for this update as code changes must happen in Office itself. We are keeping this ask on our active work list.

#3 Offer the Azure RMS feature set to cloud reluctant customers

The Microsoft Rights Management offer supports two deployment options: on premises and Azure hosted. Some ‘cloud reluctant’ organizations require that their RMS authorization decisions and key management remain within the walls of their organization. We recognize this is an important business requirement from our worldwide customers.  Let’s share with you the changes we’re now making to Azure RMS.

Today the Azure RMS offering looks like this:

For ‘cloud ready’ organizations (the top half), we showcase Office 365 with Azure AD and Azure AD Sync; Azure RMS performs the core information protection duties and Azure services are relied on for the remainder of the workloads.

For ‘cloud reluctant’ organizations (the bottom half), the Azure RMS connector permits Exchange, SharePoint and FCI on premises to use Azure RMS to protect essential information. For some, this is still too much cloud exposure. The core feedback we’ve heard is that local RMS traffic should remain local – it should not reach out to Azure AD. When collaborating, leveraging Azure AD is a massive benefit, but not if the full set of AD sync properties is required. We’re addressing both of these concerns while also future proofing your environments.

Let’s now consider this updated diagram:

It’s pretty simple to see several few very important changes:

1. Only Azure AD remains in the cloud with most of the Azure RMS related and dependent services now being on premises.
   
   
2. AAD Sync now offers configurable profiles. This permits an organization only using Azure RMS for B2B (sending and receiving) to publish the minimal set of required properties. In fact, the only properties required are those made public when sending an email to the other person. We introduced the new Azure AD Sync offering in this blog post.
   
   
3. A new Azure RMS deployment option, the Azure RMS hub, enables you to maintain your core RMS logic and key services on premises for all authorization and cryptographic transactions, while delegating B2B transactions to Azure AD. Yes – you read this correctly, your encryption keys remain on premises in your control! Plainly stated, you are in full control of your key and all internal RMS traffic remains within the new Azure RMS hub.

We’re also going to tackle the oft requested ability to migrate from AD RMS to Azure RMS. Sidebar: Some of you may be surprised that cloud reluctant customers demand support for migration to Azure RMS. We've found a common misconception about what Azure RMS ‘sees’ as part of its role in protecting your data. Some believe that using Azure RMS means that your data travels to the cloud. It does NOT, ever go to the cloud unless you put the document there. The sharing of a document between two on-premises organizations only has an authorization traffic -- an authentication token and the RMS license that was embedded in the document – sent to Azure RMS for evaluation. The document itself remains within your on-premises client. Our client side developer libraries built into each RMS enlightened application handle all the client side decryption. This is an important tidbit of information for those of you increasingly looking to outsource aspects of your core infrastructure. Now you can offload RMS hosting to us knowing that the cloud RMS service never sees any of your content.

With this storyline shared with you, we are promising the following:

• Later this month we will offer the option for AD RMS customers to migrate to Azure RMS without losing access to their previously protected data. The Azure RMS Migration Toolkit will allow customers with an AD RMS deployment to migrate their keys and policies to Azure RMS, leveraging the Bring your Own Key and RMS connector features to provide full functionality from RMS in the cloud minimizing service disruption to their users.

• • To learn more, join our advisory board and Sign up for Azure RMS Migration Toolkit Preview .

• Early next year we will have a private preview of the Azure RMS hub. This Azure RMS hub will be generally available when you tell us it is ready. Our current hopes are that this will be in the spring of 2015. In the meantime, you can make use of Azure RMS in your pilots… you might even like it.
  • To learn more, join our advisory board and Sign up for the Azure RMS hub preview
    
    
• Available immediately is the Mobile Device Extensions add-on (MDE) for AD RMS. This add on lets client applications built to the new V4 RMS SDKs interoperate with AD RMS. Note that this add-on does not enable all of the features of Azure RMS.
• • MDE documentation: http://technet.microsoft.com/en-us/library/dn673574(v=ws.10).aspx
  • MDE download point: http://www.microsoft.com/en-us/download/details.aspx?id=43738
  • If you want to compare Azure Rights Management and AD RMS, see http://technet.microsoft.com/en-us/library/jj739831.aspx
    
    

We hope the above 3 offers give you a clear indication that we very much care about the needs of all of our organizations.

In Summary

1. Office is committed to enabling RMS on all their platforms. It will take a bit of time.
2. RMS app is offering an immediate protected Office and protected PDF capability by leveraging our new PPDF capability.
3. Email notification makes RMS more desirable to information workers. It empowers them to take an active role in secure sharing.
4. We’ve added OS X support.
5. Azure RMS is better than ever with templates and logging enhancements.
6. Azure RMS, with the new Azure RMS hub deployment option, permits even the most cloud reluctant organizations to benefit from RMS.

Best of all, we’re not slowing down anytime soon!

Thanks,
Dan on behalf of the RMS team
@TheRMSGuy