ADRMS to AzRMS Migration - AD RMS Templates using the ANYONE group

%3CLINGO-SUB%20id%3D%22lingo-sub-727533%22%20slang%3D%22en-US%22%3EADRMS%20to%20AzRMS%20Migration%20-%20AD%20RMS%20Templates%20using%20the%20ANYONE%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-727533%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20question%20about%20this%20section%20of%20the%20documentation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMigration%20phase%202%20-%20server-side%20configuration%20for%20AD%20RMS%20-%20%3CA%20title%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fmigrate-from-ad-rms-phase2%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fmigrate-from-ad-rms-phase2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fmigrate-from-ad-rms-phase2%3C%2FA%3E%3C%2FP%3E%3CP%3E%23%23%3C%2FP%3E%3CP%3EIf%20your%20templates%20in%20AD%20RMS%20used%20the%20ANYONE%20group%2C%20the%20closest%20equivalent%20group%20in%20Azure%20Information%20Protection%20is%20named%20AllStaff-7184AB3F-CCD1-46F3-8233-3E09E9CF0E66%40%3CTENANT_NAME%3E.onmicrosoft.com.%20For%20example%2C%20this%20group%20might%20look%20like%20the%20following%20for%20Contoso%3A%20AllStaff-7184AB3F-CCD1-46F3-8233-3E09E9CF0E66%40contoso.onmicrosoft.com.%20This%20group%20contains%20all%20users%20from%20your%20Azure%20AD%20tenant.%3C%2FTENANT_NAME%3E%3C%2FP%3E%3CP%3EWhen%20you%20manage%20templates%20and%20labels%20in%20the%20Azure%20portal%2C%20this%20group%20displays%20as%20your%20tenant's%20domain%20name%20in%20Azure%20AD.%20For%20example%2C%20this%20group%20might%20look%20like%20the%20following%20for%20Contoso%3A%20contoso.onmicrosoft.com.%20To%20add%20this%20group%2C%20the%20option%20displays%20Add%20%3CORGANIZATION%20name%3D%22%22%3E%20-%20All%20members.%3C%2FORGANIZATION%3E%3C%2FP%3E%3CP%3E%23%23%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EShould%20I%20keep%20the%20ANYONE%20group%20in%20the%20template%20imported%20to%20Azure%20RMS%20%2F%20AIP%20or%20should%20I%20remove%20the%20ANYONE%20group%20permission%20on%20the%20template%3F%3C%2FP%3E%3CP%3EIf%20I%20should%20keep%20the%20ANYONE%20group%2C%20when%20is%20this%20entry%20being%20used%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3EJuergen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-727533%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ERights%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-733278%22%20slang%3D%22en-US%22%3ERe%3A%20ADRMS%20to%20AzRMS%20Migration%20-%20AD%20RMS%20Templates%20using%20the%20ANYONE%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-733278%22%20slang%3D%22en-US%22%3E%3CP%3EOn%20the%20AIP%20template%2C%20you%20may%20delete%20entry%20for%20the%20ANYONE%20group%20and%20add%20the%20group%20%22AllStaff-7184AB3F-CCD1-46F3-8233-3E09E9CF0E66%40%3CTENANT_NAME%3E.onmicrosoft.com%22%20instead.%3C%2FTENANT_NAME%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%2C%3CBR%20%2F%3EMartin%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-735114%22%20slang%3D%22en-US%22%3ERe%3A%20ADRMS%20to%20AzRMS%20Migration%20-%20AD%20RMS%20Templates%20using%20the%20ANYONE%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-735114%22%20slang%3D%22en-US%22%3E%3CP%3EMartin%2C%20thank%20you%20for%20the%20clarification.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Senior Member

Hi,

 

I have a question about this section of the documentation.

 

Migration phase 2 - server-side configuration for AD RMS - https://docs.microsoft.com/en-us/azure/information-protection/migrate-from-ad-rms-phase2

##

If your templates in AD RMS used the ANYONE group, the closest equivalent group in Azure Information Protection is named AllStaff-7184AB3F-CCD1-46F3-8233-3E09E9CF0E66@<tenant_name>.onmicrosoft.com. For example, this group might look like the following for Contoso: AllStaff-7184AB3F-CCD1-46F3-8233-3E09E9CF0E66@contoso.onmicrosoft.com. This group contains all users from your Azure AD tenant.

When you manage templates and labels in the Azure portal, this group displays as your tenant's domain name in Azure AD. For example, this group might look like the following for Contoso: contoso.onmicrosoft.com. To add this group, the option displays Add <organization name> - All members.

##

 

Should I keep the ANYONE group in the template imported to Azure RMS / AIP or should I remove the ANYONE group permission on the template?

If I should keep the ANYONE group, when is this entry being used?

 

Thanks

Juergen

2 Replies

On the AIP template, you may delete entry for the ANYONE group and add the group "AllStaff-7184AB3F-CCD1-46F3-8233-3E09E9CF0E66@<tenant_name>.onmicrosoft.com" instead.

 

Regards,
Martin

Martin, thank you for the clarification.