MIP migration


Questions on migrating AD-RMS to MIP


Hi Community,


One of our customers would like to migrate from on-premises AD RMS to Microsoft Information Protection (MIP).


Their environment:


AD RMS implemented on Windows Server 2012 R2

No Rights Policy Templates defined, No trusts, No exclusions are defined

Database in MS SQL cluster

Cryptographic Mode is type 1 with physical HSM (1024-bit SHA-1)

SharePoint integration with IRM

Exchange integration with email encryption


Their plan:


They would like to retire their AD RMS infrastructure. They need to take care of existing encrypted documents. Mainly they are focusing on documents in SharePoint; other documents can also be important. They would like to use MIP by default on SharePoint Online sites and on some on-premises SharePoint sites.


Their Challenges/Queries:


We know that importing RSA 1,024-bit keys is not supported.


1. In this case, is it possible to migrate a 1024-bit SHA-1 encryption key from the HSM to MIP? If not, are there any other best practices?

2. How does migration affect MIP? Meaning, how can they make sure users do not use AD RMS after migration and force them to use MIP sensitivity labels?


Any pointers would be of great help.
