Microsoft Tech Community

SharePoint Online with Azure RMS


At the risk of sounding like a total noob, I wanted to ask for clarification on an issue I am having when setting up Azure RMS.

 

I am in the process of setting up Azure RMS with our Exchange Online and SharePoint Online.

I have enabled RMS in Office 365 (Azure)

I have enabled IRM for SharePoint Online

 

I have created a SharePoint Site (and Sub-Site) that has IRM configured on the library.

 

It may sound like a simple question, but I want to upload files to the site from a network share and want them protected so that only certain users (based on a group) can access them.

 

I have uploaded the files and want all files to be read-only for a specific group (and only editable by another group). To my knowledge you need to set up an RMS Template/Policy, e.g. 'Confidential Policy'. When I set up IRM for the library, it does apply when opening the file (you can see 'Confidential Policy' in the yellow bar at the top of the document), but under the permissions it is NOT Read Only. Users can Edit, Copy and Save. The only things restricted are Print, Export and Access the document programmatically.

 

My question is, how do I configure these permissions and where?

 

So far I can only make these restrictions by setting the 'Protect Document' option in Word (when opening the document). These templates were set up in the Azure Classic portal.

 

Any Suggestions?

14 Replies

OK, so I've figured this out. IRM doesn't explicitly work with Azure RMS templates. It basically keeps the SharePoint Online permissions on the file. This means that if the file was downloaded and someone tried to open it on another computer (as another user), you would still need to be a member of a group that has access to the file.

...users could edit the files before because the default permission was 'Contributor'.

 

 

Also, I wanted to ask if this would be a good instance to store highly confidential files, or would you suggest storing the files locally and setting up a 2012 R2 server with the AzRMS connector and FCI? I am looking at sharing the files with some external users also, which is why I opted for AzRMS rather than AD RMS.

Hi Adrian,

Azure RMS and SharePoint Azure IRM are related but not the same.

 

With Azure RMS, you create RMS templates and apply them to the documents; rights are applied at the document level. How do you apply the templates? As an end user, you do this using the AIP (Azure Information Protection) Add-in in Office, or you can use the backstage of the Office application.

[Image: Azure RMS templates from Office backstage]

 

Azure RMS protection lives within the document, no matter where it is stored and how it is shared (email, DropBox, OneDrive etc.).

 

When you use SharePoint IRM, it is different. You configure a library to use IRM, and you define the protection requirements at the library level. You cannot use Azure RMS templates in a SharePoint library. Protection is applied to the document ONLY when the document leaves the library (e.g. when you download a document). This design is to ensure that SharePoint can index the documents and Search can find them. So within SharePoint, a document living in an IRM-protected library doesn't have any protection; within SharePoint you control access using SharePoint permissions. For example, you can create contributor or viewer groups to control who can edit and who can view.

 

Now, if you upload an Azure RMS protected document to a SharePoint library (when you apply the templates using the AIP client in Office), the rights applied to the document will not be affected. SharePoint search will not be able to index that file, so it won't show up in Search.

 

In general, Azure RMS/IRM works at the organisation's domain level. For example, john@contoso.com can apply a template to a document that allows read access to anybody within the contoso.com domain; now if someone from contoso.com forwards that document to someone@xyz.com, that someone@xyz.com will not be able to read the document.

Hi Adrian,

SharePoint IRM and Azure RMS are related, but they are not the same.

 

With Azure RMS, you create Azure RMS templates and apply them to the documents. The rights you apply live within the document, no matter where you store it or how you share it. In general, Azure RMS works at the organisation's domain level + security group. For example, john@contoso.com can apply a template to a document that allows everyone within contoso.com READ ACCESS (but NO PRINT) to the document. John can send that document to his colleague@contoso.com by email; Azure will check the access rights when the recipient opens the document using an Azure RMS supported application (e.g. Microsoft Office). If someone@contoso.com forwards that document to someone@xyz.com, that someone@xyz.com won't be able to read that document. How do you apply Azure RMS templates? Normally, end users can use the AIP client or Office backstage.

[Image: Azure RMS.png]

 

With SharePoint IRM, you configure a library to use Azure IRM. You define the rights at the library level. You cannot use Azure RMS templates in a SharePoint library. Rights are applied ONLY when the document leaves the library. Within the library, documents are not protected using Azure IRM. Therefore, within SharePoint, you would create contributor or viewer groups to control permissions. This is by design, to ensure that documents within a SharePoint IRM configured library can be indexed so that search returns those documents.

 

Now, if you upload an Azure RMS protected document to a SharePoint library (Azure RMS templates applied using the AIP client or Office backstage), Search will not be able to index it, and Search will not return that document.

To add to the excellent description provided by @Rajesh Khanikar, MS has stated that they are working on improving the integration story, but I don't think they have provided a public timeframe for when we can expect that.

Here is a great summary of the numerous names used by this technology, https://docs.microsoft.com/en-us/information-protection/understand-explore/aka.

 

Right, I just replied in the other thread, but @Rajesh Khanikar's answer is waaaaay more detailed than mine :) Thanks Rajesh!

Thanks.

So further to this, the only way I can utilise the Track and Revoke (AIP) client is to have the file protected using an AzRMS Template (or custom - AIP) for each file in the SharePoint site.

Those only protected by IRM don't seem to have that feature, i.e. when selecting Track and Revoke for a document protected by IRM:

We can’t find that document.

 

You can only track documents that you protected using the Azure Information Protection app on Windows.

This only seems to work with those protected with AzRMS.

 

At present, is this the only option, or would FCI with the AzRMS connector be a suitable instance for storing highly confidential data?

Ignite is around the corner; I'm sure we will hear more information about the AIP/SPO integration there, if you can wait a few weeks, that is.

 

In the meantime, nothing is stopping you from storing individually-protected files in SPO or anywhere else and taking advantage of tracking/revoking. You will, however, lose the ability to "reason over data", as your applications will not be able to access those documents either.

Hi,

Sorry to sound like a total noob, but what do you mean by "reason over data"?

Agreed, Ignite could provide a better solution, but I need to have some options in place for the meantime.

Rather than protecting each file individually (as there are 200+ files), would it be a suitable solution to set up an FCI server and apply the RMS template via classification... and then upload them to SPO?

It's a term; it basically means "allowing the applications to work with the data", which is not possible if you encrypt the files outside of SharePoint and upload them to a library.

One thing to keep in mind is that Microsoft's approach to Azure IP is based on the premise that the person working on the file understands the content and is therefore able to make the best judgement about the label that should be assigned. The approach also presumes that the IT organization is best suited to determine what type of protection should be assigned to the various labels. By splitting the responsibilities like this, organizations get much more control than they get with the all-or-nothing approach provided by IRM in SP.

Surely this would be feasible, as I would want users to download the protected files and use the desktop applications (rather than Word Online, for example). I doubt they would be using the search features or indexing in SharePoint Online.

To classify a large number of files, you could write a script, for which you will require Windows PowerShell for Azure Rights Management. On a computer where you have the AIP client installed and configured, the PowerShell commands are automatically available for you to carry out automation using custom scripts. For example, you can use the cmdlet (ref this link)

Set-AIPFileClassification

to automatically set an Azure Information Protection label on one or more file(s), according to conditions that are configured in the policy.
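As an added example of the scripted approach suggested above (this is not code from the thread or from Microsoft), the script below bulk-classifies the files on a network share with the AIP client's PowerShell module before they are uploaded to SharePoint Online, then verifies that every file actually ended up RMS-protected and applies a fallback label to any that matched no policy condition. The cmdlets Set-AIPFileClassification, Set-AIPFileLabel and Get-AIPFileStatus come with the AIP client; the share path and the fallback label GUID are placeholders you must replace with your own values.

```powershell
# Added example, not from the original thread. Assumes the AzureInformationProtection
# module (installed with the AIP client) and a signed-in user who can apply labels.
Import-Module AzureInformationProtection

$SharePath       = '\\fileserver\confidential'            # placeholder: your source share
$FallbackLabelId = '00000000-0000-0000-0000-000000000000' # placeholder: GUID of a label configured WITH protection
$ReportPath      = Join-Path $env:TEMP 'aip-classification-report.csv'

# 1. Automatic classification: labels are chosen by the conditions in your AIP policy.
#    -PreserveFileDetails keeps the original modified date/owner so SharePoint metadata stays meaningful.
Set-AIPFileClassification -Path $SharePath -PreserveFileDetails | Out-Null

# 2. Check the outcome per file. A label only yields RMS protection if that label is
#    configured with protection, so the check is on IsRMSProtected, not IsLabeled.
$unprotected = foreach ($file in Get-ChildItem -Path $SharePath -Recurse -File) {
    $status = Get-AIPFileStatus -Path $file.FullName
    if (-not $status.IsRMSProtected) { $status }
}

# 3. Files that matched no policy condition get an explicit fallback label so that
#    nothing reaches SPO unprotected (the OP's requirement for the whole library).
foreach ($status in $unprotected) {
    Write-Host "No protection on $($status.FileName); applying fallback label"
    Set-AIPFileLabel -Path $status.FileName -LabelId $FallbackLabelId -PreserveFileDetails | Out-Null
}

# 4. Final report for review before the upload; any row with IsRMSProtected = False
#    still needs manual attention (e.g. a file type the AIP client cannot protect).
Get-ChildItem -Path $SharePath -Recurse -File |
    ForEach-Object { Get-AIPFileStatus -Path $_.FullName } |
    Select-Object FileName, MainLabelName, IsRMSProtected, RMSTemplateName |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host "Report written to $ReportPath"
```

Run it from the account that should appear as the RMS owner of the files, and review the CSV before uploading: as the replies above note, files protected this way keep their protection inside the library, but SPO search and other services will no longer be able to index them.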

You can do that with a regular document library without IRM enabled. Assign the Azure IP licenses to the users, deploy the add-in to them, create the labels, create the protection templates and give the users some instructions.

As long as you are fine with SPO not being able to index the file and losing some functionality (search, DLP processing, etc.), yes, it's feasible.