The NEW Microsoft RMS has shipped!

Published Sep 07 2018 10:41 PM 275 Views
First published on CloudBlogs on Nov, 05 2013

Happy Wednesday!

I have the honor of sharing that the new RMS offering is now live, in general availability! We’re announcing the final release of all SDKs, most Apps, related services, and we’re giving details on how you can explore each of them. Lots more news coming over the coming weeks so follow us on Twitter @TheRMSGuy for up to the moment updates.

Why should you care? The new Microsoft RMS enables organizations to share sensitive documents within their organization or to other organizations with unprecedented ease. These documents can be of any type, and you can consume them on any device. Given the protection scheme is very robust, the file can even be openly shared… even on consumer services like SkyDrive/DropBox/GDrive.

This is the first of many blogs on the final release. If you’d like more immediate background information on Microsoft Rights Management, check out this TechEd Talk . I’ll also strongly recommend you read the new RMS whitepaper for added details. We have an updated website with per role subsites and we’ll soon post RMS flyers. We also have user forums .


In short, here is what we’re promising at this juncture:


  • I can protect any file type
  • I can consume protected files on devices important to me
  • I can share with anyone
    • Initially, I can share with any business user; they can sign up for free RMS
    • I can eventually share with any individual (e.g.  MS Account, Google IDs in CY14)
  • I can sign up for a free RMS capability if my company has yet to deploy RMS


  • I can keep my data on-premises if I don’t yet want to move to the cloud
  • I am aware of how my protected data is used (near realtime logging)
  • I can control my RMS ‘tenant key’ from on-premises
  • I can rely on Microsoft in collaboration with its partners for complete solutions

These promises combine to create two very powerful scenarios:

  1. Users can protect any file type. Then share the file with someone in their organization, in another organization, or with external users. They can feel confident that the recipient will be able to use it.
  2. ITPros have the flexibility in their choice of storage locale for their data, and Security Officers have the flexibility of maintaining policies across these various storage classes. It can be kept on premises, placed in a business cloud data store such as SharePoint, or it can placed pretty much anywhere and remain safe (e.g. thumb drive, consumer-grade cloud drives, etc.).

The RMS whitepaper offers plenty of added detail.

User experience of sharing a document

Here’s a quick fly-by through one of the many end-to-end user experiences. We’ve chosen the very common ‘Sensitive Word document’ scenario. While in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application):

You are then offered the protection screen. This screen will be provided by the SDK and thus will be the same in all RMS-enlightened applications:

When you have finished addressing and selecting permissions, click SEND. An email will be created that is ready to be sent but you we let you edit it first:

The recipient of this email can simply open the document.

If you’re a hands-on learner, just send us an email using this link and we’ll invite
you to consume a protected document the same way partner of yours would.

If the user does not have access to RMS, they can sign up for free. (Yes, free). In this flow the user will simply provide the email address they use in their day-to-day business. (That’s right, you won’t need to create a parallel free-email account to consume sensitive work documents.) We’ll ask the user to verify possession via a challenge/response, and then give them access to both consume and produce RMS protected content. (Yes, they can not only consume but also share their own sensitive documents as a free evaluation.)

The user can consume the content. Here we’ll show you how that looks like on an iPhone. In this case they got an email with a protected image (PJPG). They open it and are greeted with a login prompt so we can verify their right to view the protected image. Once verified, the user is granted access to see the image and to review the rights offered to them (click on the info bar):

With this covered, let’s jump into the specifics of what we’re releasing…

Foundational Developer SDKs

Today we are offering you 6 SDKs in RELEASE form. Those SDKs target Windows for PCs, Windows Store Apps, Windows for Phone 8, iOS, Android, and Mac OSX.

It’s worth noting the Windows SDK offers a powerful FILE API that is targeted at solution providers and IT Pros. This Windows-based SDK has already been released . It will let you protect any file via PowerShell script as well. E.g. Using the FileAPI and PowerShell you can protect a PDF or an Office document, natively, without any additional software.

The RMS sharing application

Today we’re releasing the RMS sharing application. It is available on: Windows for PCs, Windows for Phone 8, iOS, and Android. The Windows store application and Mac OSX will be forthcoming (Spring CY14).

You can get the application and sign up for free RMS here .

The applications let you consume ‘generically protected’ content (PFILEs), protected text and image formats, and also now lets you generated protected images right from the device. We call this the ‘Secure whiteboard’ feature: Take a photo of the meeting room whiteboard and share it with all attendees, securely. This said, we recognize it can serve many other creative uses.

It's important to note that Office itself is not yet available in full form on all mobile devices so consumption of natively protected Office files is limited until such time that Microsoft Office is released on your desired platform. In the meantime, you can protect Office files using the [x] Allow consumption on all devices option. This will result in the share of a generically protected (PFILE) Office file. e.g.: Here we show that My Sensitive Document.Docx will be generically protected to the PFILE format. This results in the recipients getting a protected file -- one that requires authorization, that can be audited on each use, and that can expire on the date you set -- but this file will have to be shared without the finely granular rights that you might desire (thus the slider control is disabled). These good things will come in time. This said, it's worth calling out that this flow lets your iOS and Android recipients consume the protected content you send to them in their respective applications (e.g.: on iOS you can open the Word document in Pages).

The Azure RMS Service

The above offers are bound to the Azure RMS service. This service has been in worldwide production since late 2012 as it powers the Office 365 integrated RMS features. We’ve added support for the new mobile SDKs and RESTful endpoints but overall, that service has been up and running in 6 geographies worldwide (2x EU, 2x APAC, 2x US) and is fully fault tolerant (Active-Active for the SaaS geeks amongst you).

We’re also offering the BYOK – Bring Your Own Key – capability discussed in the whitepaper. This ensures that your RMS tenant key is treated with utmost care within a Thales hardware security module. This capability prevents export of the key even with a quorum of administrator cards! You can learn more about HSMs from partner Thales here .

We’re also offering near-realtime logging of all activities related to RMS and key usage. Simply point Azure RMS to Azure blob storage and the logging begins.

The bridge to on-premises

Today we’re also announcing the RMS connector. This connector enables your on-premises Exchange servers and on-premises SharePoint servers to make use of all the above. It’s a simple relay that ‘connects’ these servers to Azure RMS. The RMS connector is easy to configure and lightweight to run.

To download the connector:

RMS connector documentation:

The RMS for individuals offer

As called out above, not everyone will have RMS in their company, so we’ll offer RMS to individuals for free within organizations. This offer is located at . If you share with others, they can simply sign up. If you are the first one to the party, you can simply sign up. No strings attached.

Wrapping up, we hope you’ll agree that we did pretty well at solving a long-standing issue of persistent data protection. We’ve done so in a way that can also be used within your organization and that honors the critical needs of your IT staff. We’re offering you immediate access to evaluate all the relevant parts: SDKs, Apps, Azure service, connectors, and the self-sign up portal. For each, I’ve given shared with you links to help you get started.

We’ve got a flurry of daily blog posts coming our over the next 2 weeks on Planning, Licensing, Step-by-Step guides, and some coverage of specific scenarios. Stay in touch via twitter: @TheRMSGuy Don't hesitate to let us know what you'd like to hear about!


Dan Plastina
on behalf of the Microsoft RMS team

Version history
Last update:
‎Sep 07 2018 10:41 PM