-->
Applies to: Azure Information Protection, Office 365
Information Rights Management (IRM) helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. The permissions are stored in the document, workbook, presentation, or e-mail message, where they are authenticated by an IRM server. Windows MacOS What IRM does.
We have AD RMS ( windows 2012 R2 - Cryptographic Mode 2 ) setup and want to use RMS features for Mac(Apple) users, as i found, if Cryptographic Mode 2 is used on ADRMS, we need Office 2016 ( as Office. I tried to delete files which are written in the following URL. URLs By searching the web, I found the way to reset Office 2011 for Mac IRM client, but is it same as for Office for Mac 2016?
Relevant for: AIP unified labeling client and classic client.
Note
To provide a unified and streamlined customer experience, Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.
Azure Rights Management (Azure RMS) is the protection technology used by Azure Information Protection.
Azure RMS is a cloud-based protection service that uses encryption, identity, and authorization policies to help secure files and emails across multiple devices, including phones, tablets, and PCs. Protection settings remain with your data, even when it leaves your organization's boundaries, keeping your content protected both within and outside your organization.
The following image shows how Azure RMS provides protection for Microsoft 365, as well as on-premises servers and services. Protection is also supported by popular end-user devices running Windows, macOS, iOS, and Android.
Use Azure RMS with Microsoft 365 subscriptions or subscriptions for Azure Information Protection. For more information about individual subscription types and supported features, see the Azure Information Protection pricing site.
Sample Azure RMS use case
Employees might email a document to a partner company, or save a document to their cloud drive.
Using Azure RMS's persistent protection helps secure company data, and may also be legally required for compliance, legal discovery requirements, or best practices for information management.
Azure RMS ensures that authorized people and services, such as search and indexing, can continue to read and inspect the protected data.
Ensuring ongoing access for authorized people and services, also known as 'reasoning over data', is a crucial element in maintaining control of your organization's data. This capability may not be easily accomplished with other information protection solutions that use peer-to-peer encryption.
Business problems solved by Azure Rights Management
Use the following lists and tables to identify business requirements or problems that your organization might have in protecting documents and emails, and how the Azure Rights Management technology can address your needs.
Tip
If you are familiar with the on-premises version of Rights Management, Active Directory Rights Management Services (AD RMS), you might be interested in the comparison table from Comparing Azure Rights Management and AD RMS.
Protection features
| Feature | Description |
|---|---|
| Protect multiple file types | In early implementations of Rights Management, only Office files could be protected, using built-in Rights Management protection. Azure Information Protection provides support for additional file types. For more information, see Supported file types. |
| Protect files anywhere. | When a file is protected, the protection stays with the file, even if it is saved or copied to storage that is not under the control of IT, such as a cloud storage service. |
Collaboration features
| Feature | Description |
|---|---|
| Safely share information | Protected files are safe to share with others, such as an attachment to an email or a link to a SharePoint site. If the sensitive information is within an email message, protect the email, or use the Do Not Forward option from Outlook. |
| Support for business-to-business collaboration | Because Azure Rights Management is a cloud service, there’s no need to explicitly configure trusts with other organizations before you can share protected content with them. Collaboration with other organizations that already have a Microsoft 365 or an Azure AD directory is automatically supported. For organizations without Microsoft 365 or an Azure AD directory, users can sign up for the free RMS for individuals subscription, or use a Microsoft account for supported applications. |
Tip
Attaching protected files, rather than protecting an entire email message, enables you to keep the email text un-encrypted.
For example, you may want to include instructions for first-time use if the email is being sent outside your organization. If you attach a protected file, the basic instructions can be read by anyone, but only authorized users will be able to open the document, even if the email or document is forwarded to other people.
Platform support features
Azure RMS supports a broad range of platforms and applications, including:
| Feature | Description |
|---|---|
| Commonly used devices not just Windows computers | Client devices include: - Windows computers and phones - Mac computers - iOS tablets and phones - Android tablets and phones |
| On-premises services | In addition to working seamlessly with Office 365, use Azure Rights Management with the following on-premises services when you deploy the RMS connector: - Exchange Server - SharePoint Server - Windows Server running File Classification Infrastructure |
| Application extensibility | Azure Rights Management has tight integration with Microsoft Office applications and services, and extends support for other applications by using the Azure Information Protection client. The Azure Information Protection SDKs provide your internal developers and software vendors with APIs to write custom applications that support Azure Information Protection. For more information, see Other applications that support the Rights Management APIs. |
Infrastructure features
Azure RMS provides the following features to support IT departments and infrastructure organizations:
Note
Organizations always have the choice to stop using the Azure Rights Management service without losing access to content that was previously protected by Azure Rights Management.
For more information, see Decommissioning and deactivating Azure Rights Management.
Create simple and flexible policies
Customized protection templates provide a quick and easy solution for administrators to apply policies, and for users to apply the correct level of protection for each document and restrict access to people inside your organization.
For example, for a company-wide strategy paper to be shared with all employees, apply a read-only policy to all internal employees. For a more sensitive document, such as a financial report, restrict access to executives only.
Configure your labeling policies in your labeling admin center:
Unified labeling client: Use the Microsoft 365 security center, the Microsoft 365 compliance center, or the Microsoft 365 Security & Compliance Center.
For more information, see the sensitivity labeling documentation for Microsoft 365.
Classic client: Use the Azure portal. For more information, see Configuring and managing templates for Azure Information Protection.
Easy activation
For new subscriptions, activation is automatic. For existing subscriptions, activating the Rights Management service requires just a couple of clicks in your management portal, or two PowerShell commands.
Auditing and monitoring services
Audit and monitor usage of your protected files, even after these files leave your organization’s boundaries.
For example, if a Contoso, Ltd employee works on a joint project with three people from Fabrikam, Inc, they might send their Fabrikam partners a document that's protected and restricted to read-only.
Azure RMS auditing can provide the following information:
Whether the Fabrikam partners opened the document, and when.
Whether other people, who were not specified, attempted, and failed to open the document. This might happen if the email was forwarded on, or saved to a shared location.
Note
For classic client users only, the document tracking site lets users and administrators track, and if necessary, revoke access to protected documents.
Ability to scale across your organization
Because Azure Rights Management runs as a cloud service with the Azure elasticity to scale up and out, you don’t have to provision or deploy additional on-premises servers.
Maintain IT control over data
Organizations can benefit from IT control features, such as:
| Feature | Description |
|---|---|
| Tenant key management | Use tenant key management solutions, such as Bring Your Own Key (BYOK) or Double Key Encryption (DKE). For more information about, see: - Planning and implementing your AIP tenant key - DKE in the Microsoft 365 documentation. |
| Auditing and usage logging | Use auditing and usage logging features to analyze for business insights, monitor for abuse, and perform forensic analysis for information leaks. |
| Access delegation | Delegate access with the super user feature, ensuring that IT can always access protected content, even if a document was protected by an employee who then leaves the organization. In comparison, peer-to-peer encryption solutions risk losing access to company data. |
| Active Directory synchronization | Synchronize just the directory attributes that Azure RMS needs to support a common identity for your on-premises Active Directory accounts, by using a hybrid identity solution, such as Azure AD Connect. |
| Single-sign on | Enable single-sign on without replicating passwords to the cloud, by using AD FS. |
| Migration from AD RMS | If you've deployed Active Directory Rights Management Services (AD RMS), migrate to the Azure Rights Management service without losing access to data that was previously protected by AD RMS. |
Security, compliance, and regulatory requirements
Azure Rights Management supports the following security, compliance, and regulatory requirements:
Use of industry-standard cryptography and supports FIPS 140-2. For more information, see the Cryptographic controls used by Azure RMS: Algorithms and key lengths information.
Support for nCipher nShield hardware security module (HSM) to store your tenant key in Microsoft Azure data centers.
Azure Rights Management uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East and Africa), and Asia, so your keys can be used only in your region.
Certification for the following standards:
- ISO/IEC 27001:2013 (./includes ISO/IEC 27018)
- SOC 2 SSAE 16/ISAE 3402 attestations
- HIPAA BAA
- EU Model Clause
- FedRAMP as part of Azure Active Directory in Office 365 certification, issued FedRAMP Agency Authority to Operate by HHS
- PCI DSS Level 1
For more information about these external certifications, see the Azure Trust Center.
Next steps
For more technical information about how the Azure Rights Management service works, see How does Azure RMS work?
With Office 365 and Information Rights Management, you can set permissions on your emails or office files to help keep company data secure. I’m going to show you how to apply an Information Rights Management policy to an email in Outlook.
First, open a new message window.
Then, select the File tab from the ribbon, and from the Info pane, select the dropdown labeled Set Permissions.
I’m going to choose the Do Not Forward option. Outlook will tell me what this policy entails, and I can hit the Back arrow to return to my message. Outlook will let me know at the top of my message that my policy has been applied and which permissions it will restrict or allow.
I’m going to send this to myself, so we can see how a message that’s been sent with restrictions looks when it arrives in your inbox. I’m also going to send it to a Gmail account, so we can see how it appears when looked at by a non-Outlook or external user.
Here’s the message I’ve just sent, and this red icon here indicates that this message has been received with restrictions. Since I’m the one who sent this message, I will still be able to forward it, but if you tried to forward a message you received with this policy applied, you would get a popup dialogue box letting you know that this action is not allowed.
IRM can also stop recipients from taking screenshots of your message. I’m going to click on this message from a coworker, which you can see by the icon here, has a restriction applied. I am currently recording my screen, so as soon as the message is in view, my recording turns black, preventing me from capturing any of the content in his message. I am able to record the screen in my own message because I have rights to the content as the message creator, so when I click back on my own message, the recording will return.
Irm Protected Document
It’s worth noting that this only works with the Outlook Client, so if your recipient is using the OWA app or another mail service—like Gmail, they will not have forwarding abilities, but they might still be able to capture the content in the body of your message.
It’s always a good idea to make sure you’re sending confidential information only to a trustworthy source. Even if they’re using the Outlook client, nothing can prevent a recipient from recreating your content manually.
Now I’m going to navigate to the Gmail account where I’ve sent this message, so we can see how this works without the Outlook client. In Gmail, I’ve received a notification about the email with a link to view the message. When I click Read the Message, I have two options.
Irm In Office 365
I can either Sign in with Microsoft or Sign in with a One-Time Passcode. Your recipient can choose Sign in with a One-Time Passcode. They’ll get this page that lets them know to check their inbox for the code. I’m going to go back to the Gmail inbox, copy the code, and enter it here to see the message.
Microsoft Office Irm
And here is the message I sent. You’ll notice that I am able to reply in this window, but the Forward option is greyed out.
That’s how you apply an Information Rights Management policy to a message in Outlook with Office 365.