Category Archives: Azure RMS, RMS for O365

Use Group Based Licensing to Activate Office 365 Users

The Story

I got a request to place users into security groups for management purposes. The client already had active users, but many of those users have left the workplace and still hold E3 or E1 licenses, which they should not have since these are pricey licenses; backing up the users' details and reclaiming the licenses is the easiest and most cost-effective way of handling this.

So, to start (prerequisites):

Group based licensing is a new feature, introduced in 2019, and not many people know that it is there. However, this feature doesn't come for free (since it's Microsoft): you must have a license for it, or at least have users on the E3 licensing model. So the requirements are:

  • Azure AD Premium P1 or higher
  • Office 365 E3 or higher
  • EMS or higher

How does it work?

In order to get this to work, you need to plan where you want to manage those groups and their licenses from: online or on-premises?

If Online

If you're going to do this online, then you need to create a group for each licensing model, representing the intended license and its users. For example, Office365-E1 is created as a security group dedicated to E1 license users.

Office365-E3 is created the same way, and users with the E3 license type are added to it.

If On-Premises

If you're going to manage those groups on-premises, then you must have the ADConnect (Azure AD Sync) tool to sync those groups after creating them.

In my case I created those groups on-premises, one per license type, named E1-Office365, E3-Office365 and EMS-Office365.

After creating those groups, you will need to sync them to Office 365 using ADConnect. To force this to sync immediately, fire up PowerShell on the Azure AD Connect server and type

Start-ADSyncSyncCycle -PolicyType delta

What If I have users already assigned with License?

If you have users already assigned licenses and want to manage them using group based licensing, then you're going to have to get a list of all your users with their license information into a CSV file and import those users into the groups you created, based on the license they have.

I created a PowerShell script that matches user names and, based on the license mentioned in the CSV file, adds them to the relevant group. But first you need to export the users from Office 365.

Export Users and their license from Office 365

First of all, connect to the Office 365 MSOL service from PowerShell (Connect-MsolService), then export the licensed users:

# A user holding several licenses has an array of SKUs; join them with ';' so the CSV does not show System.Object[]
Get-MsolUser -All | Where {$_.IsLicensed -eq $true} | Select DisplayName,UsageLocation,@{n="Licenses Type";e={$_.Licenses.AccountSkuId -join ";"}},SignInName,UserPrincipalName,@{n="ProxyAddresses";e={$_.ProxyAddresses -join ";"}} | Export-Csv -Path C:\ExportlicenseUsage.csv -NoTypeInformation

So this is how my CSV looks right after exporting the users. We need to do some tuning on this CSV file to clean it and get it ready for our PowerShell script.

There are a total of 6 columns in this file. If for whatever reason you want to use ProxyAddresses to distinguish users, feel free to keep that column and use it in the script, but in my case I didn't need it, so I deleted the entire column.

So I will keep the following columns (removing the space from the "Licenses Type" header so it becomes LicensesType, the name the script reads):

  • DisplayName
  • UsageLocation
  • LicensesType
  • SignInName
  • UserPrincipalName

The value of the license type column is usually formatted like "TenantName:License", and in order to make this column useful I am going to remove the tenant name from all the cells.

Find and Replace can easily remove and clean these values for you.
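The same clean-up can be scripted, which avoids manual mistakes when the export is repeated. The following is an added example, not from the original post: it reads the exported CSV, strips the tenant prefix from every SKU, renames the column to LicensesType and writes a new file. It assumes users with several licenses were exported joined with ';' (otherwise a multi-license user exports as System.Object[]); the file paths are constructed.

```powershell
# Added example: clean the exported CSV with PowerShell instead of Find and Replace.
# Assumes the "Licenses Type" column from the Get-MsolUser export; paths are constructed.
$In  = "C:\ExportlicenseUsage.csv"
$Out = "C:\ExportlicenseUsage-clean.csv"

$Rows = @(Import-Csv -Path $In)
if ($Rows.Count -eq 0) { throw "No rows found in $In" }

$Cleaned = foreach ($Row in $Rows) {
    # "TenantName:ENTERPRISEPACK" -> "ENTERPRISEPACK". A user holding several SKUs is
    # exported as a ';'-separated list, so each SKU is cleaned separately.
    $Skus = foreach ($Sku in ($Row.'Licenses Type' -split ';')) {
        $Name = ($Sku -split ':')[-1].Trim()
        if ($Name) { $Name.ToUpper() }
    }
    # Keep only the columns the import script needs; the column is renamed to
    # LicensesType (no space) so $ImportedUser.LicensesType resolves.
    [pscustomobject]@{
        DisplayName       = $Row.DisplayName
        UsageLocation     = $Row.UsageLocation
        LicensesType      = ($Skus -join ';')
        SignInName        = $Row.SignInName
        UserPrincipalName = $Row.UserPrincipalName
    }
}

$Cleaned | Export-Csv -Path $Out -NoTypeInformation

# Sanity check: users per SKU, and any rows that ended up without a licence value
$Cleaned | Group-Object LicensesType | Select-Object Name, Count | Format-Table -AutoSize
$Cleaned | Where-Object { -not $_.LicensesType } | Select-Object UserPrincipalName
```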

After cleaning the column, each cell holds only the SKU name, e.g. STANDARDPACK or ENTERPRISEPACK.

The cleaned CSV is now ready for the PowerShell script that adds the users to their relevant groups.

On Active Directory, from an elevated PowerShell

Run PowerShell ISE from a privileged account and paste this script into ISE:

$ImportedUsers = Import-Csv "C:\Users\AD\Desktop\ExportlicenseUsage.csv"

# Groups created on-premises, one per license type
$E3  = "E3-Office365"
$E1  = "E1-Office365"
$EMS = "EMS-Office365"

# Read Active Directory once and index users by UPN, instead of querying all of AD for every CSV row
$AllUsers = Get-ADUser -Filter * -Properties UserPrincipalName, SamAccountName
$UsersByUPN = @{}
foreach ($User in $AllUsers) {
    if ($User.UserPrincipalName) { $UsersByUPN[$User.UserPrincipalName.ToLower()] = $User }
}

foreach ($ImportedUser in $ImportedUsers) {
    $License     = $ImportedUser.LicensesType
    $ImportedUPN = $ImportedUser.UserPrincipalName
    if (-not $ImportedUPN) { continue }

    $User = $UsersByUPN[$ImportedUPN.ToLower()]
    if (-not $User) {
        Write-Host $ImportedUPN "was not found in Active Directory" -ForegroundColor Yellow
        continue
    }
    # The CSV has no SamAccountName column, so take it from the matching AD account
    $Sam = $User.SamAccountName
    $UPN = $User.UserPrincipalName

    if ($License -match "EMS") {
        Add-ADGroupMember -Identity $EMS -Members $Sam
        Write-Host $UPN "User has EMS License and has been added to the Group EMS" -ForegroundColor DarkGreen -BackgroundColor White
    }
    elseif ($License -match "STANDARDPACK") {
        Add-ADGroupMember -Identity $E1 -Members $Sam
        Write-Host $UPN "User has E1 License and has been added to the Group E1" -ForegroundColor Black -BackgroundColor Green
    }
    elseif ($License -match "ENTERPRISEPACK") {
        Add-ADGroupMember -Identity $E3 -Members $Sam
        Write-Host $UPN "User has E3 License and has been added to the Group E3" -ForegroundColor Blue -BackgroundColor White
    }
}
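Once the script has run, the added example below (not part of the original post) reconciles the cleaned CSV against the three on-premises groups and reports users who did not end up in the group for their SKU, as well as group members whose AD account is disabled, the leavers the post set out to find. The group names are those used in the script; the CSV path is constructed.

```powershell
# Added example: verify group membership against the cleaned CSV and flag disabled accounts.
$Csv = Import-Csv "C:\Users\AD\Desktop\ExportlicenseUsage.csv"   # constructed path
$SkuToGroup = @{
    'EMS'            = 'EMS-Office365'
    'STANDARDPACK'   = 'E1-Office365'
    'ENTERPRISEPACK' = 'E3-Office365'
}

# Load the membership of each licence group once, indexed by lower-case UPN
$Members = @{}
foreach ($Group in $SkuToGroup.Values) {
    $Members[$Group] = @{}
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties UserPrincipalName, Enabled |
        ForEach-Object {
            if ($_.UserPrincipalName) { $Members[$Group][$_.UserPrincipalName.ToLower()] = $_ }
        }
}

$Report = foreach ($Row in $Csv) {
    if (-not $Row.UserPrincipalName) { continue }
    foreach ($Sku in ($Row.LicensesType -split ';')) {
        $Group = $SkuToGroup[$Sku.Trim().ToUpper()]
        if (-not $Group) { continue }   # SKU not managed by a group, e.g. add-ons
        $Member = $Members[$Group][$Row.UserPrincipalName.ToLower()]
        [pscustomobject]@{
            UserPrincipalName = $Row.UserPrincipalName
            Sku               = $Sku.Trim()
            ExpectedGroup     = $Group
            InGroup           = [bool]$Member
            AccountDisabled   = $(if ($Member) { -not $Member.Enabled } else { $null })
        }
    }
}

# Users not in their group have no group-assigned licence and need attention before the
# direct assignments are removed; disabled members keep consuming a paid licence until
# they are taken out of the group.
$Report | Where-Object { -not $_.InGroup -or $_.AccountDisabled } |
    Sort-Object ExpectedGroup, UserPrincipalName | Format-Table -AutoSize
```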

Enabling Group Based License from Azure Portal

After this script finishes, I can open the Azure Portal.

From Azure Active Directory > Licenses > All Products

I will choose the license which I want to assign to a group I created in my on-premises AD.

Click on the license (Office 365 E1) and choose Assign from the top menu.

Make sure you select Assignment options and customize the license according to the products you want your group members to use, then click on Users and groups and select the relevant group you created (in my case E1-Office365).

Here, the group has been assigned.

Click Assign and you should be done.

We will do the same for E3 users.

NOTE

From now on, removing any user from this group will revoke their license and any service connected to it, so you must be very careful when removing users from this group.

Microsoft has done a great job covering this thoroughly and in great detail, including scripts for many tasks such as finding users whose license is inherited from a group or assigned manually. I am listing the references below if you are curious about these.

References:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-assign

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-ps-examples

How to Bulk Delete Exchange Online Distribution and Office 365 groups


Part of Office 365 security auditing is ensuring that all users and groups in your organization were created for a purpose you are aware of, and that you can control these users and groups.

After auditing groups in the Office 365 Exchange Control Panel (ECP), I noticed that it is not possible to bulk delete groups from the ECP: it has to be done one by one, or the better and more professional way, using PowerShell.


Create CSV for groups to be deleted:

In order to delete multiple groups at once, you first need to create a file with the groups that need to be deleted. Download the CSV from the Groups tab in the Exchange Admin Center, as in the screenshot below.


Once you have downloaded the file, add a new column in which you mark the groups to be deleted, then export the CSV after filtering on that column.




Connect to Office 365:

Once you have the file ready, you only need to connect to Office 365. If MFA is enabled, make sure you have created an App Password for the privileged account you will use to delete or create groups or users.

To create an app password you must log in to your account and follow these steps:

https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183

After logging in to Exchange Online (Office 365) you will be able to bulk delete groups using the following script.

# This script deletes selected groups imported from the CSV file "Groups-to-delete.csv"
# The CSV file contains the following columns (STATUS may be empty)
# DISPLAYNAME,GROUPTYPE,STATUS,EMAIL,Delete
# Group1(ADEO),Distribution list,,Group1@Moh10ly.com,yes
# Make sure you use an APP Password to authenticate to Exchange Online
$cres = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cres -Authentication Basic -AllowRedirection
Import-PSSession $Session
$groups = Import-Csv "C:\Users\groups-to-delete.csv"
foreach ($group in $groups)
{
    $GroupID = $group.EMAIL
    $DN = $group.DISPLAYNAME
    # Only rows marked "yes" in the Delete column are processed
    if ($group.Delete -ne "yes") { continue }
    if (Get-DistributionGroup -Identity $GroupID -ErrorAction SilentlyContinue) {
        Write-Host $DN "exists and will be deleted" -ForegroundColor Green
        Remove-DistributionGroup -Identity $GroupID -Confirm
    }
    else {
        Write-Host $DN "Group doesn't exist"
    }
}
Remove-PSSession $Session


Delete Office 365 Type Groups:

If you have Office 365 groups, those are not considered Exchange groups: they do not reside in Exchange but in Azure AD, and they must be deleted from there. Assume I want to delete some Office 365 groups that have (Kaizala) in their display name.

First let’s connect to Azure AD, which will allow you to see the Office 365 groups and be able to delete them.


Connecting to Azure AD is done with Connect-AzureAD from the AzureAD PowerShell module.

Let's get the Kaizala groups and check that the PowerShell command returns the expected result.

Get-AzureADMSGroup | Where-Object {$_.DisplayName -like "*kaiza*"}

Let’s delete these groups using this cmdlet

Get-AzureADMSGroup | Where-Object {$_.DisplayName -like "*kaiza*"} | Remove-AzureADMSGroup
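Before piping the matches to Remove-AzureADMSGroup it is worth previewing them, because the display-name filter also matches security groups containing the same text. This added example (not from the original post) restricts the match to Office 365 groups, lists their owners, and only deletes after confirmation; the name pattern is constructed.

```powershell
# Added example: preview Office 365 (Unified) groups matching a pattern before deleting them.
$Pattern = "*kaiza*"   # constructed pattern, replace with the name fragment being audited

$Candidates = Get-AzureADMSGroup -All $true |
    Where-Object { $_.DisplayName -like $Pattern -and $_.GroupTypes -contains 'Unified' }

if (-not $Candidates) {
    Write-Host "No Office 365 groups match $Pattern"
    return
}

# Show what would be deleted, with owners, so the list can be reviewed first
$Candidates |
    Select-Object DisplayName, Mail, Id,
        @{n='Owners'; e={ (Get-AzureADGroupOwner -ObjectId $_.Id |
                            Select-Object -ExpandProperty UserPrincipalName) -join ';' }} |
    Format-Table -AutoSize

# Delete only after an explicit confirmation of the reviewed list
$Answer = Read-Host "Delete $(@($Candidates).Count) group(s) listed above? (yes/no)"
if ($Answer -eq 'yes') {
    foreach ($Group in $Candidates) {
        Remove-AzureADMSGroup -Id $Group.Id
        Write-Host "Deleted" $Group.DisplayName
    }
}
```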

After deleting, now we can see that Kaizala groups are all deleted.

NOTE: Microsoft keeps those groups for a day; if you deleted them by mistake you will be able to recover them from the ECP.

If not, they will remain in the Recycle Bin for 30 days before being permanently deleted.


Hope this article helped you.

Deploying Azure RMS with Exchange 2010 and Exchange 2013 on-premises and in Hybrid Environment with Exchange online

In this post I am going to demonstrate how to integrate Office 365 RMS (Basic) with Office 365 Exchange Online in a hybrid environment with Exchange 2013 and Exchange 2010 in the same organization, and then activate Azure RMS to deploy a new template and apply it on my on-premises Exchange servers.

To do this, you will need:

1- An active Office 365 subscription with Exchange Online.

2- An Azure subscription.

3- One public IP to publish the RMS URL.

4- Access to your public domain's DNS to create the RMS A record.

5- A public certificate that includes the RMS SAN in order to work with Azure RMS.

Starting with the deployment, I will first introduce a short summary of what RMS is, taken from the Microsoft KB article.

1- AZURE RMS in Exchange Hybrid deployment:

Overview of the Microsoft Rights Management connector

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations. You can use this connector even if some of your users are connecting to online services, in a hybrid scenario. For example, some users’ mailboxes use Exchange Online and some users’ mailboxes use Exchange Server. After you install the RMS connector, all users can protect and consume emails and attachments by using Azure RMS, and information protection works seamlessly between the two deployment configurations.

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

Applications that support Azure RMS

From <https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedApplications>

Requirements for Azure Rights Management

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

Prerequisites for the RMS connector

  1. The Rights Management (RMS) service is activated: in the portal, click Manage, then click Activate and confirm with Activate; the service then shows as Activated.

2. Second requirement: the organization must have Azure AD and AADSync enabled with the local AD.

I'll activate Azure AD in order to support user authentication for RMS. Once activated, the Azure RMS templates become visible in the portal.

3. Third requirement: clients must support RMS (Windows).

https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedDevices

4. Users must run applications that support RMS.

https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedApplications

5. The firewall must allow RMS traffic.

Check ports and IPs

https://support.office.com/en-US/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

Note:

The following deployment scenario is not supported:

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

6. RMS Licenses:

Cloud subscriptions that support Azure RMS

To use Azure RMS, you must have at least one of the following subscriptions:

  • Office 365
  • Azure RMS Standalone
  • Enterprise Mobility Suite
  • RMS for individuals

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

Note: In Enterprise Plan 3, RMS already exists with basic access.

Subscription to use (Office 365 or Azure RMS) and control RMS templates

Azure AD

If you want to manage and control RMS templates, you'll need an Azure subscription in which you can manage the templates of your Azure AD.

Office 365

If you only have an Office 365 subscription and you don't want to activate your Azure AD, then you won't have access to the templates to configure new ones.

7. Integration of Azure RMS with Exchange 2013 On-premises (With Exchange 2010) and Hybrid integration with Exchange online

Windows Requirements

You will also need to install on these servers, a version of the RMS client that includes support for RMS Cryptographic Mode 2. The minimum version that is supported in Windows Server 2008 is included in the hotfix that you can download from RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008. The minimum version for Windows Server 2008 R2 can be downloaded from RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2. Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

Exchange Requirements

Note:

To use RMS with Exchange 2010 you will need Exchange 2010 SP3 RU6 installed, and for Exchange 2013 you'll need CU3 or later (build 15.00.0775.038).

  • Exchange Server 2010 with Exchange 2010 Service Pack 3 Rollup Update 6

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

My Servers

My Exchange 2010 server (Exch01) has SP3 but no RU installed, so I'll install the latest RU since it includes all the previous rollups.

http://go.microsoft.com/fwlink/p/?LinkId=616365

Exchange 2013 Server has CU8 installed so I don’t need to install anything on it.

Requirements to Install RMS connector

A- A minimum of two member computers on which to install the RMS connector:

  • A 64-bit physical or virtual computer running one of the following operating systems:
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
  • At least 1 GB of RAM
  • A minimum of 64 GB of disk space
  • At least one network interface
  • Access to the Internet via a firewall (or web proxy) that does not require authentication
  • Must be in a forest or domain that trusts other forests in the organization that contain installations of Exchange or SharePoint servers that you want to use with the RMS connector

From <https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_Prereqs>

B- Download the RMS connector tool from http://go.microsoft.com/fwlink/?LinkId=314106

Validate whether the installation succeeded by navigating to the link below on the server where the RMS connector is installed.

A successful installation shows the server certification page.

http://localhost/_wmcs/certification/servercertification.asmx

Configuring DNS for the URL

Configure the on-premises Exchange servers to use Windows Azure Active Directory via the newly installed connector.

In order to set up the URL on Exchange 2013, you must download the script GenConnectorConfig.ps1 on the Exchange 2013 server and run it with the -SetExchange2013 switch, as follows.

Download Link

http://go.microsoft.com/fwlink/?LinkId=314106

I have published RMS on my pfSense firewall (reverse proxy) and I am able to browse to the page (not able to authenticate though, because I selected only the Exchange servers group for authentication).

Now I will run the same script on Exchange 2010, but change the parameter:

.\GenConnectorConfig.ps1 -ConnectorUri http://rms.adeo-office365.ga -SetExchange2010

Now Enable Information Rights Management on Exchange on-premises Servers

In Microsoft Exchange Server 2013, Information Rights Management (IRM) is enabled by default for internal messages.

From <https://technet.microsoft.com/en-us/library/bb124077(v=exchg.150).aspx>

(NOTE: It seems that Microsoft is wrong about IRM being enabled by default for internal messages, as InternalLicensingEnabled is set to False on my Exchange 2013 server.)
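Rather than relying on the documented default, the state can be checked directly. The following added example (not from the original post) reads the IRM configuration from the Exchange Management Shell, turns on internal licensing if it is off, and runs the built-in end-to-end test; the sender address is a constructed placeholder.

```powershell
# Added example: verify and correct the on-premises IRM state after the connector script has run.
$Irm = Get-IRMConfiguration

# The values that matter for on-premises RMS via the connector
$Irm | Format-List InternalLicensingEnabled, ExternalLicensingEnabled, LicensingLocation

# Enable internal licensing if it is still off (the post found it set to False)
if (-not $Irm.InternalLicensingEnabled) {
    Set-IRMConfiguration -InternalLicensingEnabled $true
    Write-Host "InternalLicensingEnabled was False and has been set to True"
}

# End-to-end check: template retrieval, certification and licensing for one mailbox.
# Replace the constructed placeholder with a real on-premises mailbox.
Test-IRMConfiguration -Sender "user@example.com"
```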

Now, in the Exchange 2013 ECP, I'll check whether RMS is there or not.

I will create a new transport rule as follows.

If I am the recipient, I will only be allowed to view the email. Let's see this after we apply the rule.

I sent an email, and it seems the email has been encrypted and is asking me for my email confirmation or phone number.

Trying to take a screenshot of the email, it seems that RMS is working perfectly, since part of the view-only permission is blocking screenshots of Outlook while RMS is enabled.

Azure RMS Client for Windows

http://go.microsoft.com/fwlink/?LinkId=313954

REF

https://technet.microsoft.com/en-us/library/dn375964.aspx

https://technet.microsoft.com/en-us/library/dd638140(v=exchg.150).aspx#irm

https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_ExchangeServer

https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_Prereqs

https://fazarsusanto.wordpress.com/2015/05/02/azure-rms-rms-connector/

To open an RMS-encrypted PDF you'll need to download the following:

  1. RMS Client Download

http://download.microsoft.com/download/3/C/F/3CF781F5-7D29-4035-9265-C34FF2369FA2/setup_msipc_x64.exe

  2. Microsoft Online Service Assistant

http://www.microsoft.com/en-us/download/details.aspx?id=28177

Once signed in, you'll get the following protection.

Note:

If you try to share protected documents with any other mail service, like Gmail or Hotmail, you will get the following error:

Coming Soon

We can’t yet share protected files with some of your recipients.

-WORD documents

NOTES (Monday, September 14, 2015, 1:56 PM)

  1. If a user is covered by a transport rule with an RMS protection role (Office 365 RMS), then the user won't be allowed to use Azure RMS rules (configure a specific rule).

During this time the permission to use RMS will show up as "Loading permissions…".

  2. A transport rule may take 15 minutes to take effect after being created or deleted.
  3. Sending an email from Exchange Online (Azure RMS rule) with a view-only rule to another Office 365 tenant gives the following.

In order to access e-mails sent to users from different tenants or business e-mail addresses, you'll have to get a free Microsoft RMS account from here:

https://portal.aadrm.com/

Once you are signed up, you will get an e-mail like the following.

After you sign in you'll be able to access the protected document as in the snapshot below. You can also view your permissions, i.e. whether you can edit/modify the document or not.

The person who sent the email will also get a notification e-mail telling them that you have accessed the document, if they ticked the option that allows them to track the email they sent.

To compare Azure RMS and AD RMS, please navigate to the following link:

Azure RMS comparison

 

If you have any question please don’t hesitate to contact me or leave a comment.