In this post I am going to demonstrate how to integrate Office 365 RMS (Basic) with Office 365 Exchange online in Hybrid Environment with Exchange 2013 and Exchange 2010 in the same organization and then I’ll activate Azure RMS to deploy a new template and apply it on my on-premises Exchange servers.
To do this, you will need
1- an active Office 365 subscription with Exchange online.
2- Azure Subscription.
3- One Public IP to publish RMS URL.
4- Access to your public domain’s DNS to create the RMS A record.
5- Public Certificate that includes the RMS SAN in order to work with Azure RMS.
Starting with the deployment I will start by Introducing a small summary of what’s RMS from MS KB article.
1- AZURE RMS in Exchange Hybrid deployment:
Overview of the Microsoft Rights Management connector
The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations. You can use this connector even if some of your users are connecting to online services, in a hybrid scenario. For example, some users’ mailboxes use Exchange Online and some users’ mailboxes use Exchange Server. After you install the RMS connector, all users can protect and consume emails and attachments by using Azure RMS, and information protection works seamlessly between the two deployment configurations.
Applications that support Azure RMS
Requirements for Azure Rights Management
- The Rights Management (RMS) service is activated
2. Second Requirement: Organization must have Azure AD and AADSync enabled with local AD.
I’ll activate Azure AD in order to support user authentication for RMS.
Azure RMS templates
3. Third Requirement: Clients must support RMS (Windows)
4. Users must run applications that support RMS.
5. Firewall must be enabled for RMS
Check ports and IPs
The following deployment scenario is not supported:
- Running AD RMS and Azure RMS side-by-side in the same organization, except during migration, as described in Migrating from AD RMS to Azure Rights Management.
6. RMS Licenses:
To use Azure RMS, you must have at least one of the following subscriptions:
- Office 365
- Azure RMS Standalone
- Enterprise Mobility Suite
- RMS for individuals
Note: In Enterprise Plan 3 RMS already exists with basic access
Subscription to use (Office 365 or Azure RMS) and control RMS templates
If you want to manage and control RMS templates you’ll need to have Azure Subscription where you can manage the templates of your Azure AD.
If you only have Office 365 subscription and you don’t want to activate your azure AD then you won’t have access to the templates to configure new templates.
7. Integration of Azure RMS with Exchange 2013 On-premises (With Exchange 2010) and Hybrid integration with Exchange online
You will also need to install on these servers, a version of the RMS client that includes support for RMS Cryptographic Mode 2. The minimum version that is supported in Windows Server 2008 is included in the hotfix that you can download from RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008. The minimum version for Windows Server 2008 R2 can be downloaded from RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2. Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.
To Use RMS with Exchange 2010 you will need Exchange 2010 SP3 RU6 installed and for Exchange 2013 you’ll need CU3 or Later (Build 15.00.0775.038).
- Exchange Server 2010 with Exchange 2010 Service Pack 3 Rollup Update 6
My Exchange 2010 server (Exch01) has SP3 but no RU installed. So I’ll install the latest RU since it includes all the previous rollups already.
Exchange 2013 Server has CU8 installed so I don’t need to install anything on it.
Requirements to Install RMS connector
A- A minimum of two member computers on which to install the RMS connector:
- A 64-bit physical or virtual computer running one of the following operating systems:
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- At least 1 GB of RAM
- A minimum of 64 GB of disk space
- At least one network interface
- Access to the Internet via a firewall (or web proxy) that does not require authentication
- Must be in a forest or domain that trusts other forests in the organization that contain installations of Exchange or SharePoint servers that you want to use with the RMS connector
B- Download the RMS connector tool from http://go.microsoft.com/fwlink/?LinkId=314106
Validating installation if successful or not by navigating to the below link on the server where RMS connector is installed.
A successful installation will show the below screenshot.
Configuring DNS for the URL
Configure the Exchange servers on premises to use Windows Azure Active Directory via the newly installed connector.
In order to setup the URL on Exchange 2013, you must download the script GenConnectorConfig.ps1 on Exchange 2013 Server and run it as following
I have published the RMS on my Pfsense Firewall (Reverse proxy) and I am able to browse to the page… (not able to authenticate though because I selected only Exchange servers group for authentication.
Now I will run the same script on Exchange 2010 but will change the parameter
.\GenConnectorConfig.ps1 -ConnectorUri http://rms.adeo-office365.ga -SetExchange2010
Now Enable Information Rights Management on Exchange on-premises Servers
In Microsoft Exchange Server 2013, Information Rights Management (IRM) is enabled by default for internal messages.
(NOTE: Seems that Microsoft is wrong about the IRM enabled by default for Internal messages as the InternalLicensingEnabled is set to False on my Exchange 2013 server).
Now On Exchange 2013 ECP I’ll check if the RMS is there or not!
I will create a new transport rule as following
If I am the recipient, I will be allowed to only view the email … let’s see this after we apply it
I have sent an email and it seems that the email has been encrypted and is asking me for my email confirmation or Phone number.
Trying to take a screenshot of the Email, It seems that the RMS is working perfectly since part of the view only permission is not taking screenshots of Outlook while the RMS is enabled.
Azure RMS Client for Windows
To open a RMS encrypted PDF you’ll need to download the following:
- RMS Client Download
- Microsoft Online Service Assistant
Once Signed in, you’ll get the following protection
If you try and share protected documents with any other mail service like Gmail or Hotmail you will get the following error.
We can’t yet share protected files with some of your recipients.
Monday, September 14, 2015
- If a user is activated in a transport role with RMS protection role (Office 365 RMS). Then the user won’t be allowed to use Azure RMS rules (Configure specific rule).
During this time the permission to use RMs will show up as following “Loading permissions…”
- Transport rule may take 15 minutes to take affect after being created or deleted.
- Sending email with Exchange online (Azure RMS Rule) with (View online rule) to another Office 365 tenant mail gives the following
In order to access e-mails that are sent to users from different tenants or business e-mails. You’ll have to get a free Microsoft RMS account from here
Once you are signed up , you will get an e-mail like the following
After you sign in you’ll be able to access the protected document as in the below snapshot. And you can also view your permissions or whether you can edit/modify the document or not
The person who sent an email will also get a notification e-mail telling him that you’ve got access to the document if he has ticked the option that allow him to track the email that he sent along.
To compare between Azure RMS and AD RMS please navigate to the following link
If you have any question please don’t hesitate to contact me or leave a comment.