Questions about adopting Azure RMS RRS feed

  • Question

  • Hi guys,

    We are currently in a somewhat mixed environment, using Exchange Online in a hybrid as the only workload within Office 365 as of now. We have AD DS and Azure AD Connect in place.

    We will start to adopt SharePoint Online with Azure Information Protection / Azure RMS.

    We have some SharePoint sites that are currently on-prem and it seems that they should stay there, so we need to deploy 2 Azure RMS connector servers to be able to utilize Azure RMS for these on-prem sites.

    I have read the Microsoft docs over and over again but I'm still having a bunch of questions I want to outline:

    - Azure Information Protection is the common term, but it only classifies and labels the files; Azure RMS actually protects the document?

    - Since we are on Exchange Online we have to let Microsoft handle the key within the Azure Key Vault. HYOK is not an option.

    - To start on a small scale we can just activate the service for the whole tenant but create a security group and use Set-AadrmOnboardingControlPolicy so that users within that group are the only ones able to use Azure RMS and apply classification, labeling and protection, but users who are not part of that group can still consume the documents?

    - If we start small with that small group of people and deploy a SharePoint Online pilot site and enable IRM for that site, how can we enforce that documents that are created or uploaded to that site library will be classified as sensitive?

    - Are users who are not part of that group able to create documents on that pilot site but not apply any AIP/RMS settings to the content?

    - What happens if within the policy we enable: "All documents and emails must have a label (applied automatically or by users)"? Will this work in conjunction with our small pilot group? This will not break anything, just that all users within that group must label a document?

    - Below that setting we can see: "Select the default label". This makes me a bit confused. We would perhaps like the default label for documents created on a local PC or home folder to be Personal, but on specific SharePoint sites to be something else, depending on the library, perhaps Confidential, and it will require a protection setting? How can we separate this if we only have one setting for this within one policy? Multiple policies? How does one know which policy to use?

    - If we create a document within Word and a specific text or, let's say, a credit-card number is typed, how does one configure what to trigger? For instance, if we would like it to recommend Sensitive, or MUST apply Confidential?

    - Can't say I understand this correctly:

    a) classifying documents is when we identify the sensitivity of the document (automatically via a ruleset or manually via the RMS client add-on buttons)?

    b) labeling the document is if we decide to add a watermark, footer or header information?

    c) protecting is when we utilize Azure RMS to enforce usage rights (authenticating towards the service) and restrictions, which means whether one can print, forward, edit etc.?

    d) global policy (for all users in the tenant), where we can see colored labels? (Is this policy basically saying that all these labels will be presented via the Azure RMS client for Word, for example?)

    e) templates - when does this come into play? 

    - To have this feature within Word/Excel Online we don't have to do anything, it's out of the box?

    - To use the Office 2013/2016 suite with this "native" support we have to deploy the client? It doesn't matter whether we've deployed Office traditionally via a non-Office 365 Office image or if we used the on-click installer?

    - If we share protected documents with another company, and that company is also subscribed to Azure AD and can authenticate towards the Azure RMS service, are they good to go if granted access to the document?

    - If we share protected documents with another company that does not utilize Office 365/Azure AD, will they be able to create a personal account while still using their company or organizational email address, and then authenticate and consume the document? Will that "account" get listed within our company's Azure AD as an external recipient or something, or is this not presented to us at all?

    - To enable this service for Exchange Online we have to do a bunch of powershell cmdlets?

    - If we will have some mailboxes on-prem in the hybrid, we can utilize the Azure RMS connector to get Azure RMS support and we don't have to involve an on-prem RMS solution, correct?

    Sorry if my questions bump into one another, I jumped back and forth while typing them.

    All help appreciated!

    Thanks!


    Wednesday, March 8, 2017 10:18 PM

All replies

  • Wow - way too many questions for a single forum post! Sounds like you would benefit from some consultancy to help you along this journey for your specific requirements. I'll take the first three questions now, and you will probably get more answers if you limit your questions or identify the most important ones to get you started. Since you said you've read a lot of documentation, I'm hoping you found the deployment roadmap that outlines what to do and when.

    "Azure Information Protection is the common term, but it only classifies and labels the files; Azure RMS actually protects the document?"

    Answer: Azure Information Protection is the "product" that you purchase and it includes the Azure Rights Management service for data protection.  This is a common confusion, hopefully answered by this FAQ: What's the difference between Azure Information Protection and Azure Rights Management?

    "Since we are on Exchange Online we have to let Microsoft handle the key within the Azure Key Vault. HYOK is not an option."

    Answer: If you want full functionality with Exchange Online, yes, use the default of a Microsoft-managed key that is automatically created for you. This also makes for a much faster deployment (less to do!).  However, just to clarify, this key isn't stored in Azure Key Vault but is stored with your tenant and is specific to Azure Information Protection.

    "To start on a small scale we can just activate the service for the whole tenant but create a security group and use Set-AadrmOnboardingControlPolicy so that users within that group are the only ones able to use Azure RMS and apply classification, labeling and protection, but users who are not part of that group can still consume the documents?"

    Answer: Correct.  That's exactly what onboarding controls are for.  Then deploy the Azure Information Protection client to just these few users for your pilot and get comfortable with the configuration and the end user workflows.  If you haven't tried it for yourself yet, start with the quick start tutorial that might answer some of your other questions and then start experimenting with different options.

    Thursday, March 9, 2017 6:55 PM
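The onboarding-control setup described in the reply above, as an added PowerShell example that is not part of the original thread or of Microsoft's documentation. It assumes the AADRM and AzureAD modules are installed, that the account used is a global administrator, and that a security group named "AIP Pilot Users" already exists (the group name is an assumption for illustration). With this policy in place only members of the group can protect content from the AIP client; everyone else in the tenant can still open protected content they have been granted rights to.

```powershell
# Added example: restrict who can *protect* content during an Azure RMS pilot
# using onboarding controls. Consumption of protected content is not restricted
# by this policy. Module and group names below are assumptions for illustration.

Import-Module AADRM
Import-Module AzureAD

Connect-AadrmService        # prompts for global-admin credentials
Connect-AzureAD             # needed to look up the pilot group's ObjectId

# Activate the Azure Rights Management service for the tenant if it is not already active.
if ((Get-Aadrm) -ne 'Enabled') {
    Enable-Aadrm
}

# Assumed pilot group; replace with your own group name.
$pilotGroup = Get-AzureADGroup -SearchString 'AIP Pilot Users' | Select-Object -First 1
if (-not $pilotGroup) {
    throw 'Pilot security group not found; create it in Azure AD (or sync it from AD DS) first.'
}

# Onboarding control: only members of the pilot group may protect content.
# -UseRmsUserLicense $false means license assignment is not used as the gate;
# the security group is the only criterion.
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $false `
                                 -SecurityGroupObjectId $pilotGroup.ObjectId

# Verify what the service now enforces before rolling the client out to the pilot users.
Get-AadrmOnboardingControlPolicy

# Later, when the pilot is finished and everyone should be able to protect content,
# clear the group restriction and return to the default "any licensed user" behaviour:
# Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true
```

Run the policy check with a test user who is not in the group: that user should still be able to open a document protected by a pilot user, but the AIP client should not offer them the option to apply protection.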
  • Thanks for your reply Carol!
    Thursday, March 9, 2017 8:23 PM