Restricting RMS to be configured by a set group of users

  • Question

  • Hi, I am currently testing and configuring IRM.

    As per article: http://technet.microsoft.com/library/jj658941 I have set up RMS so that configuration of IRM is restricted to a Security Group, but when I test this out, non-members of this group can still configure IRM at the library level?

    "If you don’t want all users to be able to protect files immediately by using Azure RMS, you can configure user onboarding controls by using the Set-AadrmOnboardingControlPolicy Windows PowerShell command. You can run this command before or after you activate Azure RMS."

    I have run the cmdlet and triple-checked that it has set the onboarding control policy, but to no avail. I also found a separate cmdlet that seems like it could do what I am after, at http://technet.microsoft.com/en-us/library/jj585027.aspx

    Add-AadrmRoleBasedAdministrator - Manage users and groups who are authorized to administer the Rights Management service for your organization. 

    Which has had no effect also. 

    Hoping someone out there has experience trying to configure IRM with these cmdlets and can explain them a little further.

    Saturday, September 26, 2015 5:24 AM

All replies

  • I can explain why the cmdlets don't do what you want to do - but unfortunately, not how to achieve your goal.  I can try asking, but it's a SharePoint question rather than an RMS question.

    The onboarding controls are for client applications, not server applications. That's why Set-AadrmOnboardingControlPolicy doesn't work for you, here.  In the same article (https://technet.microsoft.com/library/jj658941):

    ... Server-side applications, such as Exchange, can implement their own per-user controls for RMS-integration to achieve the same result.

    So after configuring your onboarding policy, only your security group should see the templates in the RMS sharing application, for example.  But it has no effect on SharePoint libraries.

    I can see why you thought Add-AadrmRoleBasedAdministrator should work for you, here. But this is for administrative control for the Azure RMS service itself.  For example, who can activate or deactivate Azure RMS, set on-boarding controls, configure RMS templates. After the Azure RMS service is activated and enabled for SharePoint, site owners can enable IRM for their libraries.  Azure RMS has no concept of SharePoint site owners so cannot control what they can do - which is why I think this is a SharePoint question.  I don't know if you can restrict which settings a site owner can configure - I haven't seen this anywhere.

    Sunday, September 27, 2015 5:26 PM
  • Hi Carol,

    Thanks for this, your response has cleared up the cmdlets, appreciate your response.

    Sunday, September 27, 2015 11:38 PM