Can AD RMS and Azure RMS coexist?

  • Question

  • We are using AD RMS and would like to move to Azure RMS. I have read the migration document https://docs.microsoft.com/en-ca/information-protection/plan-design/migrate-from-ad-rms-to-azure-rms

    What happens if the user was not added to any of the groups that have access to the custom templates created in Azure RMS? Do they still get to see the AD RMS templates? This is the use case that is prompting the question of co-existence. We are not using HYOK configuration.

    I have read a paragraph in this article: https://docs.microsoft.com/en-ca/information-protection/deploy-use/activate-service under the section "Configuring onboarding controls for a phased deployment" that gives me the impression that the user who is not part of the security group can consume the protected document, but the question is: can they use AD RMS, since they are not part of Azure RMS? Does it default to AD RMS? Thanks!

    Monday, November 28, 2016 8:20 PM

All replies

  • Is the scenario you're asking about for when some users are still on AD RMS and some users have moved to Azure RMS where you've imported your AD RMS keys and templates, but you've created new custom templates? Having 2 separate instances of RMS (AD RMS and Azure RMS) isn't supported as per the Important callout on the main requirements page https://docs.microsoft.com/en-us/information-protection/get-started/requirements

    During the migration process, you deploy scripts on a computer-by-computer basis, so that clients stop connecting to AD RMS and start connecting to Azure RMS. It's normal to do this in batches so they don't all move over at once, but we encourage you to keep the co-existence time short.

    Until clients are moved over to use Azure RMS, they continue to communicate with AD RMS and can apply the AD RMS templates. It's possible to have completely different templates on each deployment, but it would be very confusing for users and could result in being unable to open content, which is why we don't recommend this.

    Yes, by default, Windows computers will use AD RMS if you have a Service Connection Point installed. You can learn more about how this happens with the RMS discovery process: https://docs.microsoft.com/en-us/information-protection/rms-client/client-deployment-notes#rms-service-discovery

    Tuesday, December 13, 2016 9:40 PM