RMS in Exchange Online Joe Schulman Program Manager, Forefront For Office Microsoft Confidential.


Agenda

• What is RMS?

• Supported Topologies

• How to deploy RMS to customers in Exchange Online


What is RMS?

• Rights Management Services is a Windows component that enables applications to protect content.
  • Protect = Encrypt and Usage Rights (DRM)
  • http://technet.microsoft.com/en-us/library/cc771627.aspx
  • http://en.wikipedia.org/wiki/Rights_Management_Services

• First shipped in the Windows Server 2003 timeframe; the latest release was Windows Server 2008 R2

• RMS is integrated in Microsoft products
  • Office clients (Excel, Word, PowerPoint, Outlook)
  • SharePoint
  • Exchange (as IRM)


| Copyright© 2010 Microsoft Corporation

RMS in Exchange

• RMS integrated as Information Rights Management (IRM) in
  • Exchange 2010 SP1 (includes OWA)
  • Exchange Online in Office 365 beta

• IT Pros configure using RMS Server and Exchange PowerShell cmdlets

• End users experience RMS in Office clients and OWA

• Exchange Server cracks open RMS content automatically to enable common features
  • Transport routing
  • Indexing for search
  • Viewing in OWA
  • Unified Messaging (private voicemails)


IRM Support

• Persistent protection
  • Protects your sensitive information no matter where it is sent
  • Usage rights locked within the document itself
  • Protects online and offline, inside and outside of the firewall

• Granular control
  • Users apply IRM protection directly within an email
  • Organizations can create custom usage policy templates such as "Confidential—Read Only"
  • Limit file access to only authorized users

Information Rights Management (IRM) provides persistent protection to control who can access, forward, print, or copy sensitive data within an email.

Granular protection that travels with the data


Supported Topologies


On-premise IRM

[Diagram: Contoso Inc. with an AD RMS Server and Exchange Server 2010]

• Same deployment as with Exchange 2007

• Exchange depends on AD RMS Server to decrypt and encrypt content


Business-to-Business IRM

Extend Exchange 2010 IRM capabilities to partners*

[Diagram: Contoso Inc. and Fabrikam Inc., with Exchange Server 2010 (shown twice), an AD RMS Server, and the Microsoft Federation Gateway]

Partners can:

• Read/reply to externally protected mail in Outlook Web App

• Decrypt protected mail to search, journal, filter, apply transport rules

• Organizations set up trust through Microsoft Federation Gateway.

• Fabrikam contacts RMS server for Use License.

• Protected message is sent to Fabrikam recipient.

• Fabrikam decrypts message for indexing, search, etc.

• Recipient reads/replies to protected message in Outlook Web App.

*Requires Exchange Server 2010 Service Pack 1


Exchange Online IRM (no on-premise Exchange)

[Diagram: Contoso Inc. with an AD RMS Server; Exchange Online with an Embedded RMS Server; clients: Outlook, OWA and Mobile]

Exchange Online:

• Uses embedded RMS Server for encrypting and decrypting

• Requires on-premise RMS for managing RMS templates


Configuring RMS in Exchange Online

How to enable RMS in Office 365


Today’s demo: Enabling RMS in Exchange Online

• We want to enable information workers to send rights-protected content with Exchange Online

• Four steps:
  • 1. Configure on-premise RMS server, export TPD
  • 2. Import TPD in Exchange Online
  • 3. Make templates visible to users
  • 4. Enable IRM in Exchange Online


Waving my hand – Configuring RMS Templates

• Step 1: Configure on-premise RMS, create RMS templates
  • Great documentation: http://technet.microsoft.com/en-us/library/cc731599.aspx

• Two key concepts
  • RMS Templates
    • Options end-users can select to protect mail
    • Defines usage rights
    • E.g. “All Microsoft FTE – Read Only”
  • Trusted Publishing Domain
    • 10k-foot view: this is the tenant’s private key for encrypting content
    • Only step is to export it: http://technet.microsoft.com/en-us/library/ee221062(WS.10).aspx

• Assume you followed the guides with on-premise RMS and have your TPD


Connect to PowerShell in Exchange Online

• Guide: http://help.outlook.com/en-us/beta/cc952755.aspx?sl=1

• $LiveCred = Get-Credential

• $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

• Import-PSSession $Session


Connecting to PowerShell


Step 2: Import TPD in Exchange Online

• Run Import-RMSTrustedPublishingDomain
  • Must be used for each TPD you need to import
  • Also imports RMS templates

• Import-RMSTrustedPublishingDomain
  • -FileData $([byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0))
  • -Name "TPD Name"
  • -ExtranetLicensingUrl https://<external rms cluster hostname>/_wmcs/licensing
  • -IntranetLicensingUrl https://<internal rms cluster hostname>/_wmcs/licensing

• The documentation for this is not yet public


Importing the TPD


Step 3: Make templates visible to users

• By default templates are “Archived” and not visible.

• To see all templates:
  • Get-RMSTemplate -Type:All

• To make our new template “Distributed” (i.e. visible):
  • Set-RMSTemplate -Identity <template identity> -Type:Distributed

• Note: Do Not Forward is Exchange and Outlook-specific – it cannot be modified


Step 4: Enable IRM in Exchange Online

• Simply flip the IRM switch:
  • Set-IRMConfiguration -InternalLicensingEnabled $true
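
Steps 2 to 4 run as one script with a check after each step, as an added example that is not part of the original deck. It assumes Windows PowerShell with the Exchange Online session from the earlier slide already imported; the file path, URLs, template name and sender address are constructed placeholders.

```powershell
# Added example. All values in this block are constructed placeholders.
$TpdPath      = 'C:\tpd.xml'                                        # exported TPD
$TpdName      = 'TPD Name'
$IntranetUrl  = 'https://rms-internal.contoso.example/_wmcs/licensing'
$ExtranetUrl  = 'https://rms.contoso.example/_wmcs/licensing'
$TemplateName = 'Confidential - Read Only'
$TestSender   = 'admin@contoso.example'

# Licensing URLs must match the on-premise AD RMS cluster; reject obvious typos
# before anything is imported.
foreach ($u in $IntranetUrl, $ExtranetUrl) {
    $uri = [Uri]$u
    if ($uri.Scheme -ne 'https' -or $uri.AbsolutePath -ne '/_wmcs/licensing') {
        throw "Unexpected licensing URL: $u"
    }
}

# Step 2: import the TPD. The cmdlet prompts for the password chosen at export.
$data = [byte[]](Get-Content -Encoding Byte -Path $TpdPath -ReadCount 0)
Import-RMSTrustedPublishingDomain -FileData $data -Name $TpdName `
    -IntranetLicensingUrl $IntranetUrl -ExtranetLicensingUrl $ExtranetUrl
Get-RMSTrustedPublishingDomain | Format-List Name, Default, *LicensingUrl

# Step 3: imported templates start as Archived; distribute only the chosen one.
Get-RMSTemplate -Type All | Format-Table Name, Type -AutoSize
Set-RMSTemplate -Identity $TemplateName -Type Distributed
if (-not (Get-RMSTemplate -Type Distributed | Where-Object { $_.Name -eq $TemplateName })) {
    throw "Template '$TemplateName' is not Distributed"
}

# Step 4: enable IRM, then confirm the setting and run the built-in self-test.
Set-IRMConfiguration -InternalLicensingEnabled $true
if (-not (Get-IRMConfiguration).InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is still False'
}
Test-IRMConfiguration -Sender $TestSender

# The export holds the tenant's private key: drop the in-memory copy and
# delete the working file (prompts first) once the checks above have passed.
Remove-Variable data
Remove-Item -Path $TpdPath -Confirm
```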


End users immediately see the changes in OWA


Sending the sensitive message


Recipient Experience


Replying to a Message


More Information

• Using Exchange PowerShell in Office 365
  • http://help.outlook.com/en-us/beta/cc952755.aspx?sl=1

• RMS Overview
  • http://technet.microsoft.com/en-us/library/cc771627.aspx


Appendix

Extra commands for other common configuration steps and marketing slides


Notes on Import-RMSTrustedPublishingDomain

• When prompted for a password, enter the password used during export of the TPD from AD RMS.

• When a TPD is imported, the corresponding templates from AD RMS are also imported. The TPD contains the templates that were created with the specific SLC contained within the TPD. Exchange will support up to 20 templates per TPD.

• The URLs that are specified when importing will be used by Outlook clients and will also be used when content needs to be decrypted and Exchange needs to figure out which TPD to use. In order to ensure the right TPD is used, these URLs must match the configuration in your on-premise AD RMS cluster.


Changing the default TPD

• The first TPD is assumed to be the default (which is why we didn’t configure it). If you want to change the default TPD, use this cmdlet:

• Set-RMSTrustedPublishingDomain -Identity <TPD ID> -Default

• Users only see templates from the default TPD, but they can decrypt content from any TPD


Updating Exchange Online with new TPD

• Same Import-RMSTrustedPublishingDomain cmdlet, just with the -RefreshTemplates switch

• $data = [byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0)

• Import-RMSTrustedPublishingDomain -FileData $data -Name "TPD Name" -RefreshTemplates


Transport Protection Rules

• IRM protection can be triggered based on sender, recipient, content and other conditions

• Office 2003, 2007, and 2010 attachments also protected

Apply RMS policies automatically using Transport Rules

Apply “Do Not Forward” or custom RMS templates

Automatically apply IRM


Outlook Protection Rules

Provide users with IRM protection options

IRM protection can still be applied manually

User can be granted option to turn off rule for non-sensitive email

Adding recipient or distribution list can trigger IRM protection automatically before sending


IRM in Outlook Web App

Native support for IRM in Outlook Web App eliminates need for Internet Explorer Rights Management add-on

Protected messages can be viewed as WebReady Documents

Access to standard and custom RMS templates

Access protected messages online

• Cross-browser support enables Firefox and Safari users to create and consume IRM-protected messages


IRM Search

Conduct full-text search of IRM-protected mail in Outlook (online), Outlook Web App, and multi-mailbox search

Index and search protected items


Content within protected attachments can also be searched

Protected voicemail


“Do Not Forward” template

• Integration with AD RMS and Exchange Unified Messaging

• Permissions designated by sender (by marking the message as private) or by administrative policy

Protected Voicemail

Prevent forwarding of voicemail

Protect all messages or only messages marked Private