Can you protect any file with Azure RMS?

- select the contributor at the end of the page -
You shouldn't wait to get hacked before you start thinking about the vulnerability of your confidential company documents. Consider this: Your employees are already emailing and uploading these docs to cloud services daily, sharing them with business partners, customers and suppliers. And you have no control over how this information is protected once it's left your network, unless you apply rights management.

Rights management doesn't just encrypt files; it encrypts them so only specific people can open them (rather than anyone with the password) and it lets you choose what those people can do with the file once they have it. But the problem with rights management has always been having to set up complex federation arrangements with every company you want to exchange documents with, many of which will be short-term connections, small businesses without the necessary resources, or both.

Even Microsoft, which added rights management to Office over a decade ago, has only ever federated with a handful of companies to do secure information exchange. Thankfully, the new Azure Rights Management Service promises to make rights management easier, and it can protect more than just Office files and emails, on more than just PCs, without moving documents to the cloud. And like so many cloud services, it's something you can adopt formally, but it's also something your users can just start utilizing on their own.

Using Azure RMS

RMS is included in some versions of Office 365, but you can also set up Azure RMS for your organization. If you have on-premise Exchange, you can use the RMS connector, which doesn't require a highly available SQL Server. Either option will let you protect email, so users can send messages and documents, and control whether these can be forwarded or printed.

Those users can also protect files directly, either inside an RMS-enabled application like Office or with the free RMS sharing application, which protects files in-place (on the drive, file share or cloud storage) or by protecting a copy that they can share (in email or any other desired way). And they can do it for free, even if you're not subscribing to Azure RMS.

Your recipients can open protected files just by signing up to the RMS for Individuals service here and downloading the Windows RMS sharing app from the same page. They can choose permissions for protected documents (like view, edit, copy and print), they can set an expiry date for the file and they can make users log in each time they open the file. This way, each time the document is opened, you get an audit trail and the user gets an email.

If you want to manage everything (and see the audit logs), you'll need to sign up for Azure RMS. This lets you reclaim the Azure Active Directory tenant, which is created when individual users sign up and make custom templates of policies that users can apply to a file. This includes role-based templates for sharing internally. If you have RMS included in your Office 365 tenant, follow the instructions here.

You might also want to grab the Windows SDK for RMS, as you'll need it to add RMS to your own LOB apps, or you can use the FileAPI and PowerShell scripts to protect PDF and Office files without the RMS sharing app.

What works and what doesn't

Azure RMS is a business service, meaning that users can't yet sign up with a Gmail or an Outlook email address; a company email is required (with Active Directory to give them the authentication token). Also, unlike previous versions of rights management, this works for more than Windows and Office; Office 365 ProPlus, Office Professional Plus 2013 and Office Professional 2010 can all create and read protected documents once the free RMS sharing app is installed.

If you want to protect files, you can only do that with the RMS sharing app on Windows, for the full range of files. There are several third-party tools that can protect files: RightsWatch protection software works with Azure RMS, and Secude has tools that use RMS to protect SAP data (like Halocore for SAP NetWeaver). And while users can protect an entire folder in place with the sharing app, it only protects existing files, not new ones, unless you set up a system like Dynamic Access Control or Work Folders in Windows Server or protected libraries in SharePoint.

Reading protected files on multiple devices

Of course, there are more options for reading protected files on multiple devices. There's a growing list of ‘RMS-enlightened' software and apps for Windows, iOS and Android-and the new Outlook for Mac supports RMS-protected mail, as does OWA on both iOS and Android, for protected email.

You can open RMS-protected email in TITUS Mail and NitroDesk on iOS or in Samsung Email, 9Folders, GigaTrust, TITUS and NitroDesk Touchdown on Android (and in the Windows Phone and BlackBerry email clients too, as well as the Windows 8 and RT Mail app). Foxit Reader (on iOS and Android) and the GigaTrust App for Android can open protected PDFs.

On Windows, Nitro Pro and Foxit PDF Reader can both open protected PDFs, as can Adobe Acrobat and Reader 10 and 11 with the pay-for Gigatrust Desktop PDF extension (there's a 90 day free trial for 100 users here. GigaTrust is also working on an RMS viewer and editor for Word, Excel and PowerPoint as well as PDF files (initially for Android and soon for iOS).

Office, RMS and "generic protection"

There are free RMS apps from Microsoft for OS X, Windows Phone, iOS and Android for opening protected files on devices (and sending protected versions of photos, but not other file types). The Windows app can open protected files, and it can also create them. The RMS sharing apps can open protected versions of .TXT, .XML, .JPG, .PDF, .PNG, .TIFF, .BMP and .GIF files (with the usual variations like .JPE and .JFIF). Any other file types get what Microsoft calls "generic protection" as a .PFILE, unless they're Office documents.

Generic protection means they're locked to the recipient (and this person has to log in each time they open the file, giving you an audited access log). These can also include expiry dates, but PFILES can't have granular permissions (at least not yet) like allowing editing but blocking printing, and they can't stop users from forwarding.

Things are slightly more complicated for Office away from the PC, because Office for iPad and Android doesn't yet support RMS (nor does Office for Mac 2011, just the new Outlook). Office Online lets you view protected documents, but only if they're saved in SharePoint Online, OneDrive or OneDrive for business. And Apple hasn't added RMS support to Pages or Numbers.

You can still protect and share Office documents. The first version of the Windows RMS sharing app lets you save Office documents as PFILES by saying you want them available on multiple platforms (those files would then open on iOS in Numbers, Pages or Office). You can still do this with the SDK, but it's not advised, as generic protection doesn't actually offer much protection at all.

Now the sharing app saves and sends both a protected Office document and a protected PDF, so you can open the PDF in the iOS, Android and Mac OS X RMS. Or you can open the protected Office document in TITUS Docs on iOS, or the upcoming GigaTrust App for Android. We expect the Office apps to eventually add RMS support, which will make this much easier.

There isn't yet a CAD application that can directly save and open protected files, either, so you'll have to wrap them in protected PFILES (although there's a lot of interest in an enlightened CAD application and we expect to see one for Windows--last fall Microsoft showed a proof-of-concept version of Siemens JT2Go and a Windows Store 3D viewer with RMS-protected JT CAD files).

And don't forget...

While technology can do a lot to protect information, it's no match for humans. You can block printing and screen capture, but if someone runs Windows in a virtual machine, they can capture an image of the open document or they can just pull out a phone and take a picture. What they can't do is pretend that they didn't know the rules. At that point, they're deliberately leaking information, and that's a management problem, not a technology issue.



sign up for ARMS.png

Signing up for Azure RMS is free for users, so you can expect to see protected files start showing up in email

Azure rms.png

Sign up for Azure RMS as a business and you can see audit logs and manage the service

add template.png

Add a custom template that users can protect documents with so they assign the correct rights

Get our content first. In your inbox.

Loading form...

If this message remains, it may be due to cookies being disabled or to an ad blocker.


Mary Branscombe

has been a technology journalist for over two decades, and she’s been the formal or informal IT admin for most of the offices she’s worked in along the way. She was delighted to see the back of Netware 3.11, witnessed the AOL meltdown first-hand the first time around when she ran the AOL UK computing channel, and has been a freelance tech writer ever since. She's used every version of Windows (client and server) and Office released, and every smartphone too. Her favourite programming language is Prolog, giving her a soft spot for Desired State Configuration in PowerShell 4. And yes, she really does wear USB earrings. Find her on Twitter @marypcbuk.