Office 365 – RMS + IRM + External Sharing

Author by Drew Madelung

I have began working with IRM policies in Office 365 more often recently and ran into a situation that surprised me. The situation revolved around a document that had an IRM policy applied to it and was shared with an external user. What I found out was that:

an IRM protected document that is shared to an external user, will not be able to be viewed after it is downloaded, unless they used an Office 365 ID to access the document.

I have confirmed this scenario with Microsoft as being unsupported. If a standard Live ID is used the document will be able only be able to be viewed in the browser.

Example

Test Document 1 is in an IRM protected library and shared with an email@outlook.com account.  It can be viewed in the browser and the IRM policy can be viewed as working.

2015-03-05 22_45_18-Test Document 1.docx

If that document is downloaded and then opened the user will receive and error stating “You do not have credentials that allow you to open this document. You can request updated permissions from ” No matter what you choose here you will never be able to access the document.

2015-03-05 22_48_56-Word

The only way to allow that external user to access the document is to change permission directly on the document itself using the “Change Permission” option in the yellow notification bar in the full Word client.

2015-03-05 22_53_00-Test Document 1.docx - Word

The reason that this is happening is because when a Live ID (non-O365 user) downloads a document from a SharePoint Online (SPO) protected library, SPO protects the doc with IRM by giving permission to your Live ID. When Office client opens the document, it needs to connect to the Azure RMS server using an Org ID. Then Office explicitly looks for an Org ID token that has right to open it, which is by design. It fails because no Org ID  actually is given permission (the permission is given to the Live ID). Basically that external user was granted permission in SharePoint Online but that permission does not pass through to Azure RMS unless they use an O365 account.

I don’t believe this is a common scenario but I believe this is an important use case to know as I could not find this unsupported scenario documented anywhere. As the move to O365 continues we need to know what we can and cannot do to protect our data.

To continue this post I have included information and configuration steps around Azure RMS and IRM in Office 365.

1. Azure Rights Management System (RMS)

RMS exists to protect company data. It uses encryption, identity, and authorization policies to help secure your files. RMS has been around for quite awhile in the on-premises world attached with Windows Server under Active Directory RMS (ADRMS). Although Azure RMS is built on this framework it is not the same. Azure RMS can can coexist along with on-premises. Azure RMS is also known as the Microsoft Rights Management suite. It comprises a set of RMS applications that work on all your common devices, a set of software development kits, and related tooling. By leveraging Windows Azure Active Directory, the Azure RMS service acts as a trusted hub for secure collaboration where one organization can easily share information securely with other organizations without additional setup or configuration.

A few facts about Microsoft’s Azure RMS:

  • Azure RMS is at the core of the Rights Management suite and relies on Windows Azure services.
  • A document is protected by RMS without the document being sent to the Azure service.
  • Viewing or sharing protected documents is enabled without the documents themselves being sent to the Azure service.
  • Sharing a file occurs without the document being relayed via the Azure RMS service.
  • Actual customer content is never accessible to RMS data protection services, nor to anyone compelling the service to do something on their behalf.
  • More than just office documents are supported.

The following picture shows how Azure RMS works (including O365):

2015-03-05 20_48_48-What is Azure Rights Management_

Here are some good links to learn more about Azure RMS:

  1. Comparing Azure Rights Management and AD RMS
  2. The Evolution of Microsoft's Rights Management Services
  3. The Official RMS Team Blog
  4. Channel 9 video on Microsoft Rights Management

Activating RMS in Office 365

You can activate RMs in O365 using the management portal or Powershell. Here are the cmdlets available to administering Azure RMS using powershell. Here is how to activate it using the O365 management portal:

1.  Navigate to your Office 365 admin center

2.  Under service settings click Rights Management

2015-03-05 21_00_16-Mozilla Firefox

3.  On the Rights Management page click Manage

2015-03-05 21_01_48-Mozilla Firefox

4.  Click Activate

2015-03-05 21_03_12-Rights Management

5.  That’s it! Real tough huh? Two default RMs policies will also be created for you.

You can manage Azure RMS directly from the Azure Management Portal as well. You can create manage the current policy templates that were created and also create new templates here.

2015-03-05 21_11_36-Active Directory - Windows Azure

2. Information Rights Management (IRM)

Azure RMS is the underlying technology used to support IRM. When you use SharePoint Online or SharePoint Server, you can use IRM integration, which lets administrators protect lists or libraries. IRM enables you to limit the actions that users can take on files that have been downloaded from lists or libraries. IRM encrypts the downloaded files and limits the set of users and programs that are allowed to decrypt these files. IRM can also limit the rights of the users who are allowed to read files, so that they cannot take actions such as print copies of the files or copy text from them.

Unlike some of the other applications that support RMS, information protection is always applied by an administrator, never an end user. And it is applied at the list or library level for all documents in that container, rather than on individual files. This makes it easier to ensure a consistent level of protection for an entire set of documents or files. IRM can thus help your organization to enforce corporate policies that govern the use and dissemination of confidential or proprietary information.

Activating IRM in SharePoint Online

The IRM service must first be enabled for SharePoint Online. Then, you can specify Information Rights Management for a library. SharePoint does not use rights policy templates, although there are SharePoint configuration settings that you can select that closely match the settings that you can specify in templates. When new documents are created in this library, or when new documents are uploaded to it, they automatically inherit the protection that’s configured for the library.

Here are the steps to activate IRM in SharePoint Online:

1.  Navigate to the SharePoint Online admin center

2.  Click settings in the left navigation

2015-03-05 21_21_08-Manage site collections

3.  Scroll down the Information Rights Management (IRM) section and select “Use the IRM service specified in your organization” and then click Refresh IRM Settings

2015-03-05 21_22_48-Mozilla Firefox

4.  You will see it updated stating “We successfully refreshed your settings.”

2015-03-05 21_25_24-Mozilla Firefox

5.  And we’re done!  IRM policies can now be applied across your site collections.

If you use SharePoint Server, you can use the information protection features with Azure Rights Management by deploying the RMS connector, which acts as a relay between your on-premises servers and the RMS cloud service. For more information, see Deploying the Azure Rights Management Connector.

Adding an IRM policy to a library

You can use IRM to help control and protect files that are downloaded from lists or libraries.

1.  Navigate to the library/list you want to configure IRM

2.  On the ribbon, click the Library tab, and then click Library Settings (If you are working in a list, click the List tab, and then click List Settings).

3.  Under Permissions and Management, click Information Rights Management.
If the Information Rights Management link does not appear, IRM might not be enabled for your site.

4.  On the Information Rights Management Settings page, select the Restrict permission to documents in this library on download check box to apply restricted permission to documents that are downloaded from this list or library.

2015-03-05 22_24_26-TDS

5.  In the Create a permission policy title box, type a descriptive name for the policy that you can use later to differentiate this policy from other policies. For example, you can type Company Confidential if you are applying restricted permission to a list or library that will contain company documents that are confidential. Also add a description that will appear to people who use these documents to help explain how they should handle the documents.

6.  To apply additional restrictions to the documents in this list or library, click Show Options. There are a multitude of options to help secure your content.

2015-03-05 22_38_01-TDS

On a small side note, you can apply IRM policies to OneDrive for Business document libraries but there is not an easy way to automatically apply the policies to all sites. Also as an employee has full control over their OneDrive for Business site they could remove the policy on purpose or accidentally.

Have fun locking down your content!

Author

Drew Madelung

Technical Architect