Home > Work > #O365 #SharePoint Online–#IRM #RMS – what works, what doesn’t in a business context-Part 6

#O365 #SharePoint Online–#IRM #RMS – what works, what doesn’t in a business context-Part 6

This article is part of a series:

In the first article of this series we discussed what IRM was, some scenarios and high level device supportability.

Parts 1 to 5 discuss IRM capability from a SharePoint perspective.  Details:

Part 1: https://spandps.com/2015/09/21/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-1/

In the second article we covered file type support.

Part 2: https://spandps.com/2015/09/22/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-2/

In the third article we covered file type support in detail as well as the document library experience.

Part 3: https://spandps.com/2015/09/23/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-3/

In the fourth article we covered IRM permissions in comparison with SharePoint permissions.

Part4: https://spandps.com/2015/09/24/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-4/

In the fifth article we looked at the different clients across Windows, Mac and Mobile to see how they reacted to a protected file.

Part 5: https://spandps.com/2015/10/03/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-5/

So we have covered the SharePoint IRM capabilities a lot and in the conclusion to this series of articles, we shall discuss the various merits of the IRM implementation in SharePoint vs. AD RMS capabilities.

Before we do that however, we need to discuss Azure AD RMS (Active Directory Rights Management Server.

To put things into context, SharePoint IRM is essentially a subset of the functionality of Azure AD RMS (Source(s): https://technet.microsoft.com/en-us/magazine/2009.04.insidesharepoint.aspx?pr=blog, https://social.technet.microsoft.com/forums/windowsserver/en-US/d5c64cfe-0778-4a3b-a02e-4eae3ca9ac43/what-is-difference-between-ad-rms-and-irm) and in my initial interaction, the two capabilities don’t quite interact with each other in the way you would expect (the very reason this series of articles started in fact!)

Let’s get started….

What is Azure RMS?

So my biggest suggestion to answer this would be to take a look at these set of articles:

High level… like the SharePoint IRM O365 solution we have been looking at in the previous articles, it would appear that Azure RMS is a superset of the SharePoint IRM functionality.  By this I mean that Azure RMS is the overriding technology and SharePoint IRM is a small portion of the overall capability.

How does it work with standard office files?

Take a look at this article:

Which gives us a good indication of the potential support for this solution but is the reality for users… lets take a look:

Microsoft Office Interaction (Desktop)

After you install the Azure RMS client application in Windows or Mac OSX, you have an add-in added to your Microsoft Office suite like this:


By clicking on Share Protected the following screen pops up with various options including:

  • Policy selection (standard ones and corporate specific setup by your company)
  • Expiration of the permissions which will lock down the document once the date has passed
  • Document tracking notifications via email
  • Ability to revoke permission as required.


    You can target these permissions to specific user email address and the address entered can have blacklists (for example outlook.com etc.)



Once you click send, this pops up as it works its protection voodoo magic:


Then outlook pops up with a pre-formatted message with not just a Word document but also a Protected PDF also!  (This is also the case with the add-in for Excel and PowerPoint)

If you do this same option from within an Outlook email.  You must have an attachment on the email, it will then run through the same process, create a Protected PDF as well and send the email.


The Microsoft Azure RMS service also sends you a follow up email straight away with confirmation of who you sent it to and details on how to track and revoke access:


Clicking on the tracking link gives you an overview of the document, with tracking details and the ability to control the access.


From this screen you can see who has access currently, when  (Timeline) & Where (Map) they accessed the document.  Settings also controls your notifications.

At the bottom of the screen you can get an excel report of the activity on the document as well as the ability to revoke access.

How does it work with file formats outside of Microsoft Office?

For any other file type, extensions to Windows Explorer have been added in the right click context menu of the file(s) selected.  Just to note, you cannot protect a folder.


Once you select the permission type, the file is protected in place.

If you select Custom Permissions… the same dialogue appears as before whilst we were in the MS Office application allowing you to select permissions and notification options.

Now, because you are protecting a file that may not have built in support for the Azure RMS capabilities, as part of the client install for Azure RMS, you have a file viewer.

So for the Yammer Logo png that we have above, we get the following when we double click the protected file:


As you can see, it has changed the file extension to a ppng file type and now Windows opens it inside the Microsoft Rights Management viewer.  I wrapper if you will that will check the file permissions centrally within Azure RMS before you can open the file.

How can I get this capability – Server Setup?

Start by looking here: https://technet.microsoft.com/en-us/library/dn440580.aspx

Essentially you login to your tenant admin and you can choose to use Microsoft’s security keys and activate the service.

How can I get this capability – Client Setup?

The Office add-in and the Windows Explorer options are installed using a free client available here: https://portal.aadrm.com/home/download

Next Post(s)

Ok, these posts appear to get very long as I start to delve into things… so we are splitting things up further…  next up, we shall explore the permission options including revoking access to documents from a central location.

We will also, in a future post compare this solution with the SharePoint IRM capability, which we know is related but in my brief experience is not necessarily the same!

So until I find time to do the next post… stay nerdy peeps!

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: