Posts Tagged ‘RMS’

#O365 #SharePoint Online–#IRM #RMS – what works, what doesn’t in a business context-Part 6

October 16, 2015 Leave a comment

This article is part of a series:

In the first article of this series we discussed what IRM was, some scenarios and high level device supportability.

Parts 1 to 5 discuss IRM capability from a SharePoint perspective.  Details:

Part 1:

In the second article we covered file type support.

Part 2:

In the third article we covered file type support in detail as well as the document library experience.

Part 3:

In the fourth article we covered IRM permissions in comparison with SharePoint permissions.


In the fifth article we looked at the different clients across Windows, Mac and Mobile to see how they reacted to a protected file.

Part 5:

So we have covered the SharePoint IRM capabilities a lot and in the conclusion to this series of articles, we shall discuss the various merits of the IRM implementation in SharePoint vs. AD RMS capabilities.

Before we do that however, we need to discuss Azure AD RMS (Active Directory Rights Management Server.

To put things into context, SharePoint IRM is essentially a subset of the functionality of Azure AD RMS (Source(s):, and in my initial interaction, the two capabilities don’t quite interact with each other in the way you would expect (the very reason this series of articles started in fact!)

Let’s get started….

What is Azure RMS?

So my biggest suggestion to answer this would be to take a look at these set of articles:

High level… like the SharePoint IRM O365 solution we have been looking at in the previous articles, it would appear that Azure RMS is a superset of the SharePoint IRM functionality.  By this I mean that Azure RMS is the overriding technology and SharePoint IRM is a small portion of the overall capability.

How does it work with standard office files?

Take a look at this article:

Which gives us a good indication of the potential support for this solution but is the reality for users… lets take a look:

Microsoft Office Interaction (Desktop)

After you install the Azure RMS client application in Windows or Mac OSX, you have an add-in added to your Microsoft Office suite like this:


By clicking on Share Protected the following screen pops up with various options including:

  • Policy selection (standard ones and corporate specific setup by your company)
  • Expiration of the permissions which will lock down the document once the date has passed
  • Document tracking notifications via email
  • Ability to revoke permission as required.


    You can target these permissions to specific user email address and the address entered can have blacklists (for example etc.)



Once you click send, this pops up as it works its protection voodoo magic:


Then outlook pops up with a pre-formatted message with not just a Word document but also a Protected PDF also!  (This is also the case with the add-in for Excel and PowerPoint)

If you do this same option from within an Outlook email.  You must have an attachment on the email, it will then run through the same process, create a Protected PDF as well and send the email.


The Microsoft Azure RMS service also sends you a follow up email straight away with confirmation of who you sent it to and details on how to track and revoke access:


Clicking on the tracking link gives you an overview of the document, with tracking details and the ability to control the access.


From this screen you can see who has access currently, when  (Timeline) & Where (Map) they accessed the document.  Settings also controls your notifications.

At the bottom of the screen you can get an excel report of the activity on the document as well as the ability to revoke access.

How does it work with file formats outside of Microsoft Office?

For any other file type, extensions to Windows Explorer have been added in the right click context menu of the file(s) selected.  Just to note, you cannot protect a folder.


Once you select the permission type, the file is protected in place.

If you select Custom Permissions… the same dialogue appears as before whilst we were in the MS Office application allowing you to select permissions and notification options.

Now, because you are protecting a file that may not have built in support for the Azure RMS capabilities, as part of the client install for Azure RMS, you have a file viewer.

So for the Yammer Logo png that we have above, we get the following when we double click the protected file:


As you can see, it has changed the file extension to a ppng file type and now Windows opens it inside the Microsoft Rights Management viewer.  I wrapper if you will that will check the file permissions centrally within Azure RMS before you can open the file.

How can I get this capability – Server Setup?

Start by looking here:

Essentially you login to your tenant admin and you can choose to use Microsoft’s security keys and activate the service.

How can I get this capability – Client Setup?

The Office add-in and the Windows Explorer options are installed using a free client available here:

Next Post(s)

Ok, these posts appear to get very long as I start to delve into things… so we are splitting things up further…  next up, we shall explore the permission options including revoking access to documents from a central location.

We will also, in a future post compare this solution with the SharePoint IRM capability, which we know is related but in my brief experience is not necessarily the same!

So until I find time to do the next post… stay nerdy peeps!


#O365 #SharePoint Online–Information Rights Management #IRM–what works, what doesn’t in a business context-Part 5

October 3, 2015 3 comments

This article is part of a series:

In the first article of this series we discussed what IRM was, some scenarios and high level device supportability.

Part 1:

In the second article we covered file type support.

Part 2:

In the third article we covered file type support in detail as well as the document library experience.

Part 3:

In the fourth article we covered IRM permissions in comparison with SharePoint permissions.


Ok, next up is the client experience.  We all work in a connected world with multiple devices from mobile to desktop to web.

Let’s take a look at the experience people get across the various devices.  The devices I shall be looking at are:

  • Windows
  • Mac OSX
  • iOS – iPhone
  • iOS – iPad
  • Android
  • Windows Mobile
  • Web

For this test, I have a Word document which had its IRM rights applied last week with an expiry set to 1 day.

This is an example of the settings I am using against my list:


So without further ado:

Windows – Microsoft Word 2016

As per Word 2013 on windows, Word 2016 asks you to login to your work account to proceed.


Windows – Microsoft Word 2013

As we showed in earlier posts – expired content asks for it to be re-authenticated when off the network where the document came from.


Interestingly, if you are already on the same network, it re-authenticates in the background and it just opens the document.

Windows – Microsoft Word – Universal App

Now that we have Windows 10 upon us and the new rules around the Microsoft Office Mobile Apps being free (screens 10.1” or under), this feels likes a perfect opportunity to try this out on my HP Stream 7 running Windows 10 with the Microsoft Word Universal App.

As you can see, it recognizes the file and is prompting for the credentials to open the file!  Editing is not supported yet, but with the appropriate credentials it can call home and you can view the content.


Windows – Word Pad

The hacker in me likes to try other, non-standard avenues… WordPad doesn’t know what to do with the document…


Windows – Open Office

OpenOffice (Apache Foundation – 4.1.1 – latest) doesn’t know what to do either.  It doesn’t recognize the file format.


Windows – Libre Office

Libre Office, also based on Open Office, opens the file and it appears corrupted.  You cannot tell any of the original contents.


Mac OSX – Microsoft Word 2016

With the 2016 revision you can see it fully recognizes the file format and gives the ability to login with your work account!


Mac OSX – Word 2013

In Word 2013 on the Apple Mac, we can see that the document is protected but we do not have the ability to open with our work account.


iOS iPhone – Microsoft Word

Word on the iPhone supports IRM protection and in this scenario, I was off the network using my non-company account.

As you can see, it tries to load, tells me there’s a problem and states that it is under rights management.  Exactly the experience you would hope for from the Microsoft suite of applications.

I suspect a future release will expand on this area.

IMG_1685 IMG_1686 IMG_1687

iOS iPhone – Documents Free (Mobile Office Suite)

No support for IRM on a free MS Word alternative on the App Store.  Further proving that the protection is in the file as expected!


iOS iPad – Microsoft Word

As per the iPhone app, we get the same experience.  In a future release I suspect we will see a more expansive feature set when it comes to IRM.


iOS iPad – Documents Free (Mobile Office Suite)

No support for IRM on a free MS Word alternative on the App Store.  Further proving that the protection is in the file as expected!


Android – Microsoft Word

As you can see, the Android version of Office also supports IRM in terms of detection, but not in terms of opening or editing.  I suspect this will appear in a future release.


Windows Mobile 8.1 – Microsoft Word

As we can see, Word on Windows Mobile as expected doesn’t open the protected file, but rather than recognizing that it is protected with IRM, we get this…


Web – Office Online – Microsoft Word

Office Online understands that it is protected by IRM and stops access.


Interestingly however you cannot edit IRM protected documents online, which means you have to use the desktop application to update the documents.

You get a clue when you try to preview the document from within the library:


Then when you open it in Word Online, you have no option to edit:


From a usability point of view, I will be recommending to my users to always ensure that this setting is enabled to avoid confusion:


This will stop the preview of the document showing and it will only open in Microsoft Word

Web – Google Docs

We just get an unknown error from Google Docs…



So there you have it.  Although this doesn’t consider all applications, it covers most common and some uncommon applications across the majority of platforms (Sorry Blackberry users… just didn’t have the platforms around to test.).

It is fair to say that whether the application supports the SharePoint implementation of IRM or not, you are protected.  It is also fair to say that really you should limit your experience of updating files to the Microsoft Office suite.

To summarize the above findings; take a look at the table below:


Although I focused on the Word application in this post, Excel and PowerPoint on the core platforms (Windows, Apple OSX) work in the same way.

We are assured that the mobile apps that Microsoft produce for iOS, Android and Windows Mobile will support IRM properly soon, but no timeline has been given at the time of writing for this article.  (Please note we will be looking at Azure RMS support in the next few articles where mobile capabilities are available with latest releases)

Next Post(s)

I think we have covered the SharePoint IRM enough… Let’s take a look at Microsoft RMS (Rights Management Server) in Azure next.  It is a similar technology but not the same as IRM (Information Rights Management).

After we have had a look at that, I’ll compare and contrast against my scenarios here at work!

Till the next time… stay nerdy!

#O365 #SharePoint Online–Information Rights Management #IRM–what works, what doesn’t in a business context-Part 4

September 24, 2015 1 comment

This article is part of a series:

In the first article of this series we discussed what IRM was, some scenarios and high level device supportability.

Part 1:

In the second article we covered file type support.

Part 2:

In the third article we covered file type support in detail as well as the document library experience.

Part 3:

So we have talked about what IRM in SharePoint is, file type support and limitations, document library experiences etc. lets get down to permissions.  What can you restrict…

A good place to start is here:

To quote specifically from the site:

How IRM can help protect content

IRM helps to protect restricted content in the following ways:

  • Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or copying and pasting the content for unauthorized use
  • Helps to prevent an authorized viewer from copying the content by using the Print Screen feature in Microsoft Windows
  • Helps to prevent an unauthorized viewer from viewing the content if it is sent in e-mail after it is downloaded from the server
  • Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again
  • Helps to enforce corporate policies that govern the use and dissemination of content within your organization

How IRM cannot help protect content

IRM cannot protect restricted content from the following:

  • Erasure, theft, capture, or transmission by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware
  • Loss or corruption because of the actions of computer viruses
  • Manual copying or retyping of content from the display on a screen
  • Digital or film photography of content that is displayed on a screen
  • Copying through the use of third-party screen-capture programs
  • Copying of content metadata (column values) through the use of third-party screen-capture programs or copy-and-paste action

So seems pretty straight forward and of course this applies to the file types mentioned in the previous posts on this subject.

  • Word
  • Excel
  • PowerPoint
  • XPS

Interestingly, this Microsoft article mentions InfoPath but at the time of writing for this article, that did not appear to be the case in SharePoint Online (2015-09-23)

At the bottom of the article is starts talking about how list / library permissions compare to IRM permissions.  Again to quote from the site (just for completeness):


So I hear what you are saying… come on Giles… now you are just copying content from a web site and re-purposing it.  To a degree that is true… but lets put the above into something that makes more sense to the standard Business User that doesn’t really know what permission levels mean etc.

So we can essentially translate the above to the following:


Now it makes a bit more sense.

So lets get some users together in these groups and see what effect that has on the IRM permissions when you open a document…


So we can see as an owner of the site, I own the document and have full permissions to Copy, Print, Save, Export etc.

If you notice, I also have no expiry on this document either.  Which means downloading the document offline means that the permissions will stay with me as long as I am on a domain controlled PC logged in as the user mentioned in the pop up.



As a member, we can View, Edit, Copy, Print and Save.  This makes sense since as a member you are likely to be creating documentation in the first place.


Remember you can also control who can see versions of documents within SharePoint as well as the ability to control if you can only see your only content.

You can find these configurations in the Library Settings under Versioning Settings:


So what we are seeing here is IRM permissions layered on top of SharePoint’s standard permissions working hand in hand!

Also notice that the expiry for these permissions come into effect on Thursday, September 24, 2015.  At this point, the document (if it is offline from SharePoint), will be entirely locked down, even if you are authorized and you would have to go back to the source library to get a new copy.

When something has expired, this is what you see in the application:



Lastly, as a Visitor to my site, you can only view the document.  Now as mentioned earlier, it does not control any other application.  So you could still print screen potentially or use a tool like Snag It to capture the information.  The rules below only pertain to the application implementing the IRM rights.



On a high level, it would appear IRM really comes into its own when you want to prevent your content from leaving the organization.  It stops the content being shown to unauthorized users and since this is implemented at a file level, USB drives and Email Attachments cannot circumvent the protection in place.

However, at the end of the day, if you have an authorized user that wants to be malicious then they can open the documentation, copy the content from the screen and re-produce it in an un-protected form.  So just to confirm, this isn’t a magic bullet to solve all your IP protection woes and lets not forget, content is created in an unprotected form first and is only protected once it is uploaded into SharePoint.

Next Post(s):

  • The Client Experience. Windows, OSX (if I can find a mac), Mobile, Web – you name it, I will endeavor to try it
  • Unsupported Files – A look at the desktop RMS client and how that works with SharePoint

Useful Links:

Apply IRM to a list or library:

#O365 #SharePoint Online–Information Rights Management #IRM–what works, what doesn’t in a business context-Part 3

September 23, 2015 Leave a comment

This article is part of a series:

In the first article of this series we discussed what IRM was, some scenarios and high level device supportability.

Part 1:

In the second article we covered file type support.

Part 2:

Welcome to the third article in this series about the IRM implementation in SharePoint.  This post will be mostly focusing on how Windows Explorer interacts with Document Libraries with IRM enabled.

The Scenario

We are maintaining the same settings as the previous two articles, but using a document library instead of a list. 


As stated previously, behavior is the same but of course with a document library you can interact with it via Windows Explorer, drag and drop, in application via Word etc. as well as the standard upload process.  Let’s see if it maintains the protection that we have put in place…

To recap the supported file types:

  • Word, Excel, PowerPoint 2003 to 2016
  • PDF

Now as part of my ongoing research I have found mentions of XPS and InfoPath as well, so we shall give those a go as well.

In these tests I shall try all variants of the files for doc to docx and the macro and template versions in between.

Also unlike the previous articles I shall widen the uploads to include Excel and PowerPoint in the examples.

So without further ado…

Standard Upload

  • Supported File Type (Word, Excel, PowerPoint, PDF, XPS,)
  • Unsupported File Type (PNG, InfoPath)
    From my standard upload testing the results are as follows:


Document Library Screenshot:


XPS files uploaded fine and were protected by SharePoint IRM however, my client was not configured and could not access the IRM server in my setup.

Furthermore, I got this result when trying to open a protected XPS in the browser (IE11):


The client result was:


PS. I found that InfoPath was not supported in SharePoint Online (as of 2015-09-23 – not surprising given that it is not part of Office 2016 anymore.  (Office 2016 was released this week by the way – yay Smile)

Drag and Drop

In true scientific experiment fashion, same files, different upload method…

  • Supported File Type (Word, Excel, PowerPoint, PDF, XPS,)
  • Unsupported File Type (PNG, InfoPath)
    For this I shall be using the drag and drop capability that was introduced in SharePoint 2013 and is still available in 2016.  I shall drag and drop all files (supported and unsupported at once)

It is good to say that the result is the same as the standard upload method and the error messages it returns for unsupported file types make sense.



Just remember the issues with XPS I experienced this time round and the PDF IRM supportability issues from the last post are still present in the document library.  See Part 2 for details.

Windows Explorer

One more time around…same files, different upload method…

  • Supported File Type (Word, Excel, PowerPoint, PDF, XPS,)
  • Unsupported File Type (PNG, InfoPath)

Like the drag and drop method to the document library I shall be dragging all files into the Windows Explorer view that opens up when you click this button on the library ribbon:


Dragging the files into Windows Explorer view… in progress:


So everything was going will until I got to the unsupported files:


So as you would expect, it definitely stopped the file getting into the library as you would expect.  You have the option to skip the file which moves on to the next file and processes it based on the same rules.

The good news is, we have stayed in compliance!

The bad news is that error message:

An unexpected error is keeping you from copying the file.  If you continue to receive this error, you can use the error code to search for help with this problem.

Error 0x80070021: The process cannot access the file because another process has locked a portion of the file.

Now as a techy, I would totally expect that error from Windows Explorer… after all, it doesn’t know what SharePoint is, it just knows that it has failed.

From a business user perspective, this is confusing and will no doubt start calls to the help desk.  The help desk may not know the answer either and it will result in an escalated call to the SharePoint Admins / Operations teams.

Not much to be done, but adds credence as to why I am blogging on this subject.  Hopefully some google’rs / bing’rs will find this post and have a bit more information about what could be going on.


So there you have it, whatever way you get files in, it works… I can confirm that in each case, opening the files showed that they were protected with IRM.  Windows Explorer for unsupported files is a bit messy but not surprising.

Next Post(s)

  • I will eventually get to how to deal with unsupported file formats with the desktop RMS client but as I dig deeper, more and more topics become more appropriate to discuss
  • IRM permissions vs. SP Library permissions
  • Client Experience – Protect & Unprotected…
    Anyway, till the next one…  stay SharePointin’

#O365 #SharePoint Online–Information Rights Management #IRM–what works, what doesn’t in a business context-Part 2

September 22, 2015 1 comment

This article is part of a series:

Part 1:

In the first article of this series we discussed what IRM was, some scenarios and high level device supportability.

Let’s dig a bit deeper with what works in SharePoint Online:

Setup within SharePoint Online.

So I could talk about the Tenant Administration side of things but honestly, its not difficult, and these articles are more business focused.  If you are interested, take a look here:

Assuming you have Information Rights Management (IRM) turned on in your Office 365 tenant, you will have the following options in the settings of your lists and libraries:


Do not get confused with Information Management policy settings at the bottom, this is entirely different involving audit trails, bar coding etc.

Once you click, you get a screen as follows (pre-filled in for my example in this blog series)


Most of these are fairly self explanatory, but allow me to get into specifics on some of these items:

Set additional IRM library settings > Do not allow users to upload documents that do not support IRM

Seems, kind of vague and initial Google (Bing…) searches did not help me, after some digging however, we find something… only certain file types are supported within SharePoint:

  • PDF
  • The 97-2003 file formats for the following Microsoft Office programs: Word, Excel, and PowerPoint
  • The Office Open XML formats for the following Microsoft Office programs: Word, Excel, and PowerPoint
  • The XML Paper Specification (XPS) format

And in my further research, for Word, Excel and PowerPoint, your standard office suite has been supporting this capability since Microsoft Office 2003 on Windows and since Office for Mac 2011 on OSX.

But what about Multi-factor Authentication I hear you cry out…

Well that was supported in Office 2013 in an update around November 2014 (last year):

The end result of this is fairly painless to the user.  They upload unprotected files (that are supported).  SharePoint protects the files and when you open them from SharePoint, you get this:


Word opens the file, checks the RMS server for the permissions against the user opening the file and if you have the rights, you can see the document.

If you don’t have the rights, you get this:


Further Gotcha’s / Things we need to know: PDF Support

Essentially what we are seeing here is that we need to have a level of support for IRM in both the server (to set the policy) and on the client (to enforce the policy)

As stated above, Microsoft Office has been supporting this in some form since 2003 for Windows and 2001 for the Mac.

On the Adobe Reader side of things, it is a little different.

Adobe Reader does not support IRM protected PDF’s unfortunately and when you try you get this response:


So for the well initiated or hacker minded, I know what you are thinking… Microsoft Word can open PDF’s… what happens then:

Well they thought of everything:


Thankfully you can use some alternative PDF Readers.  Here is the run down on supportability:


Foxit Reader (Free) does display the PDF but with a suggestion that you should buy the RMS plugin:


I can confirm that you can view the whole document with the free product with the IRM restrictions in place.  However the watermark shown above appears on every page.

Lastly, just to confirm the security Foxit supports for IRM PDF files:


Further Gotcha’s / Things we need to know: Other / Unsupported File Types

If you attempt to upload a file that is unsupported, you get the following message from SharePoint.


File Type Conclusions

So bottom line is, if you need to protect Word, Excel & PowerPoint files than this solution provides a way to protect content without much trouble to the end user.

If you want to use PDF files as well then you will need to use Fixit or NitroPDF on Windows and unfortunately for OSX, it won’t be supported.

Lastly, all examples so far shown are using a standard custom list with attachments.  The functionality in a document library is the same in 99% of cases.

The Next Post

As I look further and further into this topic, more and more questions are unraveling.  In the next post(s), I shall be exploring:

  • What happens when we use Windows Explorer view with a document library?
  • How does the Microsoft RMS plugin help us for unsupported file types?

I am sure there will be more questions as I look further, but as this is a pressing concern for my company, you will see more posts soon.  Till the next time…

Useful Links:

Microsoft Office Compatibility (older information):

Microsoft Office 2007 IRM support:

Microsoft Office 2003 IRM support:

Microsoft Office 2013 MFA Support:

#O365 #SharePoint Online–Information Rights Management #IRM–what works, what doesn’t in a business context-Part 1

September 21, 2015 2 comments

I know I said I would get to the new features of Document Management in SharePoint 2016, and the plan is still do to that… but at work I have come across the need to use IRM for one of my internal customers.  So without further ado…

The Scenario

Migrating a site with Restricted Confidential data from On-Premise to SharePoint Online.  Everything within the network is nice and secure requiring two factor authentication to connect to the VPN from a domain connected laptop.  It is nice and secure!  Couple that with strict password and domain communication policies, security within the network seems good.

Of course, now as a company we want to take advantage of the great savings offered by Office 365.  Office 365 doesn’t require a VPN to connect any more and suddenly the need for information rights management feels way more important than ever.

Multi Factor Authentication

So combat some of this, we can require multi-factor authentication to connect to the Office 365 tenant.  If you do this properly, then you will have a nice, unhindered experience within your corporate network and a multi-factor authentication login from outside your network.  (Please note you will need Microsoft Office 2013 as a client for outside your network).

This is all well and good but that doesn’t stop you logging into your personal PC and downloading the file using your corporate account.  That is where IRM comes in…

Information Rights Management (IRM)


As a brief overview, IRM essentially controls what a user can do in a client application regarding a document based on who they are logged in as and the group they belong to.

For Example:

Corporate Network

You have a protected Word document and you are authenticated inside your corporate network.  You have permissions to View, Print, Edit the file etc…


You have a protected Word document and you open the file on your personal computer.  You cannot View, Print or Edit the file regardless of how you received the file (link to a SharePoint site, an Email Attachment or perhaps via a USB drive).

Personal Computer

So ideally what we are looking for is this:


And just so we know what I mean by the Red, Amber, Green symbols above…



Guest Devices

Of course in this very modern bring your own device to work world, guest devices means a lot of different platforms and form factors.

  • iPhone
  • iPad
  • Android
  • Windows Phone
  • Windows RT (Maybe…)
  • Windows
  • Mac OSX
  • + others no doubt (blackberry for example…)
  • Thankfully, thanks to Microsoft view on being portable in this world is not tied to device, they have for the most part covered all devices with their Microsoft Office suite which fully covers IRM protection standards across the above listed platforms.

      However, in this changing world, there are always some caveats…  this series of articles will begin to discuss…

    Stay tuned for the next article when we talk about:

  • SharePoint specifics such as setup, file type support, unsupported file types…
  • What you can do about unsupported file types etc.

Useful links for learning…

%d bloggers like this: