Enterprise Mobility and Security Blog


Hello everyone,

We’ve got lots of exciting news today. Earlier this year, we announced the preview of the Document Tracking feature at the Ignite conference. Today we are excited to announce the worldwide general availability of this feature. We’re equally excited to release Multi-Factor Authentication support and to announce the release of Outlook on Android with RMS support. Lastly, by popular request, the team has worked overtime to create a public preview of the RMS sharing app that non-admin users – those who are not administrators on their machine – can install too.

Below you will find the details on each of them. Our team is already hard at work on the next wave of news and software… both of which are sure to delight!

Reminders: Follow us on Twitter (@TheRMSGuy) and join our community on Yammer.

 

Azure RMS Document Tracking General Availability

As we explained in our preview blog, we’ve extended our base document protection promise so that it now covers these four core points:

  1. Your users can protect documents and share them both internally and with other businesses.
  2. They can limit who gets access to their documents and can set a document expiration date.
  3. The sender can (now) monitor the use, and thus the abuse, of each shared document using a variety of views.
  4. If the senders do not like what they see, they can (now) revoke access to the document regardless of where it is stored.

The last two promises are now in General Availability (GA), while the first two are the Azure RMS offers that have been in the market for a while. These promises give our users immense control over their documents. The scenarios are easy and quick to implement. Check out the preview blog for a step-by-step guide on how to try out the scenario.

So what’s new with the GA?

  • As of today, the feature is available worldwide, and is fully supported.
  • IT admins who want to try out the functionality before making it live for their users now have the ability to disable document tracking and enable it later for their tenants using PowerShell cmdlets.
  • We have taken feedback from customers, made a large number of critical and UI bug fixes, and in general stabilized the product.
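The tenant-level toggle mentioned above, as an added example that is not code from this post: it assumes the AADRM PowerShell module and its Connect-AadrmService, Get-AadrmDocumentTrackingFeature, Disable-AadrmDocumentTrackingFeature, Enable-AadrmDocumentTrackingFeature and Disconnect-AadrmService cmdlets, and that the Get cmdlet returns the strings 'Enabled' or 'Disabled'; confirm the names and output with Get-Command and a dry run in your module version.

```powershell
# Added example: stage the Document Tracking rollout for a tenant with the
# AADRM module cmdlets (assumed names; verify with Get-Command *-Aadrm*).
# Pattern: record the current state, change it only when needed, verify,
# and keep the before/after values for your change log.
param(
    [ValidateSet('Disable', 'Enable')]
    [string]$Action = 'Disable'
)

Import-Module AADRM -ErrorAction Stop
Connect-AadrmService            # interactive sign-in as an RMS/global admin

$before = Get-AadrmDocumentTrackingFeature   # assumed to return 'Enabled' or 'Disabled'
Write-Host "Document Tracking before change: $before"

if ($Action -eq 'Disable' -and $before -eq 'Enabled') {
    # Pilot mode: users lose access to the tracking site until it is re-enabled
    Disable-AadrmDocumentTrackingFeature
}
elseif ($Action -eq 'Enable' -and $before -eq 'Disabled') {
    Enable-AadrmDocumentTrackingFeature
}
else {
    Write-Host "No change needed: feature already $before"
}

$after = Get-AadrmDocumentTrackingFeature
Write-Host "Document Tracking after change:  $after"

# Append a change record so the pilot/rollout state is auditable later
[pscustomobject]@{
    Timestamp = (Get-Date).ToString('o')
    Action    = $Action
    Before    = $before
    After     = $after
} | Export-Csv -Path .\rms-doctracking-change.csv -Append -NoTypeInformation

Disconnect-AadrmService
```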

And what’s coming?

  • Document Tracking is an Azure RMS Premium feature. Very soon, we will be enforcing this restriction. Until then, existing Office 365 E3/E4 users may be able to sign in to access the Document Tracking site. Check out our FAQs for details.
  • The Document Tracking site is in English only across all geographies today. The localized bits are being deployed across geographies. We will make the Document Tracking site available in 43 languages over the next few weeks.
  • If you are a developer, here is the good news: you can already use RMS SDK 2.1 for Windows to provide document tracking data from your application. If you have RMS-enabled applications on iOS, Android, and Mac, the updated SDKs to support document tracking are coming soon. Watch out for an update here.
  • We’re planning the next round of enhancements. If you have ideas, please send them to askIPteam@microsoft.com.

 

Multi-factor authentication in Rights Management clients

Next, we want to share some great news about the modern authentication update in RMS applications, which enables you to use stronger authentication with Azure RMS.

We heard a lot of feedback from customers who need additional assurance of the identity of recipients of their RMS-protected documents. Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method and adds a critical second layer of security when users sign in. It is one of the important cloud security controls. MFA usually works by requiring any two or more of the following verification methods:

  • Something you know (typically a password or PIN)
  • Something you have (a card or trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

You can learn more about what MFA is, how it works, and the available methods from our friends in the Azure MFA team by reading What is Azure Multi-Factor Authentication. And now you can use all these modern authentication methods, such as the Azure MFA service or server, smart cards, or a compatible on-premises one-time password solution, with your Rights Management applications that support modern authentication.

Today we’re announcing support for Rights Management with modern authentication for the following clients:

  1. Rights Management sharing application on all platforms: Windows desktop, iOS, Android, OSX, and Windows Phone
  2. Office 2013 (requires an update via usual update channels)
  3. Office clients on mobile devices
  4. Office 2016 on Mac
  5. Office 2016 for other platforms (ready upon release)
  6. Any other application written to the RMS SDK (developer kit) that has been updated to use the Active Directory Authentication Library (ADAL)-based sign-in flows.

The typical user experience will look similar to this:

  1. The user opens a protected document and is prompted to provide their user name and password:

Sign-in in the Rights Management application on Windows

If MFA is enforced for the user, this flow will now challenge the user to enter or use their second factor. This screen will vary widely based on what the organization chooses to do: Azure MFA, smart card, etc. What you see here is the Azure MFA version from Azure AD Premium:

Text message as the second factor in the Rights Management application on Windows

  2. In this particular case, the user enters the code they received by text message on their phone; access is granted, and they can then open the RMS-protected document.

 

This modern authentication update enables the following new authentication scenarios with Azure RMS:

  1. MFA for Rights Management client applications

With the new ADAL-based modern authentication in our Rights Management client applications, your users can sign in using true multi-factor authentication. The second factor of authentication the user must provide depends on the configuration by your IT administrator: this could be a phone call or text message from Azure MFA, or a one-time password (OTP) from a supported MFA solution integrated with your on-premises AD FS or third-party federation server.

  2. SAML-based third-party identity provider sign-in

Now, with the modern ADAL-based authentication flow, users can sign in to RMS client applications even when using an identity provider that uses SAML-P 2.0 – for example, a third-party federation server.

  3. Smart card and certificate-based authentication

If you have deployed Active Directory Federation Services (AD FS) on-premises, you may elect to configure users to sign in with smart card/certificate-based authentication. In this configuration, your users are not required to enter their user name and password. Instead, they use smart cards (physical or virtual) for authentication.

Note however that support for smart cards is challenging on mobile devices running iOS or Android.

How to get the update

With this announcement we released an updated version (1.0.1908) of the Rights Management sharing application for Windows. This version and later support modern authentication.

Our partners in the Office team blogged about their support for modern authentication. You should install the most current version of the Office clients (the June update or later for Office on Windows).

 

Getting started with MFA

You can learn more about MFA requirements for Azure RMS and client requirements in the Rights Management sharing application administrator guide.

We recommend you learn more about Azure MFA and how it works. For customers that use Microsoft-managed tenants, it is really easy to configure Azure MFA for your users. But you can always use it on-premises too, with Azure MFA Server – the following article can help you choose the right solution for your environment.

If you are specifically interested in modern authentication with Office 365 services, please refer to Plan for multi-factor authentication for Office 365 deployments.

 

MFA support on iOS

On iOS, MFA support in Office applications and the RMS sharing application works only with the PhoneFactor MFA application (the previous version of Azure Authenticator). We have found a bug with the new iOS Azure Authenticator app and RMS. We are actively working to fix it. Expect an update in the next few weeks. In the meantime, you can try out MFA with RMS on all other platforms.

 

Outlook Android with RMS support

If you install the latest version of the Outlook app on your Android device, you will find that it now supports opening and replying to RMS-protected emails. Our friends at Office are working incredibly hard to make Outlook the app of choice on all mobile platforms, and the RMS feature further helps with that mission. Here’s the latest screenshot showing this support:

 

RMS sharing app Public Preview for ‘non-admin’ users

Our customers love secure B2B collaboration via the RMS sharing app. The Share Protected add-in in the Office apps is one of the most common ways to share documents outside the company. With easy sign-up for recipients via RMS for individuals, users can send a document to any business account in the world.

A critical piece of feedback we have received from customers is that they want recipients who are not admins on their PC to be able to install the RMS sharing app. We’ve listened and are pleased to announce a preview release of the RMS sharing app that non-admin users can install.

We made the required architectural changes to bring this functionality to life, and we now invite you to experience deploying the RMS sharing app when you are not an admin on your PC! Below are the instructions to try out the preview build:

  1. Go to https://connect.microsoft.com/site1170/Downloads/DownloadDetails.aspx?DownloadID=59163
  2. Download all four files.
  3. Follow the instructions in readme.pdf.

[NOTE: If you receive an error, you haven’t registered on Microsoft Connect. To register, go to www.connect.microsoft.com, sign in with your Microsoft Account > Directory > 'View Connect products currently not accepting feedback' > Search for Rights Management Services > Join.]

  

In Summary

  • Azure RMS Premium customers can now fully enjoy the incredible value of Document Tracking and File Revocation. Those using the basic offer included in Office 365 have a few more weeks to learn to love this feature as well.
  • Multi-factor Authentication with Azure RMS is now supported and adds incredible value for your important documents.
  • Secure B2B collaboration is about to become a lot easier with RMS via the new RMS sharing app on Windows.

We have had an incredible year with many new innovations, but we are not done yet. If you have any questions or feedback, please post them below. You can also write to us at askipteam@microsoft.com.

 

Thanks,

Dan on behalf of our incredibly dedicated RMS team