The New Rights Management Service (RMS) – Very Sticky!


Josh Condie – Rights Management Services (RMS) is probably one of the most under utilized security and compliance features in Office (and available in Office 365).  Yet, there is probably no “stickier” function available to partners positioning the Enterprise subscriptions of Office 365 against any competition.  The ability to define granular security, usage and compliance on documents at both the author level and the at the corporate level (via templates loaded directly into each Office application), is function that becomes irreplaceable once the end-user community is properly trained.  It also prevents the accidents in document and content sharing better than anything (save for a very restrictive firewall).  Accidental sharing of email attachments with external parties (via email auto-complete errors or other) is a prime cause of breach of confidentiality across many industries – from Public Sector to Healthcare to Legal to Financial, etc.

Here’s a condensed definition of RMS:

Microsoft RMS enables the flow of protected data on all important devices, of all important file types, and lets these files be used by all important people in a user’s collaboration circle. Yes, RMS will now protect any file type (not just Microsoft Office documents), let you access them on many devices (not just Windows PCs), and enable sharing with other organizations (not just within your organization). Furthermore ITPros can perform simple, planned deployments of RMS or, if not deployed by the ITPro, Information workers (IWs) can adopt RMS on their own (dubbed ‘RMS for Individuals’) for free.

The Microsoft Rights Management suite is implemented as a Windows Azure service. For brevity, we reference it within as Azure RMS so as not to confuse with Windows Server AD Rights Management Services (aka ADRMS). It comprises a set of RMS applications that work on all your common devices, a set of software development kits, and related tooling. By leveraging Windows Azure Active Directory, the Azure RMS service acts as a trusted hub for secure collaboration where one organization can easily share information securely with other organizations without additional setup or configuration. The other organization(s) may be existing Azure RMS customers but if not, they can use a free Azure ‘RMS for Individuals’ capability.


Last week we expanded the RMS offering, both on-premise and in the cloud (O365 integrated seamlessly with Azure RMS) in a significant fashion.  Please reference this blog for the details: Some key excerpts:

RMS enables organizations to share sensitive documents within their organization or to other organizations with unprecedented ease. These documents can be of any type, and you can consume them on any device. Given the protection scheme is very robust, the file can even be openly shared… even on consumer services like SkyDrive™/DropBox™/GDrive™.

Today we’re announcing the preview of SDKs, Apps, and Services, and we’re giving details on how you can explore each of them. If you’d like some background on Microsoft Rights Management, check out this TechEd Talk. I’ll also strongly recommend you read the new RMS whitepaper for added details.

Promises of the new Microsoft Rights Management services


  • I can protect any file type
  • I can consume protected files on devices important to me
  • I can share with anyone
    • Initially, I can share with any business user; they can sign up for free RMS
    • I can eventually share with any individual (e.g. MS Account, Google IDs in CY14)
    • I can sign up for a free RMS capability if my company has yet to deploy RMS


  • I can keep my data on-premise if I don’t yet want to move to the cloud
  • I am aware of how my protected data is used (near realtime logging)
  • I can control my RMS ‘tenant key’ from on-premise
  • I can rely on Microsoft in collaboration with its partners for complete solutions

These promises combine to create two very powerful scenarios:

  1. Users can protect any file type. Then share the file with someone in their organization, in another organization, or with external users. They can feel confident that the recipient will be able to use it.
  2. ITPros have the flexibility in their choice of storage locale for their data and Security Officers have the flexibility of maintaining policies across these various storage classes. It can be kept on premise, placed in an business cloud data store such as SharePoint, or it can placed pretty much anywhere and remain safe (e.g. thumb drive, personal consumer-grade cloud drives).

The RMS whitepaper offers plenty of added detail.


User experience of sharing a document

Here’s a quick fly-by thru one (of the many) end to end user experiences. We’ve chosen the very common ‘Sensitive Word document’ scenario. While in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application):

You are then offered the protection screen. This screen will be provided by the SDK and thus will be the same in all RMS-enlightened applications:

When you are done with addressing and selecting permissions, you invoke SEND. An email will be created that is ready to be sent but you we let you edit it first:

The recipient of this email can simply open the document.

If you’re a hands-on learner, just send us an email using this link and we’ll invite
you to consume a protected document the same way partner of yours would.


There is a great TechEd Training Session here:


Comments (0)

Skip to main content