RMS Architecture EMS Partner Bootcamp TechReady 18 9/17/2018

Presentation transcript:

RMS Architecture EMS Partner Bootcamp TechReady 18 9/17/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Rights Management Today (diagram; labels: Active Directory, authentication and collaboration, integration, Rights Management Services, mobile endpoints, client integration, connectors, user authentication, BYO Key, key management)

Architecture – Azure RMS
- Overview of Azure RMS
- Components
- Service dependencies
- Pre-requisites

RMS on-premises infrastructure is pretty simple. You need at a minimum:
- Active Directory Domain Services
- The AD RMS server role installed on a member server
- SQL Server, installed on the AD RMS server as a bare minimum; for availability, we recommend deploying SQL Server on a separate server or failover cluster
- Client components (AD RMS Client and RMS-enabled applications)

The AD RMS server itself is an ASP.NET application running on IIS. If you choose to install the AD RMS role via the UI or PowerShell, the required IIS features will be installed automatically. AD RMS in Windows Server 2008 will also require MSMQ for logging purposes.

Windows Azure RMS

Built on Azure
- Service is completely built on Azure
- Utilizes compute, storage, sync and Azure core monitoring infrastructure
- Service currently deployed to 2 datacenters in each region with redundancy on read operations

Several “Roles”
- RMS Web Services: all core RMS endpoints. Includes the “core” web service endpoints (Certify, GetCLC, AcquireLicense, AcquireTemplates, REST endpoints for mobile clients)
- STS: responsible for authenticating users to endpoints
- KMS: responsible for cryptography operations

Windows Azure RMS is a service that is equivalent to AD RMS but run from the cloud. As such it runs on Windows Azure and integrates tightly with Azure AD. Its internal details are of little relevance to our customers, since all they see are the endpoints we present, but the fact that it is built on Azure means it is highly available, highly redundant and highly scalable, things our customers DO care about.

Azure RMS architecture

Diagram labels: Windows Azure: Commerce/AAD/OrgID; Exchange Online; RMS; SharePoint Online; RAP; KMS; Outlook/Office; Web Access Companion; OWA/EAS Client.

We can see that Azure RMS sits in the cloud in a position similar to the one AD RMS holds on-premises. It talks to Azure AD for all its authentication and group membership evaluation needs, and integrates with cloud services such as Exchange Online and SharePoint Online.

One internal detail that IS relevant to customers' needs is that Exchange Online, unlike SharePoint Online, does not talk *directly* to Azure RMS, but through a small RMS engine running inside EXO that provides licensing support to EXO without having to make calls to Azure RMS. This is due to historical reasons and may change in the future. The consequence is that the feature set available through Azure RMS may not be 100% exposed through the Exchange functionality. For example, Bring Your Own Key and IRM logging capabilities are not integrated with Exchange Online.

Speaking of BYOK, we see that RMS relies on a separate service called Key Management Service (KMS), which handles all public key cryptography operations for RMS (e.g. key storage, key creation, signing and decryption of symmetric keys, etc.). This service abstracts all crypto capabilities from RMS so it can obtain new features (such as Bring Your Own Key, discussed later) with little impact to RMS itself. We will discuss KMS in due time.

Service dependencies

Azure

Azure AD
- Commercial customer needs AAD tenant
- Individuals (consumers) get “unclaimed tenants” automatically for their domain
- Tenant created automatically with Azure RMS or Office 365 signup
- Email address, group membership and authentication need to work (Dirsync/Federation)

Office 365
- Not a strict requirement, but integrated

As you can imagine, Azure RMS relies on Windows Azure, but the customer does not have to provision Azure machines themselves; this is all transparently managed by the RMS offering. They DO have to set up an Azure AD tenant and configure it adequately, so Azure RMS can work with the customer’s identities. This means performing dirsync with the cloud so Azure RMS can perform group expansion, and setting up either password hash sync or federation so users can authenticate seamlessly. Office 365 is not a requirement for Azure RMS, but its integration is very tight and highly streamlined.

Requirements

Customer must have AAD setup
- AADSync with minimal attributes
- Password hash sync OR federation
- Group membership MUST be synced

Clients
- Windows 7+
- Office 2010+
- RMS sharing app (optional if using Office 2013)
- Windows Phone, RT, iOS or Android devices must have RMS app

As said, the customer must have Azure AD deployed and configured. The customer must also be running recent versions of their clients and servers; in general, anything with a 2010 or higher number works. The minimum client OS is Windows 7.
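
The Azure AD requirements above can be checked against a tenant before Azure RMS is switched on. The following is an added example, not part of the original presentation: the function name Test-AzureRmsPrerequisite is hypothetical, and it assumes PowerShell 3.0 or later with the MSOnline module installed and a session already opened with Connect-MsolService.

```powershell
# Added example (not from the presentation). Assumes the MSOnline module is
# installed and Connect-MsolService has already been run for the tenant.
function Test-AzureRmsPrerequisite {
    [CmdletBinding()]
    param()

    $company = Get-MsolCompanyInformation

    # Federation is configured per verified domain; password hash sync is tenant-wide.
    $verified  = @(Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' })
    $federated = @($verified | Where-Object { $_.Authentication -eq 'Federated' })

    # Groups that carry a LastDirSyncTime were synchronized from on-premises AD.
    $syncedGroups = @(Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime })
    # The slide lists email address as something that must work, so count the
    # synced groups that actually have one.
    $mailGroups = @($syncedGroups | Where-Object { $_.EmailAddress })

    # Client requirement from the slide: Windows 7 or later (NT 6.1).
    $os = [Environment]::OSVersion.Version

    $hashSync = [bool]$company.PasswordSynchronizationEnabled
    $result = [pscustomobject]@{
        DirSyncEnabled      = [bool]$company.DirectorySynchronizationEnabled
        LastDirSyncTime     = $company.LastDirSyncTime
        PasswordHashSync    = $hashSync
        FederatedDomains    = ($federated | ForEach-Object { $_.Name }) -join ', '
        AuthenticationReady = $hashSync -or ($federated.Count -gt 0)
        SyncedGroups        = $syncedGroups.Count
        SyncedMailGroups    = $mailGroups.Count
        ClientOsSupported   = $os -ge [version]'6.1'
    }

    # Warn on each requirement the slide marks as mandatory.
    if (-not $result.DirSyncEnabled)      { Write-Warning 'Directory synchronization is not enabled.' }
    if (-not $result.AuthenticationReady) { Write-Warning 'Neither password hash sync nor a federated domain was found.' }
    if ($result.SyncedGroups -eq 0)       { Write-Warning 'No synchronized groups found; group membership MUST be synced.' }
    if (-not $result.ClientOsSupported)   { Write-Warning 'This client runs an OS older than Windows 7.' }

    $result
}

Test-AzureRmsPrerequisite | Format-List
```

The client OS check applies only to the machine the script runs on; the Office version and the mobile RMS app have to be verified on each device.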