RMS in Exchange Online
Joe Schulman, Program Manager, Forefront for Office
Microsoft Confidential
Agenda
- What is RMS?
- Supported topologies
- How to deploy RMS to customers in Exchange Online
What is RMS?
- Rights Management Services is a Windows component that enables applications to protect content. Protect = encrypt + usage rights (DRM).
- http://technet.microsoft.com/en-us/library/cc771627.aspx
- http://en.wikipedia.org/wiki/Rights_Management_Services
- First shipped in the Windows Server 2003 timeframe; the latest release is Active Directory RMS (AD RMS) in Windows Server 2008 R2.
- RMS is integrated in Microsoft products: Office clients (Excel, Word, PowerPoint, Outlook), SharePoint, and Exchange (as IRM).
RMS in Exchange
- RMS is integrated as Information Rights Management (IRM) in Exchange 2010 SP1 (including OWA) and in Exchange Online in the Office 365 beta.
- IT pros configure it using the RMS server and Exchange PowerShell cmdlets.
- End users experience RMS in the Office clients and in OWA.
- Exchange Server decrypts RMS-protected content automatically (the server obtains its own use license) so that common server-side features keep working: transport routing, indexing for search, viewing in OWA, and Unified Messaging (private voicemails). Note the consequence: anything protected with a template the server can license is readable by the server itself.
IRM Support: Granular protection that travels with the data

Information Rights Management (IRM) provides persistent protection to control who can access, forward, print, or copy sensitive data within an email.

Persistent protection
- Protects your sensitive information no matter where it goes (for example, an IRM-protected email remains protected if it is sent externally, downloaded to a USB drive, etc.)
- Usage rights are locked within the document itself
- Protects online and offline, inside and outside of the firewall

Granular control
- Users apply IRM protection directly within an email
- Users can define who can open, modify, print, or forward an email
- Organizations can create custom usage policy templates such as "Confidential—Read Only"
- Limits file access to only authorized users

Speaker notes: Situation: users may not be familiar with Information Rights Management. Slide objective: explain Information Rights Management and its benefits.
Supported Topologies
On-premise IRM
- Same deployment as with Exchange 2007
- Exchange Server 2010 depends on the AD RMS server to decrypt and encrypt content
(Diagram: Contoso Inc. with an AD RMS Server and Exchange Server 2010)
Business-to-Business IRM
Extend Exchange 2010 IRM capabilities to partners*
(Diagram: Contoso Inc. with AD RMS Server and Exchange Server 2010; Fabrikam Inc. with Exchange Server 2010; both connected through the Microsoft Federation Gateway)

Partners can:
- Read/reply to externally protected mail in Outlook Web App
- Decrypt protected mail to search, journal, filter, and apply transport rules

Speaker notes: Slide objective: explain how the same Exchange federation used for calendar sharing can also be used to extend Exchange 2010 IRM support features to partners.

Talking points:
[Build 1] Organizations set up trust through the Microsoft Federation Gateway (MFG). The sender federates its on-premises RMS server with the MFG (requires software that ships in Windows Server 2008 R2 SP1). The partner federates its Exchange 2010 server with the MFG.
[Build 2] A protected message is sent to a Fabrikam recipient. The message can be protected automatically (via Outlook Protection Rules or Transport Protection Rules) or manually (in Outlook/OWA).
[Build 3] Fabrikam contacts the RMS server for a use license. Fabrikam's Exchange server contacts the MFG to get a SAML token for this message proving Fabrikam's identity, then contacts Contoso's RMS server, presents the SAML token from the MFG, and requests a use license.
[Build 4] Fabrikam decrypts the message for indexing, search, etc. The sending organization has the option to prevent journal decryption by the partner's Exchange 2010 (all other IRM support functions remain enabled).
[Build 5] The recipient can read/reply to the protected message in OWA, and can also search the message in OWA and Outlook (online). Note: to read/reply in Outlook, the organization and partner also need to federate using Active Directory Federation Services.
*Requires Exchange Server 2010 Service Pack 1
Exchange Online IRM (no on-premise Exchange)
(Diagram: Contoso Inc. AD RMS Server; Exchange Online with an embedded RMS server; Outlook, OWA and mobile clients)
- Exchange Online uses its embedded RMS server for encrypting and decrypting.
- An on-premise AD RMS server is still required for managing RMS templates; the templates and the tenant's publishing key reach the service through the exported Trusted Publishing Domain (TPD).
Configuring RMS in Exchange Online: how to enable RMS in Office 365
Today's demo: Enabling RMS in Exchange Online
We want to enable information workers to send rights-protected content with Exchange Online. Four steps:
1. Configure the on-premise RMS server, export the TPD
2. Import the TPD in Exchange Online
3. Make templates visible to users
4. Enable IRM in Exchange Online
Waving my hand: configuring RMS templates
Step 1: Configure on-premise RMS, create RMS templates
Great documentation: http://technet.microsoft.com/en-us/library/cc731599.aspx
Two key concepts:
- RMS templates: the options end users can select to protect mail. Each template defines usage rights, e.g. "All Microsoft FTE – Read Only".
- Trusted Publishing Domain (TPD): 10k-foot view, this is the tenant's private key for encrypting content (the server licensor certificate, its private key, and the templates created with it). The only step is to export it: http://technet.microsoft.com/en-us/library/ee221062(WS.10).aspx. Because the exported file carries the private key and is protected only by the password you choose at export time, handle it like any other private key: strong password, restricted storage, delete the copy once it has been imported.
Assume you followed the guides with on-premise RMS and have your TPD.
Connect to PowerShell in Exchange Online
Guide: http://help.outlook.com/en-us/beta/cc952755.aspx?sl=1

    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session
Connecting to PowerShell
Step 2: Import the TPD in Exchange Online
Run Import-RMSTrustedPublishingDomain. It must be run once for each TPD you need to import, and it also imports the RMS templates contained in the TPD.

    Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0)) -Name "TPD Name" -ExtranetLicensingUrl https://<external rms cluster hostname>/_wmcs/licensing -IntranetLicensingUrl https://<internal rms cluster hostname>/_wmcs/licensing

The documentation for this cmdlet is not yet public.
Importing the TPD
Step 3: Make templates visible to users
By default imported templates are "Archived" and not visible to users.
To see all templates:

    Get-RMSTemplate -Type:All

To make our new template "Distributed" (i.e. visible):

    Set-RMSTemplate -Identity <template identity> -Type:Distributed

Note: "Do Not Forward" is Exchange- and Outlook-specific and cannot be modified.
Step 4: Enable IRM in Exchange Online
Simply flip the IRM switch:

    Set-IRMConfiguration -InternalLicensingEnabled $true
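The four demo steps as one runnable script, added here as an example; it is not code from the deck. It assumes the TPD was exported to C:\tpd.xml with a password, that the AD RMS cluster is reachable as rms.contoso.com (extranet) and rms.corp.contoso.com (intranet), that the TPD contains a template named "Contoso Confidential - Read Only", and that user@contoso.com is a valid sender in the tenant; all of those names are placeholders. Test-IRMConfiguration and the -Password parameter of Import-RMSTrustedPublishingDomain are not shown in the slides; they are the Exchange 2010 SP1 cmdlet/parameter, assumed to behave the same in Exchange Online.

```powershell
# Added example (not from the deck). Placeholder values: C:\tpd.xml, the two
# cluster hostnames, the template name and the test sender.

# Step 0: connect to Exchange Online PowerShell (same as the slide).
$LiveCred = Get-Credential
$Session  = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Step 2: import the TPD. The file holds the tenant's private key, so read it,
# import it and then remove the local copy. The password is the one chosen
# when the TPD was exported from AD RMS.
$tpdPath = 'C:\tpd.xml'
$tpdData = [byte[]](Get-Content -Encoding Byte -Path $tpdPath -ReadCount 0)
$tpdPwd  = Read-Host -Prompt 'TPD export password' -AsSecureString
Import-RMSTrustedPublishingDomain -FileData $tpdData -Name 'Contoso TPD' `
    -Password $tpdPwd `
    -ExtranetLicensingUrl https://rms.contoso.com/_wmcs/licensing `
    -IntranetLicensingUrl https://rms.corp.contoso.com/_wmcs/licensing
Remove-Item -Path $tpdPath -Force

# Check: the first TPD becomes the default, and the licensing URLs must match
# the on-premise cluster exactly or Exchange cannot select the right TPD when
# it decrypts content.
Get-RMSTrustedPublishingDomain |
    Format-List Name, Default, IntranetLicensingUrl, ExtranetLicensingUrl

# Step 3: imported templates arrive Archived; publish the one users should see.
Get-RMSTemplate -Type All | Format-Table Name, Type
Set-RMSTemplate -Identity 'Contoso Confidential - Read Only' -Type Distributed
Get-RMSTemplate -Type Distributed | Format-Table Name, Type

# Step 4: enable IRM, then confirm the setting and exercise the licensing path
# for a real sender before telling users the feature is on.
Set-IRMConfiguration -InternalLicensingEnabled $true
Get-IRMConfiguration | Format-List InternalLicensingEnabled
Test-IRMConfiguration -Sender user@contoso.com

Remove-PSSession $Session
```

If Test-IRMConfiguration fails at the licensing step, the usual cause is a mismatch between the URLs passed at import and the cluster's actual extranet/intranet licensing URLs; re-import with -RefreshTemplates only fixes templates, not URLs, so remove and re-import the TPD with the corrected values.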
End users immediately see the changes in OWA.
Sending the sensitive message
Recipient Experience
Replying to a Message
More Information
- Using Exchange PowerShell in Office 365: http://help.outlook.com/en-us/beta/cc952755.aspx?sl=1
- RMS Overview: http://technet.microsoft.com/en-us/library/cc771627.aspx
Appendix
Extra commands for other common configuration steps, and marketing slides.
Notes on Import-RMSTrustedPublishingDomain
- When prompted for a password, enter the password used during export of the TPD from AD RMS. That password is all that protects the private key inside the exported file.
- When a TPD is imported, the corresponding templates from AD RMS are also imported: the TPD contains the templates that were created with the specific server licensor certificate (SLC) contained in the TPD.
- Exchange supports up to 20 templates per TPD.
- The URLs specified at import are handed to Outlook clients, and are also used when content needs to be decrypted and Exchange has to determine which TPD to use. To ensure the right TPD is chosen, these URLs must match the configuration of your on-premise AD RMS cluster exactly (compare them against the cluster's extranet and intranet licensing URLs before importing).
Changing the default TPD
The first TPD imported is assumed to be the default (which is why we did not configure it). To change the default TPD:

    Set-RMSTrustedPublishingDomain -Identity <TPD ID> -Default

Users only see templates from the default TPD, but they can decrypt content protected under any imported TPD.
Updating Exchange Online with a new TPD
Use the same Import-RMSTrustedPublishingDomain cmdlet, with the -RefreshTemplates switch:

    $data = [byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0)
    Import-RMSTrustedPublishingDomain -FileData $data -Name "TPD Name" -RefreshTemplates
Transport Protection Rules: automatically apply IRM
Apply RMS policies automatically using transport rules
- Apply "Do Not Forward" or custom RMS templates
- IRM protection can be triggered based on sender, recipient, content and other conditions
- Office 2003, 2007, and 2010 attachments are also protected

Speaker notes: Situation: Information Rights Management has been easy for a user to apply in Outlook, but users often forget to apply the appropriate protection. Slide objective: show how transport protection rules make it easy to apply IRM protection automatically by policy.

Talking points: When used with Active Directory Rights Management Services (AD RMS), transport protection rules enable an administrator to automatically apply IRM protection to email (including Office and XPS attachments) after a message is sent. Along with the standard list of conditions that can be applied to all rules, transport protection rules also offer a choice of Rights Management Services (RMS) templates. This lets us specify exactly how a message can be handled by authorized users, whether it can be copied, forwarded and so on.
Outlook Protection Rules
Provide users with IRM protection options
- Adding a recipient or distribution list can trigger IRM protection automatically before sending
- Users can be granted the option to turn off the rule for non-sensitive email
- IRM protection can still be applied manually

Speaker notes: Situation: not all email may require IRM protection. Slide objective: show how Outlook Protection Rules combine the benefit of automatic application of IRM protection with the option to disable protection when appropriate.

Talking points: Outlook Protection Rules automatically trigger Outlook to apply an RMS template based on sender or recipient identities before the message is sent. With Outlook Protection Rules, administrators can also allow users to turn off protection for non-sensitive email. Also, since messages are protected at the desktop before being sent to Exchange, Outlook Protection Rules let your organization prevent third-party service providers or on-site Exchange administrators from viewing sensitive content sent between your employees.
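Policy-driven protection for both of the preceding slides, as an added example rather than code from the deck: two transport protection rules (applied by Exchange after send) and one Outlook protection rule (applied by Outlook 2010 before send, so the content reaches Exchange already encrypted). It assumes the TPD is already imported and IRM enabled, that a template named "Contoso Confidential - Read Only" is distributed, and that board@contoso.com and legal@contoso.com exist; those names are placeholders. The New-OutlookProtectionRule cmdlet is the Exchange 2010 SP1 one and is assumed to be available in the tenant.

```powershell
# Added example (not from the deck). Placeholders: the template name and the
# two recipient addresses. Run in an Exchange Online PowerShell session.

# Transport protection rule, sender based: mail from members of the board
# group that stays inside the organization gets the custom template. Exchange
# applies it after the message is sent, so the client in use does not matter.
New-TransportRule -Name 'Protect board mail' `
    -FromMemberOf 'board@contoso.com' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate 'Contoso Confidential - Read Only'

# Transport protection rule, content based: a subject tag triggers the
# built-in Do Not Forward template (which cannot be customised).
New-TransportRule -Name 'DNF on tagged subject' `
    -SubjectContainsWords 'INTERNAL ONLY' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Outlook protection rule, recipient based: Outlook 2010 applies Do Not
# Forward before the message leaves the desktop, so neither the Exchange
# admins nor the service provider can read the body. UserCanOverride lets the
# sender switch it off for non-sensitive mail.
New-OutlookProtectionRule -Name 'Protect mail to Legal' `
    -SentTo 'legal@contoso.com' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -UserCanOverride $true

# Checks: the template named in a rule must be one Get-RMSTemplate returns,
# and the rules must show the template actually bound to them.
Get-RMSTemplate -Type All | Format-Table Name, Type
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, ApplyRightsProtectionTemplate, State
Get-OutlookProtectionRule |
    Format-Table Name, SentTo, ApplyRightsProtectionTemplate, UserCanOverride
```

The two mechanisms differ in who can read the mail in transit: a transport protection rule encrypts on the server, so Exchange has already seen the plaintext and can still index, journal and route it; an Outlook protection rule encrypts on the client, so server-side features only work if Exchange can obtain a use license under the template, which is the behaviour described in "RMS in Exchange" above.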
IRM in Outlook Web App: access protected messages online
- Native support for IRM in Outlook Web App eliminates the need for the Internet Explorer Rights Management add-on
- Access to standard and custom RMS templates
- Cross-browser support lets Firefox and Safari users (and Mac users) create and consume IRM-protected messages
- Full-text search on RMS-protected messages in Outlook Web App
- Protected messages can be viewed as WebReady Documents

Speaker notes: Situation: the previous version of Exchange did not include support for IRM in Outlook Web App. Slide objective: discuss how new native support for IRM in Outlook Web App extends the ability of organizations to leverage IRM protection.

Talking points: Support for IRM in Outlook Web App enables users to read and reply to (as well as reply all, forward, and be blocked from printing or cut/copy of) IRM-protected messages natively, just as in Outlook. IRM-protected messages in Outlook Web App can be accessed through Windows Internet Explorer, Firefox, and Safari (no plug-in required) and include full-text search, conversation view and the preview pane. With additional support for WebReady Document Viewing of IRM-protected messages, recipients can view protected attachments without having to install or start the associated application (such as Microsoft Word, Microsoft PowerPoint, Adobe Acrobat, etc.).
IRM Search: index and search protected items
- Conduct full-text search of IRM-protected mail in Outlook (online), Outlook Web App, and multi-mailbox search
- Content within protected attachments can also be searched

Speaker notes: Situation: IRM protection gets in the way of system access to protected messages, which breaks essential parts of organizational infrastructure such as searching IRM-protected messages. Slide objective: discuss native support for IRM search.

Talking points: IRM Search enables indexing and searching of IRM-protected messages, including headers, subject, body, and attachments, in Outlook (online) and Outlook Web App. The same applies to multi-mailbox search.
Protected Voicemail: prevent forwarding of voicemail
- Protect all messages, or only messages marked Private
- "Do Not Forward" template, integrated with AD RMS and Exchange Unified Messaging
- Permissions designated by the sender (by marking the message as private) or by administrative policy
- Multimedia playback restriction prevents voicemail from being transferred to the desktop

Speaker notes: Situation: with the ability to forward voicemail messages comes new potential for data leaks. Objective: Information Rights Management can be applied to voicemail messages to prevent unwanted forwarding.

Talking points: Using Active Directory Rights Management Services, Unified Messaging can apply Do Not Forward permissions to voice messages that are designated either by the sender (by marking the message as private) or by administrative policy. This prevents the forwarding of protected voicemails in a playable form to unauthorized persons, regardless of the mail client used.