RMS in Exchange Online
Joe Schulman, Program Manager, Forefront for Office
Microsoft Confidential
Agenda
- What is RMS?
- Supported Topologies
- How to deploy RMS to customers in Exchange Online
What is RMS?
Rights Management Services is a Windows component that enables applications to protect content. Protect = encrypt + usage rights (DRM).
First shipped in the Windows Server 2003 timeframe; the latest release was Server 2008 R2.
RMS is integrated in Microsoft products:
- Office clients (Excel, Word, PowerPoint, Outlook)
- SharePoint
- Exchange (as IRM)
RMS in Exchange
- RMS integrated as Information Rights Management (IRM) in Exchange 2010 SP1 (includes OWA)
- Exchange Online in Office 365 beta
- IT Pros configure using RMS Server and Exchange PowerShell cmdlets
- End users experience RMS in Office clients and OWA
- Exchange Server cracks open RMS content automatically to enable common features: transport routing, indexing for search, viewing in OWA, Unified Messaging (private voicemails)
IRM Support: Granular protection that travels with the data
Information Rights Management (IRM) provides persistent protection to control who can access, forward, print, or copy sensitive data within an e-mail.
Persistent protection
- Protects your sensitive information no matter where it is sent (for example, an IRM-protected e-mail remains protected if it is sent externally, downloaded to a USB drive, etc.)
- Usage rights locked within the document itself
- Protects online and offline, inside and outside of the firewall
Granular control
- Users apply IRM protection directly within an e-mail
- Users can define who can open, modify, print, or forward an e-mail
- Organizations can create custom usage policy templates such as "Confidential—Read Only"
- Limit file access to only authorized users
Situation: Users may not be familiar with Information Rights Management.
Slide objective: Explain Information Rights Management and its benefits.
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Supported Topologies
On-premise IRM
Same deployment as with Exchange 2007. Exchange depends on the AD RMS Server to decrypt and encrypt content.
(Diagram: Contoso Inc. with AD RMS Server and Exchange Server 2010)
Business-to-Business IRM
Extend Exchange 2010 IRM capabilities to partners*
(Diagram: Contoso Inc. with AD RMS Server and Exchange Server 2010; Fabrikam Inc. with Exchange Server 2010; both connected through the Microsoft Federation Gateway)
Partners can:
- Read/reply to externally protected mail in Outlook Web App
- Decrypt protected mail to search, journal, filter, apply transport rules
Slide objective: Explain how the same Exchange federation used for calendar sharing can also be used to extend Exchange 2010 IRM support features to partners.
Talking points:
[Build 1] Partners create trust with the Microsoft Federation Gateway. The sender federates the on-premises RMS server with the Microsoft Federation Gateway (requires software that ships in Windows Server 2008 R2 SP1). The partner federates their Exchange 2010 server with MFG.
[Build 2] A protected message is sent to the Fabrikam recipient. The message can be protected automatically (via Outlook Protection Rules or Transport Protection Rules) or manually (in OLK/OWA).
[Build 3] Fabrikam contacts the RMS server for a Use License. Fabrikam's Exchange server contacts MFG to get a SAML token for this message proving Fabrikam's identity, then contacts Contoso's RMS server, presenting the SAML token from MFG and requesting a Use License.
[Build 4] Fabrikam decrypts the message for indexing, search, etc. The sending organization has the option to prevent journal decryption by the partner's Exchange 2010 (all other IRM support functions remain enabled).
[Build 5] The recipient can read/reply to the protected message in OWA, and can also search the message in OWA and Outlook (online). Note: to read/reply in Outlook, the organization and partner also need to federate using Active Directory Federation Services.
*Requires Exchange Server 2010 Service Pack 1
Exchange Online IRM (no on-premise Exchange)
Exchange Online uses an embedded RMS Server for encrypting and decrypting; an on-premise AD RMS Server is still required for managing RMS templates.
(Diagram: Contoso Inc. AD RMS Server; Exchange Online with embedded RMS Server; clients: Outlook, OWA and Mobile)
Configuring RMS in Exchange Online
How to enable RMS in Office 365
Today's demo: Enabling RMS in Exchange Online
We want to enable information workers to send rights-protected content with Exchange Online. Four steps:
1. Configure on-premise RMS server, export TPD
2. Import TPD in Exchange Online
3. Make templates visible to users
4. Enable IRM in Exchange Online
Waving my hand – Configuring RMS Templates
Step 1: Configure on-premise RMS, create RMS templates
Great documentation exists for this step. Two key concepts:
- RMS Templates: options end-users can select to protect mail; each defines usage rights, e.g. "All Microsoft FTE – Read Only"
- Trusted Publishing Domain (TPD): 10k-foot view, this is the tenant's private key for encrypting content. The only step here is to export it.
Assume you followed the guides with on-premise RMS and have your TPD.
Connect to PowerShell in Exchange Online
Guide:
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "<Exchange Online remote PowerShell URI>" -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connecting to PowerShell
Step 2: Import TPD in Exchange Online
Run Import-RMSTrustedPublishingDomain. It must be run once for each TPD you need to import, and it also imports the RMS templates belonging to that TPD.
Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0)) -Name "TPD Name" -ExtranetLicensingUrl https://<rms cluster hostname>/_wmcs/licensing -IntranetLicensingUrl https://<rms cluster hostname>/_wmcs/licensing
The documentation for this is not yet public.
Importing the TPD
Step 3: Make templates visible to users
By default templates are "Archived" and not visible.
To see all templates:
Get-RMSTemplate -Type:All
To make our new template "Distributed" (i.e. visible):
Set-RMSTemplate -Identity <template identity> -Type:Distributed
Note: Do Not Forward is Exchange- and Outlook-specific; it cannot be modified.
Step 4: Enable IRM in Exchange Online
Simply flip the IRM switch:
Set-IRMConfiguration -InternalLicensingEnabled $true
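Steps 2 to 4 as one script, with a check after each step so a misconfiguration is caught before users see it. This is an added example, not code from the deck; the TPD path, TPD name, template name, licensing URL and sender address are placeholders or constructed values, and an Exchange Online remote PowerShell session is assumed to be already imported.

```powershell
# Added example (not from the deck): import a TPD, distribute chosen templates,
# enable IRM, then verify. Placeholders in <> must be replaced with your own values.
$TpdPath      = "C:\tpd.xml"                                        # placeholder: exported TPD
$TpdName      = "Contoso TPD"                                       # constructed name
$LicensingUrl = "https://<rms cluster hostname>/_wmcs/licensing"    # placeholder; must match on-premise AD RMS
$ToPublish    = @("Contoso Confidential - Read Only")               # constructed template name(s)

# Step 2: import the TPD (its templates come with it). ReadAllBytes is the
# portable equivalent of the deck's Get-Content -Encoding byte form.
$tpdBytes = [System.IO.File]::ReadAllBytes($TpdPath)
Import-RMSTrustedPublishingDomain -FileData $tpdBytes -Name $TpdName `
    -ExtranetLicensingUrl $LicensingUrl -IntranetLicensingUrl $LicensingUrl

# Step 3: imported templates arrive "Archived". Distribute only the ones users
# should see; "Do Not Forward" is built in and cannot be modified, so skip it.
foreach ($t in Get-RMSTemplate -Type All) {
    if ($t.Name -eq "Do Not Forward") { continue }
    if ($ToPublish -contains $t.Name -and $t.Type -ne "Distributed") {
        Set-RMSTemplate -Identity $t.Identity -Type Distributed
    }
}

# Step 4: turn on internal licensing.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verification: what users will be offered, the IRM switch state, and the
# built-in end-to-end test from a mailbox in the tenant.
Get-RMSTemplate -Type Distributed | Format-Table Name, Type -AutoSize
Get-IRMConfiguration | Format-List InternalLicensingEnabled
Test-IRMConfiguration -Sender "<user@contoso.com>"   # placeholder sender address
```

Test-IRMConfiguration exercises the full path (template retrieval, publishing and use licences) and reports which step failed, which is quicker than sending a protected message and waiting for user feedback.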
End users immediately see the changes in OWA
Sending the sensitive message
Recipient Experience
Replying to a Message
More Information
- Using Exchange PowerShell in Office 365
- RMS Overview
Appendix Extra commands for other common configuration steps and marketing slides
Notes on Import-RMSTrustedPublishingDomain
When prompted for a password, enter the password used during export of the TPD from AD RMS. When a TPD is imported, the corresponding templates from AD RMS are also imported. The TPD contains the templates that were created with the specific SLC contained within the TPD. Exchange will support up to 20 templates per TPD. The URLs that are specified when importing will be used by Outlook clients and will also be used when content needs to be decrypted and Exchange needs to figure out which TPD to use. In order to ensure the right TPD is used these URLs must match the configuration in your on-premise AD RMS cluster.
Changing the default TPD
The first TPD is assumed to be the default (which is why we didn't configure it). If you want to change the default TPD, use the cmdlet:
Set-RMSTrustedPublishingDomain -Identity <TPD ID> -Default
Users only see templates from the default TPD, but they can decrypt content from any TPD.
Updating Exchange Online with new TPD
Same Import-RMSTrustedPublishingDomain cmdlet, just with the -RefreshTemplates switch:
$data = [byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0)
Import-RMSTrustedPublishingDomain -FileData $data -Name "TPD Name" -RefreshTemplates
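The three appendix notes above (licensing URLs must match the on-premise cluster, the default TPD decides which templates users see, and -RefreshTemplates pulls in new templates) as one maintenance script. Added example, not from the deck; the expected licensing URL, TPD name and TPD path are placeholders or constructed values.

```powershell
# Added example (not from the deck): audit imported TPDs, set the default, refresh templates.
$ExpectedLicensingUrl = "https://<rms cluster hostname>/_wmcs/licensing"   # placeholder: what AD RMS publishes
$TpdName              = "Contoso TPD"                                      # constructed name
$TpdPath              = "C:\tpd.xml"                                       # placeholder: freshly exported TPD

# Exchange picks the TPD by matching licensing URLs when it has to decrypt content, so a
# TPD whose URLs differ from the on-premise cluster will silently never be used. Flag it.
$expected = $ExpectedLicensingUrl.TrimEnd('/')
foreach ($tpd in Get-RMSTrustedPublishingDomain) {
    $urls = @($tpd.IntranetLicensingUrl, $tpd.ExtranetLicensingUrl)
    $mismatch = $urls | Where-Object { "$_".TrimEnd('/') -ne $expected }
    if ($mismatch) {
        Write-Warning ("TPD '{0}' has licensing URL(s) {1}; expected {2}" -f `
            $tpd.Name, ($mismatch -join ', '), $ExpectedLicensingUrl)
    }
}

# Users only see templates from the default TPD, so make sure the right one is default.
$target = Get-RMSTrustedPublishingDomain | Where-Object { $_.Name -eq $TpdName }
if (-not $target) { throw "TPD '$TpdName' is not imported" }
if (-not $target.Default) {
    Set-RMSTrustedPublishingDomain -Identity $target.Identity -Default
}

# Pull in templates created on-premise since the last import. The cmdlet prompts for
# the password that was used when the TPD was exported from AD RMS.
$bytes = [System.IO.File]::ReadAllBytes($TpdPath)
Import-RMSTrustedPublishingDomain -FileData $bytes -Name $TpdName -RefreshTemplates

# Refreshed templates arrive "Archived"; list them so you can decide which to distribute.
Get-RMSTemplate -Type Archived | Format-Table Name, Type -AutoSize
```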
Transport Protection Rules
Automatically apply IRM: apply RMS policies automatically using Transport Rules
- Apply "Do Not Forward" or custom RMS templates
- IRM protection can be triggered based on sender, recipient, content and other conditions
- Office 2003, 2007, and 2010 attachments also protected
Situation: Information Rights Management (IRM) has been easy for a user to apply in Outlook, but users often forget to apply the appropriate protection.
Slide objective: Show how transport protection rules make it easy to apply IRM protection automatically by policy.
Talking points: When used with Active Directory® Rights Management Services (AD RMS), transport protection rules enable an administrator to automatically apply IRM protection to e-mail (including Office and XPS attachments) after a message is sent. Along with the standard list of conditions that can be applied to all rules, transport protection rules also give us the option of various Rights Management Services (RMS) templates. This enables us to specify exactly how a message can be handled by authorized users, whether it can be copied, forwarded and so on.
Outlook Protection Rules
- Provide users with options for IRM protection
- Adding a recipient or distribution list can trigger IRM protection automatically before sending
- Users can be granted the option to turn off the rule for non-sensitive e-mail
- IRM protection can still be applied manually
Situation: Not all e-mail may require IRM protection.
Slide objective: Show how Outlook Protection Rules combine the benefit of automatic application of IRM protection with the option to disable protection when appropriate.
Talking points: Outlook Protection Rules automatically trigger Outlook to apply an RMS template based on sender or recipient identities before the message is sent. With Outlook Protection Rules, administrators can also enable users to turn off protection for non-sensitive e-mail. Also, since the messages are protected at the desktop before being sent out to Exchange, Outlook Protection Rules allow your organization to block third-party service providers or onsite Exchange administrators from viewing sensitive content that is sent between your employees.
IRM in Outlook Web App: Access protected messages online
- Native support for IRM in Outlook Web App eliminates the need for the Internet Explorer Rights Management add-on
- Access to standard and custom RMS templates
- Cross-browser support enables Firefox and Safari users to create and consume IRM-protected messages
- Mac users can create/consume RMS-protected messages
- Conduct full-text search on RMS-protected messages in Outlook Web App
- Protected messages can be viewed as WebReady Documents
Situation: Previous versions of Exchange did not include support for IRM in Outlook Web App.
Slide objective: Discuss how new native support for IRM in Outlook Web App extends the ability of organizations to leverage IRM protection.
Talking points: Support for IRM in Outlook Web App enables users to read and reply to (as well as reply all, forward, block print, cut/copy) IRM-protected messages natively, just like in Outlook. IRM-protected messages in Outlook Web App can be accessed through Windows® Internet Explorer®, Firefox, and Safari (no plug-in required) and include full-text search, conversation view and preview pane. With additional support for WebReady Document Viewing for IRM-protected messages, recipients can view protected attachments without having to install or start the associated application (such as Microsoft Word, Microsoft PowerPoint®, Adobe Acrobat, etc.).
IRM Search: Index and search protected items
Conduct full-text search of IRM-protected mail in Outlook (online), Outlook Web App, and multi-mailbox search.
- IRM Search enables indexing and searching of IRM-protected messages, including headers, subject, body, and attachments
- Also applies to multi-mailbox search
- Content within protected attachments can also be searched
- Protected voicemail
Situation: IRM protection gets in the way of system access to protected messages. This breaks essential parts of organizational infrastructure such as searching of IRM-protected messages.
Slide objective: Discuss native support for IRM search.
Talking points: Conduct full-text search of IRM-protected mail and attachments in Outlook (online) and Outlook Web App.
Protected Voicemail: Prevent forwarding of voicemail
Protect all messages or only messages marked Private.
- Multimedia playback restriction prevents voicemail from being transferred to the desktop
- "Do Not Forward" template
- Integration with AD RMS and Exchange Unified Messaging
- Permissions designated by sender (by marking the message as private) or by administrative policy
Situation: With the ability to forward voicemail messages comes new potential for data leaks.
Objective: Information Rights Management can be applied to voicemail messages to prevent unwanted forwarding of messages.
Talking points: Using Active Directory Rights Management Services, Exchange can apply Do Not Forward permissions to voice messages that are designated either by the sender (by marking the message as private) or by administrative policy. This prevents the forwarding of protected voicemails in a playable form to unauthorized persons, regardless of the mail client used.