RMS Architecture EMS Partner Bootcamp TechReady 18 9/17/2018


1 RMS Architecture EMS Partner Bootcamp TechReady 18 9/17/2018
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Rights Management Today
[Diagram labels: Active Directory, authentication and collaboration, integration, mobile endpoints, Rights Management Services, client integration, connectors, user authentication, BYO Key, key management]

3 Architecture – Azure RMS
- Overview of Azure RMS
- Components
- Service dependencies
- Pre-requisites

RMS on-premises infrastructure is pretty simple. You need at a minimum:

- Active Directory Domain Services
- AD RMS server role installed on a member server
- SQL Server, installed on the AD RMS server as a bare minimum; for availability, we recommend deploying SQL Server on a separate server or failover cluster
- Client components (AD RMS Client and RMS-enabled applications)

The AD RMS server itself is an ASP.NET application running on IIS. If you choose to install the AD RMS role via UI or PS, the required IIS features will be installed automatically. AD RMS in Windows Server 2008 will also require MSMQ for logging purposes.

4 Windows Azure RMS
Built on Azure

- Service is completely built on Azure
- Utilizes compute, storage, sync and Azure core monitoring infrastructure
- Service currently deployed to 2 datacenters in each region with redundancy on read operations

Several “Roles”

- RMS Web Services – All core RMS endpoints. Includes the “core” web service endpoints (Certify, GetCLC, AcquireLicense, AcquireTemplates, REST endpoints for mobile clients)
- STS – Responsible for authenticating users to endpoints
- KMS – Responsible for cryptography operations

Windows Azure RMS is a service that is equivalent to AD RMS but run from the cloud. As such, it runs on Windows Azure and integrates tightly with Azure AD. Its internal details are of little relevance to our customers, since all they see are the endpoints we present, but the fact that it is built on Azure means it is highly available, highly redundant and highly scalable, things our customers DO care about.

5 Azure RMS architecture
[Diagram labels: Windows Azure: Commerce/AAD/OrgID, Exchange Online, RMS, SharePoint Online, RAP, KMS, Outlook/Office, Web Access Companion, OWA/EAS Client]

We can see that Azure RMS sits in the cloud in a position similar to the one AD RMS occupies on-premises. It talks to Azure AD for all its authentication and group membership evaluation needs, and integrates with cloud services such as Exchange Online and SharePoint Online.

One internal detail that IS relevant to customers' needs is that Exchange Online, unlike SharePoint Online, does not talk *directly* to Azure RMS, but through a small RMS engine running inside EXO that provides licensing support to EXO without having to make calls to Azure RMS. This is due to historical reasons and may change in the future. The consequence is that the feature set available through Azure RMS may not be 100% exposed through the Exchange functionality. For example, Bring Your Own Key and IRM logging capabilities are not integrated with Exchange Online.

Speaking of BYOK, we see that RMS relies on a separate service called Key Management Service, which handles all public key cryptography operations for RMS (e.g. key storage, key creation, signing and decryption of symmetric keys, etc.). This service abstracts all crypto capabilities from RMS so it can obtain new features (such as Bring Your Own Key, discussed later) with little impact to RMS itself. We will discuss KMS in due time.

6 Service dependencies

- Azure
- Azure AD
  - Commercial customer needs AAD tenant
  - Individuals (consumers) get “unclaimed tenants” automatically for their domain
  - Tenant created automatically with Azure RMS or Office 365 signup
  - address, group membership and authentication need to work (Dirsync/Federation)
- Office 365
  - Not a strict requirement, but integrated

As you can imagine, Azure RMS relies on Windows Azure, but the customer does not have to provision Azure machines by themselves; this is all transparently managed by the RMS offering. They DO have to set up an Azure AD tenant and configure it adequately, so Azure RMS can work with the customer’s identities. This means performing dirsync with the cloud so Azure RMS can perform group expansion, and either setting up password hash sync or federation so users can authenticate seamlessly. Office 365 is not a requirement for Azure RMS, but its integration is very tight and highly streamlined.

7 Requirements

- Customer must have AAD setup
  - AADSync with minimal attributes
  - Password hash sync OR federation
  - Group membership MUST be synced
- Clients
  - Windows 7+
  - Office 2010+
  - RMS sharing app (optional if using Office 2013)
  - Windows Phone, RT, iOS or Android devices must have RMS app

As said, the customer must have Azure AD deployed and configured. The customer must also be running recent versions of their clients and servers; in general, anything with a 2010 or higher number works. Minimum client OS is Windows 7.

