Active Directory Rights Management Services (AD RMS) is an on-premises information rights management solution that ships with Windows Server. It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate emails and Microsoft Office documents, and the operations that authorized users can perform on them.
AD RMS is frequently deployed to enable Information Rights Management (IRM) in Exchange Server to protect emails and provide protected voicemails in unified messaging, and for SharePoint on-prem to protect documents.
I'll be the first to admit that designing and configuring an AD RMS solution can be a bear. You need to thoroughly map out who will access and use protected data for it to work properly. The AD RMS infrastructure requires third-party certificates and must be available to all users who access protected data to receive their use licenses. Add in multiple servers for load balancing and fault tolerance and you have quite the monster to manage. Even so, some organizations have successfully deployed it to protect their on-prem data assets.
All this is a brilliant example of how the cloud can simplify your world. Office 365 provides Azure Rights Management, which is the cloud version of RMS and the protection mechanism in Azure Information Protection (AIP). As with most cloud services, Azure Rights Management is 100% managed by Microsoft. That means you don't have to worry about load balancing, fault tolerance, certificates, or firewall rules. It also means that you can easily extend RMS to all supported workloads, including Exchange Online, SharePoint Online, OneDrive, Teams, etc.
AIP can also be leveraged by on-premises servers like Exchange Server and SharePoint Server. Doing so requires a separate server configured with the Azure Rights Management Connector (soon to be called the AIP Connector) software, which acts as a bridge between your on-premises servers and Azure RMS.
Be aware that AD RMS and Azure Rights Management are not compatible with each other. You can only use one or the other in the same organization. This brings me to the main purpose of this article. Microsoft recently announced they will be automatically enabling the protection features in AIP (Azure Rights Management) beginning August 1, 2018. See the article, "Protection features in Azure Information Protection rolling out to existing Office 365 tenants" for details. If your organization currently uses AD RMS and has hybrid coexistence with Office 365, it's important that you opt-out of this change immediately.
To opt-out, run the following cmdlet from an Exchange Online PowerShell session with global administrator permissions:
Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
This will prevent Office 365 from automatically enabling Azure RMS in your tenant. If you are looking to migrate from AD RMS to Azure RMS, see Migrating from AD RMS to Azure Information Protection.
You can always re-enable automatic service updates later enable Azure RMS manually from the Azure Portal or run the following cmdlet in Exchange Online PowerShell:
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
It can take a bit for the provisioning to complete. It should be finished within 24 hours.
Office 365 Licensing
Microsoft doesn't always do a good job explaining licensing, and the confusion is compounded by the fact that they keep changing the names of their products. I'll do my best to explain that here since you'll see various terms used in online documentation.
Office 365 Message Encryption (OME, formerly Azure RMS) is the Information Protection Management (IRM) feature in Azure Information Protection (AIP). This is what's being enabled on August 1, 2018. It is offered as part of Office 365 E3 and E5, Microsoft E3 and E5, Office 365 A1, A3, and A5, and Office 365 G3 and G5 licenses. Currently you can use OME without AIP licenses. Each user benefiting from Office 365 Message Encryption needs to be licensed to be covered by the feature. End-users who receive or consume OME-protected data do not need a license.
AIP can apply labels to emails and documents that may or may not apply IRM protection. It is offered as part of the Enterprise Mobility + Security E3 or E5 licenses and is also available as AIP P1 or AIP P2 add-on licenses. Each user who labels a document with AIP needs to be licensed to be covered by the feature.
For further reference read:
- Comparing Azure Information Protection and AD RMS
- Set up new Office 365 Message Encryption capabilities
- Deploying the Azure Rights Management connector