Many organizations use Azure RMS for email and document protection. We tried to migrate from Azure RMS template-based protection to Microsoft Information Protection Unified Label based protection, and in this article I share the details of how I migrated the RMS-based templates to Unified Labels.
Introduction to my environment:
On-premises: AD / Exchange 2016 / ADFS / ADFS Proxy / two Windows 10 clients with Office 365 Pro Plus. It is a Hybrid Exchange environment.
Office 365: Azure Subscription / Office 365 E3 Plan / Enterprise Mobility + Security E5.
All the virtual machines are hosted in Azure. I have two mailboxes, User1 and User2, in Exchange Online.
Azure RMS configuration: Currently I have the three Azure RMS templates below in Azure Information Protection. They are RMS protection templates:
- SHC Confidential_Do not Edit – Recipient cannot edit the protected content.
- SHC Confidential_View Only – Recipient can only view the protected content.
- SHC General_Do Not Reply All – Recipient cannot Reply All to an email but can Reply.
The Exchange Online IRM configuration has the settings shown below. Note that the PDF encryption, Encryption and Do Not Forward options are enabled.
Steps for Migration:
- Review the RMS Templates in use
- Convert the Azure RMS Templates to Azure Information Protection Labels and do not publish any labels
- Enable Unified Labelling
- Migrate the AIP classic labels to Unified Labels
- Publish the required Labels
- Roll out Unified Labelling Clients to endpoints
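For the first step, the current state can be captured from PowerShell before anything is converted. This is an added example, not part of the original walkthrough; it assumes the AIPService and ExchangeOnlineManagement modules are installed, and the output folder name and the mail flow rule check are choices made for this example.

```powershell
# Added example: pre-migration baseline (not from the original post).
# Assumptions: AIPService and ExchangeOnlineManagement modules are installed,
# the session is Windows PowerShell 5.1, and the signed-in account can read
# both the protection service and Exchange Online configuration.
Import-Module AIPService, ExchangeOnlineManagement
Connect-AipService
Connect-ExchangeOnline

# Output folder is a placeholder chosen for this example.
$outDir = Join-Path $env:TEMP 'rms-baseline'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Every protection template in the tenant: names, status and usage rights.
foreach ($t in Get-AipServiceTemplate) {
    Write-Host "Template $($t.TemplateId)"
    Get-AipServiceTemplateProperty -TemplateId $t.TemplateId `
        -Names -Descriptions -Status -RightsDefinitions |
        Format-List | Out-String | Write-Host
}

# 2. Exchange Online IRM settings this article depends on.
#    The two "...Disabled" values are inverted: False means the
#    Encrypt-only / Do Not Forward option is offered to users.
$irm = Get-IRMConfiguration | Select-Object AzureRMSLicensingEnabled,
    EnablePdfEncryption, SimplifiedClientAccessEnabled,
    SimplifiedClientAccessEncryptOnlyDisabled,
    SimplifiedClientAccessDoNotForwardDisabled
$irm | Format-List
$irm | Export-Csv (Join-Path $outDir 'irm-config.csv') -NoTypeInformation

# 3. Mail flow rules that apply a template (assumption: the tenant may have
#    some). These keep referencing the template after labels are introduced.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Select-Object Name, State, ApplyRightsProtectionTemplate |
    Export-Csv (Join-Path $outDir 'rules-using-templates.csv') -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-AipService
```

Re-running the same script after the migration and comparing the two sets of CSV files shows whether the IRM settings changed along the way.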
Test case with Azure RMS:
Before converting the RMS Templates to Azure Information Protection Classic Labels, I am performing a test case with the existing RMS Templates.
User2, using Office 365 Pro Plus, configures his Outlook and can see the Protection Templates available in the tenant.
User2 is using the Azure Information Protection Classic Client.
The View Only template is applied to a new email and sent to User1.
User1, using Office 365 Pro Plus, is able to open the protected email. User1 is able to view the email, but the options to forward, reply and reply all are disabled as per the protection template applied.
User1 sends a new email with the View Only protection template in OWA. As in Outlook, the user is able to see the same protection in OWA.
User2 is able to view the protected emails from OWA. Note that since PDF protection is enabled in the EXO IRM configuration, the protection capabilities are automatically applied to a PDF attached to the email.
Note: PDF protection capabilities work only in Outlook Web Access.
A sample protected email with a PDF attachment shows as protected in Outlook as well.
The same protected email shows as protected in Outlook Web Access as well.
If we check the Protection Template status in other Microsoft Office applications such as Word, where the Azure RMS classic client is installed, it shows as connected to the AIP service.
In addition, the templates are available to apply on documents. To save time, I am skipping the steps to show the demo on protecting the Office documents using Azure RMS Templates.
We will see the test cases for converting the RMS templates to Azure Information Protection classic labels in the second part of this article.