Whether you are migrating from AD RMS to Azure RMS or are fully on Azure RMS, you may run into issues when protecting content or when trying to open protected content. Here we will see the troubleshooting steps for Azure RMS.
Note 1: Identify the User.
During the AD RMS to Azure RMS migration, a few users will be migrated as Azure RMS users and a few may still be pointing to AD RMS for IRM functionality. If a user complains that he is not able to protect or consume content, first identify whether the user is an AD RMS user or an Azure RMS user. This tells you which logs (Azure RMS or AD RMS) you have to look at.
Note 2: Basic things to validate
- The user should be able to reach the respective service. An AD RMS user should have access to the AD RMS server, and an Azure RMS user should have internet access to consume the Azure RMS service hosted in the cloud.
- If the user is an Azure RMS user, ensure the required registry settings are properly set, using the Azure RMS analyzer.
- Office should be updated with recent updates.
- The Azure Information Protection client should be the latest Generally Available version.
Ensure the below sites are added as trusted sites in IE.
If the user is using Office 2013, ensure Office is ADAL compliant.
If the user is using Office 2010, ensure the Microsoft Online Services Sign in Assistant is installed.
Note 3: Validate the IRM Configuration
Run the Test-IRMConfiguration command after connecting to Exchange Online PowerShell, or from the on-premises Exchange Management Shell. The overall result should show as PASS, like below.
Test-IRMConfiguration -Sender User1@superhybridcloud.com -Recipient User2@superhybrid.com
Note 4: User is not able to protect content
If the user is not able to protect content, there are only 2 possible reasons:
- The user's machine is not properly initialized to use the service, in other words not bootstrapped, or
- The user is not part of the on-boarding control policy, or is not enabled with an Azure RMS license to protect content.
Note 5: User is not able to open protected content
If the user is unable to consume protected content, check the below things.
- Check whether he is able to protect a document. If not, check the things mentioned in Note 3.
- Ensure the user opening the protected content has permission on the template that was used to protect the content.
Note 6: Use RMS Analyzer to check the prerequisites
For issues related to Azure RMS, you can use RMS Analyzer to validate the prerequisites. RMS Analyzer prompts you to choose a role before starting the prerequisites check, like below.
If it shows Microsoft Online Sign on Assistant not installed or the SCP not registered, like below, you can ignore those steps.
You can continue to check the settings, which will show the things that are configured as part of bootstrapping.
If for any reason you are not able to identify the issue, you can reset the settings using RMS Analyzer and then reconfigure the device with the Azure RMS settings.
Note 7: Collect the Logs
If you have validated all the settings mentioned above and there is still an issue, you can use the logging option in the RMS Analyzer utility and share the logs with Microsoft support to analyse the issue.
Note 8: AADRM User Log
It is always good to look at the AADRM user log, which shows at which stage the user is not able to protect or consume protected content.
You can connect to Azure RMS PowerShell and run the below command to get the logs. You can read the logs on your own. A few things can be analysed only by Microsoft support, and you can share the logs with them.
Get-AadrmUserLog -ForDate 1/22/2018 -Path c:\temp
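To find the stage at which one user is failing, the downloaded log can be filtered for that user's non-successful requests. The function below is an added example, not part of the original post or of Microsoft's tooling. It assumes the log is W3C-style text with a `#Fields:` header, single-quoted values, and `user-id`, `request-type` and `result` columns; the function name, sample rows and addresses are constructed for illustration.

```powershell
# Added example. Assumption: Azure RMS usage logs are W3C-style text with a
# "#Fields:" header line followed by space-separated rows.
function Get-RmsFailure {
    param(
        [string[]] $Line,   # raw log lines, e.g. from Get-Content
        [string]   $User    # UPN of the user being troubleshot
    )
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column names come from the header, so field order is not hard-coded.
            $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and rows seen before any header.
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l) -or -not $fields) { continue }
        # A value is either a single-quoted string (possibly empty) or a bare token.
        $values = @([regex]::Matches($l, "'[^']*'|\S+") | ForEach-Object { $_.Value.Trim("'") })
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        $entry = [pscustomobject]$row
        # Emit only this user's requests that did not succeed.
        if ($entry.'user-id' -eq $User -and $entry.result -ne 'Success') { $entry }
    }
}

# Constructed sample rows in the assumed layout (not real log data).
$sample = @(
    '#Software: RMS'
    '#Version: 1.1'
    '#Fields: date time row-id request-type user-id result'
    "2018-01-22 09:14:02 row-0001 Certify 'user1@example.com' 'Success'"
    "2018-01-22 09:14:40 row-0002 AcquireLicense 'user1@example.com' 'AccessDenied'"
    "2018-01-22 09:15:11 row-0003 AcquireLicense 'user2@example.com' 'Success'"
)
Get-RmsFailure -Line $sample -User 'user1@example.com' |
    Format-Table date, time, request-type, result

# Against the files Get-AadrmUserLog wrote to c:\temp (adjust the file selection):
# Get-ChildItem c:\temp -File | ForEach-Object {
#     Get-RmsFailure -Line (Get-Content $_.FullName) -User 'user1@example.com' }
```

On the constructed sample, only the `AcquireLicense` row with result `AccessDenied` is returned for user1.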
Hope this post is useful for troubleshooting the Azure RMS related issues.