Use the information below to configure your on-premises servers that use the Azure Rights Management (RMS) connector. These procedures cover step 5 of Implementing the Microsoft Rights Management Connector.
Prerequisites: Before you begin, make sure you have:
- Installed and configured the RMS connector
- Checked all prerequisites relevant to servers using the connector
Configure Servers to Use the RMS Connector
After installing and configuring the RMS connector, you can configure on-premises servers that connect to the Azure Rights Management service and use this protection technology through the connector.
This means you configure the following servers:
Environment | Servers to configure |
---|---|
Exchange 2013 | Client Access Server and Mailbox Server |
Exchange 2016 and Exchange 2019 | Mailbox servers (including Client Access and Hub Transport server roles) |
SharePoint | SharePoint front-end web servers, including those hosting the central administration server |
File Classification Infrastructure | Windows Server computers with File Server Resource Manager installed |
This configuration requires registry settings with the following options:
- Automatically edit registry settings
- Manually edit registry settings
Important
In either case, you must manually install prerequisites and configure Exchange, SharePoint, and file classification infrastructure to use Rights Management.
Note
For most organizations, automatic configuration using the Microsoft RMS Connector Server Configuration Tool is the best option because it is more efficient and reliable than manual configuration.
After making configuration changes to these servers, you must restart them if they are running Exchange or SharePoint and were previously configured to use AD RMS. You do not need to restart these servers when configuring them for Rights Management for the first time.
You must always restart a file server that is configured to use File Classification Infrastructure after making these configuration changes.
Automatically edit registry settings: pros and cons
Edit your registry settings automatically with the Microsoft RMS Connector Server Configuration Tool.
The benefits include:
- No direct editing of the registry. This is automated for you through the use of a script.
- You don't need to run a Windows PowerShell cmdlet to get the Microsoft RMS URL.
- Prerequisites are automatically checked (but not automatically fixed) when you run it locally.
Disadvantages include:
- When running the tool, you must connect to a server that is already running the RMS connector.
For more information, see How to Use the Server Configuration Tool for the Microsoft RMS Connector.
Manually Edit Registry Settings: Pros and Cons
The benefits include:
- A connection to a server running the RMS connector is not required.
Disadvantages include:
- Increased administrative overhead that is prone to errors.
- You need to get your Microsoft RMS URL, which requires running a Windows PowerShell command.
- You should always run all prerequisite checks yourself.
How to Use the Server Configuration Tool for the Microsoft RMS Connector
If you haven't already downloaded the Microsoft RMS Connector Server Configuration Tool script (GenConnectorConfig.ps1), download it from the Microsoft Download Center.
Save the GenConnectorConfig.ps1 file on the computer where you will run the tool.
If you are running the tool locally, this must be the server you want to configure to communicate with the RMS connector. If not, you can save it to any computer.
Decide how to run the tool:
Method | Description |
---|---|
Locally | Run the tool interactively on the server that will be configured to communicate with the RMS connector. Tip: This is useful for a one-time setup, such as a test environment. |
Software delivery | Run the tool to create log files, which you publish to one or more relevant servers. Deploy the log files using a systems management application that supports software deployment, such as System Center Configuration Manager. |
Group Policy | Run the tool to create a script that you give to an administrator, who uses it to create GPOs to configure the servers. This script creates a Group Policy Object for each type of server to be configured, which the administrator can assign to the appropriate servers. |
Note
This tool configures the servers that communicate with the RMS connector listed at the beginning of this section. Do not run this tool on servers running the RMS connector.
Start Windows PowerShell with the Run as administrator option and use the Get-Help command to read instructions on how to use the tool for the chosen configuration method:
Get-Help .\GenConnectorConfig.ps1 -Verbose
To run the script, you must enter the URL of your organization's RMS connector.
Enter the protocol prefix (HTTP:// or HTTPS://) and connector name that you defined in DNS for your connector's load balancer address. For example, https://connector.contoso.com.
The tool uses this URL to communicate with the servers running the RMS Connector and retrieve other parameters used to create the necessary configurations.
Important
When running this tool, be sure to specify the name of the load-balanced RMS Connector for your organization and not the name of an individual server running the RMS Connector service.
Use the following sections for information specific to each type of service:
Configure an Exchange Server to Use the Connector
Configure a SharePoint Server to Use the Connector
Configure a file classification infrastructure file server to use the connector
Install client applications on separate computers that are not configured to use the connector
After configuring these servers to use the connector, client applications installed locally on these servers may not work with RMS. In this case, applications try to use the connector instead of using RMS directly, which is not supported.
You must install client applications on separate computers that are not configured to use the connector. They will then use RMS directly, as intended.
Configure an Exchange Server to Use the Connector
The following Exchange roles communicate with the RMS Connector:
For Exchange 2016 and Exchange 2013: Client Access Server and Mailbox Server
For Exchange 2019: Client Access Servers and Hub Transport Servers
To use the RMS connector, these servers running Exchange must be running one of the following software versions:
- Exchange Server 2016
- Exchange Server 2013 with Cumulative Update 3 for Exchange 2013
- Exchange Server 2019
On these servers, you will also need an RMS version 1 client (also known as MSDRM) that includes support for RMS Cryptographic Mode 2. All Windows operating systems include the MSDRM client, but previous versions of the client did not support Cryptographic Mode 2. If your Exchange servers are running at least Windows Server 2012, then no further action is required as the RMS client installed with these operating systems natively supports cryptographic mode 2.
Important
If these or later versions of Exchange and the MSDRM client are not installed, you will not be able to configure Exchange to use the connector. Make sure these versions are installed before proceeding.
How to Configure Exchange Servers to Use the Connector
Make sure the Exchange servers are authorized to use the RMS Connector by using the RMS Connector Administration Tool and the information in the Authorize Servers to Use the RMS Connector section.
This setting is required for Exchange to use the RMS connector.
For Exchange server roles that communicate with the RMS connector, do one of the following:
Run the Microsoft RMS Connector Server Configuration Tool.
For more information, see How to Use the Server Configuration Tool for the Microsoft RMS Connector.
For example, to run the tool locally to configure a server running Exchange 2016 or Exchange 2013:
.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013
Make manual registry changes. For more information, see Registry Settings for the RMS Connector.
Enable IRM functionality for Exchange by using the Exchange PowerShell cmdlet Set-IRMConfiguration. Set InternalLicensingEnabled $true and ClientAccessServerEnabled $true.
Configure a SharePoint Server to Use the Connector
Front-end SharePoint web servers, including those hosting the central administration server, communicate with the RMS connector.
To use the RMS connector, those servers running SharePoint must be running one of the following software versions:
- SharePoint Server 2019
- SharePoint Server 2016
- SharePoint Server 2013
A server running SharePoint 2019, 2016, or SharePoint 2013 must also be running an MSIPC 2.1 client version that supports the RMS Connector.
To ensure you have a compatible version, download the latest client from the Microsoft Download Center.
Notice
There are several versions of the MSIPC 2.1 client, so make sure you have version 1.0.2004.0 or higher.
You can verify the client version by checking the version number of Msipc.dll, located in \Program Files\Active Directory Rights Management Services Client 2.1. The properties dialog box displays the version number of the MSIPC 2.1 client.
Make sure the SharePoint servers are authorized to use the RMS connector by using the RMS connector administration tool and the information in the Authorize Servers to Use the RMS Connector section.
This configuration is required for your SharePoint servers to use the RMS connector.
On SharePoint servers that communicate with the RMS connector, do one of the following:
Run the Microsoft RMS Connector Server Configuration Tool
For more information, see How to Use the Server Configuration Tool for the Microsoft RMS Connector.
For example, to run the tool locally to configure a server running SharePoint 2019, 2016 or SharePoint 2013:
.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013
If you are using SharePoint 2019, 2016 or SharePoint 2013, make manual registry changes using the information in Registry Settings for the RMS Connector to manually add registry settings on servers.
Enable IRM on SharePoint. When you follow these instructions, you must configure SharePoint to use the connector by specifying Use this RMS server and entering the URL of the load-balanced connector that you configured.
Enter the protocol prefix (HTTP:// or HTTPS://) and connector name that you defined in DNS for your connector's load balancer address.
For example, if your connector name is https://connector.contoso.com, your configuration will look like the following image:
After enabling IRM on a SharePoint farm, you can enable IRM on individual libraries using the Information rights management option on the library settings page for each of the libraries.
Configure a file classification infrastructure file server to use the connector
To use the RMS connector and file classification infrastructure to protect Office documents, the file server must be running one of the following operating systems:
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
How to Configure File Servers to Use the Connector
Make sure the file servers are authorized to use the RMS Connector by using the RMS Connector Administration Tool and the information in the Authorize Servers to Use the RMS Connector section.
This setting is required for your file servers to use the RMS connector.
On file servers configured for file classification infrastructure that communicate with the RMS connector, do one of the following:
Run the Microsoft RMS Connector Server Configuration Tool
For more information, see How to Use the Server Configuration Tool for the Microsoft RMS Connector.
For example, to run the tool locally to configure a file server running FCI:
.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetFCI2012
Make manual registry changes using the information in Registry Settings for the RMS Connector to manually add registry settings on servers.
Create classification rules and file management tasks to protect documents with RMS encryption, then specify an RMS template to automatically apply RMS policies.
For more information, see File Server Resource Manager Overview in the Windows Server documentation library.
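The prerequisites named in the Exchange, SharePoint and FCI sections above can be checked in one pass before running GenConnectorConfig.ps1 or editing the registry by hand. The following is an added example, not part of the original article or Microsoft's tooling; the function name Test-RmsConnectorPrereq and its output shape are hypothetical, and it assumes the MSIPC client is installed under the default Program Files folder and that NT version 6.2 corresponds to Windows Server 2012.

```powershell
# Added example (not Microsoft's code). Test-RmsConnectorPrereq and its output
# shape are hypothetical; run it on the server you are about to configure.
function Test-RmsConnectorPrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $ConnectorUri,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Exchange', 'SharePoint', 'FCI')] [string] $ServerType
    )

    # 1. Connector URL: protocol prefix plus the DNS name only, no path or query.
    #    Whether the name is the load-balanced one cannot be verified from here.
    $uri = $null
    $uriOk = [Uri]::TryCreate($ConnectorUri, [System.UriKind]::Absolute, [ref] $uri) -and
             ($uri.Scheme -in 'http', 'https') -and
             ($uri.AbsolutePath -eq '/') -and (-not $uri.Query)
    if (-not $uriOk) {
        $detail = 'Expected http(s)://<load-balanced connector name>'
    } elseif ($uri.Scheme -eq 'http') {
        $detail = 'Accepted, but HTTP traffic to the connector is not TLS-protected'
    } else {
        $detail = "Host: $($uri.Host)"
    }
    [pscustomobject]@{ Check = 'ConnectorUri'; Passed = $uriOk; Detail = $detail }

    # 2. Exchange and FCI: Windows Server 2012 or later (assumption: NT 6.2).
    #    ProductType 1 is a workstation edition, which is never a valid target.
    if ($ServerType -ne 'SharePoint') {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        $osOk = ([version] $os.Version -ge [version] '6.2') -and ($os.ProductType -ne 1)
        [pscustomobject]@{
            Check  = 'OperatingSystem'
            Passed = $osOk
            Detail = "$($os.Caption) ($($os.Version))"
        }
    }

    # 3. SharePoint: MSIPC 2.1 client must be version 1.0.2004.0 or higher.
    if ($ServerType -eq 'SharePoint') {
        # Assumption: default install folder under %ProgramFiles%.
        $dll = Join-Path $env:ProgramFiles `
            'Active Directory Rights Management Services Client 2.1\Msipc.dll'
        if (Test-Path -LiteralPath $dll) {
            $vi = (Get-Item -LiteralPath $dll).VersionInfo
            # Build the version from numeric parts; FileVersion strings can
            # carry trailing text that [version] cannot parse.
            $found = [version] ('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
                $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                Check  = 'MsipcClient'
                Passed = ($found -ge [version] '1.0.2004.0')
                Detail = "Found $found, need 1.0.2004.0 or higher"
            }
        } else {
            [pscustomobject]@{
                Check  = 'MsipcClient'
                Passed = $false
                Detail = "Msipc.dll not found at $dll"
            }
        }
    }
}

# Example call on a SharePoint front-end server; stop if any check fails.
$checks = Test-RmsConnectorPrereq -ConnectorUri 'https://rmsconnector.contoso.com' `
    -ServerType SharePoint
$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) { Write-Warning 'Fix failed checks first.' }
```

The checks only read local state, so they can run before the server is authorized in the RMS connector administration tool.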
Next steps
Now that the RMS connector is installed and configured, and your servers are configured to use it, IT administrators and users can protect and use email messages and documents with the Azure Rights Management service.
To simplify this task for your users, deploy the Azure Information Protection client, which installs an Office add-in and adds new right-click options to File Explorer.
For more information, see Azure Information Protection Customer Administrator Guide.
Note the following: If you are configuring department templates that you plan to use with Exchange or Windows Server FCI transport rules, the scope configuration must include the Application Compatibility option so that the Show this template to all users when apps don't support user identity checkbox is checked.
You can use the Roadmap for deploying Azure Information Protection to check whether you want to perform additional configuration steps before implementing Azure Rights Management for users and administrators.
For information on how to monitor the RMS port, see Monitor the Microsoft Rights Management connector.