CHAPTER 11


Azure Rights Management Services

In the mobile world that we live in today, everyone can use a personal device to access corporate data, e-mail, LOB apps, and other sensitive information—from any place and at any time. A huge amount of data can be exposed to and accessed by unauthorized people, whether from the loss or theft of a device, or even when a user doesn’t follow the right procedures to protect a device and the data on it.

It is very important to have information and content protection solutions to make sure that data is always protected and only accessed by the right people. Usually, rights management solutions allow you to encrypt and protect files by simply defining the rights of each user (e.g., read-only, edit, copy, paste, print, forward, etc.).

This chapter discusses Microsoft Azure Rights Management Services (RMS) and how to configure, manage, and maintain it using PowerShell.

Azure Rights Management Services

You can think of Azure RMS as the second generation of Microsoft RMS. Actually, RMS is not something new to Microsoft. RMS has been available as Active Directory Rights Management Services (AD RMS) since Windows Server 2003; it is used to help protect sensitive corporate data and information.

AD RMS never became popular, for several reasons: it only works on the Windows operating system; it natively protects only Microsoft Office files; protecting PDF files requires third-party products; protected content cannot be shared with people in another organization unless a federation trust exists between the two organizations; and, most important, the implementation is complex.

The good news is that Microsoft has overcome all of AD RMS’s limitations and has even added interesting capabilities in Azure RMS.

Azure RMS is a cross-platform solution; it works on Windows, Windows Phone, Mac OS, iOS, and Android. It can protect any file type, not just Microsoft Office files. It is a cloud service that relies on Azure Active Directory (AD), which means that encryption-key management and key exchange are handled in the cloud. It is reachable from any place and on any device, which makes it possible to share protected files with anyone, whether an internal employee or an external customer or partner, without the need for AD federation.

You can read more about the differences between AD RMS and Azure RMS in the article at https://technet.microsoft.com/en-us/library/jj739831.aspx.

Azure RMS also allows features like document tracking, which keeps the file owner aware of who successfully accessed or failed to access a protected file. There is even a feature that permits immediate access revocation. You can read more about the Azure RMS document tracking portal in the article at http://blogs.technet.com/b/rms/archive/2015/05/04/doctracking.aspx.

Although Azure RMS is a cloud service, it can still integrate with on-premises servers such as Exchange Server, SharePoint Server, and file servers. This integration is done through an Azure RMS connector that allows these on-premises services to communicate with Azure RMS.

Before moving to the next section, make sure that you have a subscription to Azure RMS. If you don’t have one, you can get it by subscribing to an Office 365 Enterprise E3 trial at https://products.office.com/en/business/compare-more-office-365-for-business-plans.

Azure RMS and PowerShell

Azure RMS has its own PowerShell module: Azure Active Directory Rights Management (AADRM). The AADRM PowerShell module comes as part of the Azure Rights Management Administration Tool that you download from http://go.microsoft.com/fwlink/?LinkId=257721.

The AADRM PowerShell module requires at least Windows PowerShell 2.0 and .NET Framework 4.5, so if you are running Windows 8.0 or Windows Server 2012 (or later), no extra steps are needed. It also requires the Microsoft Online Services Sign-in Assistant, just like the Azure AD module for PowerShell; if you followed the installation of the Azure AD module in the previous chapter, nothing else is required on your side.

As of this writing, 2.2.0.0 is the current version of the AADRM module; you can always check your module’s version by using the following command.

## Check AADRM Module Version
Import-Module AADRM

(Get-Module aadrm).Version

Major  Minor  Build  Revision
-----  -----  -----  --------
2      2      0      0

To begin managing Azure RMS via PowerShell, you need to connect to Azure RMS. It is similar to the Azure AD PowerShell module. Do you remember the Connect-MsolService cmdlet? The equivalent cmdlet in the AADRM module is the Connect-AadrmService cmdlet; it also has the -Credential parameter. The credential you pass should be one of the Azure RMS administrators.

#Connecting to Azure RMS Service
Connect-AadrmService -Credential (Get-Credential admin@<YOUR_TENANT>.onmicrosoft.com)

You can disconnect from the Azure RMS using the Disconnect-AadrmService cmdlet.

Now that you are connected to the Azure RMS, let’s have a look at the configuration of the Azure RMS tenant. To achieve this task, use the Get-AadrmConfiguration cmdlet.

#Get Azure RMS Configuration
Get-AadrmConfiguration

BPOSId                                    : 7b0d20e9-f930-7777-8888-e8572a9caf93
RightsManagementServiceId                 : 284fd103-dd93-3333-4444-bca2ba2e66c9
LicensingIntranetDistributionPointUrl     : https://284fd103-dd93-3333-4444-bca2ba2e66c9.rms.eu.aadrm.com/_wmcs/licensing
LicensingExtranetDistributionPointUrl     : https://284fd103-dd93-3333-4444-bca2ba2e66c9.rms.eu.aadrm.com/_wmcs/licensing
CertificationIntranetDistributionPointUrl : https://284fd103-dd93-3333-4444-bca2ba2e66c9.rms.eu.aadrm.com/_wmcs/certification
CertificationExtranetDistributionPointUrl : https://284fd103-dd93-3333-4444-bca2ba2e66c9.rms.eu.aadrm.com/_wmcs/certification

AdminConnectionUrl                        : https://admin.eu.aadrm.com/admin/admin.svc/Tenants/284fd103-dd93-3333-4444-bca2ba2e66c9

AdminV2ConnectionUrl                      : https://admin.eu.aadrm.com/adminV2/admin.svc/Tenants/284fd103-dd93-3333-4444-bca2ba2e66c9

OnPremiseDomainName                       :
Keys                                      : {284fd103-dd93-3333-4444-bca2ba2e66c9}
CurrentLicensorCertificateGuid            : 284fd103-dd93-3333-4444-bca2ba2e66c9
Templates                                 : {7ad4e974-e616-7777-88888-50583c202233, dba93e31-77dd-2222-9ea2-58cdbdb833e0, 2fa3ddce-21ee-5555-8abd-1826cbe974ca,
                                            56ee69a5-40bb-42f2-bffa-54d4c855cfa2...}
FunctionalState                           : Enabled
SuperUsersEnabled                         : Disabled
SuperUsers                                : {}
AdminRoleMembers                          : {}
KeyRolloverCount                          : 0
ProvisioningDate                          : 9/11/2014 3:32:23 PM
IPCv3ServiceFunctionalState               : Enabled
DevicePlatformState                       : {Windows -> True, WindowsStore -> True, WindowsPhone -> True, Mac -> True...}
FciEnabledForConnectorAuthorization       : True

As mentioned earlier, Azure RMS integrates with on-premises services such as Exchange Server and SharePoint Server. It also integrates with the Windows Server File Classification Infrastructure (FCI). This integration happens via a component called the Azure RMS connector; thus, the preceding configuration with the FciEnabledForConnectorAuthorization property indicates that the Azure RMS tenant is enabled for FCI integration.

Now you know the Azure RMS tenant configuration. Let’s activate the RMS service. If you don’t know whether the Azure RMS is already activated or not, use the Get-Aadrm cmdlet. To activate Azure RMS, use the Enable-Aadrm cmdlet; of course, you use the Disable-Aadrm cmdlet to deactivate it.

#Activating Azure RMS (Get-Aadrm returns the activation status as a string)
if ((Get-Aadrm) -eq 'Disabled')
{
    Enable-Aadrm
}
else
{
    "Azure RMS is already enabled."
}

Azure RMS is cross platform and supports different operating systems, and you can use PowerShell to control which of those platforms are allowed to use Azure RMS.

First, for Azure RMS to work on mobile devices, you need to make sure that the MSIPCv3 platform is enabled. To achieve this task, you can use the Get-AadrmIPCv3Service cmdlet. This service should be enabled by default; but if you find it disabled for any reason, then use the Enable-AadrmIPCv3Service cmdlet to enable it again.

#Enable MS IPC v3 Platform
Enable-AadrmIPCv3Service

By design, Azure RMS is enabled for all device platforms. You can easily verify this by using the Get-AadrmDevicePlatform cmdlet along with the -All parameter to show the current status of all available platforms. You can also get the support status of a specific operating system by using right parameters, such as -Windows to get the status of Windows or -Android to get the status of Android, and so on.

#Get Azure RMS support status for Devices
Get-AadrmDevicePlatform -All

Key                                     Value
---                                     -----
Windows                                 True
WindowsStore                            True
WindowsPhone                            True
Mac                                     True
iOS                                     True
Android                                 True
Web                                     True

To enable or disable Azure RMS support for a specific platform, use the Enable-AadrmDevicePlatform and Disable-AadrmDevicePlatform cmdlets. Both cmdlets use the same parameters as the Get-AadrmDevicePlatform cmdlet. You can use -All to enable or disable all platforms at once, or you can specify the parameter of each platform that you want to control.

For example, to disable Azure RMS support for Android and Windows Store, you use the Disable-AadrmDevicePlatform cmdlet along with the -Android and -WindowsStore parameters.

#Disable Azure RMS for specific platform
Disable-AadrmDevicePlatform -WindowsStore -Android
Specified device platform for Rights management IPC v3 service has been successfully disabled.

#Get Azure RMS support status for Devices
Get-AadrmDevicePlatform -All

Key                                     Value
---                                     -----
Windows                                 True
WindowsStore                            False
WindowsPhone                            True
Mac                                     True
iOS                                     True
Android                                 False
Web                                     True

So far, so good. Azure RMS is activated and you control which device platforms it supports. Now it's time to do some configuration and build a couple of templates.
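The following script is an added example, not code from the original chapter. It applies a device-platform allow-list idempotently: it compares the current state reported by Get-AadrmDevicePlatform -All with the desired state and calls Enable-AadrmDevicePlatform or Disable-AadrmDevicePlatform only for platforms that differ, so it is safe to run repeatedly from a scheduled job. The allow-list itself is an assumption for illustration, and the script assumes that Get-AadrmDevicePlatform -All returns key/value pairs (platform name and a Boolean), as the output above shows.

```powershell
# Added example (not from the original chapter): enforce a device-platform
# allow-list, changing only the platforms whose state differs from policy.
# The allow-list below is an assumption; adjust it to your organization's policy.
$DesiredPlatforms = @{
    Windows      = $true
    WindowsStore = $false
    WindowsPhone = $true
    Mac          = $true
    iOS          = $true
    Android      = $false
    Web          = $true
}

function Set-AadrmPlatformBaseline {
    param([hashtable]$Desired)

    # Assumption: Get-AadrmDevicePlatform -All returns platform-name -> Boolean pairs.
    $Current = @{}
    foreach ($entry in (Get-AadrmDevicePlatform -All).GetEnumerator()) {
        $Current[[string]$entry.Key] = [bool]$entry.Value
    }

    foreach ($platform in $Desired.Keys) {
        if (-not $Current.ContainsKey($platform)) {
            Write-Warning "Platform '$platform' is not reported by the service; skipping."
            continue
        }
        # Already in the desired state: nothing to do (keeps the run idempotent).
        if ($Current[$platform] -eq $Desired[$platform]) { continue }

        # The platform is selected with a switch parameter, e.g. -Android; splatting
        # a hashtable with the platform name as key passes that switch dynamically.
        $switch = @{ $platform = $true }
        if ($Desired[$platform]) {
            Enable-AadrmDevicePlatform @switch
            "Enabled  $platform"
        } else {
            Disable-AadrmDevicePlatform @switch
            "Disabled $platform"
        }
    }
}

Set-AadrmPlatformBaseline -Desired $DesiredPlatforms

# Show the end state so the change is visible in the job output
Get-AadrmDevicePlatform -All
```

Run it after Connect-AadrmService. Because it only touches platforms that drift from the allow-list, the run output doubles as a drift report: any "Enabled" or "Disabled" line means someone changed the setting since the last run.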

Working with Rights Policy Templates

The RMS template defines how the documents are protected and which rights are assigned to which users. Figure 11-1 shows all the policy templates available for an Azure tenant on the Azure portal.


Figure 11-1. Azure RMS rights policy templates

To get the templates shown in Figure 11-1, log in to the Azure portal and follow these steps:

  1. In the left pane, click ACTIVE DIRECTORY.
  2. From the Active Directory page, click RIGHTS MANAGEMENT.
  3. Select the directory to manage Rights Management.

The rights policy templates can be managed and configured from the Azure portal or from PowerShell. You can learn more about configuring custom templates for Azure RMS in the article at https://technet.microsoft.com/library/dn642472.aspx.

From PowerShell, the AADRM has a set of cmdlets for templates configuration and management. You can get the list of these cmdlets using the following command.

#Get AADRM Templates Cmdlets
Get-Command -Module AADRM -Noun *Template* | Select Name

Name
----
Add-AadrmTemplate
Export-AadrmTemplate
Get-AadrmTemplate
Get-AadrmTemplateProperty
Import-AadrmTemplate
Remove-AadrmTemplate
Set-AadrmTemplateProperty

For the purpose of creating a policy template using PowerShell, use the Add-AadrmTemplate cmdlet. The Add-AadrmTemplate cmdlet contains the following parameters:

  • -Names: Specifies a name for the template; you can define multiple names for multiple locale IDs.
  • -ContentExpirationOption: Specifies when the content protected by this template expires. The options are Never, OnDate, AfterDays.
  • -ContentExpirationDate: Specifies the date on which the content will expire. Use this parameter if the Content Expiration option is set to OnDate.
  • -ContentValidityDuration: Specifies the number of days that the content stays valid after the day it was protected; after that it expires. Use this parameter if the content expiration option is set to AfterDays.
  • -Descriptions: Specifies a description for the template; you can define multiple descriptions for multiple locale IDs.
  • -LicenseValidityDuration: Specifies the number of days that protected content remains available offline, without Internet connectivity, after a use license has been acquired. To make the content always require an Internet connection (so that revocation and policy changes take effect immediately), use the value 0. Keep in mind that the maximum use license validity time is an organization-wide setting, 30 days by default, so LicenseValidityDuration cannot exceed 30 days unless you change that maximum with the Set-AadrmMaxUseLicenseValidityTime cmdlet.
  • -Status: Specifies the status of the template: Archived or Published. If not specified, the default value is archived.
  • -RightsDefinitions: Specifies the list of rights granted to users or groups to access the contents protected by this template. The rights definition object is created using the New-AadrmRightsDefinition cmdlet. Table 11-1 shows the list of available rights.

Table 11-1. Rights Definition Values for the New-AadrmRightsDefinition Cmdlet

Right           Description
-----           -----------
VIEW            Interpreted by most applications as allowed to present the data on the screen.
EDIT            Interpreted by most applications as allowed to modify content in the document and save it.
DOCEDIT         Interpreted by most applications as allowed to modify the content of the document.
EXTRACT         Interpreted by most applications as allowed to copy the content to the clipboard or otherwise extract the content in unencrypted form.
VIEWRIGHTSDATA  Interpreted by applications as allowed to view the policy on the document.
EDITRIGHTSDATA  Interpreted by applications as allowed to modify the policy on the document.
OBJMODEL        Interpreted by most applications as allowed to access the document programmatically; for example, by using macros.
EXPORT          Interpreted by most applications as allowed to save the file in unencrypted form; for example, this right allows saving in a different file format that does not support protection.
PRINT           Interpreted by most applications as allowed to print the document.
OWNER           The user has all rights on the document, including the ability to remove protection.

  • -ScopedIdentities: Specifies the users or groups that can see and select this template from applications; in the Azure portal, templates scoped this way are known as departmental templates. The scoping is only enforced by applications that support departmental templates; for applications that don't, the -EnableInLegacyApps parameter decides what happens.
  • -EnableInLegacyApps: Controls whether a departmental template is available in applications that don't support departmental templates. If set to true, all users of those applications can see and select the template, including users outside the scoped identities. If set to false, no one can see or select the template from those applications, even users who are within the scope.

Now you know the cmdlets and the parameters. Let’s create the first template. The template that you are about to create allows read-only access to the content protected by it. This template will also have multiple locale IDs (English and French).

Tip  You can get the list of locale IDs from https://msdn.microsoft.com/en-us/goglobal/bb895996.aspx.

#Create Read-Only Policy Template
#Define Policy Template Names (English & French)
$Names = @{}
$Names[1033] = "Company123 - Confidential Content"
$Names[1036] = "Company123 - Contenu Confidentiel"

#Define Policy Template Descriptions (English & French)
$Descriptions = @{}
$Descriptions[1033] = "The content protected by this template is read-only"
$Descriptions[1036] = "Le contenu protégé par ce modèle est en lecture seule"

#Rights Definitions (VIEW only: adding EXPORT or EXTRACT would let readers save
#or copy the content in unprotected form, which defeats a read-only policy)
$RD1 = New-AadrmRightsDefinition -EmailAddress [email protected] -Rights "VIEW"

$RD2 = New-AadrmRightsDefinition -EmailAddress [email protected] -Rights "OWNER"

#Creating Policy Template
Add-AadrmTemplate -Names $Names -Descriptions $Descriptions -RightsDefinitions $RD1,$RD2 -ContentExpirationOption AfterDays -ContentValidityDuration 14 -LicenseValidityDuration 0

A template with ID 5d538fc3-95a6-4f69-88f0-551a64c35c48 was added to the list of templates for the Rights management service.

TemplateId  : 5d538fc3-95a6-4f69-88f0-551a64c35c48
Name        : Company123 - Confidential Content
Description : The content protected by this template is read-only

The preceding code created a template and defined almost everything, but the template was not published, which means that the template is there but no one can use or see it.

To change any of the template’s properties after creating it, you use the Set-AadrmTemplateProperty cmdlet along with the -TemplateId parameter (which the last command returned) to define the template to update, and the property that you want to change, which is -Status in this case.

#Update Template Property
Set-AadrmTemplateProperty -TemplateId 5d538fc3-95a6-4f69-88f0-551a64c35c48 -Status Published

Template with ID 5d538fc3-95a6-4f69-88f0-551a64c35c48 was successfully updated for the Rights management service.

TemplateId  : 5d538fc3-95a6-4f69-88f0-551a64c35c48
Name        : Company123 - Confidential Content
Description : The content protected by this template is read-only

You can list all the templates in Azure RMS using the Get-AadrmTemplate cmdlet, and you can remove a template using the Remove-AadrmTemplate cmdlet. You can also read a template's properties using the Get-AadrmTemplateProperty cmdlet along with the -TemplateId parameter and a switch for each property that you want to get. For example, to get the template names and status, you specify the -Names and -Status parameters.

#Get Template Property
Get-AadrmTemplateProperty -TemplateId 5d538fc3-95a6-4f69-88f0-551a64c35c48 -Status -Names

Key                         Value
---                         -----
Names                       {1033 -> Company123 - Confidential Content}
Status                      Published
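The following is an added example, not code from the original chapter. It builds a departmental template with the -ScopedIdentities and -EnableInLegacyApps parameters described earlier, gives the content a fixed expiry date, restricts offline use to seven days, and publishes the template in the same call so that no separate Set-AadrmTemplateProperty step is needed. The group and owner addresses, the template name and the expiry date are placeholders; the verification step assumes that Get-AadrmTemplateProperty returns key/value pairs as shown in the output above.

```powershell
# Added example (not from the original chapter): a departmental (scoped)
# template that only an assumed finance group can see, published on creation.
# All addresses, names and the expiry date below are placeholders.
$Names = @{}
$Names[1033] = "Company123 - Finance Only"

$Descriptions = @{}
$Descriptions[1033] = "Finance staff may view and print; nothing may be copied or exported"

# VIEW and PRINT only for the finance group; one service owner keeps full control.
# EXTRACT and EXPORT are deliberately absent so content cannot leave the protection.
$RD1 = New-AadrmRightsDefinition -EmailAddress 'finance@company123.com'  -Rights 'VIEW','PRINT'
$RD2 = New-AadrmRightsDefinition -EmailAddress 'rmsowner@company123.com' -Rights 'OWNER'

$Template = Add-AadrmTemplate -Names $Names -Descriptions $Descriptions `
    -RightsDefinitions $RD1,$RD2 `
    -ContentExpirationOption OnDate -ContentExpirationDate '2016-12-31' `
    -LicenseValidityDuration 7 `
    -ScopedIdentities 'finance@company123.com' `
    -EnableInLegacyApps $false `
    -Status Published

# Verify: the template must be Published and scoped to the finance group only.
# Assumption: the cmdlet returns key/value pairs, as in the output shown above.
$Props = Get-AadrmTemplateProperty -TemplateId $Template.TemplateId -Status -ScopedIdentities
$Props

$Status = ($Props.GetEnumerator() | Where-Object { $_.Key -eq 'Status' } | Select-Object -First 1).Value
if ("$Status" -ne 'Published') {
    Write-Warning "Template $($Template.TemplateId) is not published; users will not see it."
}
```

Setting -EnableInLegacyApps to $false is the conservative choice: an application that cannot evaluate the scope shows the template to nobody, rather than to everybody. The seven-day LicenseValidityDuration bounds how long a revoked user can keep reading a document they already opened.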

Moreover, the policy templates can be exported and imported using the Export-AadrmTemplate and Import-AadrmTemplate cmdlets.

The following code exports all available Azure RMS policy templates to XML files; each file is named after the template's default (English) name. The target folder must already exist.

#Export All Azure RMS Templates
$Templates = Get-AadrmTemplate

ForEach($t in $Templates)
{
    Export-AadrmTemplate -TemplateId $t.TemplateId -Path ("C:\AzureRMS\Templates\" + $t.Name + ".xml")
}

Now, delete one of your templates and then import it again from the XML file that the previous code exported. If you don't remove the template before running the import cmdlet, the existing template is overwritten by the template that you are importing.

#Import Azure RMS Template
Import-AadrmTemplate -Path 'C:\AzureRMS\Templates\Company123 - Confidential Content.xml'

The template file was uploaded successfully to the Rights management service and a template with ID 87145634-1bf9-4b71-8587-e71b9fe06be3 was created or updated.

TemplateId  : 87145634-1bf9-4b71-8587-e71b9fe06be3
Name        : Company123 - Confidential Content
Description : The content protected by this template is read-only

Ta-da! The template has been restored successfully. Notice that the imported template's status is Archived, so don't forget to publish it again if you want users to keep seeing it.

It's very important to use the export feature as a backup so that you have a reference copy of each template in case one is deleted by mistake.

Azure RMS Super User

The Azure RMS super-user feature allows authorized persons and services to access and inspect protected content, and to remove or change the applied protection.

Popular scenarios for using the super-user feature include when you have antimalware products that need to inspect files or when Exchange Server needs to index mailboxes for search operations. Another scenario is when you need to allow auditors or the legal department to have access to specific documents.

By default, the super-user feature is not enabled and no users are assigned this role. However, it is enabled automatically if you configure the rights management connector for Exchange Server.

To determine the status of the super-user feature for your organization, use the Get-AadrmSuperUserFeature cmdlet. You use the Enable-AadrmSuperUserFeature cmdlet to enable it and the Disable-AadrmSuperUserFeature cmdlet to disable it.

#Enable Azure RMS Super User Feature
Enable-AadrmSuperUserFeature

The super user feature is enabled for the Rights management service.

Once you enable the super-user feature, you need to add users to this role. You can only add individual users to the super-user list; groups are not supported. This makes sense: you don't want super-user privileges granted through a group that anyone could be added to.

To add a user to a super-user list, use the Add-AadrmSuperUser cmdlet along with the -EmailAddress parameter.

#Add Azure RMS Super User
Add-AadrmSuperUser -EmailAddress [email protected]

[email protected] was added to the list of super users for the Rights management service.

To remove a user from the super-user list, use the Remove-AadrmSuperUser cmdlet along with the same -EmailAddress parameter. Also, you can get the list of super users using the Get-AadrmSuperUser cmdlet.

The super-user feature is a double-edged sword: anyone on the list can decrypt any content that your organization protects. Be careful with it and keep the list as short as possible.

Configuring Azure RMS Role-Based Admins

The Azure RMS allows you to delegate RMS component administration tasks. By default, Azure RMS has two role-based administration roles:

  • RMS Global Administrator: The users and groups assigned to this role have full administrative privileges on the Azure RMS tenant.
  • RMS Connector Administrator: The users and groups assigned to this role have the rights to install and administer the RMS connector for the organization.

To grant a user administrative rights on the Azure RMS tenant, you use the Add-AadrmRoleBasedAdministrator cmdlet. Use the -Role parameter to specify the role type, either GlobalAdministrator or ConnectorAdministrator. Use the -EmailAddress parameter to specify the e-mail address of the user. However, if you want to grant admin rights to a group, then you replace the -EmailAddress parameter with the -SecurityGroupDisplayName parameter.

The following example shows how to grant admin rights to a user.

#Grant Admin. Rights to User
Add-AadrmRoleBasedAdministrator -Role GlobalAdministrator -EmailAddress [email protected]

[email protected] was added to the list of administrators for the Rights management service.

Also, you can list all the role-based administrators using the Get-AadrmRoleBasedAdministrator cmdlet; you can remove them using the Remove-AadrmRoleBasedAdministrator cmdlet.
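The following script is an added example, not code from the original chapter: a periodic access review that compares the super-user list and the RMS global administrators with an approved list and reports anything unexpected. It also warns when the super-user feature is enabled with nobody assigned, which is attack surface without a purpose. The approved addresses are placeholders. The script assumes that Get-AadrmSuperUser and Get-AadrmRoleBasedAdministrator return either plain e-mail strings or objects carrying the address in an EmailAddress, Email or DisplayName property, and that Get-AadrmRoleBasedAdministrator accepts the same -Role parameter as the Add cmdlet. With -Enforce it removes unapproved super users; administrators are only reported, so a mistake in the approved list cannot lock you out.

```powershell
# Added example (not from the original chapter): access review for Azure RMS
# super users and RMS global administrators against an approved list.
function Invoke-AadrmAccessReview {
    param(
        [string[]]$ApprovedSuperUsers,
        [string[]]$ApprovedGlobalAdmins,
        [switch]$Enforce   # remove unapproved super users instead of only reporting them
    )

    # Normalise whatever the cmdlets return (string or object) to a lower-case address.
    # Which property carries the address is an assumption; the fallback is the string form.
    function Get-Address($Entry) {
        foreach ($p in 'EmailAddress', 'Email', 'DisplayName') {
            if ($Entry.PSObject.Properties[$p]) { return ([string]$Entry.$p).ToLower() }
        }
        return ([string]$Entry).ToLower()
    }

    $FeatureState = Get-AadrmSuperUserFeature
    $SuperUsers   = @(Get-AadrmSuperUser | ForEach-Object { Get-Address $_ })
    $Admins       = @(Get-AadrmRoleBasedAdministrator -Role GlobalAdministrator |
                      ForEach-Object { Get-Address $_ })

    $ApprovedSU = @($ApprovedSuperUsers   | ForEach-Object { $_.ToLower() })
    $ApprovedGA = @($ApprovedGlobalAdmins | ForEach-Object { $_.ToLower() })

    "Super-user feature: $FeatureState"
    "Super users ($($SuperUsers.Count)): $($SuperUsers -join ', ')"
    "RMS global administrators ($($Admins.Count)): $($Admins -join ', ')"

    # Feature enabled but nobody assigned: no benefit, only risk. Suggest turning it off.
    if ($SuperUsers.Count -eq 0 -and "$FeatureState" -match 'Enabled') {
        Write-Warning "Super-user feature is enabled but no super users are assigned; consider Disable-AadrmSuperUserFeature."
    }

    foreach ($u in $SuperUsers) {
        if ($ApprovedSU -notcontains $u) {
            Write-Warning "UNAPPROVED super user: $u"
            if ($Enforce) {
                Remove-AadrmSuperUser -EmailAddress $u
                "Removed super user $u"
            }
        }
    }
    foreach ($a in $Admins) {
        if ($ApprovedGA -notcontains $a) {
            Write-Warning "UNAPPROVED RMS global administrator: $a (review manually)"
        }
    }
}

# Placeholder approved lists; run with -Enforce only after reviewing the report.
Invoke-AadrmAccessReview -ApprovedSuperUsers 'ediscovery@company123.com' `
                         -ApprovedGlobalAdmins 'rmsadmin@company123.com'
```

Because an RMS global administrator can enable the super-user feature and add themselves to it, the two lists should be reviewed together, and the review itself should run under an account that is not on either list.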

Azure RMS Usage Logging

When you grant users administrative or super-user rights, it’s very important to keep track of how these rights are being used. Logging is one of the important ways to keep an eye on this in solutions such as Azure RMS. In this section, you learn how to enable, configure, and download Azure RMS usage logging.

Azure RMS uses Azure storage to save the log, so before you start, you need to make sure that you have an Azure storage account. Make sure to create the Azure storage account in the same location as your Azure RMS tenant.

Afterward, you use the Set-AadrmUsageLogStorageAccount cmdlet to define the log storage settings.

#Setting Log Storage Account
$AccessKey = ConvertTo-SecureString "<Storage_Account_Access_Key>" -AsPlainText -Force

Set-AadrmUsageLogStorageAccount -AccessKey $AccessKey -StorageAccount "<Storage_Account_Name>"

<Storage_Account_Name> was set as the storage account for the usage log feature for the Rights management service.

Once you set the log storage account, you can enable the usage log features. To do so, use the Enable-AadrmUsageLogFeature cmdlet.

#Enable Usage Log Feature
Enable-AadrmUsageLogFeature

The usage log feature is enabled for the Rights management service.

You can disable the usage log feature using the Disable-AadrmUsageLogFeature cmdlet. There are two logs that you can generate using PowerShell. The first log type is the admin log, which generates logs for all Azure RMS administrative commands. You can get this log using the Get-AadrmAdminLog cmdlet. You choose a specific period using the -FromTime and -ToTime parameters.

#Get Azure RMS Admin Log
Get-AadrmAdminLog -Path "C:\AzureRMS\Logs\Admin\AdminLog.log" -FromTime "06/01/2015 08:00:00" -ToTime "06/10/2015 07:00:00"

The Get-AadrmAdminLog cmdlet is very important for monitoring the global administrators of the Azure RMS tenant. These global administrators can enable the super-user feature and assign themselves as super users, and potentially decrypt all the files that your organization protects.

The second log type is the usage log, which downloads logs about Azure RMS usage to the local storage. You get the usage log using the Get-AadrmUsageLog cmdlet.

#Get Azure RMS Usage Log
Get-AadrmUsageLog -Path "C:\AzureRMS\Logs\UsageLog"

The usage log can be used to monitor and track the activities of super users, including the decryption of files.

The previous two log cmdlets help you get the log files, but not read them. If you don’t have experience with reading Azure RMS logs and parsing them, read the TechNet article at https://technet.microsoft.com/library/dn529121.aspx.
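The following is an added example, not code from the original chapter, showing the kind of check the usage log makes possible: it parses a tab-delimited usage log and flags every use license acquired by a super user for content that user does not own, which is what a super-user decryption of someone else's file looks like in the log. The field names follow the W3C-style "#Fields:" header documented for Azure RMS usage logs at the time of writing, but treat the exact layout as an assumption and check it against your own downloaded files. The sample log lines and the super-user list are constructed here for illustration, not real data.

```powershell
# Added example (not from the original chapter): detect super-user access to
# other people's content in an Azure RMS usage log.
# Assumed field order (documented W3C-style layout at the time of writing).
$Fields = 'date','time','row-id','request-type','user-id','result','correlation-id',
          'content-id','owner-email','issuer','template-id','file-name',
          'date-published','c-info','c-ip'

# Constructed sample rows (not real log data). Row 1: owner reads her own file.
# Row 2: a super user acquires a license for that file. Row 3: a denied attempt.
$Rows = @(
    @('2015-06-02','08:12:41','1','AcquireLicense','alice@company123.com','Success','c1',
      '{11111111-0000-0000-0000-000000000001}','alice@company123.com','issuer','{tmpl-1}',
      'Budget.xlsx','2015-06-01','MSIPC;1.0','203.0.113.10'),
    @('2015-06-02','08:15:02','2','AcquireLicense','ediscovery@company123.com','Success','c2',
      '{11111111-0000-0000-0000-000000000001}','alice@company123.com','issuer','{tmpl-1}',
      'Budget.xlsx','2015-06-01','RMSProtectionTool;1.0','203.0.113.77'),
    @('2015-06-02','08:20:19','3','AcquireLicense','ediscovery@company123.com','Denied','c3',
      '{11111111-0000-0000-0000-000000000002}','bob@company123.com','issuer','{tmpl-2}',
      'Merger.docx','2015-06-01','RMSProtectionTool;1.0','203.0.113.77')
)
$SampleLog = @('#Software: RMS', '#Version: 1.1', ('#Fields: ' + ($Fields -join "`t"))) +
             @($Rows | ForEach-Object { $_ -join "`t" })

function Find-SuperUserLicenseUse {
    param([string[]]$LogLines, [string[]]$SuperUsers)

    $fields = $null
    foreach ($line in $LogLines) {
        # The header names the columns; everything else starting with '#' is metadata.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring('#Fields:'.Length).Trim() -split "`t"
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        if (-not $fields) { throw "Data row found before a #Fields header" }

        $values = $line -split "`t"
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }

        $user  = ([string]$entry['user-id']).ToLower()
        $owner = ([string]$entry['owner-email']).ToLower()

        # Signal: a super user obtained (or tried to obtain) a use license for
        # content owned by somebody else. Denied attempts are reported too.
        if ($entry['request-type'] -eq 'AcquireLicense' -and
            $SuperUsers -contains $user -and $user -ne $owner) {
            [pscustomobject]@{
                When      = "$($entry['date']) $($entry['time'])"
                SuperUser = $user
                Owner     = $owner
                File      = $entry['file-name']
                ContentId = $entry['content-id']
                Result    = $entry['result']
                Client    = $entry['c-info']
                ClientIp  = $entry['c-ip']
            }
        }
    }
}

# Super-user list is assumed; in production, feed it from Get-AadrmSuperUser.
$SuperUsers = @('ediscovery@company123.com')
Find-SuperUserLicenseUse -LogLines $SampleLog -SuperUsers $SuperUsers | Format-Table -AutoSize
```

On the constructed sample, rows 2 and 3 are reported and row 1 is not. To run it over downloaded logs, replace $SampleLog with Get-Content over the files that Get-AadrmUsageLog wrote, and take the super-user list from Get-AadrmSuperUser rather than a literal.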

The RMS Protection Tool

The RMS protection tool is a set of PowerShell cmdlets designed to script bulk protection and unprotection of files, with either AD RMS or Azure RMS. It can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=47256.

To use the RMS protection tool, you first need to use Service-to-Service (S2S) authentication. For this task, use the Set-RMSServerAuthentication cmdlet along with three identifiers: BposTenantId, AppPrincipalId, and SymmetricKey.

Caution  As of this writing, the RMS Protection Tool cmdlets are not supported outside North America. As a workaround, you can edit the registry, as documented at https://msdn.microsoft.com/en-us/library/mt433202.aspx.

You can get the BposTenantId using the Get-AadrmConfiguration cmdlet, as shown in the following example.

# Get BPOS Tenant Id
(Get-AadrmConfiguration).BPOSId

Guid
-----
7b0d20e9-f930-7777-8888-e8572a9caf93

You can create the AppPrincipalId and SymmetricKey values by using the New-MsolServicePrincipal cmdlet in the Azure AD PowerShell module.

# Create Service Principal
$Cred = Get-Credential [email protected]
Connect-MsolService -Credential $Cred

New-MsolServicePrincipal -DisplayName 'AzureRMSPrincipal'

The following symmetric key was created as one was not supplied OfJmfLbu+kCytVwkN888JE5rwBPXKC2qqB0sZxt4QgY=

DisplayName           : AzureRMSPrincipal
ServicePrincipalNames : {dbf65047-3df7-40bb-9be5-87c1fe51ada8}
ObjectId              : 0821e96e-32b3-4316-b0dc-1d40beb4fe43
AppPrincipalId        : dbf65047-3df7-40bb-9be5-87c1fe51ada8
TrustedForDelegation  : False
AccountEnabled        : True
Addresses             : {}
KeyType               : Symmetric
KeyId                 : 8596ed76-dafb-48d6-9f17-12f76a920f6f
StartDate             : 9/18/2015 5:04:08 AM
EndDate               : 9/18/2016 5:04:08 AM
Usage                 : Verify

Caution  The symmetric key is displayed only once and cannot be retrieved later, so store it safely. Anyone who holds this key together with the AppPrincipalId can authenticate as the service principal, so treat it like any other credential.

Now you have the parameters needed for the Set-RMSServerAuthentication cmdlet. Let’s connect to the server.

# Set RMS Server Authentication
$Key = 'OfJmfLbu+kCytVwkN888JE5rwBPXKC2qqB0sZxt4QgY='
$AppPrincipalId = 'dbf65047-3df7-40bb-9be5-87c1fe51ada8'
$TenantId = '7b0d20e9-f930-7777-8888-e8572a9caf93'

Set-RMSServerAuthentication -Key $Key -AppPrincipalId $AppPrincipalId -BposTenantId $TenantId

The RmsServerAuthentication is set to ON

Once RMS server authentication is on, the RMS protection cmdlets authenticate to the RMS service with the service principal rather than with your own user account. The next step is to protect files.

Protecting and Unprotecting Files

To protect and unprotect files, there are three cmdlets: Protect-RMSFile to protect content, Unprotect-RMSFile to unprotect a protected file, and Get-RMSFileStatus to get the current protection status of a file.

Let’s start with protecting files. To achieve this task, you use the Protect-RMSFile cmdlet along with the following parameters:

  • -File: Specifies the path of the file to protect.
  • -Folder: Specifies the path of a folder in which all stored files are protected in one shot.
  • -Recurse: Use this parameter with the –Folder parameter to protect the files in subfolders.
  • -OutputFolder: Specifies the folder in which you store the protected versions of your files without affecting the original files.
  • -OwnerEmail: Specifies a different owner for the protected file instead of the user who is currently protecting the files. By default, if not used, your e-mail address identifies you as the owner.
  • -TemplateId: Specifies the ID of template that is used to protect the files. You can get the templates and their IDs using the Get-RMSTemplate cmdlet.
  • -License: Specifies an ad hoc rights policy rather than using one of the existing templates. The ad hoc rights policy is created using the New-RMSProtectionLicense cmdlet.
  • -DoNotPersistEncryptionKey: Prevents the encryption key from being cached, so that the protected content cannot be accessed offline. The user must authenticate each time the file is accessed, and the policy is re-checked for changes. The available values are Disk, License, and All.

#Listing RMS Templates
Get-RMSTemplate

ID      Name
-----   ------------
10001   Company 123 - Confidential
10002   Company 123 - Confidential View only
10003   Company 123 - Do Not Forward or Print

#Protect RMS File
Protect-RMSFile -File C:\Documents\MyCompanySecret.docx -TemplateId 10003

InputFile                                EncryptedFile
---------                                -------------
C:\Documents\MyCompanySecret.docx        C:\Documents\MyCompanySecret.docx

To unprotect a protected file, you use the Unprotect-RMSFile cmdlet with the following parameters:

  • -File: Specifies the path of the file to unprotect.
  • -Folder: Specifies the path of a folder in which all stored files are unprotected in one shot.
  • -Recurse: Use this parameter with the –Folder parameter to unprotect the files in subfolders.
  • -OutputFolder: Specifies the folder in which you store the unprotected versions of your files without affecting the protected files.

#Unprotect RMS File
Unprotect-RMSFile -File C:\Documents\MyCompanySecret.docx

InputFile                                DecryptedFile
---------                                -------------
C:\Documents\MyCompanySecret.docx        C:\Documents\MyCompanySecret.docx

Note  The cmdlets do not support e-mail messages; you can protect and unprotect files only. However, all file types are supported.
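The following is an added example, not code from the original chapter, and it is where the -Folder, -Recurse and -OutputFolder parameters described above earn their keep: it bulk-protects a folder tree into a separate output folder and then verifies with Get-RMSFileStatus that every copy is protected and that every original was left alone. Paths and the template ID are placeholders, the RMS server authentication from the previous section is assumed to be set already, and the script assumes that Get-RMSFileStatus returns a Status property that reads "Protected" for protected files.

```powershell
# Added example (not from the original chapter): bulk-protect a folder tree
# into a separate output folder, then verify the outcome with Get-RMSFileStatus.
# Paths and the template ID are placeholders.
$Source     = 'C:\Documents\ToProtect'
$Output     = 'C:\Documents\Protected'
$TemplateId = '10003'    # pick one from Get-RMSTemplate

if (-not (Test-Path -Path $Output)) {
    New-Item -ItemType Directory -Path $Output | Out-Null
}

# With -OutputFolder the originals under $Source are not modified; the protected
# copies are written to $Output. -Recurse includes subfolders.
$Result = Protect-RMSFile -Folder $Source -Recurse -TemplateId $TemplateId -OutputFolder $Output
$Result | Format-Table InputFile, EncryptedFile -AutoSize

# Returns the files under $Folder whose protection state is not what we expect.
# Assumption: Get-RMSFileStatus returns a Status of 'Protected' for protected files;
# any other value is treated as unprotected.
function Get-ProtectionMismatch {
    param([string]$Folder, [bool]$ShouldBeProtected)

    $mismatches = @()
    foreach ($file in Get-ChildItem -Path $Folder -Recurse -File) {
        $status      = (Get-RMSFileStatus -File $file.FullName).Status
        $isProtected = ("$status" -eq 'Protected')
        if ($isProtected -ne $ShouldBeProtected) {
            $mismatches += "$($file.FullName): $status"
        }
    }
    # The leading comma keeps an empty result an empty array rather than $null,
    # so that the += below does not append a $null element.
    return ,$mismatches
}

$Problems  = @()
$Problems += Get-ProtectionMismatch -Folder $Output -ShouldBeProtected $true   # copies must be protected
$Problems += Get-ProtectionMismatch -Folder $Source -ShouldBeProtected $false  # originals untouched

if ($Problems.Count -eq 0) {
    "All files under $Source were protected into $Output as expected."
} else {
    $Problems | ForEach-Object { Write-Warning $_ }
}
```

Writing to a separate output folder is the safe way to run a first bulk job: if the template ID or the rights definitions turn out to be wrong, the unprotected originals are still there and nothing has to be unprotected by a super user.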

Ad Hoc Rights Policy

Sometimes you want to protect a document or file with rights that none of your existing templates implement, and the customized policy is needed only once, so there is no point in creating a permanent template for it. For that purpose and similar situations, the RMS protection tool lets you create an ad hoc rights policy using the New-RMSProtectionLicense cmdlet along with the following parameters:

  • -OwnerEmail: Specifies the owner of the rights policy. It could be a user or a group (a distribution list or an e-mail-enabled security group).
  • -UserEmail: Specifies the user(s) who have access to the files protected by the ad hoc rights policy.
  • -Permission: Specifies the usage rights of the ad hoc rights policy. The available permissions are VIEW, EDIT, PRINT, EXPORT, COMMENT, VIEWRIGHTSDATA, EDITRIGHTSDATA, EXTRACT, and OWNER.
  • -ValidForDays: Specifies the expiry period (in days) for the content protected by the ad hoc rights policy.

## Protect a File using Ad-Hoc Rights Policy

# Creating Ad-Hoc rights policy
$License = New-RMSProtectionLicense -OwnerEmail '[email protected]' -UserEmail '[email protected]' -Permission 'VIEW', 'COMMENT' -ValidForDays 10

# Protect File
Protect-RMSFile -File C:\Documents\MyCompanySecret.docx -License $License

The preceding example created an ad hoc rights policy that allows only view and comment rights with a validity of 10 days, starting when the policy is applied to the file(s). These rights are assigned only to [email protected], while the ownership is assigned to [email protected]. The Protect-RMSFile cmdlet was used along with the –License parameter to protect the MyCompanySecret.docx Word document with the new ad hoc rights policy.

Summary

In this chapter, you learned about the information and content protection component of Azure, Azure Rights Management Services (RMS). You started with Azure RMS features and its advantages over AD RMS. You also learned about the Azure RMS module for PowerShell.

Next, you created RMS policy templates and you learned about rights definition, configuring super-user features, managing role-based administrators, and enabling and managing Azure RMS logging. Moreover, you learned how to bulk protect and unprotect content via the RMS protection tool.

The next chapter spotlights a fashionable IT trend known as big data. It covers a Microsoft implementation of big data: HDInsight. Using PowerShell, you will learn how to build and configure HDInsight clusters from A to Z.
