Learn about the Azure Rights Management encryption service

Azure Rights Management, sometimes abbreviated to Azure RMS, is the main cloud-based encryption service from Microsoft Purview Information Protection.

Azure Rights Management helps to protect items such as files and emails across multiple devices that include phones, tablets, and PCs by using encryption, identity, and authorization policies.

For example, when employees email a document to a partner company, or save a document to their cloud drive, the persistent encryption from Azure Rights Management helps secure the data.

  • Encryption settings remain with your data, even when it leaves your organization's boundaries, keeping your content protected both within and outside your organization.

  • Encryption may be legally required for compliance, legal discovery requirements, or best practices for information management.

  • Use Azure Rights Management with Microsoft 365 subscriptions or subscriptions for Microsoft Purview Information Protection. For more information, see the Microsoft 365 licensing guidance for security & compliance page.

Azure Rights Management ensures that authorized people and services, such as search and indexing, can continue to read and inspect the encrypted data.

Ensuring ongoing access for authorized people and services, also known as "reasoning over data", is a crucial element in maintaining control of your organization's data. This capability may not be easily accomplished with other information protection solutions that use peer-to-peer encryption.

Protection features

Encrypt multiple file types
In early implementations of Rights Management, only Office files could be encrypted, using built-in Rights Management protection.

Azure Rights Management provides support for additional file types. For more information, see Supported file types.

Protect files anywhere
When a file is encrypted, this protection stays with the file, even if it is saved or copied to storage that is not under the control of IT, such as a cloud storage service.

Collaboration features

Safely share information
Encrypted files are safe to share with others, such as an attachment to an email or a link to a SharePoint site.

If the sensitive information is within an email message, encrypt the email, or use the Do Not Forward option from Outlook.

Support for business-to-business collaboration
Because Azure Rights Management is a cloud service, there’s usually no need to explicitly configure trusts with other organizations before you can share encrypted content with them.

By default, collaboration with other organizations that already have a Microsoft 365 or a Microsoft Entra directory is automatically supported. Some additional configuration might be needed for advanced configurations or specialized scenarios.

For organizations without Microsoft 365 or a Microsoft Entra directory, users can sign up for the free RMS for individuals subscription, or use a Microsoft account for supported applications.

Tip

Attaching encrypted files, rather than encrypting an entire email message, enables you to keep the email text unencrypted.

For example, you may want to include instructions for first-time use if the email is being sent outside your organization. If you attach an encrypted file, the basic instructions can be read by anyone, but only authorized users will be able to open the document, even if the email or document is forwarded to other people.

Platform support features

The Azure Rights Management service supports a broad range of platforms and applications, including:

Commonly used devices, not just Windows computers
Client devices include:

- Windows computers and phones
- Mac computers
- iOS tablets and phones
- Android tablets and phones

On-premises services
In addition to working seamlessly with Microsoft 365, you can use Azure Rights Management with the following on-premises services when you deploy the Microsoft Rights Management connector:

- Exchange Server
- SharePoint Server
- Windows Server running File Classification Infrastructure

Application extensibility
Azure Rights Management has tight integration with Microsoft 365 applications and services, and extends support for other applications by using the Microsoft Purview Information Protection client.

The Microsoft Information Protection SDK provides your internal developers and software vendors with APIs to write custom applications that support the Azure Rights Management service.

Infrastructure features

The Azure Rights Management service provides the following features to support IT departments and infrastructure organizations:

Note

Organizations always have the choice to stop using the Azure Rights Management service without losing access to content that was previously protected by Azure Rights Management.

For more information, see Decommission and deactivate the Azure Rights Management service.

Create simple and flexible policies

Encryption settings that are applied with sensitivity labels provide a quick and easy method for administrators to apply information protection policies, and for users to apply the correct level of protection for each item as needed.

For example, for a company-wide strategy paper to be shared with all employees, apply a read-only policy to all internal employees. For a more sensitive document, such as a financial report, restrict access to executives only.

For more information, see Restrict access to content by using sensitivity labels to apply encryption.
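The two policies described above (read-only for all employees, executives only for a financial report), as an added example in Security & Compliance PowerShell. This is not code from the page or from Microsoft; it assumes you have already run Connect-IPPSSession, and the group addresses, label names and the exact usage-right names and `Identity:Rights` syntax of the New-Label cmdlet are as the example's author understands them, so verify them against `Get-Help New-Label -Full` before use.

```powershell
# Added example, not from the Microsoft Learn page. Assumes Connect-IPPSSession
# has been run. Group addresses and label names below are constructed.

# Usage-right sets as accepted by -EncryptionRightsDefinitions (assumed names).
$ReadOnly = 'VIEW,VIEWRIGHTSDATA'
$CoAuthor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,OBJMODEL'

# Company-wide strategy paper: every employee may read, nobody may edit,
# and anyone outside the all-staff group cannot open the file at all.
New-Label -Name 'Internal-ReadOnly' -DisplayName 'Internal (read-only)' `
    -Tooltip 'All employees may read; no editing, no external access' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "all-staff@contoso.example:$ReadOnly" `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never

# Financial report: executives only, with co-author rights. A shorter offline
# window forces a fresh license check (and therefore revocation) sooner.
New-Label -Name 'Executives-Only' -DisplayName 'Executives only' `
    -Tooltip 'Restricted to the executive team' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "executives@contoso.example:$CoAuthor" `
    -EncryptionOfflineAccessDays 1 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never

# Labels only reach users once published in a label policy.
New-LabelPolicy -Name 'Encryption labels' `
    -Labels 'Internal-ReadOnly', 'Executives-Only' -ExchangeLocation All
```

The design point is that the identity in each rights definition is a group, not a list of people: membership changes in the directory change who can open the content without re-labeling or re-encrypting anything.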

Easy activation

For new subscriptions, activation is automatic. For existing subscriptions, activating the Rights Management service requires just two PowerShell commands.
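The two commands for an existing subscription, as an added example (not code from the page or from Microsoft) using the AIPService PowerShell module. It assumes the module is installed with `Install-Module -Name AIPService` and that the signed-in account is allowed to administer the service; it checks the state first so that it is safe to re-run.

```powershell
# Added example, not from the Microsoft Learn page. Assumes the AIPService
# module is installed and the caller holds an administrative role.

# 1. Authenticate to the tenant (interactive sign-in prompt).
Connect-AipService

# 2. Activate only if needed. Get-AipService reports 'Enabled' or 'Disabled'.
$before = Get-AipService
if ($before -ne 'Enabled') {
    Enable-AipService
}

# 3. Verify: the activation state and the service configuration should agree,
#    and this output doubles as a record of what the script changed.
$after  = Get-AipService
$config = Get-AipServiceConfiguration
[pscustomobject]@{
    StateBefore      = $before
    StateAfter       = $after
    FunctionalState  = $config.FunctionalState
    SuperUsersEnabled = $config.SuperUsersEnabled
}
```

Keeping the check before `Enable-AipService` matters less for correctness (re-enabling an enabled tenant is harmless) than for change control: the script records whether it actually changed anything.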

Auditing and monitoring services

Audit and monitor usage of your encrypted files, even after these files leave your organization’s boundaries.

For example, if a Contoso, Ltd employee works on a joint project with three people from Fabrikam, Inc, they might send their Fabrikam partners a document that's encrypted and restricted to read-only.

Azure Rights Management auditing can provide the following information:

  • Whether the Fabrikam partners opened the document, and when.

  • Whether other people who were not specified attempted and failed to open the document. This might happen if the email was forwarded on, or saved to a shared location.

Administrators can track document usage and revoke access for Office files. Users can revoke access for their labeled and encrypted documents as needed.
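The Contoso and Fabrikam scenario above, worked through as an added example (not code from the page or from Microsoft). In a real tenant the rows come from `Get-AipServiceUserLog -Path <folder> -FromDate <date> -ToDate <date>`, which downloads tab-separated usage logs with `#`-prefixed header lines including a `#Fields:` line. The rows below are constructed sample data in that shape: the column subset, addresses, file name and the `AccessDenied` result value are all made up for the example, so the function reads the column names from the `#Fields:` line rather than hard-coding them, and treats any result other than `Success` as a failed attempt. It also serves the "Auditing and usage logging" item in the IT control list further down.

```powershell
# Added example, not from the Microsoft Learn page. The log text below is
# CONSTRUCTED to resemble an Azure RMS usage log; real logs have more columns.
$fieldNames = 'date', 'time', 'row-id', 'request-type', 'user-id', 'result',
              'content-id', 'owner-email', 'file-name'
$header = '#Fields: ' + ($fieldNames -join "`t")
$rows = @(
    @('2024-05-02', '09:14:20', '1', 'AcquireLicense', 'alice@fabrikam.example', 'Success',      '{doc-1}', 'dana@contoso.example', 'Project-Plan.docx'),
    @('2024-05-02', '09:31:05', '2', 'AcquireLicense', 'bob@fabrikam.example',   'Success',      '{doc-1}', 'dana@contoso.example', 'Project-Plan.docx'),
    @('2024-05-03', '16:02:48', '3', 'AcquireLicense', 'mallory@example.net',    'AccessDenied', '{doc-1}', 'dana@contoso.example', 'Project-Plan.docx'),
    @('2024-05-03', '16:10:11', '4', 'GetClientLicensorCertificate', 'alice@fabrikam.example', 'Success', '-', '-', '-')
) | ForEach-Object { $_ -join "`t" }
$sampleLog = (@('#Software: RMS', $header) + $rows) -join "`n"

function Get-RmsDocumentActivity {
    # Summarize, per protected file, who obtained a use license (opened it)
    # and who asked for one and was refused.
    param([Parameter(Mandatory)][string]$LogText)

    $lines = $LogText -split "`r?`n"
    $fieldLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldLine) { throw 'No #Fields: header found in log text' }
    $fields = ($fieldLine -replace '^#Fields:\s*', '') -split "`t"

    # Data rows are everything that is not a '#' directive line.
    $records = $lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter "`t" -Header $fields

    # Only AcquireLicense requests say whether content was opened; certificate
    # bootstrapping requests (and others) are noise for this question.
    $records | Where-Object { $_.'request-type' -eq 'AcquireLicense' } |
        Group-Object 'file-name' | ForEach-Object {
            $group  = $_
            $opened = $group.Group | Where-Object { $_.result -eq 'Success' }
            $denied = $group.Group | Where-Object { $_.result -ne 'Success' }
            [pscustomobject]@{
                FileName = $group.Name
                Owner    = ($group.Group | Select-Object -First 1).'owner-email'
                OpenedBy = @($opened | ForEach-Object { "$($_.'user-id') at $($_.date) $($_.time)" })
                Denied   = @($denied | ForEach-Object { "$($_.'user-id') ($($_.result)) at $($_.date) $($_.time)" })
            }
        }
}

Get-RmsDocumentActivity -LogText $sampleLog | Format-List
```

On the sample data this lists the two Fabrikam partners with the times they opened Project-Plan.docx, and a single refused request from an address that was never granted rights, which is the signal the page describes for a forwarded or re-shared document. The same function runs unchanged over files downloaded with `Get-AipServiceUserLog`, read with `Get-Content -Raw`.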

Ability to scale across your organization

Because Azure Rights Management runs as a cloud service with the Azure elasticity to scale up and out, you don’t have to provision or deploy additional on-premises servers.

Maintain IT control over data

Organizations can benefit from IT control features, such as:

Tenant key management
Use tenant key management solutions, such as Bring Your Own Key (BYOK) or Double Key Encryption (DKE).

For more information, see:
- Planning and implementing your Azure Rights Management tenant key
- What is Double Key Encryption (DKE)?

Auditing and usage logging
Use auditing and usage logging to analyze for business insights, monitor for abuse, and perform forensic analysis for information leaks.

Access delegation
Delegate access with the super user feature, ensuring that IT can always access encrypted content, even if a document was encrypted by an employee who then leaves the organization. In comparison, peer-to-peer encryption solutions risk losing access to company data.

Active Directory synchronization
Synchronize just the directory attributes that Azure RMS needs to support a common identity for your on-premises Active Directory accounts, by using a hybrid identity solution, such as Microsoft Entra Connect.

Single sign-on
Enable single sign-on without replicating passwords to the cloud, by using AD FS.

Migration from AD RMS
If you've deployed Active Directory Rights Management Services (AD RMS), migrate to the Azure Rights Management service without losing access to data that was previously encrypted by AD RMS.
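The access delegation item above, as an added example (not code from the page or from Microsoft) using the AIPService module: the super user feature is off until an administrator enables it, and each super user is then added explicitly. The account address is constructed; the point of using a single dedicated account rather than a broad group is that super users can decrypt everything in the tenant, so the grant should be narrow and its own audit trail kept.

```powershell
# Added example, not from the Microsoft Learn page. Assumes the AIPService
# module is installed and Connect-AipService succeeds for an administrator.
# The account address is a constructed placeholder.
Connect-AipService

# The feature is disabled by default; adding super users before enabling it
# has no effect, so enable it first (idempotent check).
if (-not (Get-AipServiceConfiguration).SuperUsersEnabled) {
    Enable-AipServiceSuperUserFeature
}

# Delegate to one tightly controlled recovery account and list the result.
Add-AipServiceSuperUser -EmailAddress 'rms-recovery@contoso.example'
Get-AipServiceSuperUser

# Export the admin log for the last 30 days so that the delegation itself
# (who enabled the feature, who was added) is visible to reviewers.
$logPath = Join-Path $env:TEMP 'AipServiceAdminLog.log'
Get-AipServiceAdminLog -Path $logPath -FromDate (Get-Date).AddDays(-30) -ToDate (Get-Date)
Get-Content $logPath | Select-Object -Last 5
```

Pairing the grant with the admin log export is the detection half of this control: super user membership is a high-value change, and the admin log is where an unexpected addition shows up.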

Security, compliance, and regulatory requirements

Azure Rights Management supports the following security, compliance, and regulatory requirements:

  • Uses industry-standard cryptography and supports FIPS 140-2. For more information, see the Cryptographic controls used by Azure RMS: Algorithms and key lengths information.

  • Support for nCipher nShield hardware security module (HSM) to store your tenant key in Microsoft Azure data centers.

    Azure Rights Management uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East and Africa), and Asia, so your keys can be used only in your region.

  • Certification for the following standards:

    • ISO/IEC 27001:2013 (includes ISO/IEC 27018)
    • SOC 2 SSAE 16/ISAE 3402 attestations
    • HIPAA BAA
    • EU Model Clause
    • FedRAMP as part of Microsoft Entra ID in Office 365 certification, issued FedRAMP Agency Authority to Operate by HHS
    • PCI DSS Level 1

For more information about these external certifications, see the Microsoft Trust Center.

Next steps

For more technical information about how the Azure Rights Management service works, see How does Azure RMS work?.

If you're ready to make Azure Rights Management encryption an integrated part of your information protection solution, see Deploy an information protection solution with Microsoft Purview.