Azure Information Protection (Azure RMS) is an enterprise information protection solution for any organization. Azure RMS provides classification, labeling, and protection of organization’s data.
Note: This deployment also enables Azure B2B access for the Published Applications in Azure AD.
Azure Prerequisites
- A subscription that includes Azure Information Protection. For example, PAYG, EA or E5
- A global administrator account (@domain.onmicrosoft.com) to sign in to the Azure portal
Minimum On-premises Prerequisites
- An operational Active Directory Federation Services
- An operational Azure Active Directory Connect
- An Active Directory Domain Controller
- An RMS Connector Server
- RMS Client version 2.1 or above installed on the SharePoint or File Server or Exchange Server
- Azure Information Protection for Microsoft Office 2016
- A matching UPN (dmain.com) which has been federated to Azure AD
- Publicly routable domains name (domain.com)
- Publicly routable DNS Records (spirm.domain.com, sts.domain.com)
- Public certificates with SAN or an wild card certificate
- Public certificate must have private key or PFX format
- An operational SharePoint or File Server or Exchange Server to be protected by Azure RMS
Deploy On-prem Infrastructures:
- Register and verify domain.com to Azure ARM Portal
- Install and configure Active Directory Federation Services
- Install and configure Web Application Proxy Server
- Install and configure Azure Active Directory Connect. AAD Connect installation pretty straight forward. To use Azure RMS you have to select three extra steps in AAD Connect. Either you can modify existing configuration to the below or if you are installing from scratch then you have to select an additional features. To provide the RMS functionality to synced users, Azure RMS has been selected in AAD Connect Wizard along with the Azure AD Apps.
- On the AAD Connect Installation Page, click Customize to start a customized settings installation.
- On User Signin Page Select Federation With ADFS.
- On the Optional feature Page, Select Azure AD App and Attribute Filtering. Make sure you select all features which include Azure RMS
- Activate Azure RMS
- Sign to Azure Portal using a Global Admin user (@domain.onmicrosoft.com)
- Open Azure Information Protection, Click RMS Settings, Click Activate.
- If you are protecting SharePoint Server then you have to the additional steps on ADFS Server and SharePoint Server mentioned below.
Internal CNAME DNS record:
- domain.com pointed to ADFS Server
- domain.com pointed to SP Server
- domain.com pointed to RMS Connector Server
ADFS Configuration:
Add a Claim Provider Trust using Wizard, type the name of the Claim Provider as “AzureAD” Select the URL to import metadata from https://login.microsoftonline.com/domain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml
Right Click on the the Azure AD Claim Provider, Edit Claim Rule and Add a custom claim rule
c:[] => issue(claim = c);
Add SharePoint 2013/2016 as a Relying Party Trust with the below properties:
Method to Add RP: Manual
Name: SP
RP Identifier: urn:sharepoint:domain
Enable WS-Federation and provide the following passive reply url: https://spirm.domain.com /_trust/
Add two Claim Rules
UPN Claim Rule
c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”%5D
=> issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
B2B User Claim Rule
c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”%5D
=> issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
Specify AzureAD as SharePoint 2013 Claim Provider
Set-AdfsRelyingPartyTrust -TargetName “SP” -ClaimsProviderName @(“AzureAD”)
Specify Claim Provider for Internal Users:
Set-AdfsProperties -IntranetUseLocalClaimsProvider $true
Add Azure Web Application:
Log on to portal.azure.com, Click Azure AD, On the App registration section, Register an Azure Web Application using the below parameter:
- App ID URI: http://sts.domain.com/adfs/services/trust
- Reply URL: https://sts.domain.com/adfs/ls
- Signin URL or Home Page: https://spirm.domain.com
- Permission: Windows Azure AD
Grant Access to Azure AD user and B2B User to this Application
- Sign in to the Azure Active Directory admin center with an account that’s a global admin for the directory.
- Select Azure Active Directory and then Users and groups.
- On the Users and groups blade, select All users, and then select New Guest user.
- Go back to newly registered App, Assign access permission to the guest user
Assign RMS Licenses to Azure B2B users:
Connect-MsolService
$AccountSkuId = “domain:ENTERPRISEPACK”
$UsageLocation = “AU”
$Users = Import-Csv c:\temp\userlist.csv
$Users | ForEach-Object {
Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation
Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId
}
Where userlist.csv contain userprincipal name or B2B username in first column. Further references.
Azure Licenses for B2B user https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-licensing
Configure Right Management Connector
- Download Rights Management Connector on the server where you are going to install the Connector.
- Create a Service account in Windows Active Directory with federated UPN SVCRMS@domain.com
- SVCRMS@domain.com is AAD Synced Account.
- Open AD users and Computers, Add SVCRMS@domain.com as a member of domain admins group.
- Sign into Azure Portal, Assign SVCRMS@domain.com as global admin, Azure RightsManagement global administrator
- On the computer on which you want to install the RMS connector, run exe with Administrator privileges. When prompted for credential use SVCRMS@domain.com account and alphanumeric password.
Note: do not install RMS connector on Exchange, File and SharePoint Server.
SharePoint Specific Configuration: Reference1 and reference2
Add-PSSnapIn Microsoft.SharePoint.PowerShell
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“c:\ADFSCertificates\STSTokenSigning.cer”)
New-SPTrustedRootAuthority -Name “Token Signing Cert” -Certificate $cert
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming
$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid” -IncomingClaimTypeDisplayName “SID” -SameAsIncoming
$realm = “urn:sharepoint:dealdocs”
$signInURL = “https://sts.dealdocs.com/adfs/ls/”
$ap = New-SPTrustedIdentityTokenIssuer -Name “ADFS” -Description “AD Federation Server” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl “https://sts.dealdocs.com/adfs/ls/” -IdentifierClaim $emailClaimmap.InputClaimType
Download and run GenConnectorConfig.ps1 the below command on SP Server. This command automate changes in registry values.
.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013
Configure RMS Connector for SharePoint Server
- On the SharePoint Central Administration Web site, in the Quick Launch, click Security.
- On the Security page, in the Information Policy section, click Configure information rights management.
- On the Information Rights Management page, in the Information Rights Management section, select Use this RMS server type https://rmsconnector.domain.com).
- Click OK.
- Next step Add users to SharePoint Library
For Exchange Server, Download and run GenConnectorConfig.ps1 on Exchange Server
.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013
Run the below command in Exchange Server
Set-IRMConfiguration -InternalLicensingEnabled $true
For File Server Download and run GenConnectorConfig.ps1 on File Server
.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetFCI2012
Create classification rules and file management tasks to protect documents with RMS Encryption.
Testing:
- Download Azure Information Protection and protect a document for B2B user
- Upload the document into SharePoint Library
- Request the B2B user to access from the invitation you have sent.
