Configure servers for the Rights Management connector - AIP (2022)


Use the following information to help you configure your on-premises servers that will use the Azure Rights Management (RMS) connector. These procedures cover step 5 from Deploying the Microsoft Rights Management connector.

Prerequisites: Before you begin, make sure that you have:

  • Installed and configured the RMS connector

  • Checked any prerequisites relevant for the servers that will use the connector

Configuring servers to use the RMS connector

After you have installed and configured the RMS connector, you are ready to configure the on-premises servers that will connect to the Azure Rights Management service, and use this protection technology by using the connector.

This means configuring the following servers:

Environment | Servers to configure
Exchange 2013 | Client Access Servers and Mailbox Servers
Exchange 2016 and Exchange 2019 | Mailbox Servers (includes Client Access and Hub Transport server roles)
SharePoint | Front-end SharePoint webservers, including those hosting the Central Administration server
File Classification Infrastructure | Windows Server computers that have installed File Resource Manager

This configuration requires registry settings, with the following options:

  • Edit registry settings automatically
  • Edit registry settings manually

Important

In both cases, you must manually install any prerequisites and configure Exchange, SharePoint, and File Classification Infrastructure to use Rights Management.

Note

For most organizations, automatic configuration by using the server configuration tool for Microsoft RMS connector will be the better option, because it provides greater efficiency and reliability than manual configuration.

After making the configuration changes on these servers, you must restart them if they are running Exchange or SharePoint, and were previously configured to use AD RMS. There is no need to restart these servers if you are configuring them for Rights Management for the first time.

You must always restart the file server that is configured to use File Classification Infrastructure after you make these configuration changes.

Edit registry settings automatically - advantages and disadvantages

Edit your registry settings automatically, by using the server configuration tool for Microsoft RMS connector.

Advantages include:

  • No direct editing of the registry. This is automated for you by using a script.

  • No need to run a Windows PowerShell cmdlet to obtain your Microsoft RMS URL.

  • The prerequisites are automatically checked for you (but not automatically remediated) if you run it locally.

Disadvantages include: When you run the tool, you must make a connection to a server that is already running the RMS connector.

For more information, see How to use the server configuration tool for Microsoft RMS connector.

Edit registry settings manually - advantages and disadvantages

Advantages include: No connectivity to a server running the RMS connector is required.

Disadvantages include:

  • More administrative overheads that are error-prone.

  • You must obtain your Microsoft RMS URL, which requires you to run a Windows PowerShell command.

  • You must always make all the prerequisites checks yourself.

How to use the server configuration tool for Microsoft RMS connector

  1. If you haven't already downloaded the script for the server configuration tool for Microsoft RMS connector (GenConnectorConfig.ps1), download it from the Microsoft Download Center.

  2. Save the GenConnectorConfig.ps1 file on the computer where you will run the tool.

    If you will run the tool locally, this must be the server that you want to configure to communicate with the RMS connector. Otherwise, you can save it on any computer.

  3. Decide how to run the tool:

    Method | Description
    Locally | Run the tool interactively, from the server to be configured to communicate with the RMS connector. Tip: This is useful for a one-off configuration, such as a testing environment.
    Software deployment | Run the tool to produce registry files, which you then deploy to one or more relevant servers. Deploy the registry files using a systems management application that supports software deployment, such as System Center Configuration Manager.
    Group policy | Run the tool to produce a script that you give to an administrator who can create Group Policy objects for the servers to be configured. This script creates one Group Policy object for each server type to be configured, which the administrator can then assign to the relevant servers.

    Note

    This tool configures the servers that will communicate with the RMS connector and that are listed at the beginning of this section. Do not run this tool on the servers that run the RMS connector.

  4. Start Windows PowerShell with the Run as an administrator option, and use the Get-help command to read instructions for how to use the tool with your chosen configuration method:

    Get-help .\GenConnectorConfig.ps1 -detailed

To run the script, you must enter the URL of the RMS connector for your organization.

Enter the protocol prefix (HTTP:// or HTTPS://) and the name of the connector that you defined in DNS for the load balanced address of your connector. For example, https://connector.contoso.com.

The tool then uses that URL to contact the servers running the RMS connector and obtain other parameters that are used to create the required configurations.

Important

When you run this tool, make sure that you specify the name of the load-balanced RMS connector for your organization and not the name of a single server that runs the RMS connector service.
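A pre-flight check for the value you pass as the connector URL, as an added example that is not part of the original article or of GenConnectorConfig.ps1. The function name, its parameters and the server names are hypothetical; it assumes you can list the individual servers that run the RMS connector service.

```powershell
# Added example; Test-ConnectorUri and its parameters are illustrative names.
function Test-ConnectorUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ConnectorUri,
        # Assumption: you supply the names of the individual connector servers.
        [string[]]$ConnectorNodeNames = @()
    )

    $problems = @()
    $uri = $null
    if (-not [System.Uri]::TryCreate($ConnectorUri, [System.UriKind]::Absolute, [ref]$uri)) {
        $problems += 'Not an absolute URL: include the HTTP:// or HTTPS:// prefix.'
    }
    else {
        if ($uri.Scheme -ne 'http' -and $uri.Scheme -ne 'https') {
            $problems += "Unsupported prefix '$($uri.Scheme)': use HTTP:// or HTTPS://."
        }
        if ($uri.HostNameType -ne [System.UriHostNameType]::Dns) {
            $problems += 'Use the connector name that you defined in DNS, not an IP address.'
        }
        # Compare the leftmost DNS label with each known connector server name.
        $shortHost = $uri.Host.Split('.')[0]
        foreach ($node in $ConnectorNodeNames) {
            if ($shortHost -ieq $node.Split('.')[0]) {
                $problems += "'$($uri.Host)' is a single connector server: use the load-balanced name."
            }
        }
    }

    [pscustomobject]@{
        ConnectorUri = $ConnectorUri
        IsValid      = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

# Constructed sample input: one well-formed value followed by two common mistakes.
$nodes = 'rmsconn01', 'rmsconn02'   # hypothetical connector server names
'https://rmsconnector.contoso.com', 'rmsconnector.contoso.com', 'https://rmsconn01.contoso.com' |
    ForEach-Object { Test-ConnectorUri -ConnectorUri $_ -ConnectorNodeNames $nodes }
```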

Use the following sections for specific information for each service type:

  • Configuring an Exchange server to use the connector

  • Configuring a SharePoint server to use the connector

  • Configuring a file server for File Classification Infrastructure to use the connector

When to install client applications on separate computers, which are not configured to use the connector

After these servers are configured to use the connector, client applications that are installed locally on these servers might not work with RMS. When this happens, it is because the applications try to use the connector rather than use RMS directly, which is not supported.

You must install the client applications on separate computers that are not configured to use the connector. They will then correctly use RMS directly.

Configuring an Exchange server to use the connector

The following Exchange roles communicate with the RMS connector:

  • For Exchange 2016 and Exchange 2013: Client access server and mailbox server

  • For Exchange 2019: Client access server and hub transport server

To use the RMS connector, these servers running Exchange must be running one of the following software versions:

These servers also need a version 1 RMS client (also known as MSDRM) that includes support for RMS Cryptographic Mode 2. All Windows operating systems include the MSDRM client, but early versions of the client did not support Cryptographic Mode 2. If your Exchange servers are running at least Windows Server 2012, no further action is required because the RMS client installed with these operating systems natively supports Cryptographic Mode 2.

Important

If these versions or later versions of Exchange and the MSDRM client are not installed, you will not be able to configure Exchange to use the connector. Check that these versions are installed before you continue.

To configure Exchange servers to use the connector

  1. Make sure that the Exchange servers are authorized to use the RMS connector, by using the RMS connector administration tool and the information from the Authorizing servers to use the RMS connector section.

    This configuration is required so that Exchange can use the RMS connector.

  2. On the Exchange server roles that communicate with the RMS connector, do one of the following:

    • Run the server configuration tool for Microsoft RMS connector.

      For more information, see How to use the server configuration tool for Microsoft RMS connector.

      For example, to run the tool locally to configure a server running Exchange 2016 or Exchange 2013:

      .\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013

    • Make manual registry edits. For more information, see Registry settings for the RMS connector.

  3. Enable IRM functionality for Exchange by using the Exchange PowerShell cmdlet Set-IRMConfiguration: set both InternalLicensingEnabled and ClientAccessServerEnabled to $true.

Configuring a SharePoint server to use the connector

Front-end SharePoint webservers, including those hosting the Central Administration server, communicate with the RMS connector.

To use the RMS connector, these servers running SharePoint must be running one of the following software versions:

  • SharePoint Server 2019

  • SharePoint Server 2016

  • SharePoint Server 2013

A server running SharePoint 2019, 2016 or SharePoint 2013 must also be running a version of the MSIPC client 2.1 that is supported with the RMS connector.

To make sure that you have a supported version, download the latest client from the Microsoft Download Center.

Warning

There are multiple versions of the MSIPC 2.1 client, so make sure that you have version 1.0.2004.0 or later.

You can verify the client version by checking the version number of MSIPC.dll, which is located in \Program Files\Active Directory Rights Management Services Client 2.1. The properties dialog box shows the version number of the MSIPC 2.1 client.
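The same check without the properties dialog box, as an added example that is not part of the original article. The function name and the commented server names are hypothetical, and it assumes the file version of MSIPC.dll is the number to compare against 1.0.2004.0.

```powershell
# Added example; Test-MsipcClientVersion is an illustrative name.
function Test-MsipcClientVersion {
    [CmdletBinding()]
    param(
        # Folder named in the article; $env:ProgramFiles resolves "\Program Files".
        [string]$ClientFolder = (Join-Path $env:ProgramFiles 'Active Directory Rights Management Services Client 2.1'),
        # Minimum version stated in the article's warning.
        [version]$MinimumVersion = '1.0.2004.0'
    )

    $dll = Join-Path $ClientFolder 'MSIPC.dll'
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        # Client not installed in the expected folder: report it rather than throw.
        return [pscustomobject]@{
            Path = $dll; Installed = $false; FileVersion = $null; MeetsMinimum = $false
        }
    }

    $info = (Get-Item -LiteralPath $dll).VersionInfo
    # Build the version from the numeric parts; the FileVersion string can carry extra text.
    $found = New-Object System.Version -ArgumentList `
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

    [pscustomobject]@{
        Path         = $dll
        Installed    = $true
        FileVersion  = $found
        MeetsMinimum = ($found -ge $MinimumVersion)
    }
}

# Check the local SharePoint server.
Test-MsipcClientVersion

# Several front-end servers over PowerShell remoting (hypothetical server names):
# Invoke-Command -ComputerName sp-wfe01, sp-wfe02 -ScriptBlock ${function:Test-MsipcClientVersion}
```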

  1. Make sure that the SharePoint servers are authorized to use the RMS connector, by using the RMS connector administration tool and the information from the Authorizing servers to use the RMS connector section.

    This configuration is required so that your SharePoint servers can use the RMS connector.

  2. On the SharePoint servers that communicate with the RMS connector, do one of the following:

  3. Enable IRM in SharePoint. When you follow these instructions, you must configure SharePoint to use the connector by specifying Use this RMS server, and then enter the load-balancing connector URL that you configured.

    Enter the protocol prefix (HTTP:// or HTTPS://) and the name of the connector that you defined in DNS for the load balanced address of your connector.

    For example, if your connector name is https://connector.contoso.com, your configuration will look like the following picture:

    [Image: SharePoint IRM settings with the connector URL entered]

    After IRM is enabled on a SharePoint farm, you can enable IRM on individual libraries by using the Information Rights Management option on the Library Settings page for each of the libraries.

Configuring a file server for File Classification Infrastructure to use the connector

To use the RMS connector and File Classification Infrastructure to protect Office documents, the file server must be running one of the following operating systems:

  • Windows Server 2016

  • Windows Server 2012 R2

  • Windows Server 2012

To configure file servers to use the connector

  1. Make sure that the file servers are authorized to use the RMS connector, by using the RMS connector administration tool and the information from the Authorizing servers to use the RMS connector section.

    This configuration is required so that your file servers can use the RMS connector.

  2. On the file servers configured for File Classification Infrastructure and that will communicate with the RMS connector, do one of the following:

    • Run the server configuration tool for Microsoft RMS connector

      For more information, see How to use the server configuration tool for Microsoft RMS connector.

      For example, to run the tool locally to configure a file server running FCI:

      .\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetFCI2012

    • Make manual registry edits by using the information in Registry settings for the RMS connector to manually add registry settings on the servers.

  3. Create classification rules and file management tasks to protect documents with RMS Encryption, and then specify an RMS template to automatically apply RMS policies.

    For more information, see File Server Resource Manager Overview in the Windows Server documentation library.

Next steps

Now that the RMS connector is installed and configured, and your servers are configured to use it, IT administrators and users can protect and consume email messages and documents by using the Azure Rights Management service.

To make this easy for users, deploy the Azure Information Protection client, which installs an add-on for Office and adds new right-click options to File Explorer.

For more information, see the Azure Information Protection client administrator guide.

Note that if you configure departmental templates that you want to use with Exchange transport rules or Windows Server FCI, the scope configuration must include the application compatibility option such that the Show this template to all users when the applications do not support user identity check box is selected.

You can use the Azure Information Protection deployment roadmap to check whether there are other configuration steps that you might want to do before you roll out Azure Rights Management to users and administrators.

To monitor the RMS connector, see Monitor the Microsoft Rights Management connector.

FAQs

Which feature is automatically enabled if you configure the Rights Management Connector for Exchange Server?

All accounts that you specify for the Exchange Server role in the connector configuration are granted the super user role in Azure RMS, which gives them access to all content for this RMS tenant. The super user feature is automatically enabled at this point, if necessary.

What is RMS connector server?

The RMS connector is a small-footprint service that you install on-premises, on servers that run Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. In addition to running the connector on physical computers, you can also run it on virtual machines, including Azure IaaS VMs.

How do I enable AIP service?

Run Get-AipService to confirm whether the protection service is activated. A status of Enabled confirms activation; Disabled indicates that the service is deactivated. To activate the service, run Enable-AipService.

How do I set up Azure Rights Management?

How to activate Azure rights management
  1. Search for Azure Information Protection and select Azure Information Protection.
  2. Select Protection activation from the Manage menu options.
  3. Click on the Activate option and then confirm the activation.
Aug 7, 2021

How do I set up RMS?

To configure your devices go to the RMS web page, Left sidebar panel, (Management → Devices) and click on Devices submenu. Scroll your mouse pointer to the Top control Configuration menu and select Configure device (Configuration → Configure device).

How do you check if AD RMS is enabled?

Step Verify the Ad Rms Functionality
  1. Log on to the Windows Vista workstation (userl@yourcompany.com).
  2. Launch Microsoft Word 2007.
  3. Click OK on the User Name dialog box.
  4. Type in few lines of text.
  5. Click the Microsoft Office button > Prepare > Restrict Permission, and then click Restricted Access.
Mar 18, 2022

What is the minimum number of connectors that you must install?

We recommend that each connector group has at least two connectors to provide high availability and scale. Having three connectors is optimal in case you may need to service a machine at any point. In general, the more users you have, the larger a machine you'll need.

What is Azure Rights Management license?

Azure Rights Management (Azure RMS) is the cloud-based protection technology used by Azure Information Protection. Azure RMS helps to protect files and emails across multiple devices, including phones, tablets, and PCs by using encryption, identity, and authorization policies.

What is Microsoft information protection?

Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution to protect sensitive data in documents and emails across your organization.

How do I enable AIP in Outlook?

Enable the following options in the organization settings of your Office 365 account. Activate the Data Protection and the Unified labeling options in AIP. Configure the labels in the Classification settings of AIP. Add and enable the PolicySensitivityLabelsEmailClassification key in the Workspace ONE UEM console.

How do I activate Information Rights Management?

If you're not already taken to the Office 365 Admin center, click the App Launcher on the top left, then click the Admin tile. Under Service Settings, click Rights Management. Click Manage, under Protect your information. Click Activate again.

How do you know if the AIP Azure Information Protection has been installed?

Once you have installed Azure Information Protection, you will see the AIP Classification menu below the Office Ribbon menu.

How do I configure my AIP scanner?

To configure and install your scanner:
  1. Start with PowerShell closed. ...
  2. Open a Windows PowerShell session with the Run as an administrator option.
  3. Run the Install-AIPScanner command to install your scanner on your SQL server instance, with the Cluster parameter to define your cluster name.
Aug 1, 2022

How do I enable Azure in Outlook?

How-to Activate Azure Rights Management for Office 365. Navigate to the Office 365 Admin Center. From the left menu, choose Settings > Services & add-ins. In the list of apps on the right, choose Microsoft Azure Information Protection.

How do I enable RMS template in Office 365?

Enabling Azure AD RMS Online for Office 365 tenant level
  1. Since the RMS is being serviced from Azure Portal, click on the Link to enable the services.
  2. Now, it gets navigated to Azure rights management Portal and click on Activate.
  3. Confirm once again by clicking on Activate.
  4. Now, RMS Online has been activated successfully.
Jun 23, 2019

How do I open Azure Information Protection?

Open the protected file (for example, by double-clicking the file or attachment, or by clicking the link to the file). If you are prompted to select an app, select Azure Information Protection Viewer. If you see a page to Sign in or Sign up: Click Sign in and enter your credentials.


Article information

Author: Terrell Hackett

Last Updated: 12/23/2022
