RMS – Rights Management Service
Rights Management is a protection mechanism that uses encryption, identity and authentication to protect your emails and documents from unauthorized access. Imagine that your emails and documents are a hamster and Rights Management is the hamster’s protective ball: the hamster is inside the ball, and if you are not the owner of the hamster and you try to touch it, it will probably bite you.
IRM – Information Rights Management
IRM stands for Information Rights Management / Azure Rights Management. Let’s talk about the history of IRM.
IRM is the older version of RMS. You could only find it in the Office 365 portal, and now that AIP is available, IRM has become a component within AIP. I think Microsoft plans to slowly decommission / move away from IRM, because I’ve noticed that the usual method of modifying IRM templates has been closed since January 2018. The usual way to modify IRM templates was through the old Microsoft Azure portal. Now the only way to modify the templates is through PowerShell.
Anyway, it also has its own separate activation via the GUI:
- For Exchange Online IRM, activate it from the Office 365 portal > Admin > Settings > Services & add-ins > Rights Management / Azure Information Protection
- For SharePoint Online, activate it from the Office 365 portal > Admin > Admin center > SharePoint > Settings > select “Use the IRM service specified in your organization” > Refresh IRM settings
Or you could just use PowerShell to activate IRM (make sure you have all the requirements ready):
- Connect to AADRM services
- Type in the PowerShell “Enable-Aadrm”
Yeah, so the steps are not brain surgery. What I like about PowerShell is that its code is understandable just by looking at it. If you compare PowerShell and C++, then you know what I mean.
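To put the two PowerShell points above (activation, and template changes now being PowerShell-only) into one runnable session, here is an added example. It is my own illustration, not a script from the original post; it assumes the AADRM PowerShell module is installed, that you hold a tenant admin role, and that values in angle brackets are placeholders you replace with your tenant’s own values:

```powershell
# Added example (not from the original post). Assumes the AADRM module is installed
# and the account used has admin rights on the tenant. <...> values are placeholders.

# 1. Connect to the Azure RMS (AADRM) service; you are prompted for credentials.
Connect-AadrmService

# 2. Show whether the service is already active, then activate it.
#    Enable-Aadrm is the cmdlet the post refers to.
Get-Aadrm
Enable-Aadrm

# 3. Review the tenant's templates, which is the PowerShell-only management
#    route the post mentions. Status tells you whether a template is Published
#    (visible to users) or Archived.
Get-AadrmTemplate | Select-Object TemplateId, Names, Status

# 4. Tighten one template to view-only rights for a single group and keep it
#    published. The template GUID comes from the output of step 3.
$viewOnly = New-AadrmRightsDefinition -EmailAddress '<group-address@contoso.com>' -Rights 'VIEW'
Set-AadrmTemplateProperty -TemplateId '<template-guid>' -RightsDefinitions $viewOnly -Status Published

# 5. Exchange Online side: point Exchange Online at the Azure RMS tenant and
#    verify that a real mailbox can use it. This part needs an Exchange Online
#    PowerShell session (Connect-ExchangeOnline from ExchangeOnlineManagement).
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
Test-IRMConfiguration -Sender '<user@contoso.com>'

# 6. Drop the AADRM session when done.
Disconnect-AadrmService
```

Step 4 is the one to be careful with: `-RightsDefinitions` replaces the template’s whole rights list rather than appending to it, so pass every group that should keep access, not only the one you are changing.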
- IRM can’t protect documents that are not from Office apps
- IRM can’t provide you much tracking detail about your protected documents
- Exchange Online IRM and SharePoint Online IRM have different IRM management
- SharePoint Online IRM is based on a site, not the whole of SharePoint Online
- In SharePoint Online IRM, you apply IRM to a list or library
- The GUI can no longer be used to configure IRM templates
- IRM needs manual activation
- The license required is Microsoft Enterprise E3 or E5
- Doesn’t support mobile
- Longer propagation to end users (may take up to 2 hours; the same goes for DLP labeling)
- End users have to select “Connect to Rights Management” in Outlook
AIP – Azure Information Protection
AIP is the new, advanced technology/mechanism of RMS; it breaks through the limitations of IRM. You can only see and manage AIP in the Microsoft Azure portal (yes, you can still see it as an “Advanced feature” under Services & add-ins in the Office 365 portal). The capability of AIP is, I can tell you, quite mind-blowing for me. It combines IRM and DLP’s sensitive-information mechanism to produce an advanced method of protecting data.
To understand how to use AIP (this is what worked for me, and I hope it helps you too), you must understand the steps to deploy and implement it. There are 6 major points:
- Label – Parent Label? or Sub Label?
- Permission – View Only? Read Only?
- DLP Sensitive Information – Trigger the label automatically?
- Apply to – Sales Department? External parties?
- Policy – Who will hold this label as admin?
- Label Admin – Sales Admin hold this label as admin
The minor points would be the notification, policy tips, access expiration date and so on.
Sadly, AIP doesn’t provide the capability to prevent data leaks. Wait! Why not integrate AIP with the DLP block policy function? Yes, you could do that, and that is Microsoft’s recommendation. DLP is Data Leak Protection (license: Microsoft Enterprise E3 or E5).
At minimum you could get the AIP Plan 1 license for your global admins and users, so they have permission to use AIP. Once you buy the AIP license and apply it, AIP is automatically activated for your organization (Exchange Online, OneDrive, and SharePoint Online). (Chill, this won’t impact your users yet.)
- AIP can be applied to non-Office-app documents too
- AIP users need the AIP application installed on their devices for it to be visible to them (PC or mobile or both; you could deploy Intune to push the application executable through an Intune policy and then force-apply the policy to users’ devices, just make sure the users’ devices are Intune managed)
- With AIP, users can track their documents: where it is, who has it, who opened it, who tried to access it. The AIP user who applied the AIP label has permission to revoke a user’s (or users’) access to a document, and can also track when the document was opened, etc.
- Faster propagation to end users (less than 5 minutes)
- Easy to manage for global admins
- A lot more automation than IRM
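Two of the points above, labeling non-Office files and seeing which documents are protected, can be exercised from the AIP client’s own PowerShell module. The following is an added example of mine, not something from the original post; it assumes the AIP client is installed on the machine (it ships the AzureInformationProtection module), that the signed-in user has the label in their AIP policy, and that the folder path and `<label-guid>` are placeholders:

```powershell
# Added example (not from the original post). Assumes the AIP client and its
# AzureInformationProtection module are installed and the current user has the
# label in their policy. The folder and <label-guid> are placeholders.

Import-Module AzureInformationProtection

# Label a PDF, i.e. a non-Office file, which IRM alone could not protect.
# The label GUID is copied from the label's page in the Azure portal.
Set-AIPFileLabel -Path 'C:\Data\contract.pdf' -LabelId '<label-guid>'

# Audit a folder: report each file's label and whether it carries RMS protection.
# Get-AIPFileStatus accepts file paths from the pipeline, so Get-ChildItem drives it.
Get-ChildItem -Path 'C:\Data' -File -Recurse |
    Get-AIPFileStatus |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected, RMSTemplateName, RMSOwner |
    Format-Table -AutoSize

# The gap to watch for: files that have a label but no protection. A label only
# protects if it was configured to apply protection, so these are the files that
# look classified but are still readable by anyone who obtains a copy.
Get-ChildItem -Path 'C:\Data' -File -Recurse |
    Get-AIPFileStatus |
    Where-Object { $_.IsLabeled -and -not $_.IsRMSProtected } |
    Select-Object FileName, MainLabelName
```

The last query is the one I would schedule: a label without protection gives you classification and tracking metadata but none of the encryption that RMS is about, so the list it produces is your list of labels (or sub-labels) that still need “protect” turned on.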
*Note for RMS (IRM & AIP)
- Office web apps don’t support opening RMS-protected documents
- Office web apps don’t support applying RMS
Choose either IRM or AIP to deploy. Don’t activate both in a production environment!