Azure RMS setup


  • Hi, In the process of setting up Azure RMS in my corp whiuch is included in our E3 subscription. (EMS)
    Ive read some articles on best practices for this, especially as we currently have a nhybrid exchange environment (which we plan to move all users to the cloud in the next few months)
    Ive setup the tenancy, activated RM in Azure, and installed the connector on a new server (vm).
    My question is, how will the RMS service run on the server? is there a need to create a dedicated 'service' (eg. serviceRMS) account? As i understand the account needed to run the admin tool needs to be a o365 global admin and i don't think it makes sense to have a o365 global admin called ServiceRMS pureley for this case. Is it common practise to use your own global admin account?
    Also i was looking into installing the azure rms powershell module to setup the serviceRMS account with minimal rights. is this the way forward?

    also how will this change once exchange is migrated to the cloud?

    Tuesday, April 4, 2017 7:17 AM

All replies

  • Greetings!

    I am assuming the questions are around the RMS connector and how it interacts with Azure RMS.

    When you install/configure the connector you log in as a tenant admin. A serviceprincipal is created in Azure for the connector to use. Your tenant admin account is not what the service runs as.

    When you authorize groups/account to use the connector serviceprincipals are created in Azure for them. You don't need to create anything manually.

    Use the Azure RMS PowerShell module to run the Get-AadrmAdminLog command. You'll see the service principals in use and returned in the GetConnectorAuthorizations call.


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, April 5, 2017 1:15 PM
  • Thanks. before i have read the response i had already created an additional 'service' account (synced from the local AD to Azure). when configuring the connector i use this account as i had moved it to a security group that has "connector administrartor" role.

    Is it safe to say this is not needed as the only users that will configure this are global admins already.

    Monday, April 10, 2017 10:22 AM
  • No, you are fine. If you use the Add-AadrmRoleBasedAdministrator PowerShell cmdlet in the AADRM module to create a connector administrator that is great! That is a non-privileged account that may be used to configure your connector and add/remove authorizations in it.

    Please feel free to use your connector admin account to manage your connectors. I was only talking about you didn't need to manually create and Azure AD service principal accounts as the connector does that part. But you creating a connector admin account to manage the connector administration tasks is fine.


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, April 14, 2017 12:13 PM
  • Hi,

    Had to put this project on hold to allow to complete the mailbox migration to the cloud.

    Issue I have at the moment is that when I try to use the 'Microsoft RMS connector administration tool', I ge the error 'That user name and password combination is not correct'.

    I have tried with the 'service' account (that has the connectorAdministrator role), my own account (that is a o365 global admin), and even the administrator for o365 (also a global admin).

    when running the following:

    Get-AadrmRoleBasedAdministrator -Role ConnectorAdministrator

    I can see the service account and my account under the connectoradministrator role.

    where can i check to see a log specific to this? the username and password are correct.

    any suggestions?

    Tuesday, August 1, 2017 3:00 PM