Gain/Grant access to Azure rights protected files of Ex-Employee

  • Question

  • Hello,


    We will soon be rolling out Azure RMS in our organization. We have our custom RMS templates to be published for the users. There is a viewer template that allows View, Reply and Reply All protection to files. An employee has some files which he has protected using this template and now he is no longer with the company. How can I (as an admin) access those files? I believe we can have full access added to the admin group for those templates. That way admins can recover the data. However, in our case we want that ex-employee's manager to go through his data. He is not an admin. How can we change rights for those files so that the ex-employee's manager can access them?


    All I could think of was that I, as an admin, will have to access that file and change the rights of that file. What if there are thousands of such files? How can this be made easier in such litigation requests?

    Please suggest.


    • Moved by Sowmya K R Friday, April 24, 2015 3:40 PM Moving to the Appropriate Forum
    Friday, April 24, 2015 12:08 PM

Answers

  • Hello,

    Azure RMS, like its sibling AD RMS, has a Super User feature. A super user is able to open any content protected by that RMS server. Super users are granted that role in RMS. This does not hinge on any AD account rights or permissions.

    To manage the super user functionality in Azure RMS you'll use the Azure Rights Management Cmdlets. Just search on the word "super" in the above link and you'll see the cmdlets for managing the super user.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, April 24, 2015 4:23 PM

All replies

  • Hello,

    Thank you for your post. We are checking on the query and would get back to you soon on the same.

    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,

    Neelesh

    Friday, April 24, 2015 3:50 PM
  • Thanks Steve.

    I did enable the superuser feature first (Enable-AadrmSuperUserFeature) and then added a superuser (Add-AadrmSuperUser -EmailAddress "myadmin.user@mycompany.com"). However, I am not sure how I would proceed to recover the data using this superuser account now. Could you please guide me, as I'm very new to this?

    P.S. - We have created an AD account in our domain for this "myadmin.user" and assigned him a mailbox on our O365 cloud tenant, since we have AD authentication in our environment.

    Thanks and Regards

    Rohit Babar

    Monday, April 27, 2015 6:39 AM
  • Rohit,

    Once you have an account that is a super user, you log in to a workstation using that account. When I say logged in, your Office apps should also be logged in as that super user. Then you should be able to open anything protected by that RMS server.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, April 27, 2015 1:42 PM
  • This is exactly what I tried. However, it still didn't work. Let me tell you what I did exactly. I logged into a computer with my domain account. I see my Office apps logged in with my id: rohit.b@mycompany.com. I created an Excel file on a shared drive or my computer. I went to the Info tab to restrict everyone to view-only access. Tomorrow, let's say, I'm no longer with the company.

    I had created a user in our domain: azure.superuser@mycompany.com and I ran those two commands using the Exchange Online PowerShell command prompt. I ran those commands using one of the Exchange global admin credentials.

    Enable-AadrmSuperUserFeature

    Add-AadrmSuperUser -EmailAddress "azure.superuser@mycompany.com"

    One of the admins logged into a computer with azure.superuser domain account, opened the shared drive and tried to access the file I created. He still sees that file as View Only. He cannot change permissions to that file. The office apps are logged in as azure.superuser@mycompany.com.

    Did I miss something?

    Monday, April 27, 2015 7:13 PM
  • I added one more user (xyz.testadmin@mycompany.com) as SuperUser. This user is a tenant admin in O365 and also a part of a group "Azure Admins" which has the Global Admin role in Azure AD.

    Add-AadrmRoleBasedAdministrator -SecurityGroupDisplayName "Azure Admins"

    This user was able to retain the data and change rights of other users from a workstation. So is it a requirement that the SuperUser should be a global admin and/or tenant admin too?

    Tuesday, April 28, 2015 11:02 AM
  • I believe I found the issue. We have a hybrid Exchange setup in our org. I made azure.superuser@mycompany.com the SuperUser; however, the primary SMTP is azure.superuser@mycompany.onmicrosoft.com. I added this email address to the superusers in AADRM, and it worked.

    Thanks.

    Wednesday, April 29, 2015 10:18 AM
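
The check that the last post's finding points to, as an added example (not part of the original thread and not Microsoft's code): register the super user under the mailbox's primary SMTP address, then revoke the role once recovery is done. It assumes Connect-AadrmService has been run and that an Exchange Online PowerShell session provides Get-Mailbox; the function names Grant-RecoverySuperUser and Revoke-RecoverySuperUser are hypothetical.

```powershell
# Added example. Assumptions: AADRM module loaded and connected with
# Connect-AadrmService; Exchange Online session available for Get-Mailbox.
# Function names are hypothetical; the account name is the one from the thread.

function Grant-RecoverySuperUser {
    param([Parameter(Mandatory)][string]$Account)

    # Resolve the address the cloud mailbox actually uses as primary SMTP.
    # In a hybrid setup this can differ from the on-premises address.
    $mailbox = Get-Mailbox -Identity $Account -ErrorAction Stop
    $primary = [string]$mailbox.PrimarySmtpAddress
    if ($primary -ne $Account) {
        Write-Warning "Primary SMTP is $primary, not $Account; using $primary."
    }

    # Turn the feature on only if it is not already enabled.
    if ((Get-AadrmSuperUserFeature | Out-String) -notmatch 'Enabled') {
        Enable-AadrmSuperUserFeature
    }

    # Add the primary address unless it is already listed. Matching on the
    # rendered text avoids assuming the shape of the cmdlet's output objects.
    $listed = Get-AadrmSuperUser | Out-String
    if ($listed -notmatch [regex]::Escape($primary)) {
        Add-AadrmSuperUser -EmailAddress $primary
    }

    Get-AadrmSuperUser   # show the resulting list for the change record
    return $primary
}

function Revoke-RecoverySuperUser {
    param([Parameter(Mandatory)][string]$PrimaryAddress)

    # Remove the role as soon as the recovery work is finished, and switch
    # the feature off so no account can open all protected content.
    Remove-AadrmSuperUser -EmailAddress $PrimaryAddress
    Disable-AadrmSuperUserFeature
    Get-AadrmSuperUserFeature
}

$addr = Grant-RecoverySuperUser -Account 'azure.superuser@mycompany.com'
# ... open and re-protect the ex-employee's files as this account ...
Revoke-RecoverySuperUser -PrimaryAddress $addr
```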