Azure AD RMS RRS feed

  • Question

  • There are two domains in the Office 365 portal. They are synchronized to the same Active Directory in the Azure portal automatically.

    I have some questions: 

    1. Does AD correspond to only the Azure RMS service?

    2. Are two domains assigned to different ADs? If so, how to operate? I tried deleting one domain in the Azure portal, and it did not display in the Office 365 portal at the same time. Then I added it to another AD in the Azure portal; this domain cannot be synchronized to Office 365. A domain user assigned the global admin role cannot operate the Azure portal.

    3. Whether one tenant can have two Azure RMS services.

    Tuesday, January 26, 2016 9:40 AM

Answers

  • Greetings,

    I was able to view the picture. I am not clear about some of your scenario but let me share what I can with what you've shown so far.

    First, you get one Azure RMS instance per tenant. Let's say I have SupportSteve.onmicrosoft.com as my O365 tenant. I may add many domains to my tenant. I'll add contoso.com and fabrikam.com to my tenant. I'll even verify them in O365.

    With this in place I'll activate/enable Azure RMS in O365. If I have an E3 or E4 tenant Azure RMS licenses are included. Otherwise I'll need to get a standalone RMS subscription or some other one that has Azure RMS in it.

    Users signing in to any of the three domains, SupportSteve, Contoso, or Fabrikam, will be able to use Azure RMS. In cases I've worked with customers they usually have a lot of domains in their tenants, and their users synchronized to O365 have proxyAddress attributes for multiple domains for a single user. In this case my account would have steve@supportsteve.onmicrosoft.com, steve@contoso.com, and steve@fabrikam.com for its user account. As long as there is a verified domain in O365 for each email suffix, that address is a valid identity that may be used to send and receive protected content.

    The above is all related to one O365 tenant with multiple verified domains in it.

    Now, to your Azure portal diagram. I am not sure how the O365 environment above would appear in the AD section of the portal. However, your screenshots look like my Azure AD where I have two different ADs. One AD is my O365 one and another is the freebie one I get from my MSDN subscription. These are two separate domains, not related to each other. Azure RMS would be enabled separately for each. Although I have .onmicrosoft.com, contoso.com, and fabrikam.com domains in my O365 tenant, in my Azure portal that shows as only one AD.

    Since I own both the ADs in my Azure Portal I can add users between them. However only users that exist in the O365 tenant are able to create RMS protected content using that Azure RMS server.

    I hope this made some sense.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by lptian Thursday, January 28, 2016 6:14 AM
    Wednesday, January 27, 2016 1:44 PM

All replies

  • Hi,

    On 1. and 2. I can't understand your question, please try to explain better.

    On 3.: Only one Azure RMS Service can be used. But you can configure based on Groups, which Users (or Domains) will receive their corresponding RMS Templates. Same is true for the Permissions.


    Tuesday, January 26, 2016 2:08 PM
  • Please look at the below illustration.

    Illustration 1: shows two ADs, which contain different domains. By default, all domains are synchronized to one AD (obscured in the illustration) from the Office 365 portal. I created an AD called 'Test'. If I want to add one domain to the 'Test' AD, first this domain and the users in this domain should be deleted from the AD obscured in the illustration; at the same time this domain does not display in the Office 365 portal. I add this domain to the 'Test' AD. This domain cannot be synchronized to the Office 365 portal, because this domain has been verified in Azure. I only created a user assigned global admin in Azure, but the user cannot use resources in Azure. What permissions and licenses does this user need? By the way, do you know the domain synchronization mechanism between Office 365 and Azure?

    Illustration 2: click the 'Rights Management' button in the ribbon; one AD seems to correspond to one Azure RMS service by design. If one tenant has two domains, it seems to have two Azure RMS services. I activate the 'Test' AD using another domain user, and an error occurs:

    "Cannot detect Rights Management (RMS) support for Test. To use RMS with this tenant, you must have a subscription that supports RMS.
    To get a subscription, sign in as a global administrator using your work or school account for Test, and then activate RMS."

    I am not allowed to post pictures. Can you leave your email?

    I uploaded the pictures into OneDrive and shared them. I can't confirm whether you can open them. Have a try. The link cannot be posted either.

    http protocol  +   onedrive.live.com/redir?resid=4AF16AFA0335921A!112&authkey=!ABTkqskl6kXQj7Q&ithint=folder%2cPNG
    • Edited by lptian Wednesday, January 27, 2016 9:34 AM
    Wednesday, January 27, 2016 8:11 AM
  • Thanks very much! I see!

    I have another question.

    What I understand from "their users synchronized to O365 have proxyAddress attributes for multiple domains for a single user" is that, let's say, I have a user steve@fabrikam.com whose proxyAddress attributes may be set to a set of steve@contoso.com and steve@fabrikam.com. Is it correct? If this is the case, how to assign values to the proxyAddress attributes? From the GUI or PowerShell?

    I created the 'Test' AD manually. What is the scenario for using multiple ADs?

    Thursday, January 28, 2016 6:14 AM
  • I do RMS support so I don't have full expertise with the O365/Identity stuff. :)

    I believe you set the proxyAddresses attribute values on the AD user that is synchronized to the cloud.

    Users have UPN, mail, and proxyAddresses attributes that may contribute email address for that user.

    Remember, just because you have an address in your proxyAddresses attribute does not mean that address is valid for Azure RMS purposes. For Azure RMS to grant that address licenses you must verify the domain for that address, in O365 (or however you verify the domain in Azure AD).

    In our example you'd probably have fabrikam.com verified since it's your primary address. You could have @contoso.com for a proxyAddresses value. However you would not be able to open content sent to the user's @contoso.com address unless you have contoso.com verified in your tenant.

    /Steve


    Steve L [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, January 28, 2016 1:15 PM
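As an added example (not from this thread or from Microsoft), a PowerShell snippet that adds a secondary proxyAddresses value on an on-premises AD user that is synchronized to the cloud, and then audits every synced user for SMTP aliases whose domain is not verified in the tenant, which is the condition Steve describes above under which an address cannot be used for Azure RMS. The ActiveDirectory and MSOnline modules, the OU path and the identities are assumptions.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module (on-premises AD)
# and the MSOnline module (Azure AD of that era); the OU path and identities are placeholders.

function Get-UnverifiedProxyAddresses {
    param(
        [Parameter(Mandatory)] [string[]] $ProxyAddresses,   # e.g. "SMTP:steve@fabrikam.com"
        [Parameter(Mandatory)] [string[]] $VerifiedDomains   # e.g. "fabrikam.com"
    )
    $verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($entry in $ProxyAddresses) {
        # Only smtp:/SMTP: entries are email identities; skip x500:, sip:, etc.
        # -match is case-insensitive by default, so both primary (SMTP:) and secondary (smtp:) match.
        if ($entry -match '^smtp:(?<addr>[^@]+@(?<domain>.+))$') {
            $domain = $Matches['domain'].ToLowerInvariant()
            if ($verified -notcontains $domain) {
                # This alias will not be granted Azure RMS licenses until its domain is verified.
                [pscustomobject]@{ Address = $Matches['addr']; Domain = $domain }
            }
        }
    }
}

# 1. Add a secondary SMTP alias to the synchronized AD user (constructed identity).
#    Lowercase "smtp:" marks a secondary address; uppercase "SMTP:" marks the primary one.
Set-ADUser -Identity steve -Add @{ proxyAddresses = 'smtp:steve@contoso.com' }

# 2. Pull the verified domains from the tenant and audit every synced user in the OU.
Connect-MsolService
$verifiedDomains = (Get-MsolDomain -Status Verified).Name

Get-ADUser -Filter * -SearchBase 'OU=Users,DC=example,DC=local' -Properties proxyAddresses |
    ForEach-Object {
        $user = $_
        if (-not $user.proxyAddresses) { return }   # no aliases on this account, skip it
        Get-UnverifiedProxyAddresses -ProxyAddresses @($user.proxyAddresses) `
                                     -VerifiedDomains $verifiedDomains |
            Select-Object @{ n = 'User'; e = { $user.SamAccountName } }, Address, Domain
    }
```

Any row in the output is an alias that exists in the directory but will fail for protected content until its domain is added and verified in the O365 tenant.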