Managing Azure Active Directory Rights Management

Posted in 2013. Tags: aadrm, dirsync, encryption, IAmMEC, journal, journaling, licence, mcm, mcsm, MVP, Office 365, rms, transport agent

This article is the third in a series of posts looking at Microsoft’s new Rights Management product set. In the previous post we looked at turning on the feature in Office 365 and in this post we will look at how to manage the service in the cloud.

In this series of articles we will look at the following:

The items above will become links as the articles are released – so check back, or leave a comment on the first post in the series and I will let you know when new content is added.

Once you have signed up for the Azure Active Directory Rights Management (AADRM) Service there are a few things that you need to manage. These are:

  • The service itself
  • The users who are allowed to create RMS protected content
  • Super User rights, if required (enabling and configuring them)

Managing AADRM

There is not a lot to do in the Office 365 admin web pages with regard to managing the service, apart from enabling it (which we covered in the previous post) and disabling it. Disabling the service involves the same steps as enabling it – you just click the big deactivate button!

AADRM can be managed further with PowerShell, though. There are lots of blog posts on connecting to Office 365 using PowerShell, and some of those also include the cmdlets to connect to Exchange Online. The code below builds on those: it connects to Office 365 and Exchange Online, then loads the AADRM module and connects to the AADRM service in the cloud.

# Prompt once and reuse the same credential for all three services
$cred = Get-Credential
Write-Host "Username: " $cred.UserName

# Windows Azure Active Directory (MSOnline module)
Connect-MsolService -Credential $cred
Write-Host "...connected to Office 365 Windows Azure Active Directory"

# Exchange Online remote PowerShell session
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
$importresults = Import-PSSession $s -Verbose
Write-Host "...connected to Exchange Online"

# Azure Active Directory Rights Management (AADRM module, installed separately - see below)
Import-Module AADRM
Connect-AadrmService -Verbose -Credential $cred

If you save the above PowerShell code as a text file with a .ps1 extension you can run the script and connect to Office 365 with the credentials you enter, then to Exchange Online with the same credentials and finally to AADRM with, of course, the same credentials again. This lets you manage users, email and security from a single session.

To get the AADRM PowerShell module on your computer (so that Import-Module AADRM works) you need to download the Rights Management PowerShell administration module from http://go.microsoft.com/fwlink/?LinkId=257721 and then install it.

To install you need to have already installed the Microsoft Online Services Sign-In Assistant 7.0 and PowerShell 2.0. The PowerShell config file needs some settings adding to it, though I found on my Windows 8 PC that these had already been done. See the instructions at http://technet.microsoft.com/en-us/library/jj585012.aspx for this change to the config file.

  1. Run a PowerShell session and load the module with
    1. Import-Module AADRM
    2. Connect-AadrmService -Verbose
  2. Log in when prompted with a user that has Global Admin rights in Office 365.
  3. Or use the script above to connect to Office 365, Exchange Online and AADRM in a single console.
  4. Run Get-Aadrm to check that the service is enabled.

Enabling Super User Rights

Super Users in RMS are accounts that can decrypt any content protected with that RMS system. You do not need Super User rights to use RMS, and nobody in the organisation needs to hold them for the product to work, but there are times when they are required. One example is a discovery or compliance process, where someone has to be able to open any RMS protected document to look for hits on the compliance issue in question. Super User grants that right, but it should be held only for the duration of the task that needs it: grant it when required and, just as importantly, remove it as soon as the task is finished, keeping a note of who held it and when.

Another use of Super User is when a process, rather than a person, needs to see content in its unprotected form. The common case is Exchange Server and its transport decryption. Exchange runs agents against each message that look for something and act when it is found. You would not want a virus to bypass the built-in AV features of Exchange Server 2013 simply because it was protected with RMS, and you would not want a disclaimer transport rule or a DLP policy to miss the content, and so fail to act on it, because the content was encrypted. The same goes for journaling, where you can journal a clear text copy of the message alongside the encrypted one if you wish.

To do all this in Exchange Server the RMS Super User feature needs to be enabled. The specifics for Exchange will be covered in a later post; first we need to enable the feature in AADRM and set the users who will be Super Users, and then, when whatever required Super User is finished, turn it off again.

The Rights Management super users group is a special group that has full control over all rights-protected content managed by the Rights Management service. Its members are granted full owner rights in all use licenses that are issued by the subscriber organization for which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it for content previously protected within that organization.

By default the super users feature is not enabled and no groups or users are members of it. To turn the feature on, run Enable-AadrmSuperUserFeature from the AADRM PowerShell console. The opposite cmdlet, Disable-AadrmSuperUserFeature, turns it off again!

Once it is enabled you can make Office 365 users Super Users. To do this run Add-AadrmSuperUser –EmailAddress user@domain.com, where the user is either a cloud-only Office 365 account or one that you have pushed to Office 365 using DirSync from your on-premises Active Directory. You can add more than one user; run the cmdlet once per user.

To see your list of Super Users, run Get-AadrmSuperUser. To remove users, either take them out one by one (Remove-AadrmSuperUser –EmailAddress user@tenant.onmicrosoft.com) or turn the whole feature off with Disable-AadrmSuperUserFeature. If you only disable the feature, check Get-AadrmSuperUser again the next time you enable it, because the membership list may be retained rather than cleared.
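The grant-then-remove pattern described above, as an added example that is not code from the original post. It wraps a task in Super User rights for one account and revokes them in a finally block so they do not linger if the task fails, writing a simple audit line for each change. It assumes Connect-AadrmService has already been run in the session; the function name Invoke-WithAadrmSuperUser, its parameters, the log path and the reviewer address are this example's own, and it assumes Get-AadrmSuperUserFeature (not mentioned in the post) reports Enabled or Disabled.

```powershell
# Added example, not from the original post. Assumes an AADRM session is already
# connected. Function name, parameters, log path and addresses are made up here.
function Invoke-WithAadrmSuperUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$EmailAddress,   # account that needs to decrypt
        [Parameter(Mandatory)] [scriptblock]$Task,      # the discovery/compliance work
        [string]$LogPath = (Join-Path $env:TEMP 'aadrm-superuser.log')
    )

    function Write-AuditLine([string]$Message) {
        # Who changed Super User membership, when, and what they did
        $line = '{0:u} {1} {2}' -f (Get-Date), $env:USERNAME, $Message
        Add-Content -Path $LogPath -Value $line
        Write-Verbose $line
    }

    # Capture the starting state so the finally block can restore it exactly.
    # Assumption: Get-AadrmSuperUserFeature returns 'Enabled' or 'Disabled'.
    $featureState = [string](Get-AadrmSuperUserFeature)
    $before       = @(Get-AadrmSuperUser)
    Write-AuditLine "Feature=$featureState; existing super users: $($before -join ', ')"

    if ($before -contains $EmailAddress) {
        throw "$EmailAddress is already a Super User; review Get-AadrmSuperUser before continuing."
    }

    try {
        if ($featureState -ne 'Enabled') {
            Enable-AadrmSuperUserFeature
            Write-AuditLine 'Enabled Super User feature'
        }
        Add-AadrmSuperUser -EmailAddress $EmailAddress
        Write-AuditLine "Added $EmailAddress"

        & $Task
    }
    finally {
        # Always revoke, even if the task threw or was interrupted.
        Remove-AadrmSuperUser -EmailAddress $EmailAddress
        Write-AuditLine "Removed $EmailAddress"
        if ($featureState -ne 'Enabled') {
            Disable-AadrmSuperUserFeature
            Write-AuditLine 'Disabled Super User feature'
        }
        # Verify the revocation rather than trusting it
        if (@(Get-AadrmSuperUser) -contains $EmailAddress) {
            Write-Warning "$EmailAddress is still listed as a Super User - remove manually"
        }
    }
}

# Usage: give a compliance reviewer decryption rights only while the search runs.
Invoke-WithAadrmSuperUser -EmailAddress 'reviewer@contoso.onmicrosoft.com' -Verbose -Task {
    # Put the discovery work here, run under the reviewer's account.
    Read-Host 'Press Enter when the discovery task is finished'
}
```

The point of the finally block is that Super User is an organisation-wide decryption right; the revocation must not depend on the task completing cleanly, and the log gives you something to check against Get-AadrmSuperUser afterwards.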

Adding AADRM Licences to Users

Once you have AADRM activated you can give your users the right to create protected content. This is done on the licensing page of the Office 365 web admin portal or via PowerShell. The steps for adding user licences in the shell are discussed at http://c7solutions.com/2011/07/assign-specific-licences-in-office-365-html. That article was written some time ago, so the following are the values you need for AADRM:

  • The SkuPartNumber for AADRM is RIGHTSMANAGEMENT_ADHOC
  • The Service Plan for the AADRM SKU is RMS_S_ADHOC

Assign Specific Licences in Office 365 Via PowerShell

Posted in 2010. 18 comments. Tags: exchange, exchange online, federation, licence, mcm, Office 365


To add specific licences to users in Office 365 without using the portal, and to assign subsets of the licences available, requires two things. First you need to enumerate the licences and their service plans, then you need to assign the licence options you have created to your users. Unlike the portal, this can be performed in bulk and is repeatable.

First, enumerate the licence plans and create your own licence options:

  1. Open Microsoft Online Services Module for Windows PowerShell and connect to the service
    • $cred = Get-Credential
    • Connect-MsolService -Credential $cred
  2. Get-MsolAccountSku | Format-Table AccountSkuId, SkuPartNumber
    • The second column in this list is referenced in the next command as [SkuPartNumber]; the first column (tenantname:SkuPartNumber) is the AccountSkuId used in step 5
  3. $ServicePlans = Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "[SkuPartNumber]"}
  4. $ServicePlans.ServiceStatus
    • This returns all the service plans in that SKU
  5. $MyO365Sku = New-MsolLicenseOptions -AccountSkuId [tenantname:AccountSkuId] -DisabledPlans Comma_Separated_List_Of_Plan_Names_From_ServiceStatus_Output

Secondly you need to assign the licence to the user(s):

  1. Set-MsolUser -UserPrincipalName user@domain.com -UsageLocation GB
  2. Set-MsolUserLicense -UserPrincipalName user@domain.com -AddLicenses [tenantname:AccountSkuId] -LicenseOptions $MyO365Sku
  3. Repeat for any other licences you want to apply for other users or other licence options you want to apply to this user.
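The two-stage procedure above, carried out for the AADRM licence (SkuPartNumber RIGHTSMANAGEMENT_ADHOC and plan RMS_S_ADHOC, as given in the AADRM post), as an added example that is not code from the original post. Rather than copying plan names from a list, it reads the plans from the tenant's own SKU, disables every plan except the ones you name, sets the usage location where it is missing, and handles users who already hold the SKU. It assumes Connect-MsolService has already been run; the function name Grant-O365Plan, the default usage location and the user names are this example's own.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService has
# already been run. Function name, usage location and user names are made up here.
function Grant-O365Plan {
    param(
        [Parameter(Mandatory)] [string]$SkuPartNumber,      # e.g. RIGHTSMANAGEMENT_ADHOC
        [Parameter(Mandatory)] [string[]]$KeepPlans,        # e.g. RMS_S_ADHOC
        [Parameter(Mandatory)] [string[]]$UserPrincipalName,
        [string]$UsageLocation = 'GB'
    )

    # Resolve the SKU once; AccountSkuId carries the tenant prefix (tenant:SKU).
    $sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant" }

    # Build the disabled list from the tenant's own plan names, not a hard-coded copy.
    $allPlans = @($sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName })
    $unknown  = @($KeepPlans | Where-Object { $allPlans -notcontains $_ })
    if ($unknown.Count) { throw "Plan(s) not in ${SkuPartNumber}: $($unknown -join ', ')" }
    $disabled = @($allPlans | Where-Object { $KeepPlans -notcontains $_ })

    $options = if ($disabled.Count) {
        New-MsolLicenseOptions -AccountSkuId $sku.AccountSkuId -DisabledPlans $disabled
    } else {
        New-MsolLicenseOptions -AccountSkuId $sku.AccountSkuId
    }

    foreach ($upn in $UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

        # A usage location must be set before any licence can be assigned.
        if (-not $user.UsageLocation) {
            Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
        }

        if ($user.Licenses.AccountSkuId -contains $sku.AccountSkuId) {
            # Already holds the SKU: only adjust which plans are enabled.
            Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $options
        } else {
            Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku.AccountSkuId -LicenseOptions $options
        }

        [pscustomobject]@{ User = $upn; Sku = $sku.AccountSkuId; DisabledPlans = ($disabled -join ',') }
    }
}

# Usage: enable only RMS_S_ADHOC from the AADRM SKU for two (made-up) users.
Grant-O365Plan -SkuPartNumber 'RIGHTSMANAGEMENT_ADHOC' -KeepPlans 'RMS_S_ADHOC' `
    -UserPrincipalName 'alice@contoso.onmicrosoft.com', 'bob@contoso.onmicrosoft.com'
```

Passing -DisabledPlans an array is what New-MsolLicenseOptions expects; a comma-separated list typed at the prompt is parsed by PowerShell into the same array, which is why both forms work.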

For reference, the SkuPartNumbers and service plans that we discovered are listed below. Plan names change as Microsoft adds services, so enumerate your own tenant with Get-MsolAccountSku rather than relying on this list:

Inside ENTERPRISEPREMIUM_NOPSTNCONF (E5 without PSTN Conferencing) Sku:

  • EQUIVIO_ANALYTICS
  • LOCKBOX_ENTERPRISE
  • EXCHANGE_ANALYTICS
  • SWAY
  • ATP_ENTERPRISE
  • MCOEV
  • BI_AZURE_P2
  • INTUNE_O365
  • PROJECTWORKMANAGEMENT
  • RMS_S_ENTERPRISE
  • YAMMER_ENTERPRISE
  • OFFICESUBSCRIPTION
  • MCOSTANDARD
  • EXCHANGE_S_ENTERPRISE
  • SHAREPOINTENTERPRISE
  • SHAREPOINTWAC

Inside ENTERPRISEPREMIUM (E5) Sku:

  • EQUIVIO_ANALYTICS
  • LOCKBOX_ENTERPRISE
  • EXCHANGE_ANALYTICS
  • SWAY
  • ATP_ENTERPRISE
  • MCOEV
  • BI_AZURE_P2
  • INTUNE_O365
  • PROJECTWORKMANAGEMENT
  • RMS_S_ENTERPRISE
  • YAMMER_ENTERPRISE
  • OFFICESUBSCRIPTION
  • MCOSTANDARD
  • EXCHANGE_S_ENTERPRISE
  • SHAREPOINTENTERPRISE
  • SHAREPOINTWAC
  • MCOMEETADV (PSTN Conferencing)
  • BPOS_S_TODO_2 (To Do)
  • FLOW_O365_P2 (Flow)
  • FORMS_PLAN_E3
  • POWERAPPS_O365_P3
  • STREAM_O365_E3
  • TEAMS1

Inside ENTERPRISEPACK (E3) Sku:

  • YAMMER_ENTERPRISE (Yammer – though you cannot apply this individually or disable it individually, so ignore it for the purposes of this script)
  • OFFICESUBSCRIPTION (this is Office Professional Plus)
  • MCOSTANDARD (this is Skype for Business Online)
  • SHAREPOINTWAC (this is Office Web Apps)
  • SHAREPOINTENTERPRISE
  • EXCHANGE_S_ENTERPRISE (Exchange Plan 2)
  • RMS_S_ENTERPRISE (Azure Rights Management)
  • INTUNE_O365 (Mobile Device Management for Office 365)
  • SWAY
  • BPOS_S_TODO_2 (To Do)
  • FLOW_O365_P3 (Flow)
  • FORMS_PLAN_E5
  • POWERAPPS_O365_P3
  • STREAM_O365_E5
  • TEAMS1
  • MCOEV
  • LOCKBOX_ENTERPRISE
  • BI_AZURE_P2
  • THREAT_INTELLIGENCE
  • EQUIVIO_ANALYTICS

Inside Enterprise Mobility Pack (EMS)

  • RMS_S_PREMIUM
  • INTUNE_A
  • RMS_S_ENTERPRISE
  • AAD_PREMIUM
  • MFA_PREMIUM

Inside ENTERPRISEPACKWITHOUTPROPLUS sku

  • YAMMER_ENTERPRISE
  • SHAREPOINTWAC
  • SHAREPOINTENTERPRISE
  • RMS_S_ENTERPRISE
  • MCOSTANDARD
  • EXCHANGE_S_ENTERPRISE
  • INTUNE_O365

Inside EXCHANGESTANDARD sku

  • INTUNE_O365
  • EXCHANGE_S_STANDARD

Inside EXCHANGEENTERPRISE sku

  • INTUNE_O365
  • EXCHANGE_S_ENTERPRISE

Inside EXCHANGEARCHIVE Sku

  • EXCHANGE_S_ARCHIVE

Inside K1 – DESKLESSPACK

  • SHAREPOINTDESKLESS
  • EXCHANGE_S_DESKLESS

Inside K2 – DESKLESSWOFFPACK

  • SHAREPOINTWAC
  • SHAREPOINTDESKLESS
  • EXCHANGE_S_DESKLESS

Inside P1 – LITEPACK

  • MCOLITE
  • SHAREPOINTLITE
  • EXCHANGE_L_STANDARD

Inside E1 – STANDARDPACK

  • MCOSTANDARD
  • SHAREPOINTSTANDARD
  • EXCHANGE_S_STANDARD

Inside E4 – ENTERPRISEWITHSCAL

  • YAMMER_ENTERPRISE
  • OFFICESUBSCRIPTION
  • MCOSTANDARD
  • SHAREPOINTWAC
  • SHAREPOINTENTERPRISE
  • EXCHANGE_S_ENTERPRISE
  • RMS_S_ENTERPRISE

Inside PowerBI Standalone (POWER_BI_STANDALONE)

  • YAMMER_ENTERPRISE
  • SQL_IS_SSIM
  • BI_AZURE_P1
  • SHAREPOINTENTERPRISE

Inside Project Online (PROJECTONLINE_PLAN_1)

  • SWAY
  • SHAREPOINT_PROJECT
  • SHAREPOINTWAC
  • SHAREPOINTENTERPRISE

Inside Project Lite (PROJECTESSENTIALS)

  • SWAY
  • SHAREPOINTWAC
  • SHAREPOINTENTERPRISE
  • PROJECT_ESSENTIALS

Inside Academic A2 Plans

  • SHAREPOINTWAC_EDU
  • MCOSTANDARD
  • SHAREPOINTSTANDARD_EDU
  • EXCHANGE_S_STANDARD

Inside Medium Business Sku (MIDSIZEPACK)

  • SHAREPOINTWAC
  • OFFICESUBSCRIPTION
  • EXCHANGE_S_STANDARD_MIDMARKET
  • SHAREPOINTENTERPRISE_MIDMARKET
  • MCOSTANDARD_MIDMARKET

PowerBI Standard (POWER_BI_STANDARD)

  • BI_AZURE_P0

Visio Pro for Office 365

  • VISIOCLIENT

Project Pro for Office 365

  • PROJECTCLIENT

Skype for Business PSTN Conferencing

  • MCOMEETADV

Skype for Business PSTN Domestic and International Calling

  • MCOPSTN2

Skype for Business Cloud PBX

  • MCOEV

Microsoft Dynamics CRM Online internal use rights (IUR) benefit for MPN members

  • CRMIUR

Windows 10 Enterprise E5

  • WIN10_PRO_ENT_SUB
  • WINDEFATP


With thanks to Donte Henry (Avanade) and Tim Heeney (Microsoft). Discovered during the Office 365 MCM Class for Exchange 2010 MCMs.

Updated June 2014 with the findings of some of those who added comments below. Note that some comments say you need to have an array for disabled plans – this is not what I find when I run the above.

Updated Feb 2015 with more licence pack data.

Updated June 2015 with more licence pack data (INTUNE_O365)

Updated Dec 2015 with E5/NOPSTN and new standalone licence skus

Updated Feb 2016 with E5 and PSTN Conferencing

Updated May 2016 with Skype for Business Cloud PBX and some Dynamics CRM