Reprotecting effectively creates a new version of the document, and therefore a new use license for the user. Alternatively, if you have already configured a group for the required permissions, you can change the group membership to include or exclude users and there is no need to change the label or template. There might be a small delay before the changes take effect because group membership is cached by the Azure Rights Management service.
If the document was protected by using custom permissions, you cannot change the permissions for the existing document. You must protect the document again and specify all the users and all the usage rights that are required for this new version of the document.
To reprotect a protected document, you must have the Full Control usage right. Absolutely, and the nice thing is, users are able to seamlessly protect and consume protected emails and attachments across the two Exchange deployments. No, you always remain in control of your data and can continue to access it, even if you decide to no longer use the Azure Rights Management service. For more information, see Decommissioning and deactivating Azure Rights Management.
Yes, the Azure Rights Management service has user onboarding controls for this scenario. For more information, see the Configuring onboarding controls for a phased deployment section in the Activating the protection service from Azure Information Protection article. One of the biggest benefits of using the Azure Rights Management service for data protection is that it supports business-to-business collaboration without you having to configure explicit trusts for each partner organization, because Azure AD takes care of the authentication for you.
There is no administration option to prevent users from securely sharing documents with specific organizations. For example, you want to block an organization that you don't trust or that has a competing business.
Preventing the Azure Rights Management service from sending protected documents to users in these organizations wouldn't make sense because your users would then share their documents unprotected, which is probably the last thing you want to happen in this scenario.
For example, you wouldn't be able to identify who is sharing company-confidential documents with which users in these organizations, which you can do when the document or email is protected by the Azure Rights Management service. By default, the Azure Rights Management service uses an Azure Active Directory account and an associated email address for user authentication, which makes business-to-business collaboration seamless for administrators.
If the other organization uses Azure services, users already have accounts in Azure Active Directory, even if these accounts are created and managed on-premises and then synchronized to Azure. If the organization has Microsoft , under the covers, this service also uses Azure Active Directory for the user accounts.
If the user's organization doesn't have managed accounts in Azure, users can sign up for RMS for individuals , which creates an unmanaged Azure tenant and directory for the organization with an account for the user, so that this user and subsequent users can then be authenticated for the Azure Rights Management service. The authentication method for these accounts can vary, depending on how the administrator in the other organization has configured the Azure Active Directory accounts.
For example, they could use passwords that were created for these accounts, federation, or passwords that were created in Active Directory Domain Services and then synchronized to Azure Active Directory. If you protect an email with an Office document attachment to a user who doesn't have an account in Azure AD, the authentication method changes.
The Azure Rights Management service is federated with some popular social identity providers, such as Gmail. If the user's email provider is supported, the user can sign in to that service and their email provider is responsible for authenticating them. If the user's email provider is not supported, or as a preference, the user can apply for a one-time passcode that authenticates them and displays the email with the protected document in a web browser.
Azure Information Protection can use Microsoft accounts for supported applications. Currently, not all applications can open protected content when a Microsoft account is used for authentication.
More information. The protection settings that you can configure in the Azure portal let you add permissions to users and groups from outside your organization, and even all users in another organization. You might find it useful to reference the step-by-step example, Secure document collaboration by using Azure Information Protection.
Note that if you have Azure Information Protection labels, you must first convert your custom template to a label before you can configure these protection settings in the Azure portal. See also: Office Applications Service Description. The following Office client suites support protecting files and emails on Windows computers by using the Azure Rights Management service:.
Office apps , for the versions listed in the table of supported versions for Microsoft Apps by update channel , from Microsoft Apps for Business or Microsoft Business Premium, when the user is assigned a license for Azure Rights Management also known as Azure Information Protection for Office These editions of Office are included with most but not all subscriptions that include data protection from Azure Information Protection.
You'll also find this information in the Azure Information Protection datasheet. If you are using the classic client on a Mac computer, you might find the following FAQ useful: How do I configure a Mac computer to protect and track documents? This app can also open rights-protected PDF files, and pictures and text files that are rights-protected. If your iOS and Android devices are enrolled by Microsoft Intune, users can install the app from the Company Portal and you can manage the app by using Intune's app protection policies.
Download the unified labeling client installation from the Microsoft Azure Information Protection page. If you have not yet upgraded, you may still have the legacy Azure Information Protection classic client deployed. It can also protect image files, but not other files.
In addition to the applications listed above, any application that supports the APIs for the Azure Rights Management service can be integrated with Azure Information Protection. After making the configuration changes on these servers, you must restart them if they are running Exchange or SharePoint, and were previously configured to use AD RMS.
There is no need to restart these servers if you are configuring them for Rights Management for the first time. You must always restart the file server that is configured to use File Classification Infrastructure after you make these configuration changes. Edit your registry settings automatically, by using the server configuration tool for Microsoft RMS connector. The prerequisites are automatically checked for you but not automatically remediated if you run it locally. Disadvantages include : When you run the tool, you must make a connection to a server that is already running the RMS connector.
Advantages include : No connectivity to a server running the RMS connector is required. Save the GenConnectorConfig. If you will run the tool locally, this must be the server that you want to configure to communicate with the RMS connector. Otherwise, you can save it on any computer. This tool configures the servers that will communicate with the RMS connector and that are listed at the beginning of this section. Do not run this tool on the servers that run the RMS connector.
Start Windows PowerShell with the Run as an administrator option, and use the Get-help command to read instructions how to the use the tool for your chosen configuration method:. The tool then uses that URL to contact the servers running the RMS connector and obtain other parameters that are used to create the required configurations.
When you run this tool, make sure that you specify the name of the load-balanced RMS connector for your organization and not the name of a single server that runs the RMS connector service. Configuring an Exchange server to use the connector. Configuring a SharePoint server to use the connector. Configuring a file server for File Classification Infrastructure to use the connector. When to install client applications on separate computers, which are not configured to use the connector.
After these servers are configured to use the connector, client applications that are installed locally on these servers might not work with RMS. When this happens, it is because the applications try to use the connector rather than use RMS directly, which is not supported. How your phone number or email address is used. Microsoft will use your phone number or email address only for this one-time transaction.
Standard SMS rates may apply. Work with anyone Share your documents with anyone and work together in real-time. Start using Word for free. Learn more about Word. Start using Excel for free. Learn more about Excel. Start using PowerPoint for free.
0コメント