Comparing Azure Rights Management and Active Directory Rights Management Services
Introduction
If you know or have previously deployed Active Directory Rights Management Services (AD RMS), you might be wondering how Azure Rights Management (Azure RMS) compares in terms of functionality and requirements. Use this document for a comparison of the features and benefits of Azure RMS and AD RMS.
Note
To make this comparison easier, some information here is repeated from Requirements for Azure Rights Management. Use that topic for more specific support and version information for Azure Rights Management.
Features
Product Support
Azure RMS: Supports information rights management (IRM) capabilities in Microsoft Online services such as Exchange Online and SharePoint Online, as well as Office 365. Also supports on-premises Microsoft server products, such as Exchange Server, SharePoint Server, and file servers that run Windows Server and File Classification Infrastructure (FCI).
AD RMS: Supports on-premises Microsoft server products such as Exchange Server, SharePoint Server, and file servers that run Windows Server and File Classification Infrastructure (FCI).
Defining Trust
Azure RMS: Enables implicit trust between organizations and users in any organization. This means that protected content can be shared between users within the same organization or across organizations when users have Microsoft Office 365 or Azure Rights Management, or when users sign up for RMS for individuals.
AD RMS: Trusts must be explicitly defined in a direct point-to-point relationship between two organizations by using either trusted user domains (TUDs) or federated trusts that you create by using Active Directory Federation Services (AD FS).
Default Rights Policy Templates
Azure RMS: Provides two default rights policy templates that restrict access to the content to your own organization: one that provides read-only viewing of protected content and another that provides write or modify permissions for the protected content. You can also create your own custom templates, including departmental templates that are visible to only a subset of users. For more information, see Configuring Custom Templates for Azure Rights Management. In addition, users can define their own set of permissions if the templates are not sufficient.
AD RMS: There are no default rights policy templates; you must create and then distribute these. For more information, see AD RMS Policy Template Considerations. In addition, users can define their own set of permissions if the templates are not sufficient.
Microsoft Office Support
Azure RMS: Minimum supported version of Microsoft Office is Office 2010, which requires the RMS sharing application.
AD RMS: Minimum supported version of Microsoft Office is Office 2007.
Only version 2016 of Microsoft Office for Mac is supported by both products.
Sharing
Azure RMS: Supports the RMS sharing application for Windows, Mac computers, and mobile devices. In addition, the RMS sharing application supports the following:
- Sharing with people in another organization.
- Email notification, which lets the sender know when somebody tries to open a protected attachment.
- A document tracking site for users, which includes the ability to revoke a document.
AD RMS: Supports the RMS sharing application for Windows, Mac computers, and mobile devices. However, it does not support sharing with people in another organization, email notification, or the document tracking site and the ability for users to revoke documents.
File types
Azure RMS and AD RMS: All file types can be protected with native or generic protection when you use the RMS sharing application. For other applications, check the client capabilities table.
Windows Client
Azure RMS: Minimum supported version of the Windows client is Windows 7.
AD RMS: Minimum supported version of the Windows client is Windows Vista Service Pack 2.
Mobile Device Support
Azure RMS: Minimum supported version of the Windows client is Windows 7.
AD RMS: Minimum supported version of the Windows client is Windows Vista Service Pack 2.
Authentication
Azure RMS: Supports multi-factor authentication (MFA) for computers and mobile devices. For more information, see the Multi-factor authentication (MFA) and Azure RMS section in the Requirements for Azure Rights Management topic.
AD RMS: Supports smart card authentication if IIS is configured to request certificates.
Cryptographic Controls
Azure Rights Management always uses RSA 2048 for all public key cryptography and SHA 256 for signing operations. In comparison, AD RMS supports RSA 1024 and RSA 2048, and SHA 1 or SHA 256 for signing operations.
Both Azure Rights Management and AD RMS use AES 128 for symmetric encryption.
Azure Rights Management is compliant with FIPS 140-2 when your tenant key is created and managed by Microsoft (the default), or if you manage your own tenant key (known as BYOK). For more information about managing your tenant key, see Planning and Implementing Your Azure Rights Management Tenant Key.
Azure RMS: Supports Cryptographic Mode 2 without additional configuration, which provides stronger security for key lengths and encryption algorithms.
AD RMS: Supports Cryptographic Mode 1 by default and requires additional configuration to support Cryptographic Mode 2 for stronger security.
For more information, see AD RMS Cryptographic Modes.
Migration
Azure RMS: Supports migration from AD RMS and, if required, to AD RMS.
AD RMS: Supports migration to and from Azure RMS.
More information:
- Migrating from AD RMS to Azure Rights Management
- Decommissioning and Deactivating Azure Rights Management
Licensing
Azure RMS: Requires an RMS license to protect content. No RMS license is required to consume content that has been protected by Azure RMS (this includes users from another organization). For more information, see the Cloud subscriptions that support Azure RMS section in Requirements for Azure Rights Management.
AD RMS: Requires an RMS license to protect content, and to consume content that has been protected by AD RMS. For more information about licensing for AD RMS, see Client Access Licenses and Management Licenses for general information, but contact your Microsoft partner or Microsoft representative for specific information.