Requirements for Azure Rights Management
To deploy Microsoft Azure Rights Management (Azure RMS) in your organization, make sure that you have the following prerequisites. You can then use the Azure Rights Management Deployment Roadmap to deploy Rights Management for your organization.
Req 1. A cloud subscription for RMS
- Your organization must have a cloud subscription that supports RMS.
- For licensing information, see the Cloud subscriptions that support Azure RMS section in this topic.
Req 2. Azure AD directory
- Your organization must have an Azure AD directory to support user authentication for RMS. In addition, if you want to use your user accounts from your on-premises directory (AD DS), you must also configure directory integration.
- Multi-factor authentication (MFA) is supported with Azure RMS when you have the required client software and correctly configured MFA supporting infrastructure.
- For more information, see the Azure AD directory section in this topic.
Req 3. Client devices
- Users must have client devices (computer or mobile device) that run an operating system that supports RMS.
- For more information, see the Client devices that support Azure RMS section in this topic.
Req 4. Applications
- Users must run applications that support RMS.
- For more information, see the Applications that support Azure RMS section in this topic.
Req 5. Infrastructure that supports connectivity to the Internet and dependent cloud services
- If you have a firewall or similar intervening network devices that must be configured to allow specific connections, see Office 365 URLs and IP address ranges.
- The list of URLs and IP addresses in the Office 365 portal and identity section applies to the Office 365 portal, Azure Active Directory resources, and Azure Rights Management. Use the instructions in this article to keep up to date with changes to this information by subscribing to an RSS feed.
- In addition to the information in the Office article, specific to Azure RMS:
  - Do not terminate the TLS client-to-service connection (for example, to do packet-level inspection). Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with Azure RMS.
  - Do not use a web proxy configuration that authenticates on behalf of a user.
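A check for the TLS-termination rule above, as an added example that is not part of the original topic or Microsoft's own code: it classifies the issuer of the certificate a client actually receives, so a re-signing inspection proxy shows up before RMS clients start failing. The expected issuer organization and the sample certificates are assumptions; pass your own RMS service hostname to check_endpoint.

```python
import socket
import ssl

# Assumption: issuer organization seen on an un-intercepted connection.
# Confirm the real value from a network path known to be free of inspection.
EXPECTED_ISSUER_ORGS = {"Microsoft Corporation"}


def issuer_fields(peercert):
    """Flatten the nested 'issuer' tuple from SSLSocket.getpeercert()."""
    fields = {}
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def classify(peercert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Return (verdict, issuer_label) for one leaf certificate."""
    issuer = issuer_fields(peercert)
    org = issuer.get("organizationName")
    label = f"O={org}, CN={issuer.get('commonName')}"
    if org in expected_orgs:
        return "direct", label
    # Any other issuer means a device between client and service re-signed
    # the session, which is what breaks the RMS client's certificate pinning.
    return "intercepted", label


def check_endpoint(host, port=443, timeout=5.0):
    """Connect from this network segment and classify the served certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLError as exc:
        # Untrusted chain: often an inspection CA missing from this trust store.
        return "untrusted", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)


# Constructed samples in getpeercert() format, not captured from a real service.
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Microsoft Corporation"),),
                            (("commonName", "Example Issuing CA"),))}
SAMPLE_PROXY = {"issuer": ((("organizationName", "Contoso IT"),),
                           (("commonName", "Contoso Inspection CA"),))}
```

Run check_endpoint from the same network segment and proxy path that the RMS clients use; a result of "intercepted" or "untrusted" points to a device that needs a bypass rule for this traffic.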
If you want to use Azure RMS with on-premises servers, the following products are supported:
- Exchange Server
- SharePoint Server
- Windows Server file servers that support File Classification Infrastructure
For information about the additional Azure RMS requirements for this scenario, see the On-premises servers that support Azure RMS section in this topic.
Important
As described in Migrating from AD RMS to Azure Rights Management, running AD RMS and Azure RMS side-by-side in the same organization is not supported, except during migration.
There is a supported migration path from AD RMS to Azure RMS, and from Azure RMS to AD RMS. If you deploy Azure RMS and then decide that you no longer want to use this cloud service, see Decommissioning and Deactivating Azure Rights Management.