RMS protection is great for preventing Snowden-like data loss, as long as your organization does not collaborate with external partners. What happens if you want to use the same RMS protection for sharing content with third parties? In fact, this is where the protection features would seem to truly shine.

Involving users outside your enterprise requires several things:

  • Connectivity – Users need to connect to your RMS instance to request access to protected content
  • Identity – Users need to have an identity that your RMS instance trusts to use as a ‘key’ to open protected content
  • Compatibility – Users need to have compatible client software to open and consume protected content

Your RMS enterprise architecture has a definite impact on these items, the biggest difference being cloud (Azure RMS) vs. on-premise (AD RMS). The table below summarizes what end users need in order to collaborate with your enterprise using RMS-protected documents.

| | AD RMS (On-Premise) | Azure RMS (Cloud) |
|---|---|---|
| Connectivity | AD RMS needs to be externally published (reverse proxy, etc.) | Azure RMS is Internet-facing |
| Identity | Provision and manage identities in your AD for external users | Office 365MT tenants are federated by default |
| Compatibility | Be prescriptive with the client software your partners must have available or provide them with managed endpoints, virtual or physical | Office 365MT subscription ensures auto-updated Office ProPlus |

For cloud, it is critical to understand your use case for RMS-protected external sharing, as the solution requirements and user experience can change dramatically.
Clearly, Microsoft is focused on removing barriers to collaboration in their cloud offering. It is easier to require external partners to have their own Office 365MT tenant (or even grant them licenses in your tenant) than to manage everything locally.

  • Is your use case for view-only, one-way sharing of protected content? Think read-only library, compliance or financial reporting, or proposals/bids.
  • Or do you require true bidirectional collaboration? Think JV or partnership developing Intellectual Property.

Azure RMS-protected documents can be opened view-only on any device, using Office Online server-side rendering in the browser, by users with free Microsoft accounts. However, protected documents can only be edited in native Office applications by users with paid Office 365MT organizational accounts. The minimum O365MT licensing tier required is something to check with your Microsoft representative and to test end-to-end in your specific environment.

Recommendations for simple and secure external sharing using the cloud Azure RMS architecture:

  • Set up a SPO Site with non-anonymous external sharing enabled – ensure that it is well-known that external entities have access to all content at the Site-level (do not attempt to get more granular with permissions because of the pitfalls there)
  • Enable RMS for all document libraries on the Site; the policy should have content and use license expirations set as described in the Revocation article
  • Grant access to external users through SharePoint permissions, preferably managed in groups
  • For true collaboration/content editing, all external users must have an Office 365MT account in their own tenant; otherwise they will be restricted to browser view-only access
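
The first two recommendations above can be scripted and then read back for verification. This PowerShell sketch is an added example, not part of the original article. It assumes the SharePoint Online Management Shell and PnP.PowerShell modules are installed and that IRM is already activated at the tenant level. The URLs and day counts are placeholders, because the values from the Revocation article are not on this page, and the mapping of "content" and "use license" expiration onto the two IRM day settings is this example's reading of the policy.

```powershell
# Added example: placeholders throughout (tenant, site, expiration values).
$adminUrl = 'https://contoso-admin.sharepoint.com'           # placeholder tenant admin URL
$siteUrl  = 'https://contoso.sharepoint.com/sites/partners'  # placeholder partner site
$contentExpiryDays = 30   # placeholder: take the value from your revocation policy
$licenseExpiryDays = 7    # placeholder: take the value from your revocation policy

# 1. Allow sharing with authenticated external users only (no anonymous links).
Connect-SPOService -Url $adminUrl
Set-SPOSite -Identity $siteUrl -SharingCapability ExternalUserSharingOnly

# 2. Enable IRM, with both expirations, on every visible document library.
#    (Recent PnP.PowerShell versions may also require -ClientId here.)
Connect-PnPOnline -Url $siteUrl -Interactive
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }
foreach ($lib in $libraries) {
    Set-PnPListInformationRightsManagement -List $lib `
        -Enable $true `
        -EnableDocumentAccessExpire $true -DocumentAccessExpireDays $contentExpiryDays `
        -EnableLicenseCacheExpire $true -LicenseCacheExpireDays $licenseExpiryDays
}

# 3. Read the settings back so a library that was missed or later changed stands out.
(Get-SPOSite -Identity $siteUrl).SharingCapability
foreach ($lib in $libraries) {
    Get-PnPListInformationRightsManagement -List $lib
}
```

Libraries created after the script runs are not covered, so rerun it or repeat the read-back step whenever the site structure changes.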

For on-premise, there is much more configuration possible, thus the greater need for expert guidance and consultation.

Client software compatibility 

A quick word on baseline client software compatibility and minimum requirements:

  • Windows 7+ with Office ProPlus for MFA Modern Authentication
  • Windows 7+ with Office 2010+ and the RMS Sharing Application for non-MFA scenarios
  • For ad hoc sharing, the RMS Sharing Application alone is useful, though it only works for external sharing if the organizational policy allows it