Azure RMS allows seamless integration with ON-PREM Exchange/SharePoint and File Server and is used as part of our hybrid solution.
To enable a hybrid solution, we deploy an RMS connector to channel the RMS traffic to Azure RMS in the cloud.
In some scenarios a company may not want to use the tenant key provided by Microsoft. To meet this requirement, we recommend Bring Your Own Key (BYOK).
Azure RMS (Cloud)
Azure RMS (Hybrid)
Azure Rights Management Services is a cloud service role which is enabled and configured as an Office 365 subscription. When deployed, the powers of IRM are unleashed.
We use Azure RMS primarily as part of our Cloud Solutions.
Smaller companies which do not want to spend money on additional server infrastructure to install AD FS would find it difficult to go for an ON-PREM solution.
Bring Your Own Key (BYOK)
When setting up Azure RMS, a tenant key is required. You have the choice to use a Microsoft-managed tenant key or to "Bring Your Own Key".
The BYOK option is perfect for organisations that have top-level security requirements.
At DPRMS we will be glad to assist you if you want to bring your own key as part of our Hybrid/Cloud solutions.
To bring your own key, an ON-PREM "HSM device" is required for generating a tenant key. The generated tenant key is then installed into Azure RMS.
Be aware that:
The key lifecycle operations are managed by Microsoft only if you use the Microsoft tenant key. This service is excluded when bringing your own key.
As of today's date, 24/10/2015, there are restrictions with the BYOK feature, as Azure Exchange is not able to open protected documents in Outlook. This does not affect customers with Exchange ON-PREM.
Some companies have a requirement to share information securely with more than 100 external partners. Arranging for all partners to install AD FS can be classified as an impossible task.
One of the greatest differentiating factors between Azure RMS and AD RMS is that Azure RMS allows you to share documents with partners without deploying a Federation Service.