Welcome to the third post in my series exploring the evolution of Active Directory Rights Management Service (AD RMS) into Azure Information Protection (AIP). My first post provided an overview of the service and some of its usages and my second post covered how the architecture of the solution has changed as the service has shifted from traditional on-premises infrastructure to a software-as-a-service (SaaS) offering). Now that we understand the purpose of the service and its architecture, let’s explore what a migration will look like.
For the post I’ll be using the labs I discussed in my first post. Specifically, I’ll be migrating lab 2 (the Windows Server 2016 lab) from using AD RMS to Azure Information Protection. I’ve added an additional Windows 10 Professional machine to that lab for reasons I’ll discuss later in the post. The two Windows 10 machines are named CLIENT1 and CLIENT2. Microsoft has assembled some guidance which I’ll be referencing throughout this post and using as the map for the migration.
With the introduction done, let’s dig in.
Before we do any button pushing, there’s some planning necessary to ensure a successful migration. The key areas of consideration are:
- Impact to collaboration with trusted organizations
- Tenant key storage
- AIP Client Rollout
- Integrated Rights Management (IRM) functionality of Microsoft Exchange Server or Microsoft SharePoint Server
Impact to collaboration with trusted organizations
Possibly most impactful to an organization is the planning that goes into how the migration will affect collaboration with partner organizations. Back in the olden days of on-premises AD RMS, organizations would leverage the protection and control that came with AD RMS to collaborate with trusted partners. This was accomplished through trusted user domains (TUDs) or federated trusts. With AIP the concept of TUDs and additional infrastructure to support federated trusts is eliminated and instead replaced with the federation capabilities provided natively via Azure Active Directory.
Yes folks, this means that if you want the same level of collaboration you had with AD RMS using TUDs, both organizations will need to need to have an Azure Active Directory (Azure AD) tenant with a license that supports the Azure Rights Management Service (Azure RMS). In a future post in the series, we’ll check out what happens when the partner organization doesn’t migrate to Azure AD and attempts to consume the protected content.
Tenant Key Storage
The tenant key can be thought to as the key to the kingdom in the AIP world. For those of you familiar with AD RMS, the tenant key serves the same function as the cluster key. In the on-premises world of AD RMS the cluster key was either stored within the AD RMS database or on a hardware security module (HSM).
When performing a migration to the world of AIP, storage of the tenant key has a few options. If you’re using a cluster key that was stored within the AD RMS database you can migrate the key using some simple PowerShell commands. If you’re opted to use HSM storage for your cluster key, you’re going to be looking at the bring your own key (BYOK) scenario. Finally, if you have a hard requirement to keep the key on premises you can explore the hold your own key option (HYOK).
For this series I’ve configured my labs with a cluster key that is stored within the AD RMS database (or software key as MS is referring to it). The AD RMS cluster in my environment runs in cryptographic mode 1, so per MS’s recommendation I won’t be migrating to cryptographic mode 2 until after I migrate to AIP.
AIP Client Rollout
Using AIP requires the AIP Client be installed. The AD RMS Client that comes with pre-packaged with Microsoft Office can protect but can’t take advantage of the labels and classification features of AIP. You’ll need to consider this during your migration process and ensure any middleware that uses the AD RMS Client is compatible with the AIP Client. The AIP Client is compatible with on-premises AD RMS so you don’t need to be concerned with backwards compatibility.
As I mentioned above, I have two Windows 10 clients named CLIENT1 and CLIENT2. In the next post I’ll be migrating CLIENT2 to the AIP Client and keeping CLIENT1 on the AD RMS Client. I’ll capture and break down the calls with Fiddler so we can see what the differences are.
Integrated Rights Management (IRM) functionality of Microsoft Exchange Server or Microsoft SharePoint Server
If you want to migrate to AIP but still have a ways to go before you can migrate Exchange and SharePoint to the SaaS counterparts, have no fear. You can leverage the protection capabilities of AIP (aka Azure RMS component) by using the Microsoft Rights Management Service Connector. The connector requires some light weight infrastructure to handle the communication between Exchange/SharePoint and AIP.
I probably won’t be demoing the RMS Connector in this series, so take a read through the documentation if you’re curious.
We’ve covered an overview of AIP, the different architectures of AD RMS and AIP, and now have covered key planning decisions for a migration. In the next post in my series we’ll start getting our hands dirty by initiating the migration from AD RMS to AIP. Once the migration is complete, I’ll be diving deep into the weeds and examining the behavior of the AD RMS and AIP clients via Fiddler captures and AD RMS client debugging (assuming it still works with the AIP client).
See you next post!
Another great post Matt 🙂
Thanks for your continued support Ernest! I’m working through a cold right now, but once it’s cleared away I’ll get to the really nerdy stuff. I’m very curious to dig into the calls the different client apps make.