The Evolution of AD RMS to Azure Information Protection – Part 3 – Planning The Migration

The Evolution of AD RMS to Azure Information Protection – Part 3 – Planning The Migration

Welcome to the third post in my series exploring the evolution of Active Directory Rights Management Service (AD RMS) into Azure Information Protection (AIP).  My first post provided an overview of the service and some of its usages and my second post covered how the architecture of the solution has changed as the service has shifted from traditional on-premises infrastructure to  a software-as-a-service (SaaS) offering).  Now that we understand the purpose of the service and its architecture, let’s explore what a migration will look like.

For the post I’ll be using the labs I discussed in my first post.  Specifically, I’ll be migrating lab 2 (the Windows Server 2016 lab) from using AD RMS to Azure Information Protection.  I’ve added an additional Windows 10 Professional machine to that lab for reasons I’ll discuss later in the post.  The two Windows 10 machines are named CLIENT1 and CLIENT2.  Microsoft has assembled some guidance which I’ll be referencing throughout this post and using as the map for the migration.

With the introduction done, let’s dig in.

Before we do any button pushing, there’s some planning necessary to ensure a successful migration.  The key areas of consideration are:

  • Impact to collaboration with trusted organizations
  • Tenant key storage
  • AIP Client Rollout
  • Integrated Rights Management (IRM) functionality of Microsoft Exchange Server or Microsoft SharePoint Server

Impact to collaboration with trusted organizations

Possibly most impactful to an organization is the planning that goes into how the migration will affect collaboration with partner organizations.  Back in the olden days of on-premises AD RMS, organizations would leverage the protection and control that came with AD RMS to collaborate with trusted partners.  This was accomplished through trusted user domains (TUDs) or federated trusts.  With AIP the concept of TUDs and additional infrastructure to support federated trusts is eliminated and instead replaced with the federation capabilities provided natively via Azure Active Directory.

Yes folks, this means that if you want the same level of collaboration you had with AD RMS using TUDs, both organizations will need to need to have an Azure Active Directory (Azure AD) tenant with a license that supports the Azure Rights Management Service (Azure RMS).    In a future post in the series, we’ll check out what happens when the partner organization doesn’t migrate to Azure AD and attempts to consume the protected content.

Tenant Key Storage

The tenant key can be thought to as the key to the kingdom in the AIP world.  For those of you familiar with AD RMS, the tenant key serves the same function as the cluster key. In the on-premises world of AD RMS the cluster key was either stored within the AD RMS database or on a hardware security module (HSM).

When performing a migration to the world of AIP, storage of the tenant key has a few options.  If you’re using a cluster key that was stored within the AD RMS database you can migrate the key using some simple PowerShell commands.  If you’re opted to use HSM storage for your cluster key, you’re going to be looking at the bring your own key (BYOK) scenario.  Finally, if you have a hard requirement to keep the key on premises you can explore the hold your own key option (HYOK).

For this series I’ve configured my labs with a cluster key that is stored within the AD RMS database (or software key as MS is referring to it).  The AD RMS cluster in my environment runs in cryptographic mode 1, so per MS’s recommendation I won’t be migrating to cryptographic mode 2 until after I migrate to AIP.

AIP Client Rollout

Using AIP requires the AIP Client be installed.  The AD RMS Client that comes with pre-packaged with Microsoft Office can protect but can’t take advantage of the labels and classification features of AIP.   You’ll need to consider this during your migration process and ensure any middleware that uses the AD RMS Client is compatible with the AIP Client.  The AIP Client is compatible with on-premises AD RMS so you don’t need to be concerned with backwards compatibility.

As I mentioned above, I have two Windows 10 clients named CLIENT1 and CLIENT2.  In the next post I’ll be migrating CLIENT2 to the AIP Client and keeping CLIENT1 on the AD RMS Client.  I’ll capture and break down the calls with Fiddler so we can see what the differences are.

Integrated Rights Management (IRM) functionality of Microsoft Exchange Server or Microsoft SharePoint Server

If you want to migrate to AIP but still have a ways to go before you can migrate Exchange and SharePoint to the SaaS counterparts, have no fear.  You can leverage the protection capabilities of AIP (aka Azure RMS component) by using the Microsoft Rights Management Service Connector.  The connector requires some light weight infrastructure to handle the communication between Exchange/SharePoint and AIP.

I probably won’t be demoing the RMS Connector in this series, so take a read through the documentation if you’re curious.

We’ve covered an overview of AIP, the different architectures of AD RMS and AIP, and now have covered key planning decisions for a migration.  In the next post in my series we’ll start getting our hands dirty by initiating the migration from AD RMS to AIP.  Once the migration is complete, I’ll be diving deep into the weeds and examining the behavior of the AD RMS and AIP clients via Fiddler captures and AD RMS client debugging (assuming it still works with the AIP client).

See you next post!

The Evolution of AD RMS to Azure Information Protection – Part 2 – Architecture

The Evolution of AD RMS to Azure Information Protection – Part 2 – Architecture

Hi there.  Welcome to the second post in my series exploring the evolution of Active Directory Rights Management Service (AD RMS) into Azure Information Protection (AIP).  In the first post of the series I gave an brief overview of the important role AIP plays in Microsoft’s Cloud App Security (CAS) offering.  I also covered the details of the lab I will be using for this series.  Take a few minutes to read the post to familiarize yourself with the lab details because it’ll be helpful as we progress through the series.

I went back and forth as to what topic I wanted to cover for the second post and decided it would be useful to start at the high level comparing the components in a typical Windows AD RMS implementation to those used when consuming AIP.  I’m going to keep the explanation of each component brief to avoid re-creating existing documentation, but I will provide links to official Microsoft document for each component I mention.  With that intro, let’s begin.

The infrastructure required in an AD RMS implementation is pretty minimal but the complexity is in how all of the components work together to provide the solution.  At a very high level it is similar to any other web-based application consisting of a web server, application code, and a data backend.   The web-based application integrated with a directory to authenticate users and get information about the user that is used in authorization decisions.  In the AD RMS world the components map to the following products:

  • Web Server – Machine running Windows Server with Microsoft Internet Information Services and Microsoft Message Queuing Service
  • Application Code – Code installed onto the machine after adding the AD RMS role to a machine running Windows Server
  • Data Backend – Machine running Windows Server with Microsoft SQL Server running on it hosting configuration and logging database (optionally Windows Internal Database (WID) for test environments)
  • Directory – Windows Active Directory provides authentication, user information used for authorization, and stores additional AD RMS configuration data (Service Connection Point)

Nodes providing the AD RMS service are organized into a logical container called an AD RMS Cluster. Like most web applications AD RMS can be scaled out by adding more nodes to the cluster to improve performance and provide high availability (HA).  If using MS SQL for the data backend, traditional methods of HA can be used such as SQL clustering, database mirroring, and log shipping.  You can plop your favorite load balancer in front of the solution to help distribute the application load and keep track of the health of the nodes providing the service.

Beyond the standard web-based application components we have some that are specific to AD RMS.  Let’s take a deeper look at them.

  • AD RMS Cluster Key

    The AD RMS cluster key is the most critical part of an AD RMS implementation, the “key to the kingdom”, as it is used to sign the Server Licensor Certificate (SLC) which contains the corresponding public key.  The SLC is used to sign certificates created by AD RMS that allow for consumption of AD RMS-protected content as well as being used by AD RMS clients to encrypt the content key when a document is newly protected by AD RMS.

    The AD RMS cluster key is shared by all nodes that are members of the AD RMS cluster.  It can be stored within the MS SQL database/WID or on a supported hardware security module for improved security.

  • AD RMS Client / AD RMS-Integrated Server Applications

    Applications are great, but you need a method to consume them.  Once content is protected by AD RMS it can only be consumed by an application capable of communicating with AD RMS.  In most cases this is accomplished by using an application that has been written to use the AD RMS Client.  The AD RMS Client comes pre-installed on Windows Vista and up desktop operating systems and Windows Server 2008 and up server operating systems.

    The AD RMS client performs tasks such as bootstrapping (sometimes referred to as activation).  I won’t go into the details because I wouldn’t do near as well job as Dan does in the bootstrapping link.  In short it generates some keys and obtains some certificates from the AD RMS service that facilitate protecting and consuming content.

    AD RMS-integrated server applications such as Microsoft SharePoint Server and Microsoft Exchange Server provide server-level services that leverage the capabilities provided by AD RMS to protect data such as files stored in a SharePoint library or emails sent through Microsoft Exchange.

  • AD RMS Policy Templates

    While not a component of the system architecture, AD RMS Policy Templates are an AD RMS concept that deserves mention in this discussion.  The templates can be created by an organization to provide a standard set of use rights applicable to a type of data.  Common use cases are having multiple templates created for different data types.  For example, you may want one data type that allows trusted partners to view the document but not print or forward it while another template may restrict view rights to the accounting department.

    In AD RMS the policies are stored in the AD RMS database but are accessible via a call to the web service.  Optionally they can be exported from the database and distributed in other means like a Windows file share.

As you can see there are a lot of moving parts to an on-premises Windows AD RMS implementation.  Some of the components mentioned above can get even more complicated when the need to collaborate across organizations or support mobile devices arises.

How does AIP compare?  For the purposes of this post, I’m going to focus that comparison on Azure RMS which provides the protection capability of AIP.  Azure RMS is a software-as-a-service (SaaS) offering from Microsoft replaces (yes Microsoft, let’s be honest here) AD RMS.  It is licensed on a per user basis via a stand-alone, Enterprise Mobility + Security P1/P2, or qualifying Office 365 license.

The architecture of Azure RMS is far more simple than what existed for AD RMS.  Like most SaaS services, there is no on-premises infrastructure required except in very specific scenarios such as hold-your-own-key (HYOK) or integrating Azure RMS with an on-premises Microsoft Exchange Server, Microsoft SharePoint Server, or servers running Windows Server and File Classification Infrastructure (FCI) using the RMS Connector.   This means you won’t be building any servers to hold the RMS role or SQL Servers to host configuration and logging information.  The infrastructure is now managed by Microsoft and the RMS service provided over HTTP/HTTPS.

Azure RMS shifts its directory dependency to Azure Active Directory (AAD).  It uses the tenant in which the Azure RMS licenses are associated with for authentication and authorization of users.  As with any AAD use case, you can still authenticate users against your on-premises Windows Active Directory if you’ve configured your tenant for federated authentication and source data from an on-premises directory using Azure Active Directory Connect.

The cluster key, client, integrated applications, and policies are still in place and work similar to on-premises AD RMS with some changes to both function and names.

  • Azure Information Protection Tenant Key

    The AD RMS Cluster key has been renamed to the Azure Information Protection tenant key.  The tenant key serves the same purpose as the AD RMS Cluster and is used to sign the SLC certificate and decrypt information sent to Azure RMS using the public key in the SLC.  The differences between the two are really around how the key is generated and stored.  By default the tenant key is generated (note that Microsoft generates a 2048-bit key instead of a 1024-bit like was done with new installations of AD RMS) by Microsoft and is associated with your Azure Active Directory tenant.  Other options include bring-your-own-key (BYOK), HYOK, and a special instance where you are migrating from AD RMS to Azure RMS.  I’ll cover HYOK and the migration instance in future posts.

  • Azure Information Protection Client

    The AD RMS client is replaced with the Azure Information Protection Client.  The client performs the same functions as the AD RMS Client but allowing for integration with either on-premises AD RMS or Azure RMS.  In addition, the client introduces functionality around Azure Information Protection including adding a classification bar for Microsoft Office, Do Not Forward button to Microsoft Outlook, option in Windows File Explorer to classify and protect files, and PowerShell modules that can be used to bulk classify and protect files.  In a future post in this series I’ll be doing a deep dive of the client behavior including analysis of its calls to the Azure Information Protection endpoints via Fiddler.

    Unlike the AD RMS client of the past, the Azure Information Protection Client is supported on mobile operating systems such as iOS and Android.  Additionally, it supports a wider variety of file types than the AD RMS client supported.

  • Azure RMS-Integrated Server Applications

    Like its predecessor Azure RMS can be consumed by server applications such as Microsoft Exchange Server and Microsoft SharePoint Server with the RMS Connector.  There is native integration with Office 365 products including Exchange Online, SharePoint Online, OneDrive for Business, as well as being extensible to third-party applications via Cloud App Security (I’ll demonstrate this after I complete this series).  Like all good SaaS, there is also an API that can be leveraged to add the functionality to custom developed applications.

  • Rights Management Templates

    Azure RMS continues to use concepts of rights management templates like its predecessor.  Instead of being stored in a SQL database, the templates are stored in Microsoft’s cloud.  Templates created in AD RMS can also be imported into Azure RMS for continued use.  I’ll demonstrate how that process in a future post in this series.  Classification labels in AIP are backed by templates whenever a label applies protection with a pre-defined set of rights.  I’ll demonstrate this in a later post.

Far more simple in the SaaS world isn’t it?  In addition to simplicity Microsoft delivers more capabilities, tighter integration with its collaboration tools, and expansion of the capabilities to third party applies through a robust API and integration with Cloud App Security.

See you next post!