Group Expansion for Federated Users

[Note -  This post assumes the reader is familiar with terms such as issuance license, rights-policy templates, and AD RMS trust policies (federated trust).  In summary, an issuance license represents the usage policy for a piece of content and contains a list of authorized users and usage rights assigned to each user. Rights-policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content. Federated trust refers to using Active Directory Federation Services to establish trust between two forests.

This blog post references Windows Server 2008 R2. The release candidate for Windows Server 2008 R2 can be downloaded at Please see the AD RMS with AD FS Identity Federation Step-by-Step Guide to learn how to configure an AD RMS server to work with Active Directory Federation Services (ADFS).]

AD RMS in Windows Server 2008 R2 can support groups that contain external, federated users. In Windows Server 2008, federated users had to be individually named in the issuance license or individually added to an AD RMS rights-policy template. Now, because group expansion for federated users is supported, it is possible to add federated users to a group and create protected content specifically for the group. This can be accomplished by creating a contact object for the federated users in Active Directory, in the forest where the AD RMS server is located, and adding that contact object to the group where you want to include the federated users.

Here’s an example:
Contoso has AD RMS and a group called Contoso has decided to collaborate with Fabrikam. must access all content that is shared with the group.  The IT administrator in Contoso can create a contact object for in Active Directory and add the new contact object as a member of 
As long as you have identity federation support configured and enabled between the two companies, has access to all the content published for

Sunitha Samuel, Lead Software Design Engineer in Test