Step 2: Software-protected key to software-protected key migration

Applies to: Active Directory Rights Management Services, Azure Information Protection, Office 365

These instructions are part of the migration path from AD RMS to Azure Information Protection, and are applicable only if your AD RMS key is software-protected and you want to migrate to Azure Information Protection with a software-protected tenant key.

If this is not your chosen configuration scenario, go back to Step 4. Export configuration data from AD RMS and import it to Azure RMS and choose a different configuration.

Use the following procedure to import the AD RMS configuration to Azure Information Protection, to result in your Azure Information Protection tenant key that is managed by Microsoft.

To import the configuration data to Azure Information Protection

  1. On an Internet-connected workstation, use the Connect-AadrmService cmdlet to connect to the Azure Rights Management service:

    Connect-AadrmService
    

    When prompted, enter your Azure Rights Management tenant administrator credentials (typically, you will use an account that is a global administrator for Azure Active Directory or Office 365).

  2. Use the Import-AadrmTpd cmdlet to upload each exported trusted publishing domain (.xml) file. For example, you should have at least one additional file to import if you upgraded your AD RMS cluster for Cryptographic Mode 2.

    To run this cmdlet, you will need the password that you specified earlier for each configuration data file.

    For example, first run the following to store the password:

     $TPD_Password = Read-Host -AsSecureString
    

    Enter the password that you specified to export the first configuration data file. Then, using E:\contosokey1.xml as an example for that configuration file, run the following command and confirm that you want to perform this action:

    Import-AadrmTpd -TpdFile E:\contosokey1.xml -ProtectionPassword $TPD_Password -Verbose
    
  3. When you have uploaded each file, run Set-AadrmKeyProperties to identify the imported key that matches the currently active SLC key in AD RMS. This key will become the active tenant key for your Azure Rights Management service.

  4. Use the Disconnect-AadrmService cmdlet to disconnect from the Azure Rights Management service:

    Disconnect-AadrmService
    

You’re now ready to go to Step 5. Activate the Azure Rights Management service.

Comments

Before commenting, we ask that you review our House rules.