How users sign up for RMS for individuals
Applies to: Azure Information Protection
To sign up for this free account, you request it by visiting the Microsoft Azure Information Protection page, and provide your work email address. The most typical way that you are directed to this sign-up page is if you receive an email message with a protected attachment. The email message contains instructions how to sign up.
When you follow these instructions, you receive an email in response from Microsoft, and you then complete the sign-up process by entering details to create your account. When this completes, the final page displays links to download the Azure Information Protection client or viewer for different devices, a link to the user guide, and a link for a current list of applications that natively support Rights Management protection.
To sign up for RMS for individuals
Using a Windows or Mac computer, or a mobile device, go to the Microsoft Azure Information Protection page.
Type in the email address that you use for your organization, such as firstname.lastname@example.org or email@example.com.
Personal email accounts are not supported, so do not enter a Microsoft account (formerly known as a Microsoft Live ID account) or another personal account that you might use at home from your Internet provider.
Click Sign up.
Microsoft uses your email address to check whether your organization already has a subscription for Azure Information Protection or an Office 365 subscription that includes data protection by using Azure Rights Management. If either of these subscriptions are found, you don’t need RMS for individuals. You are signed in immediately and the self-service sign up for RMS for individuals is canceled. If one of these subscriptions isn't found, you continue to the next step.
Wait for a confirmation email message to be sent to the address that you supplied. It will be from the Office 365 Team (firstname.lastname@example.org) and has the subject Finish signing up for Microsoft Azure Information Protection.
When you receive the email, click Yes, that's me to verify your email address and complete the sign-up process.
You now see a One last thing ... page for you to supply details for your account. Type in your first name, your last name, enter and confirm a password of your choice, and then click Start.
When your account is created, you see a new Microsoft Azure Information Protection page where you can download and install the Azure Information Protection client, or click the User guide link for how-to instructions for Windows computers.
Now your account is created, you’re ready to start protecting files and read files that others have protected. If you're prompted to sign in to protect or read protected files, enter the same email address and password that you used to create the account for RMS for the individuals.
Technical overview of the sign-up process
RMS for individuals uses a self-service sign-up process that is also used by other services that use Microsoft cloud-based technology to authenticate users.
This is what happens in the background when a user signs up for RMS for individuals and their organization does not have an Office 365 subscription or Azure subscription, and therefore, no directory in Azure to authenticate users:
When the first user from an organization requests a subscription for RMS for individuals, the domain name supplied in their email address is checked to see whether it is already associated with an Azure tenant. If there is no existing tenant, a new tenant and Azure directory is automatically created for the organization, which contains an account for this first user. Unlike a paid or trial subscription for Azure, this first account is not a global administrator, but a standard user. The new account uses the email address and password that the user supplied.
Some domain names cannot be used to create the directory and therefore cannot be used for RMS for individuals.
If an existing tenant is found, it is checked to see whether it already has a subscription for Azure Information Protection. When no subscription is found, the free RMS for individuals subscription can be added.
The organization is granted the RMS for individuals subscription. Now, this user can be authenticated by Azure and this user can then protect files and read files that others have protected by using the Azure Rights Management service. To protect and read protected files, the user must have an RMS-enlightened application, such as Office apps or the free Azure Information Protection client.
When the second user from the same organization requests an RMS for individuals subscription, a new user account is added to the previously created Azure directory, by using the organization’s RMS for individuals subscription. This second user can do everything that the first user could do (protect files and read protected files). But in addition, these two users can now more easily collaborate securely because they can quickly apply default templates to files that restrict access to accounts in their organization’s Azure directory.
Subsequent users from the same organization follow the same pattern, adding user accounts to the organization’s Azure directory when they sign up. The more accounts that are added to the directory, the more users can securely collaborate with co-workers and partners, and more easily prevent unauthorized people from reading their files when they should not have access to them.
Throughout this process, there is no charge to the organization and no work required from the IT department. However, the IT department could choose to do either of the following actions:
Manage the accounts and sign-up process: IT administrators can take ownership of the automatically created directory and accounts in Azure. They can then manage the accounts by implementing directory integration solutions such as password synchronization and single sign-on. Or, they can prevent users from creating accounts or signing up for RMS for individuals.
For more information, see How administrators can control the accounts created for RMS for individuals.
Manage Rights Management: IT administrators can convert the RMS for individuals subscription for the organization to a paid subscription that includes Azure Rights Management. When they do this, the existing Azure directory and accounts are preserved for a seamless transition for existing users who were using RMS for individuals. Any files that users protected previously are still protected with the same policies, and the people that they granted permissions to use the files are still able to use the files in the same way.
When you take this course of action, your organization benefits by being able to integrate Rights Management into its workflows, services, and data stores. In addition, you can now manage Rights Management because you have control over your organization’s tenant key for Azure Rights Management. You can now do the following actions:
Configure Exchange and SharePoint to support Azure Rights Management, even if these services are running on-premises. Exchange and SharePoint are natively supported for the online services, and they are supported by a connector for the on-premises servers. For more information, see the following:
The Exchange Online and SharePoint Online sections from Office 365: Configuration for clients and online services
Perform e-discovery on company-owned data so that authorized users and services can, if required, decrypt files that were protected. For more information, see Configuring super users for Azure Rights Management and discovery services or data recovery.
Log activity to the Rights Management service. Logging is very powerful because not only can you monitor which files are being protected and who is successfully accessing those protected files, but you can also identify potentially suspicious behavior from unauthorized people who are trying to access protected files. For more information, see Logging and analyzing usage of the Azure Rights Management service.
Provide users with the ability to track and revoke their protected documents, if these features are supported by your subscription. For more information, see Track and revoke your documents from the Azure Information Protection user guide.
Implement a bring your own key solution (BYOK) so that your tenant key for Azure Information Protection is created and managed by you. For more information, see Planning and implementing your Azure Information Protection tenant key.
Before commenting, we ask that you review our House rules.