Rights Management Service (RMS) for the classic client

This article lists details about how the Rights Management (RMS) service works with the AIP classic client.

For more information, see the RMS sections of the Azure Information Protection documentation.

Manage personal data for AIP with the classic client

When you configure and use Azure Information Protection, email addresses and IP addresses are stored and used by the Azure Information Protection service. This personal data can be found in the following items for the classic client:

  • The Azure Information Protection policy

  • Templates for the protection service

  • Document tracking logs

View and update personal data that Azure Information Protection uses

For the classic client, use the Azure portal to view, update, or delete email addresses for scoped policies and for protection settings within a label configuration. For more information, see How to configure the Azure Information Protection policy for specific users by using scoped policies and How to configure a label for Rights Management protection.

For labels that are configured to apply protection from the Azure Rights Management service, email addresses can also be found in protection templates, which you can view by using PowerShell cmdlets from the AIPService module. This PowerShell module also lets an administrator specify users by email address as super users or as administrators for the Azure Rights Management service.

You cannot update email addresses for super users and delegated administrators. Instead, remove the specified user account, and add the user account with the updated email address.

Secure and control access to personal information

Personal data that you view and specify in the Azure portal is accessible only to users who have been assigned one of the following administrator roles from Azure Active Directory:

  • Azure Information Protection administrator

  • Compliance administrator

  • Compliance data administrator

  • Security administrator

  • Security reader

  • Global administrator

  • Global reader

Personal data that you view and specify by using the AIPService module (or the older module, AADRM) is accessible only to users who have been assigned the Azure Information Protection administrator, Compliance administrator, Compliance data administrator, or Global Administrator roles from Azure Active Directory, or the global administrator role for the protection service.

Protection templates

View a list of protection templates

Run the Get-AipServiceTemplate cmdlet to get a list of protection templates. You can use the template ID to get details of a specific template. The RightsDefinitions object displays the personal data, if any.

Example:

PS C:\Users> Get-AipServiceTemplate -TemplateId fcdbbc36-1f48-48ca-887f-265ee1268f51 | select *


TemplateId              : fcdbbc36-1f48-48ca-887f-265ee1268f51
Names                   : {1033 -> Confidential}
Descriptions            : {1033 -> This data includes sensitive business information. Exposing this data to
                          unauthorized users may cause damage to the business. Examples for Confidential information
                          are employee information, individual customer projects or contracts and sales account data.}
Status                  : Archived
RightsDefinitions       : {admin@aip500.onmicrosoft.com -> VIEW, VIEWRIGHTSDATA, EDIT, DOCEDIT, PRINT, EXTRACT,
                          REPLY, REPLYALL, FORWARD, EXPORT, EDITRIGHTSDATA, OBJMODEL, OWNER,
                          AllStaff-7184AB3F-CCD1-46F3-8233-3E09E9CF0E66@aip500.onmicrosoft.com -> VIEW,
                          VIEWRIGHTSDATA, EDIT, DOCEDIT, PRINT, EXTRACT, REPLY, REPLYALL, FORWARD, EXPORT,
                          EDITRIGHTSDATA, OBJMODEL, OWNER, admin2@aip500.onmicrosoft.com -> VIEW, VIEWRIGHTSDATA, EDIT,
                          DOCEDIT, PRINT, EXTRACT, REPLY, REPLYALL, FORWARD, EXPORT, EDITRIGHTSDATA, OBJMODEL, OWNER}
ContentExpirationDate   : 1/1/0001 12:00:00 AM
ContentValidityDuration : 0
ContentExpirationOption : Never
LicenseValidityDuration : 7
ReadOnly                : False
LastModifiedTimeStamp   : 1/26/2018 6:17:00 PM
ScopedIdentities        : {}
EnableInLegacyApps      : False
LabelId                 :

Update the protection template

Run the Set-AipServiceTemplateProperty cmdlet to update the protection template. Because the personal data is within the RightsDefinitions property, you will also need to use the New-AipServiceRightsDefinition cmdlet to create a rights definitions object with the updated information, and use the rights definitions object with the Set-AipServiceTemplateProperty cmdlet.
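
The following is an added example, not part of the original article, that applies these two cmdlets to the template shown in the output above in order to replace one email address. The new address and the backup path are constructed values, and the example assumes that the AIPService module is installed and that the signed-in account holds one of the administrator roles listed earlier.

```powershell
# Added example: replace an outdated email address in a protection template.
Import-Module AIPService
Connect-AipService

# Template ID taken from the example output above.
$templateId = 'fcdbbc36-1f48-48ca-887f-265ee1268f51'

# Keep a copy of the template before changing it (constructed path).
Export-AipServiceTemplate -TemplateId $templateId -Path 'C:\Temp\Confidential-before.xml'

# Rights that every identity holds in the example output above.
$rights = 'VIEW', 'VIEWRIGHTSDATA', 'EDIT', 'DOCEDIT', 'PRINT', 'EXTRACT', 'REPLY',
          'REPLYALL', 'FORWARD', 'EXPORT', 'EDITRIGHTSDATA', 'OBJMODEL', 'OWNER'

$oldAddress = 'admin2@aip500.onmicrosoft.com'            # address to retire
$newAddress = 'admin2-updated@aip500.onmicrosoft.com'    # constructed replacement

# Pass the complete list of identities, not only the changed one, so that the
# entries that should stay on the template are still present after the update.
$identities = @(
    'admin@aip500.onmicrosoft.com'
    'AllStaff-7184AB3F-CCD1-46F3-8233-3E09E9CF0E66@aip500.onmicrosoft.com'
    $newAddress
)

# Build one rights definition object per identity.
$definitions = foreach ($identity in $identities) {
    New-AipServiceRightsDefinition -EmailAddress $identity -Rights $rights
}

# Apply the rebuilt rights definitions to the template.
Set-AipServiceTemplateProperty -TemplateId $templateId -RightsDefinitions $definitions

# Confirm that the old address no longer appears in the template.
$after = (Get-AipServiceTemplate -TemplateId $templateId).RightsDefinitions | Out-String
if ($after -match [regex]::Escape($oldAddress)) {
    Write-Warning "Template $templateId still contains $oldAddress"
} else {
    Write-Output "Template $templateId no longer contains $oldAddress"
}

Disconnect-AipService
```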

Next steps

Learn more about the Rights Management service and AIP in the main Azure Information Protection documentation.