Rights Management Service (RMS) for the classic client
This article lists details about how the Rights Management (RMS) service works with the AIP classic client.
For more information, see the RMS sections of the Azure Information Protection documentation.
Manage personal data for AIP with the classic client
When you configure and use Azure Information Protection, email addresses and IP addresses are stored and used by the Azure Information Protection service. This personal data can be found in the following items for the classic client:
The Azure Information Protection policy
Templates for the protection service
Document tracking logs
View and update personal data that Azure Information Protection uses
For the classic client, use the Azure portal to view, update, or delete email addresses for scoped policies and for protection settings within a label configuration. For more information, see How to configure the Azure Information Protection policy for specific users by using scoped policies and How to configure a label for Rights Management protection.
For labels that are configured to apply protection from the Azure Rights Management service, email addresses can also be found in protection templates, by using PowerShell cmdlets from the AIPService module. This PowerShell module also lets an administrator specify users by email address to be a super user, or an administrator for the Azure Rights Management service.
You cannot update email addresses for the super users and delegated administrators. Instead, remove the specified user account, and add the user account with the updated email address.
Secure and control access to personal information
Personal data that you view and specify in the Azure portal is accessible only to users who have been assigned one of the following administrator roles from Azure Active Directory:
Azure Information Protection administrator
Compliance administrator
Compliance data administrator
Security administrator
Security reader
Global administrator
Global reader
Personal data that you view and specify by using the AIPService module (or the older module, AADRM) is accessible only to users who have been assigned the Azure Information Protection administrator, Compliance administrator, Compliance data administrator, or Global administrator roles from Azure Active Directory, or the global administrator role for the protection service.
Protection templates
View a list of protection templates
Run the Get-AipServiceTemplate cmdlet to get a list of protection templates. You can use the template ID to get details of a specific template. The RightsDefinitions object displays the personal data, if any.
Example:
PS C:\Users> Get-AipServiceTemplate -TemplateId fcdbbc36-1f48-48ca-887f-265ee1268f51 | select *
TemplateId : fcdbbc36-1f48-48ca-887f-265ee1268f51
Names : {1033 -> Confidential}
Descriptions : {1033 -> This data includes sensitive business information. Exposing this data to
unauthorized users may cause damage to the business. Examples for Confidential information
are employee information, individual customer projects or contracts and sales account data.}
Status : Archived
RightsDefinitions : {admin@aip500.onmicrosoft.com -> VIEW, VIEWRIGHTSDATA, EDIT, DOCEDIT, PRINT, EXTRACT,
REPLY, REPLYALL, FORWARD, EXPORT, EDITRIGHTSDATA, OBJMODEL, OWNER,
AllStaff-7184AB3F-CCD1-46F3-8233-3E09E9CF0E66@aip500.onmicrosoft.com -> VIEW,
VIEWRIGHTSDATA, EDIT, DOCEDIT, PRINT, EXTRACT, REPLY, REPLYALL, FORWARD, EXPORT,
EDITRIGHTSDATA, OBJMODEL, OWNER, admin2@aip500.onmicrosoft.com -> VIEW, VIEWRIGHTSDATA, EDIT,
DOCEDIT, PRINT, EXTRACT, REPLY, REPLYALL, FORWARD, EXPORT, EDITRIGHTSDATA, OBJMODEL, OWNER}
ContentExpirationDate : 1/1/0001 12:00:00 AM
ContentValidityDuration : 0
ContentExpirationOption : Never
LicenseValidityDuration : 7
ReadOnly : False
LastModifiedTimeStamp : 1/26/2018 6:17:00 PM
ScopedIdentities : {}
EnableInLegacyApps : False
LabelId :
Update the protection template
Run the Set-AipServiceTemplateProperty cmdlet to update the protection template. Because the personal data is within the RightsDefinitions property, you will also need to use the New-AipServiceRightsDefinition cmdlet to create a rights definitions object with the updated information, and use the rights definitions object with the Set-AipServiceTemplateProperty cmdlet.
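The update procedure described above, as an added example that is not part of the original article: it rebuilds the full set of rights definitions for the template shown earlier and then verifies the result. The contoso.com addresses are constructed placeholders, and the rights list is copied from the example output above.

```powershell
# Added example. Addresses marked "constructed" are placeholders, not values from the article.
Import-Module AIPService
Connect-AipService   # sign in with an account that holds one of the administrator roles listed earlier

# Template ID taken from the Get-AipServiceTemplate example above
$templateId = 'fcdbbc36-1f48-48ca-887f-265ee1268f51'

# Usage rights as they appear in that template's RightsDefinitions output
$rights = 'VIEW','VIEWRIGHTSDATA','EDIT','DOCEDIT','PRINT','EXTRACT','REPLY',
          'REPLYALL','FORWARD','EXPORT','EDITRIGHTSDATA','OBJMODEL','OWNER'

# Record the current state first, so the change can be reviewed or reverted
Get-AipServiceTemplate -TemplateId $templateId |
    Select-Object TemplateId, Status, RightsDefinitions |
    Format-List

# Every identity that should keep access after the update (constructed addresses).
# The RightsDefinitions property is set to exactly the list passed in, so any
# identity left out here loses its grant.
$identities = @(
    'admin.updated@contoso.com',   # constructed: replaces an outdated address
    'allstaff@contoso.com'         # constructed: a group that must retain access
)

# One rights definition object per identity
[array]$newDefinitions = foreach ($address in $identities) {
    New-AipServiceRightsDefinition -EmailAddress $address -Rights $rights
}

# Apply the rebuilt set to the template
Set-AipServiceTemplateProperty -TemplateId $templateId -RightsDefinitions $newDefinitions

# Confirm that only the intended addresses remain
(Get-AipServiceTemplate -TemplateId $templateId).RightsDefinitions
```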
Next steps
Learn more about the Rights Management service and AIP in the main Azure Information Protection documentation.