Deploying the Azure Rights Management connector

Carol Bailey

Applies to: Azure Rights Management, Windows Server 2012, Windows Server 2012 R2

Use this information and instructions to deploy the Azure Rights Management (RMS) connector. This connector provides data protection for existing on-premises deployments that use Microsoft Exchange Server, SharePoint Server, or file servers that run Windows Server and File Classification Infrastructure (FCI).


For a high-level example scenario with screenshots, see the Automatically protecting files on file servers running Windows Server and File Classification Infrastructure section in the Azure RMS in action article.

Overview of the Microsoft Rights Management connector

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations.

You can use this connector even if some of your users are connecting to online services, in a hybrid scenario. For example, some users' mailboxes use Exchange Online and some users' mailboxes use Exchange Server. After you install the RMS connector, all users can protect and consume emails and attachments by using Azure RMS, and information protection works seamlessly between the two deployment configurations.

The RMS connector is a small-footprint service that you install on-premises, on servers that run Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. In addition to running the connector on physical computers, you can also run it on virtual machines, including Azure IaaS VMs. After you install and configure the connector, it acts as a communications interface (a relay) between the on-premises servers and the cloud service.

If you manage your own tenant key for Azure RMS (the bring your own key, or BYOK scenario), the RMS connector and the on-premises servers that use it do not access the hardware security module (HSM) that contains your tenant key. This is because all cryptographic operations that use the tenant key are performed in Azure RMS, and not on-premises.

RMS connector architecture overview

The RMS connector supports the following on-premises servers: Exchange Server, SharePoint Server, and file servers that run Windows Server and use File Classification Infrastructure to classify and apply policies to Office documents in a folder. If you want to protect all file types using File Classification Infrastructure, do not use the RMS connector, but instead, use the RMS Protection cmdlets.


For supported versions of these on-premises servers, see On-premises servers that support Azure RMS.

Use the following information to help you plan for, install, and configure the RMS connector. You must then do some post installation configuration so that your servers can use the connector.

Prerequisites for the RMS connector

Before you install the RMS connector, make sure that the following requirements are in place.

Requirement More information
The Rights Management (RMS) service is activated Activating Azure Rights Management
Directory synchronization between your on-premises Active Directory forests and Azure Active Directory After RMS is activated, Azure Active Directory must be configured to work with the users and groups in your Active Directory database.

Important: You must do this directory synchronization step for the RMS connector to work, even for a test network. Although you can use Office 365 and Azure Active Directory by using accounts that you manually create in Azure Active Directory, this connector requires that the accounts in Azure Active Directory are synchronized with Active Directory Domain Services; manual password synchronization is not sufficient.

For more information, see the following resources:

Integrating your on-premises identities with Azure Active Directory

Hybrid Identity directory integration tools comparison
Optional but recommended:

Enable federation between your on-premises Active Directory and Azure Active Directory
You can enable identity federation between your on-premises directory and Azure Active Directory. This configuration enables a more seamless user experience by using single sign-on to the RMS service. Without single sign on, users are prompted for their credentials before they can use rights-protected content.

For instructions to configure federation by using Active Directory Federation Services (AD FS) between Active Directory Domain Services and Azure Active Directory, see the Checklist: Use AD FS to implement and manage single sign-on in the Windows Server library.
A minimum of two member computers on which to install the RMS connector:

- A 64-bit physical or virtual computer running one of the following operating systems: Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.

- At least 1 GB of RAM.

- A minimum of 64 GB of disk space.

- At least one network interface.

- Access to the Internet via a firewall (or web proxy) that does not require authentication.

- Must be in a forest or domain that trusts other forests in the organization that contain installations of Exchange or SharePoint servers that you want to use with the RMS connector.
For fault tolerance and high availability, you must install the RMS connector on a minimum of two computers.

Tip: If you are using Outlook Web Access or mobile devices that use Exchange ActiveSync IRM and it is critical that you maintain access to emails and attachments that are protected by Azure RMS, we recommend that you deploy a load-balanced group of connector servers to ensure high availability.

You do not need dedicated servers to run the connector but you must install it on a separate computer from the servers that will use the connector.

Important: Do not install the connector on a computer that runs Exchange Server, SharePoint Server, or a file server that is configured for file classification infrastructure if you want to use the functionality from these services with Azure RMS. Also, do not install this connector on a domain controller.

Next steps

Go to Installing and configuring the Azure Rights Management connector.