Requirements for Azure Rights Management

Carol Bailey

Applies to: Azure Rights Management, Office 365

To deploy Microsoft Azure Rights Management (Azure RMS) in your organization, make sure that you have the following prerequisites. You can then use the Azure Rights Management deployment roadmap to deploy Rights Management for your organization.

Requirement More information
A cloud subscription for RMS Your organization must have a cloud subscription that supports RMS.

For licensing information, see Cloud subscriptions that support Azure RMS.
Azure AD directory Your organization must have an Azure AD directory to support user authentication for RMS. In addition, if you want to use your user accounts from your on-premises directory (AD DS), you must also configure directory integration.

Multi-factor authentication (MFA) is supported with Azure RMS when you have the required client software and correctly configured MFA supporting infrastructure.

For more information, see Azure AD directory.
Client devices Users must have a client devices (computer or mobile device) that run an operating system that supports RMS.

For more information, see Client devices that support Azure RMS.
Applications Users must run applications that support RMS.

For more information, see Applications that support Azure RMS.
Infrastructure that supports connectivity to the Internet and dependent cloud services If you have a firewall or similar intervening network devices that must be configured to allow specific connections, see the information for Azure Rights Management (RMS) in the Office 365 portal and shared section from the following Office article: Office 365 URLs and IP address ranges.

Use the instructions in this Office article to keep up-to-date with changes to this information, by subscribing to an RSS feed.

In addition to the information in the Office article, specific to Azure RMS:

- Do not terminate the TLS client-to-service connection (for example, to do packet-level inspection). Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with Azure RMS.

- If you use a web proxy that requires authentication, you must configure it to use integrated Windows authentication with the user’s Active Directory logon credentials.

If you want to use Azure RMS with on-premises servers, the following products are supported:

  • Exchange Server

  • SharePoint Server

  • Windows Server file servers that support File Classification Infrastructure

For information about the additional Azure RMS requirements for this scenario, see On-premises servers that support Azure RMS.


The following deployment scenario is not supported:

There is a supported migration path from AD RMS to Azure RMS, and from Azure RMS to AD RMS. If you deploy Azure RMS and then decide that you no longer want to use this cloud service, see Decommissioning and deactivating Azure Rights Management.