Emory Rights Management


As a part of Emory’s Office 365 service, Microsoft’s Azure Rights Management Service (Azure RMS) is provided at no additional cost. This service is enabled to support Office 365 Message Encryption (OME).

Azure RMS is a cloud-based protection service that uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices—phones, tablets, and PCs. Information can be protected both within your organization and outside your organization because that protection remains with the data, even when it leaves your organization’s boundaries.

Azure RMS allows you to identify confidential or sensitive data and to force expiration of access to that data. Expiration is extremely useful where outdated information has more risk than access to the old data. Expiration does not affect the document owner or email sender; they will always retain access to that data.

Azure RMS also allows users to remove access to documents.


User creates spreadsheet with sensitive data
User applies Azure RMS to restrict it to Confidential, and allows only coworker abc123 and coworker xyz456 to access the document

Issue 1:

User accidentally sends the spreadsheet via email to a listserv list
Because RMS is applied, those recipients cannot access the spreadsheet

Issue 2:

Coworker xyz456 changes departments, and needs to have access removed. 
User can modify the RMS permissions and remove all access for xyz456
If xyz456 made a copy of the spreadsheet (home computer), they would still be unable to access the data


What templates / usage rights are currently deployed?

  • Unrestricted Access – Default selection; applies to Email and Office documents. Allows unrestricted / normal access.
  • Restricted Access – Applies to Office documents only. Allows user to define access (and level of permission) by individual users.  Users can remove access here as well.
  • Encrypt / Encrypt-Only – Applies to Email only. Encrypts the individual email message and attachment(s) and has the recipient validate their identity (via OAuth or One Time Passcode).
  • Do Not Forward – Applies to Email and Office documents. Prevents forwarding, copy/paste, printing.
  • Emory University - Confidential – Allows View, Open, Read; Save As, Export; Copy; View Rights; Change Rights; Allow Macros; Print; Forward; Reply; Reply All; Save; Edit Content, Edit; Full Control
  • Emory University - Confidential View Only – Allows View, Open, Read; Copy; View Rights; Allow Macros; Print; Forward; Reply; Reply All; Save; Edit Content, Edit
  • Expire in 14 days – Applies to Email and Office documents. Expires content after 14 days.  This only affects recipients of the email or document.


More detailed information will be coming on this.  Please also refer to this Microsoft link for more information on permissions:  Microsoft link on permissions

If you are in need of a particular template or configuration, please send a request to the LITS Messaging Team to see if we can help accommodate your request.

What problems does Azure RMS solve?   Azure RMS problems it resolves

How does it work behind the scenes?  Azure how does it work


How do you enable Azure RMS?

Email – Users can send emails by following the options listed at this link: OME Send

Office Documents – See below


Go to the File Tab, and choose Protect Document:


Under the Protect Document menu, you will see Restrict Access:



When choosing Restricted Access, you can then restrict who can Read or Change the document: