How to secure data in Microsoft’s enterprise cloud – Part 2

Hello and welcome to part 2 of my series about security in Microsoft’s enterprise cloud. In my previous blog post you learned about how to implement Azure Multi-Factor Auth in your cloud scenario. Today I’m going to show you how to protect your files against being duplicated, altered, printed or accessed by persons who are not authorized.

In most customer environments you will find files saved on Windows file servers or in SharePoint libraries. In order to protect these files against unauthorized access, there ideally are Active Directory groups in place in which user accounts are members of. These groups then are given read or read/write file system access rights so the users can access their data using their accounts. Now, if one of these users having read access rights copies one of those files to a location every enterprise user may access, your data security is compromised! If this was your cafeteria’s menu for next month, it might be a minor problem. But if it’s your CIO’s employment contract being published to every employee or – even worse – a patent draft being sent to a rival company, you will have an epic failure in your system and an even bigger problem with your boss.

Now, what’s this all got to do with cloud computing? You will have realized that the major problem of losing control of your files exists in both, cloud environments and pure on-premise infrastructures. The feature that can help you at this point is Azure Rights Management. With Azure Rights Management you are given possibilities to protect your files themselves, not only the directories your files reside in. You might ask why you should use Azure Rights Management instead of Active Directory Rights Management Services (AD RMS). The answer would be: because you can not only protect your local workloads and server systems just as Exchange Server or SharePoint Server, but you can also use Azure Rights Management to integrate into IRM-features for your online services as there are Exchange Online or Office 365.

How is it implemented? Well, first of all you will have to sign up for an Azure RMS subscription or try it for free with a test subscription and then activate Rights Management for your directory.

RMS_ActiveAfter activating Azure Rights Management for your Azure AD Directory you can click the directory’s name and realize that there are already two preconfigured templates which can not be edited. The names of those templates are – Confidential and – Confidential View Only.

RMS_templatesYou can apply those templates to your files, directories or SharePoint document libraries or you can create custom templates with custom rights so you can satisfy your enterprise’s compliance regulations.

RMS_CustomRightsNow, if you’ve created a custom template and apply it to your files, you can restrict a user’s access to these files. For instance, you can prevent him or her from printing a confidential document.

How can you protect your files? First of all, a user can apply templates to documents of his or her choice. Nevertheless, the document’s creator will always have full access rights to this document in terms of Azure Rights Management.

After starting your Microsoft Office application, you have to make sure that you are signed in with an account Azure Rights Management knows. That means that it must either be a federated account from your on-premise Active Directory which is replicated via Azure AD Sync or it must be an Azure AD account which means that the account is cloud-based only.

RMS_UserAccountAfter you apply any of your Azure Rights Management templates to the document, you will realize that the document is marked with an information bar showing the name and description of the chosen template.

RMS_TemplateAppliedWith a click on View Permission you can see what permissions you are given in the document. Remember that the creator will always have full control permissions.

RMS_PermsOkay, so let’s open the document with different credentials. Firstly we try to open the document as locally signed in Administrator. Since this account is neither synced via Azure AD Sync nor cloud-based, we are informed about not having permission to open this document.


So we click yes and enter Ben’s credentials. Please remember: If you have enabled Azure Multi-Factor Auth for this account, you need to enter the app password, not the user password at this point. I’d love to show you what the document looks like now or demonstrate that Ben is not able to print, save, share or export the document – but I’m not even able to take a screen shot of the rights protected document.

So as you see (or should I say don’t see?), the protection works!

Author: Tom Janetscheck

Cloud Security Enthusiast | Security Advocate

One thought on “How to secure data in Microsoft’s enterprise cloud – Part 2”

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: