Azure RMS is the protection technology behind Azure Information Protection (AIP). I have written many articles about Azure RMS and Azure Information Protection features before, but how does it really work? What is the technology behind it?
At a high level, the Azure RMS data protection process can be explained as follows:
• When a user protects data, Azure RMS encrypts the content of the file and attaches an access policy to it. This policy decides what other users can do with the protected data.
• When other users access the file (after successful Azure AD authentication), Azure RMS decrypts the file and applies the access policy to it.
At a high level it sounds simple, but let's go through this process in detail to understand the technology behind it.
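To make the two steps above concrete, here is an added toy model of the "encrypt the content and attach a policy, then decrypt and apply the policy after authentication" pattern. It is example code written for this article, not Microsoft's code, and Azure RMS's real key hierarchy, cipher and document format differ from it: the keystream cipher below is a standard-library stand-in for AES, the tenant key, the user names and the document content are constructed values, and the policy tag shows why a recipient cannot simply edit the attached policy to grant himself access.

```python
import hashlib
import hmac
import json
import os

# Constructed example: a simplified model of protect / consume, not Azure RMS code.
# The HMAC-based keystream is a stand-in for AES so the script runs on stdlib only.


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher; same call encrypts and decrypts)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _policy_tag(tenant_key: bytes, wrapped_key: bytes, policy: dict) -> bytes:
    """Integrity tag that binds the access policy to the wrapped content key."""
    material = wrapped_key + json.dumps(policy, sort_keys=True).encode()
    return hmac.new(tenant_key, material, hashlib.sha256).digest()


def protect(plaintext: bytes, owner: str, grants: dict, tenant_key: bytes) -> dict:
    """Step 1 in the text: encrypt the content with a fresh content key and attach a policy."""
    content_key = os.urandom(32)
    content_nonce = os.urandom(16)
    wrap_nonce = os.urandom(16)
    policy = {"owner": owner, "grants": grants}  # user -> list of rights
    wrapped_key = _keystream_xor(tenant_key, wrap_nonce, content_key)  # only the service can unwrap
    return {
        "ciphertext": _keystream_xor(content_key, content_nonce, plaintext),
        "content_nonce": content_nonce,
        "wrap_nonce": wrap_nonce,
        "wrapped_key": wrapped_key,
        "policy": policy,
        "policy_tag": _policy_tag(tenant_key, wrapped_key, policy),
    }


def consume(doc: dict, authenticated_user: str, tenant_key: bytes):
    """Step 2: after authentication the service validates the policy, then releases content and rights."""
    expected = _policy_tag(tenant_key, doc["wrapped_key"], doc["policy"])
    if not hmac.compare_digest(expected, doc["policy_tag"]):
        raise ValueError("policy or wrapped key has been tampered with")
    policy = doc["policy"]
    if authenticated_user == policy["owner"]:
        rights = ["OWNER"]
    elif authenticated_user in policy["grants"]:
        rights = policy["grants"][authenticated_user]
    else:
        raise PermissionError(f"{authenticated_user} is not in the access policy")
    content_key = _keystream_xor(tenant_key, doc["wrap_nonce"], doc["wrapped_key"])
    plaintext = _keystream_xor(content_key, doc["content_nonce"], doc["ciphertext"])
    return plaintext, rights


def demo() -> dict:
    """Walk through the article's scenario with constructed users and content."""
    tenant_key = os.urandom(32)  # stands in for the tenant root key held by the service
    doc = protect(b"Q3 sales forecast (confidential)",
                  owner="andrew@rebeladmin.com",
                  grants={"selena@rebeladmin.com": ["VIEW"]},
                  tenant_key=tenant_key)
    results = {"selena": consume(doc, "selena@rebeladmin.com", tenant_key)}
    try:
        consume(doc, "other.sales@rebeladmin.com", tenant_key)
        results["other"] = "granted"
    except PermissionError:
        results["other"] = "denied"
    # A recipient who rewrites the attached policy to add himself fails the tag check.
    tampered = dict(doc, policy={"owner": doc["policy"]["owner"],
                                 "grants": {"other.sales@rebeladmin.com": ["VIEW"]}})
    try:
        consume(tampered, "other.sales@rebeladmin.com", tenant_key)
        results["tampered"] = "granted"
    except ValueError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the file carries its own policy, but the policy is only trusted because it is bound to the wrapped content key under a key the recipient never holds; the decision of who may decrypt is therefore made by the service after authentication, not by whoever has the file.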
The best way to understand the technology behind the encryption and decryption process is to go through a scenario. Rebeladmin Inc. employee Andrew is sending a document with sensitive data to another employee, Selena. He does not want anyone else in the sales team to have it, so he is going to use AIP to protect the document. This is the first time both users are going to use this solution.
Since this is the first time Andrew and Selena use AIP, they both need to go through the one-time user environment preparation process. As the first step, Andrew installs the Azure Information Protection client on his PC. It can be downloaded via https://www.microsoft.com/en-gb/download/details.aspx?id=53018 .
1. Then he authenticates to AIP using his Azure Active Directory account.
2. After successful authentication, the session is redirected to the AIP tenant, which issues a certificate that will be used to authenticate to Azure RMS in the future. The AIP client automatically renews this certificate after 31 days. A copy of this certificate is also stored in Azure, so if the user changes device, Azure RMS recreates the certificate using the same keys.
Now the user environment preparation process is done. The next step is to protect the Word document.