Microsoft Azure Rights Management Service
The Microsoft Rights Management Service (RMS) classifies and optionally encrypts documents. This service forms the rights management part of Microsoft Azure Information Protection (AIP).
For many of the files that Azure RMS can classify and encrypt, File Content Extraction can identify whether they have been encrypted with RMS encryption. It can also extract metadata (including the RMS classification) and XrML associated with the document.
To decrypt and access the content of protected files, you must provide some credentials. For information about credentials, see RMS Credentials.
When you use Azure RMS decryption, consider the following notes:
- Azure RMS decryption is licensed as an additional product.
- If your license does not allow for Azure RMS decryption, fpConfigureRMS() returns the error code KVError_ReaderUsageDenied.
- To access the protected content, File Content Extraction must make an HTTP request. The time required to do so means that protected files take longer to process than unprotected files.
- By default, File Content Extraction uses the system proxy when it makes HTTP requests to obtain the key. You can also specify the proxy manually in the configuration file. See Configure the Proxy for RMS.
- This function is supported only on certain platforms. See RMS Decryption in the platform differences section.
CAUTION: When XML Export or File Extraction API functions access the protected contents of Azure RMS-protected files, File Content Extraction may place decrypted contents into the temporary directory. If you want to manage the security of such files, you might want to change the temporary directory. For information about how to configure the location of the temporary directory, see Protect the Temporary Directory.
RMS Credentials
To access the protected contents of Microsoft Azure Rights Management System (RMS) protected files, your end-user must register an application on the relevant Azure domain. For more information about how to register an app, refer to the Microsoft documentation.
After they register an application, they can find their client and tenant IDs in the Azure Portal, in the Overview section. They must then add a client secret, in the Certificates & Secrets section.
CAUTION: This information is linked to the domain itself, rather than to a specific user. Providing this information allows File Content Extraction to access the contents of all files protected by this domain. Therefore, you must handle these three pieces of information securely.
You can provide the credentials required to access protected files by calling fpConfigureRMS(). This allows File Content Extraction to operate on the protected data of the file.
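One way to keep the tenant ID, client ID and client secret out of source code before they are handed to fpConfigureRMS(), shown as an added example that is not part of the product's API or documentation. It assumes a POSIX platform and a hypothetical key=value credentials file; RmsCreds, rms_wipe and load_rms_creds are illustrative names, and the fpConfigureRMS() call itself is omitted because its signature is not given on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical holder for the three domain-wide values the page says to protect. */
typedef struct {
    char tenant_id[64], client_id[64], client_secret[128];
} RmsCreds;

/* Zero memory through a volatile pointer so the stores are not optimised away. */
void rms_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 0 on success, -1 if the path is not an openable regular file, -2 if
 * group/other have any access to it, -3 if a value is missing or too long. */
int load_rms_creds(const char *path, RmsCreds *out) {
    struct stat st; char line[256]; int bad = 0;
    memset(out, 0, sizeof *out);
    int fd = open(path, O_RDONLY | O_NOFOLLOW);      /* refuse a symlinked file */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    if (st.st_mode & (S_IRWXG | S_IRWXO)) { close(fd); return -2; }
    FILE *f = fdopen(fd, "r");
    if (!f) { close(fd); return -1; }
    setvbuf(f, NULL, _IONBF, 0);   /* no stdio buffer holding a copy of the secret */
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\r\n")] = '\0';
        char *eq = strchr(line, '=');
        char *dst = NULL; size_t cap = 0;
        if (!eq) continue;
        *eq++ = '\0';
        if (!strcmp(line, "tenant_id")) { dst = out->tenant_id; cap = sizeof out->tenant_id; }
        else if (!strcmp(line, "client_id")) { dst = out->client_id; cap = sizeof out->client_id; }
        else if (!strcmp(line, "client_secret")) { dst = out->client_secret; cap = sizeof out->client_secret; }
        if (!dst) continue;
        if (strlen(eq) >= cap) { bad = 1; break; }   /* reject, never truncate */
        memcpy(dst, eq, strlen(eq) + 1);
    }
    fclose(f);
    rms_wipe(line, sizeof line);
    if (bad || !out->tenant_id[0] || !out->client_id[0] || !out->client_secret[0]) { rms_wipe(out, sizeof *out); return -3; }
    return 0;
}
```

Call rms_wipe() on the RmsCreds structure as soon as the values have been passed to fpConfigureRMS(), so the client secret does not stay in process memory for the lifetime of the application.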