
Don't be confused – Microsoft Security Tools past, present and future

It is more and more difficult to understand the terms, tools and functions and to keep them apart. In addition, there is a lot of movement in the subject, so I will write a short explanation:

Differences in terms

It is important to understand where the differences are and what is suitable for which application scenarios and how. I was with Clemens in Hamburg at the Office 365 Meetup and we talked about these topics for a whole evening. In this article we’ll take up a few details again.

Link to the presentation (OneDrive for Business)

Password for the file: MIP2019+

Rights Management Services (RMS)

RMS has been the basis for encrypting documents at Microsoft since Office 2003. Since then it has served mainly to protect documents and email. From the very beginning, it was possible to prevent content from being copied or forwarded – assuming the appropriate backend infrastructure was in place. The naming of the backend has changed from time to time since then.

There are currently three effective variants:

Active Directory Rights Management (ADRMS)
is – apart from occasional name changes since 2003 – the basis for RMS on-premises.
Azure Active Directory Rights Management (AADRMS)
is the corresponding implementation that has been available for several years as Software as a Service (SaaS) from Microsoft in Office 365 Business and Enterprise Subscriptions.
Office Message Encryption (OME)
Since 2018, email and document encryption has been available not only to business and enterprise customers but also to Office 365 Personal or Home subscribers. It is also based on the established RMS platform.

In all cases you can also share documents, email and so on with partners and customers in encrypted form. The permissions are stored, also encrypted, in a policy in the document and evaluated by the corresponding RMS service and the client. Recipients with Microsoft or Google accounts can use those accounts to access protected content. In other cases, the original recipient receives a one-time password for access. The announced Apple ID should also be supported.

Documents and email: Encryption, no labeling or classification

Forecast: will merge into MIP, remains as the basis of encryption – also for consumers

Information Rights Management (IRM)

Information Rights Management, or IRM, is the second-oldest tool and is an integration with SharePoint. Since Microsoft Office SharePoint Server 2007, libraries can be secured for certain file types such as Office documents, and the individual permissions and policies of the library can be anchored in the document.

It also works in SharePoint Online, but – apart from the possibilities offered by O365 and Azure as SaaS – it has not changed significantly for end users and (SharePoint) administrators since 2007.

IRM is configured on the document library, but the files are encrypted with RMS only when they are downloaded. The downloaded files can then be opened only by authorized user accounts, and only with view or editing rights.

Currently, this variant is still a simple and efficient way to ensure document security on a broad basis without major effort – especially if users are accustomed to working with SharePoint.

Documents: Encryption, no labeling or classification

Forecast: will be merged into MIP; for now it remains a valid solution for certain scenarios


Azure Information Protection (AIP, Azure-IP)

Azure Information Protection is a cloud-based solution that helps an organization classify its documents and emails and optionally protect them by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or by a combination in which users are given recommendations. Azure Information Protection combines technologies such as RMS with associated technologies/companies such as Secure Islands.

Even if you have defined document classes within the framework of data protection guidelines in your company, you still have to think about how these can and must be broken down into different user groups.

Furthermore – even with existing data protection guidelines – users must accept that they have to think about classification when saving documents.

Premium plans also recognize word and character combinations that either suggest or force a classification, but this method involves a great deal of analysis and implementation effort as well.

In comparison, IRM (see above) is (even) easier to implement, as it is “only” oriented to the storage location.

Documents: Labeling, Classifying, Encrypting

Forecast: will merge into MIP and probably expire in the future

Licenses: EM+S E3, E5; MIP E3 and E5; AIP P1 or P2

Microsoft Information Protection (MIP)

As a framework, Microsoft Information Protection is the future of information security from labeling to classification and encryption. In addition, there are innovations ranging from the classification of SharePoint Online sites, Teams and Groups, to use without a client in Office apps (already today), to desktop apps such as Word.

With MIP, there is now a cross platform, cross software and device solution for the classification, labeling and encryption of data, as well as SharePoint sites and environments (e.g. Groups/Teams/Yammer) linked with retention and DLP.

In particular, the integration with Teams and SharePoint Online, which provides complete classification of sites and their contents and is currently only available as a private preview, will make it possible to replace the outdated IRM and more.

Documents: Labeling, Classification, Encryption, Retention and DLP

SharePoint and Groups: Classify

Forecast: Future (complete solution)

Licenses: Microsoft 365 E5, E3 

Unified Labeling

Details on Unified Labeling (UL) are already described above under Microsoft Information Protection. Put simply, it is a simplification and relocation of administration (see below). However, it also offers some new possibilities and better integration with other services and applications.

Classifying and protecting PDFs has been possible for a long time, but it has always been somewhat cumbersome to use. With Unified Labeling, Adobe has also implemented a new PDF ISO standard together with Microsoft, so that Acrobat can also handle classified and RMS-protected PDFs.

If you are starting out with classification and RMS protection, you should rely on Unified Labeling right from the start – even if it is still in development.

The “classic” AIP client (version 1.4.x) is only being developed a little further at the moment and the gaps between it and the UL client (2.x.x) are getting smaller with the current release cycles of about three months.

Since an appropriate solution – especially user group-based encryption – is not introduced overnight, the migration to Unified Labeling does not cause any headaches later on.

Forecast: Future

Licenses: Microsoft 365 E5, E3 


Classification of data from Office 365 Security & Compliance Center (SCC)

The previous possibility to guarantee classification and labelling via the SCC will be the main model in the future. AIP and this possibility will be combined into a single common solution.

Forecast: will be merged into MIP; the migration of AIP and classification from the SCC is already starting and is possible.

Encryption – MS – BYOK – HYOK – S/MIME

In addition to the history of name and platform changes, encryption can bring some more confusion.

Previously there were only ADRMS and S/MIME encryption (the one with the certificates – you know, right?) in Outlook, both of which still have a right to exist today. Today there is also AADRMS, which provides not only another encryption infrastructure but also different options for key management.

Let’s start this time simply and not historically:

Microsoft Managed Key (MMK) 
The master key for RMS for an organization is managed by Microsoft. This is initially the case for OME and AADRMS for all customers, whether consumer or corporate. Each business or enterprise customer initially receives its own AADRMS key from Microsoft for its organization.

Bring Your Own Key (BYOK)  
You manage your organization key for AADRMS yourself in an Azure Key Vault:
If you are already using ADRMS and want to switch to AADRMS, you can take your organization key with you under certain conditions.
If you want to manage your organization key yourself, you can create it on-premises under certain conditions and import it into Azure, or create it directly in Azure.

Hold Your Own Key (HYOK) 
Either you keep the existing on-premises ADRMS infrastructure or you set one up, because you want to give certain crown-jewel documents special protection.

S/MIME is known for encryption and signing of email and is based on the public and private part of a certificate. This requires a public key infrastructure (PKI) that issues and manages these certificates.

With AADRMS as encryption basis you can decide if you want to keep the key from MS or switch to BYOK. A mix is not possible in an organization.

With AIP or MIP you can decide for each classification – assuming Premium Plan 2 – whether S/MIME, ADRMS or AADRMS (MMK or BYOK) should be used for encryption.


Clemens von Bluecher, Raphael Köllner

Thank you very much to Clemens for his input!