O365 WorkBook-2014

Transcript
Page 1: O365 WorkBook-2014

Clusters to Agencies (diagram; cluster: member agencies)

Cluster AGS: DCS, GOER/DCB, OGS, DVA
Cluster BHC (new ID is DA): OFA, OPWDD, DDPC, JUSTICE
Cluster EEC: AGM, DEC/APA, OPR, DPS
Cluster FRG: DOB, DFS, GAMING, DTF
Cluster GGC: BOE, OIG, JCOPE, SLA, DOS/ABO, DMV, WCB
Cluster HLT: DOH, OMIG, OMH, OASAS
Cluster HSC: OCFS/CCF, DHR, DOL, OTDA, COUNTIES & VA, HESC
Cluster PSC: DOCCS, SCOC, DCJS/BESO, OPVD, DHSES, IOLA, ILS, SCJC, DSP/NYSP, DMNA, OVS
Cluster TED: ESD, DHCR, DOT

Page 2: O365 WorkBook-2014

Connectivity Overview of Agency to Data Centers (diagram)

Components shown:
Zscaler (proxy): 3rd party, cloud-based information security company. Services: web filtering, AV, spyware. From the agency side: if used, disable SSL inspection.
O365 Cloud
NYSE-MAIL / ITS Data Center: FIM Service, DC, ADFS 2.0 (to be retired), ADFS 3.0 (responsible for single user login)
Secure VPN (IPSEC) and 2 Way AD Trust between the data centers and the agency
Agency Data Center: ADFS 3.0 (responsible for single user login), agency's co-located DC, Non-Sync Folder (initial sync location), Sync Folder (pre-cloud location)
New Data Center (CNSE): svc.ny.gov, ADFS 3.0, I-Ports

Notes:
The agency will perform an initial sync to the NYSemail Non-Sync folder. The accounts will then be moved to a sync folder in preparation for syncing to the cloud.
BES (Blackberry): BES communicates with the agency's DC and needs the IP addresses of those DCs. The DCs communicate with the data center's BES for Blackberry service.
FIM Sync / DIRSYNC: during the Dir-Sync the source anchor gets written back to the customer's AD; afterwards mail gets written back to the customer.

AD work Quick View:
Extend schema for source anchor
Create & lockdown service account _fimagent
Add SMTP domains to forest
Populate UPN field
Make firewall changes / test and verify
Validate trust
Initial FIM sync
Configure co-location DCs
Create IPSEC policy

Page 3: O365 WorkBook-2014

Physical Fiber Network (diagram)

NYENET connecting:
O365 Cloud
DOMAIN SVC.NY.GOV: Enterprise Services, ADFS 3.0
DOMAIN NYSEMAIL.NYENET: Legacy, ADFS 2.0 / FIM
DOMAIN AGENCY.NY.GOV (four agency domains shown)
DOMAIN FS.SVC.NY.GOV
2 Way Trust links between the domains
IP addresses shown on the diagram: 10.108.16.25, 10.64.27.149

Page 4: O365 WorkBook-2014

Initial process flow / Agency and Mail process flow / ITS (diagram)

Initial process flow / Agency:
Review Prerequisites Check List
Read Play Book
Assign Tasks
Review and fill out Checklist
Review AD Checklist
Document Needed Changes
Document Work to be performed
Perform Needed Changes
Schedule Dates
Assign tasks
Create test mail boxes in cloud
Setup test users
Migrate user contact
Change MX records premigration
Migrate user calendar
Migrate user mail / delta
Migrate user mail precutover
Monitor users for issues
Resolve any issues
Test functionality
Create Live mail boxes in cloud

Mail process flow / ITS (AD work Quick View):
Extend schema for source anchor
Create & lockdown service account _fimagent
Add SMTP domains to forest
Populate UPN field
Make firewall changes / test and verify
Build 2 trusts / CNSE & NYSe
Validate trust
Initial FIM sync to NYSe
Configure co-location DCs / CNSE
Create IPSEC policy
Resolve any issues

Page 5: O365 WorkBook-2014

Basic Design of Zscaler (diagram)

Diagram labels: Internet; O365; Zscaler Web Proxy (information security cloud-based company: Web Filtering, Antivirus, Spyware); Agency (servers and users).

Page 6: O365 WorkBook-2014

Proxy Server Descriptions (diagram)

Normal Proxy: the browser is set to use a specific port (ex: 3128); the proxy listens on that specific port and stores a copy of content on the proxy.
Transparent Proxy: the browser is NOT set to use a specific port; the proxy sits on ports 80 and 443 and stores a copy of content on the proxy. The only difference from a normal proxy is that NO browser configuration is needed.
Reverse Proxy: used on the web server side to accelerate; static cacheable content is stored on the proxy, while dynamic non-cacheable content is served by the web server.

Page 7: O365 WorkBook-2014

GroupWise Migration Work Flow using Migration Servers (diagram)

Diagram: GroupWise Mail Server -> Migration Servers (Quest Tool) -> O365 Cloud Services

Can have as many migration servers as you want.
In VM create and configure your first machine and then clone it.
Open ports and add IPs in the firewall allowing O365 cloud connectivity.
Open ports for the migration servers. Ports: 443, 5985 and 5986.
Migration servers must have an Outlook client and a Domain Admin Account.
Configure the migration software (Quest Tool) as per the technical instructions.
Shared mail boxes come over as user mail boxes and must be converted.
CSV files are created and manipulated before cloud placement.
It is very important that you follow the supplied instructions for both the firewall configuration and the migration server setup for this process to work properly.

Page 8: O365 WorkBook-2014

Lotus Notes Migration Work Flow using Migration Servers (diagram)

Diagram: Lotus Notes Mail Server -> Migration Servers (Quest Tool) with SQL Database Server -> O365 Cloud Services

Can have as many migration servers as you want.
The Quest migration tool uses a SQL instance; you can either use an existing SQL server or the cut version supplied with the Quest tool.
In VM create and configure your first machine and then clone it.
Open ports and add IPs in the firewall allowing O365 cloud connectivity.
Open ports for the migration servers.
Migration servers must have an Outlook client and a Domain Admin Account.
Configure the migration software (Quest Tool) as per the technical instructions.
Shared mail boxes come over as user mail boxes and must be converted.
TSV files are created. Files can be exported, altered and then imported back into SQL.
It is very important that you follow the supplied instructions for both the firewall configuration and the migration server setup for this process to work properly.

Page 9: O365 WorkBook-2014

Exchange Migration Work Flow Using Migration Servers (MRS) (diagram)

Diagram: Exchange Server -> MRS 1, MRS 2, MRS 3 -> O365 Cloud Services

Can have as many migration servers as you want.
In VM create and configure your first machine and then clone it.
Open ports and add IPs in the firewall allowing O365 cloud connectivity.
Open ports for the migration servers.
Migration servers must have an Outlook client and a Domain Admin Account.
Configure the migration software (Quest Tool) as per the technical instructions.
Shared mail boxes come over as user mail boxes and must be converted.
It is very important that you follow the supplied instructions for both the firewall configuration and the migration server setup for this process to work properly.

Page 10: O365 WorkBook-2014

GroupWise / Notes IMAP Migration Option (diagram)

Diagram labels: Office 365 Cloud Services; GW AD; OMH; GroupWise / Notes; users with the Outlook client.

1- Create empty user mail boxes on the Office 365 cloud
2- User will connect to both the cloud mail box and the existing GW mail box through the Outlook client utilizing IMAP
3- User will migrate their mail over to the cloud mail box within a specified amount of time
4- All global contacts and calendars will be migrated over
Users do this with the Outlook client utilizing the IMAP functionality.

Page 11: O365 WorkBook-2014

Utilization of a Sub Domain in Lotus Notes or GroupWise (diagram)

Diagram labels: Internet; O365 Cloud; DLP; Lotus Notes or GroupWise Mail Server; Primary Domain (example: Agency.ny.gov); Sub Domain (example: SUB.Agency.ny.gov); Current Mail Flow; MX Record Current; MX Record Changed.

The current MX record points back to the primary domain. The changed MX record points back to the O365 cloud.
Forwarders are put in place which will forward mail to the sub domain, all transparent to the end user.
On the day of cutover the forwarders are removed; mail will then reside in the cloud only.

What does this accomplish:
1- MX record change done and propagated
2- Easier cut-over
3- Early licensing
4- Mail accounts are prepopulated

The agency MUST supply us with the SMTP server IP and/or server name, and also an NYENet routable IP address for an SMTP server.

Internal Information: In the cloud create a mail flow connector. Create a contact with address [email protected] / [email protected]. MB forwarded to contact.

Page 12: O365 WorkBook-2014

SMTP Relay From Agency to Cloud (diagram)

Diagram labels: O365 Cloud; SMTP.NYSEMAIL.NYENET 10.65.32.73 (port 2525); NYSEmail; Secure VPN (IPSEC); 2 Way AD Trust; ADFS 3.0 (responsible for single user login); TLS Encryption to Cloud; Agency; SMTP Server; Applications Using SMTP Mailing Features.

The DLP function is executed in the cloud through transport rules. DLP requirements are supplied by the agency.
Point your SMTP server to SMTP.NYSEMAIL.NYENET 10.64.32.73 (port 2525).
TLS sets up an encrypted connection between our servers and the cloud.
Encryption functions are performed in the cloud when sending (subject line = encryption:) and the cloud is also capable of decryption.
6 clustered / redundant SMTP servers are being monitored through the System Center Operations Manager (SCOM) monitoring tool.
By default mail stored in the cloud is encrypted.
By default the cloud tries TLS first. By default O365 applies TLS first.
Opportunistic TLS: by default in & out.
TLS can not be guaranteed through an email's entire path to its destination. After our environment and the cloud we have NO way of knowing if the servers in the remaining path are using TLS.

Page 13: O365 WorkBook-2014

Encryption types currently from Microsoft Office 365 (diagram, steps 1-7)

Flow labels: User sends Email; Sender types encrypt: in the subject line of the email; DLP Rules (EOP): Encrypt: in subject (Voltage); Rule is enforced; Traverses to Policy Filter; Tenant config data & key database; Email goes out with a SS #; Email is delivered; Recipient retrieves message; Received Email sign in; Recipient is prompted to login to Voltage services (may have to create a login if new to the service); Message viewing portal.

Page 14: O365 WorkBook-2014

DLP Data Flow (diagram)

O365 Cloud DLP checks for sensitive data through Transport Rules: key word match, dictionary match, regular expression, specific count.
The user may get a policy tip: Warning, Blocked, Override.
The message may get forwarded to the transport queue for further review. The transport queue deletes messages after 48 hours by default.
Action rules are quite extensive and will be created to meet the business requirements of the agency.

Page 15: O365 WorkBook-2014

DLP Transport Rules Process (diagram)

Transport Rules Components: Conditions, Exceptions, Actions.
Transport Rules Mode: Enforce, Test with Policy Tips, Test without Policy Tips.
Processing of Rule (by agent):
Rule 1 Conditions (Enforce / Test with Policy Tips / Test without Policy Tips). Example: Rule 1 conditions are met.
Rule 2 Exceptions (Enforce / Test with Policy Tips / Test without Policy Tips). Example: Rule 2 exceptions are met.
Rule 3 Actions (Enforce / Test with Policy Tips / Test without Policy Tips). Example: Rule 3 actions are met.
The mode determines how each rule will be implemented.

There are several types of messages that pass through an organization. Based on the message type, a message can be processed slightly differently by the Transport rules agent.

Page 16: O365 WorkBook-2014

DLP Transport Rule Flow Chart (diagram)

Mail Sent
Meets condition rule? No: deliver mail. Yes: check exception.
Meets exception rule? Yes: deliver mail. No: check actions rule.
Implement rule (how the rule will be implemented: Enforce / Test with Policy Tips / Test without Policy Tips).
Deliver Mail
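An added example, not from the workbook, of the rule flow on pages 14 through 16 run over constructed messages: a condition that is not met delivers the mail, a matching exception delivers it, and otherwise the actions apply according to the rule's mode. Rule names, domains, the SSN pattern and the messages are assumptions made for the illustration.

```python
"""Model of the DLP transport rule flow (conditions, exceptions, actions, modes).
Everything below is constructed for illustration; it is not the tenant's policy."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Message = Dict[str, str]
Predicate = Callable[[Message], bool]


def _text(msg: Message) -> str:
    return msg.get("subject", "") + " " + msg.get("body", "")


def keyword_match(*words: str) -> Predicate:
    """Condition: any key word appears in subject or body (case-insensitive)."""
    return lambda msg: any(w.lower() in _text(msg).lower() for w in words)


def dictionary_match(dictionary: List[str]) -> Predicate:
    """Condition: a key word match whose terms come from a dictionary list."""
    return keyword_match(*dictionary)


def regex_count(pattern: str, minimum: int) -> Predicate:
    """Condition: the regular expression matches at least `minimum` times (specific count)."""
    rx = re.compile(pattern)
    return lambda msg: len(rx.findall(_text(msg))) >= minimum


def sender_domain(*domains: str) -> Predicate:
    """Exception (or condition): the sender's domain is one of the listed domains."""
    allowed = {d.lower() for d in domains}
    return lambda msg: msg["from"].rsplit("@", 1)[-1].lower() in allowed


@dataclass
class TransportRule:
    name: str
    conditions: List[Predicate]
    exceptions: List[Predicate] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)   # "Block", "Warn", "Queue"
    mode: str = "Enforce"          # or "TestWithPolicyTips" / "TestWithoutPolicyTips"
    allow_override: bool = False   # a Block the sender may override with a justification


def evaluate(msg: Message, rules: List[TransportRule]) -> dict:
    """Follow the page-16 flow chart for each rule: condition not met -> deliver;
    exception met -> deliver; otherwise apply the actions, subject to the mode."""
    result = {"delivered": True, "policy_tip": None, "applied": [],
              "queued": False, "trace": []}
    for rule in rules:
        if not all(c(msg) for c in rule.conditions):
            result["trace"].append(f"{rule.name}: condition not met, deliver")
            continue
        if any(e(msg) for e in rule.exceptions):
            result["trace"].append(f"{rule.name}: exception met, deliver")
            continue
        if rule.mode == "TestWithoutPolicyTips":    # logged only, user sees nothing
            result["trace"].append(f"{rule.name}: would apply {rule.actions}")
            continue
        if rule.mode == "TestWithPolicyTips":       # tip shown, mail still flows
            result["policy_tip"] = "Warning"
            result["trace"].append(f"{rule.name}: would apply {rule.actions}, tip shown")
            continue
        # Enforce mode: the actions take effect.
        result["applied"].extend(rule.actions)
        if "Queue" in rule.actions:                 # held in the transport queue for review
            result["queued"] = True
        if "Block" in rule.actions:
            if rule.allow_override and msg.get("override_justification"):
                result["policy_tip"] = "Override"
                result["trace"].append(f"{rule.name}: block overridden by sender")
            else:
                result["delivered"] = False
                result["policy_tip"] = "Blocked"
                result["trace"].append(f"{rule.name}: blocked")
                break                               # nothing further to evaluate
        elif result["policy_tip"] is None:
            result["policy_tip"] = "Warning"
    return result


# Constructed sample policy and messages (domains are placeholders).
SSN = r"\b\d{3}-\d{2}-\d{4}\b"
RULES = [
    TransportRule("SSN outbound", [regex_count(SSN, 1)],
                  exceptions=[sender_domain("legal.example.ny.gov")],
                  actions=["Block"], allow_override=True),
    TransportRule("Restricted key words", [keyword_match("confidential", "restricted")],
                  actions=["Warn", "Queue"], mode="TestWithPolicyTips"),
]
SAMPLES = {
    "ssn": {"from": "user@example.ny.gov", "subject": "case file",
            "body": "Client SSN is 123-45-6789."},
    "ssn_legal": {"from": "counsel@legal.example.ny.gov", "subject": "case file",
                  "body": "Client SSN is 123-45-6789."},
    "ssn_override": {"from": "user@example.ny.gov", "subject": "case file",
                     "body": "SSN 123-45-6789", "override_justification": "court order"},
    "keyword": {"from": "user@example.ny.gov", "subject": "CONFIDENTIAL draft",
                "body": "see attached"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg, RULES))
```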

Page 17: O365 WorkBook-2014

Multi-Factor Authentication (diagram: O365 Cloud, MFA; user's password AND user's cell phone OR biometric scanner)

The following is a list of the basic steps:
Enable MFA for end user(s): first we need to enable MFA for one or more Office 365 users;
Send e-mail to end users to notify them about MFA: next, we send users an e-mail notifying them about MFA;
Have a user sign in and complete the registration process: once we have enabled the account(s) for MFA, users can sign in and complete the registration process;
Configure app passwords for non-browser apps: after the registration process has been completed, users can set up application passwords for non-browser apps such as Outlook or Lync. This is required because these apps do not natively support MFA and users will be unable to use them unless an app password is configured.
The user can use a cell phone to receive a call back or a text message to verify the authentication in addition to their password; there is also an app for the Android OS.

Page 18: O365 WorkBook-2014

SMTP Relay From Agency to NYSE With the Use of a Local Agency SMTP Server (diagram)

Diagram labels: O365 Cloud; SMTP.NYSEMAIL.NYENET (port 2525); NYSEmail; SMTP Server Cluster; TLS Encryption to Cloud; Secure VPN (IPSEC); 2 Way AD Trust; Agency; SMTP Server; Applications Using SMTP Mailing Features (port 25 or 2525).

TLS sets up an encrypted connection between our servers and the cloud.
6 clustered / redundant SMTP servers are being monitored through the System Center Operations Manager (SCOM) monitoring tool.
Point your SMTP server to SMTP.NYSEMAIL.NYENET (port 2525).
TLS encryption from the agency to the SMTP cluster applies if the agency is invoking it. If not, the traffic is still secure due to the fact that it is going through a secure VPN tunnel from the agency to NYSE.
The SMTP server sends out only on port 2525 to SMTP.NYSEMAIL.NYENET.
TLS can not be guaranteed through an email's entire path to its destination. After our environment and the cloud we have NO way of knowing if the servers in the remaining path are using TLS.
Opportunistic TLS: by default in & out. By default O365 applies TLS first.

Page 19: O365 WorkBook-2014

SMTP Relay From Agency to NYSE SMTP Cluster Without the use of an SMTP Agency Relay Server (diagram)

Diagram labels: O365 Cloud; SMTP.NYSEMAIL.NYENET (port 2525); NYSEmail; SMTP Server Cluster; TLS Encryption to Cloud; Secure VPN (IPSEC); 2 Way AD Trust; Agency; Applications Using SMTP Mailing Features (port 2525).

Applications are pointing directly to SMTP.NYSEMAIL.NYENET (port 2525).
TLS sets up an encrypted connection between our servers and the cloud.
6 clustered / redundant SMTP servers are being monitored through the System Center Operations Manager (SCOM) monitoring tool.
By default O365 forces TLS.
TLS can not be guaranteed through an email's entire path to its destination. After our environment and the cloud we have NO way of knowing if the servers in the remaining path are using TLS.
Opportunistic TLS: by default in & out.

Page 20: O365 WorkBook-2014

SMTP Relay From Agency to NYSE With the Use of a Local Agency SMTP Server (diagram)

Diagram labels: O365 Cloud; SMTP.NYSEMAIL.NYENET (port 2525); NYSEmail; SMTP Server Cluster; TLS Encryption to Cloud; Agency; SMTP Server; Applications Using SMTP Mailing Features (port 25 or 2525).

6 clustered / redundant SMTP servers are being monitored through the System Center Operations Manager (SCOM) monitoring tool.
Point your SMTP servers to SMTP.NYSEMAIL.NYENET (port 2525).
The SMTP server sends out only on port 2525 to SMTP.NYSEMAIL.NYENET.
TLS can not be guaranteed through an email's entire path to its destination. After our environment and the cloud we have NO way of knowing if the servers in the remaining path are using TLS.
Opportunistic TLS: by default in & out.

Page 21: O365 WorkBook-2014

DNS resolution (diagram)

Client to Server (DNS Client / resolver): DNS Resolver Cache, Hosts File, DNS Server (queries and answers Q1/A1, Q2/A2).
DNS Server to Server (recursion): Zones, DNS Server Cache, Root hints File (Cache.dns), Other DNS Servers (queries and answers Q3/A3, Q4/A4, Q5/A5).

Page 22: O365 WorkBook-2014

Active Directory Work Quick Overview (diagram)

AD work Quick View:
Extend schema for source anchor
Create & lockdown service account _fimagent
Add SMTP domains to forest
Populate UPN field
Make firewall changes / test and verify
Validate trust
Initial FIM sync
Configure co-location DCs
Create IPSEC policy

Diagram boxes: Extend Schema; Create & lockdown service account; Add SMTP domains to forest; Populate UPN field; Make firewall changes (based on firewall template); Create trusts; Validate trusts; Initial FIM Sync; Build co-lo DCs (work may run in parallel to AD work).
AD Objects: First Name.Last Name = UPN = Email Address

Page 23: O365 WorkBook-2014

Post AD and Trust Work Process Flow (diagram)

Diagram steps, as labelled:
Create test mail box in cloud
FIM-Sync to test OU
Check mail flow in the cloud
Remove forwarders
Pre-Migrate data
Migrate delta
Verify Contents
Verify test mail is routing correctly
Dir-Sync AD objects to cloud (pre-licensed)
Add forwarders to accounts
Change MX record to point to cloud O365
License mail boxes
Move to Dir-Sync OU
Day of Cut-Over
Client side setup autodiscovery (URL: Autodiscover.agency.ny.gov)
Test Outlook Login & Function
Test OWA Login & Function
Re-sync hand held devices
Resolve issues
Work may run parallel
Fully test mail box in cloud

Synchronization Times: FIM = every hour; Dir = every 1.5 hours.
AD Objects: First Name.Last Name - UPN - Email Address. Dir sync uses the first and last name to create the email address in the cloud environment.

Page 24: O365 WorkBook-2014

Post AD and Trust Work Process Flow (diagram)

Diagram steps, as labelled:
Create test mail box in cloud
FIM-Sync to test OU
Check mail flow in the cloud
Pre-Migrate data
Migrate delta
Verify Contents
Verify test mail is routing correctly
Dir-Sync AD objects to cloud (pre-licensed)
Add MX record to point to cloud O365
License mail boxes
Move to Dir-Sync OU
Day of Cut-Over
Client side setup autodiscovery (URL: Autodiscover.agency.ny.gov)
Test Outlook Login & Function
Test OWA Login & Function
Re-sync hand held devices
Resolve issues
Work may run parallel
Fully test mail box in cloud
Remove MX for old Domain

Synchronization Times: FIM = every hour; Dir = every 1.5 hours.
AD Objects: First Name.Last Name - UPN - Email Address. Dir sync uses the first and last name to create the email address in the cloud environment.

Page 25: O365 WorkBook-2014

In Place Holds vs Litigation Hold (diagram)

Hold Policies:
In Place Holds: what to hold (Query Based Hold Policy); how long to hold for (Time Based Hold Policy, Indefinite Hold Policy).
Litigation Holds: litigation hold only allows you to place all items on hold indefinitely, for a specified litigation hold duration for a mailbox, or until the hold is removed.
When an item is placed on one or more In-Place Holds and litigation hold at the same time, all items are held indefinitely or until the holds are removed. If you remove litigation hold and the user is still placed on one or more In-Place Holds, items matching the In-Place Hold criteria are held for the period specified in the hold settings.

Deleted Items: deleted mail goes to the Deleted Items folder first.
Recoverable Items: deleting the Deleted Items (soft delete) places the items in the Recoverable Items folder for 24-36 hours unless the mailbox is on litigation or in-place hold.

Sub-Folders and behavior of Recoverable Items:
Deletions: This subfolder contains all items deleted from the Deleted Items folder. This subfolder is exposed to users.
Versions: If In-Place Hold, litigation hold, or single item recovery is enabled, this subfolder contains the original and modified copies of the deleted items. This folder isn't visible to end users.
Purges: If either litigation hold or single item recovery is enabled, this subfolder contains all items that are hard deleted. This folder isn't visible to end users.
Discovery Holds: If In-Place Hold is enabled, this subfolder contains all items that meet the hold query parameters and are hard deleted.
Audits: If mailbox audit logging is enabled for a mailbox, this subfolder contains the audit log entries.
Calendar Logging: This subfolder contains calendar changes that occur within a mailbox. This folder isn't available to users.

Page 26: O365 WorkBook-2014

ADFS Claims Pipeline (diagram)

An incoming claim from the Claims Provider passes through three stages before the outgoing claim reaches the Relying Party Trust:
Stage 1: Accepting Claims (Acceptance Rules)
Stage 2: Authorizing Claims (Authorization Rules: Permit or DENY)
Stage 3: Issuing Claims (Issuance Rules)

Page 27: O365 WorkBook-2014

Authentication: Logging on With a Web Application Online (O365) (diagram)

Diagram labels: ADFS; Agency AD; Authentication Platform; Exchange or SharePoint; steps 1-5: Ask to authenticate, URL to Platform, Return URL to ADFS, Looks at UPN (ADFS), Gets token, Verify Token.

Authentication Steps:
The user hits the web based app.
The web based app says that you need to authenticate and returns a URL to the Authentication Platform.
The Authentication Platform then takes the domain/UPN the user typed in and knows if it is a federated domain/UPN, so it returns another URL to the client that points to the ADFS server.
The ADFS server will ask the user to authenticate via Kerberos or NTLM and, when the user is authenticated, the ADFS server gives the user a SAML token including the claims: UPN and Source User ID (ImmutableID).
The client embeds this token in the old URL and sends it off to the Authentication Platform.
The Authentication Platform verifies the token and converts it to an Auth token, which contains the UPN and now a Unique ID from the Authentication Platform. This Auth token can now be used for login.
So it gets back to the client and then off to the web app.
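An added example, not from the workbook, simulating the three-stage claims pipeline of page 26 (accept, authorize, issue) so that it ends with the two claims named in the ADFS step above, UPN and Source User ID (ImmutableID). The claim type URIs are the standard ones; the directory entries, account names and federated domain are constructed, and ImmutableID as base64 of the objectGUID is the usual DirSync convention, assumed here.

```python
"""Simulation of the ADFS claims pipeline: acceptance, authorization, issuance.
Directory entries and domains below are constructed placeholders."""
import base64
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional

WINDOWS_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
IMMUTABLE_ID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


# Constructed stand-in for the Active Directory attribute store that ADFS queries.
DIRECTORY: Dict[str, dict] = {
    "AGENCY\\jsmith": {
        "userPrincipalName": "john.smith@agency.example.ny.gov",
        "objectGUID": uuid.UUID("12345678-1234-5678-1234-567812345678"),
    },
    "AGENCY\\svc-backup": {
        "userPrincipalName": "svc-backup@agency.example.local",
        "objectGUID": uuid.UUID("87654321-4321-8765-4321-876543218765"),
    },
}
FEDERATED_DOMAINS = {"agency.example.ny.gov"}   # UPN suffixes federated with the tenant


def immutable_id(guid: uuid.UUID) -> str:
    """ImmutableID as DirSync writes it (assumed): base64 of the GUID's little-endian bytes."""
    return base64.b64encode(guid.bytes_le).decode("ascii")


def accept(incoming: List[Claim]) -> List[Claim]:
    """Stage 1, acceptance rules on the claims provider trust: pass through only
    the claim types we are willing to take from the agency AD; anything else is dropped."""
    return [c for c in incoming if c.type == WINDOWS_ACCOUNT]


def authorize(accepted: List[Claim]) -> str:
    """Stage 2, issuance authorization rules: Permit only when the account resolves
    to a UPN whose suffix is a federated domain, otherwise Deny."""
    for c in accepted:
        entry = DIRECTORY.get(c.value)
        if entry and entry["userPrincipalName"].rsplit("@", 1)[-1] in FEDERATED_DOMAINS:
            return "Permit"
    return "Deny"


def issue(accepted: List[Claim]) -> List[Claim]:
    """Stage 3, issuance transform rules: look the account up in the directory and
    emit the outgoing UPN and ImmutableID claims for the relying party."""
    outgoing: List[Claim] = []
    for c in accepted:
        entry = DIRECTORY.get(c.value)
        if entry:
            outgoing.append(Claim(UPN, entry["userPrincipalName"]))
            outgoing.append(Claim(IMMUTABLE_ID, immutable_id(entry["objectGUID"])))
    return outgoing


def pipeline(incoming: List[Claim]) -> Optional[List[Claim]]:
    """Run the three stages; None means the relying party request was denied."""
    accepted = accept(incoming)
    if authorize(accepted) != "Permit":
        return None
    return issue(accepted)


if __name__ == "__main__":
    token = pipeline([Claim(WINDOWS_ACCOUNT, "AGENCY\\jsmith"),
                      Claim("urn:example:role", "helpdesk")])   # role claim is not accepted
    print(token)
    print(pipeline([Claim(WINDOWS_ACCOUNT, "AGENCY\\svc-backup")]))   # denied: None
```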

Page 28: O365 WorkBook-2014

3 Types of Forest Models (diagram)

Organizational Forest Model: 2 Way Trust between forests.
Resource Forest Model: 1 Way Trust. Resources are located in their own forest containing the resource and the needed service accounts.
Restricted Forest Model: no trust; a separate forest with no connectivity to any other forest.

Page 29: O365 WorkBook-2014

FIM SYNC – DIR SYNC (diagram: Agency Data Center DC with Non-Sync OU (initial sync location) and Dir Sync OU (pre cloud location); NYSEMAIL; O365 / Azure AD)

First Name, Last Name and UPN must match. Email Address equals the UPN.
The Email address is created during the DIR sync to the cloud from the first name, last name and middle initial fields if needed, based on the recipient policy.
The first and last name must match the UPN entry.

FIM SYNC from the agency to NYSEMAIL.
Objects are reviewed with the agency.
Once objects are verified they are moved to the DIR Sync OU.
DIR Sync to the cloud creates cloud accounts and writes back to AD, creating the Email address based on the first name, last name and middle initial if needed.
The agency dictates what OU to sync from and what attributes to sync.
Apply recipient policy.
License accounts to activate.

Example: [email protected]
Example with middle initial: [email protected]
Example with duplicates: [email protected]@[email protected]
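An added example, not from the workbook, of a pre-sync check for the naming rule on pages 22, 23 and 29 (First Name.Last Name = UPN = Email Address) with the middle-initial fallback the workbook mentions for duplicates. The workbook does not spell out the recipient policy, so the first.last then first.m.last pattern is an assumption; the sample AD objects and the domain are constructed.

```python
"""Pre-sync naming check: what address DirSync would create for each AD object,
whether it is unique, and whether the UPN field already matches it.
The recipient policy and the sample objects are assumptions."""
import re
import unicodedata
from typing import Dict, List, Tuple


def _slug(name: str) -> str:
    """Lower-case, drop accents and keep only letters, digits and hyphens."""
    plain = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9-]", "", plain.lower())


def candidates(first: str, last: str, middle: str = "") -> List[str]:
    """Local parts in order of preference: first.last, then first.m.last (assumed policy)."""
    names = [f"{_slug(first)}.{_slug(last)}"]
    if middle:
        names.append(f"{_slug(first)}.{_slug(middle)[:1]}.{_slug(last)}")
    return names


def assign_addresses(objects: List[Dict[str, str]], domain: str) -> Tuple[Dict[str, str], List[str]]:
    """Give every object the first unused candidate address (what DirSync would create)
    and report the objects that cannot get a unique one."""
    taken: set = set()
    assigned: Dict[str, str] = {}
    problems: List[str] = []
    for obj in objects:
        for local in candidates(obj["first"], obj["last"], obj.get("middle", "")):
            address = f"{local}@{domain}"
            if address not in taken:
                taken.add(address)
                assigned[obj["sam"]] = address
                break
        else:   # every candidate was already used by an earlier object
            problems.append(f"{obj['sam']}: duplicate name and no middle initial to disambiguate")
    return assigned, problems


def check_upn(objects: List[Dict[str, str]], domain: str) -> List[str]:
    """Flag objects whose UPN field is empty or differs from the address DirSync
    would create, so they can be fixed before the FIM / Dir sync runs."""
    assigned, problems = assign_addresses(objects, domain)
    for obj in objects:
        upn = obj.get("upn", "")
        expected = assigned.get(obj["sam"])
        if not upn:
            problems.append(f"{obj['sam']}: UPN field is empty")
        elif expected and upn.lower() != expected:
            problems.append(f"{obj['sam']}: UPN {upn!r} does not match {expected!r}")
    return problems


# Constructed sample objects and domain (placeholders, not real accounts).
DOMAIN = "agency.example.ny.gov"
SAMPLE_OBJECTS = [
    {"sam": "jsmith", "first": "John", "last": "Smith", "middle": "A",
     "upn": "john.smith@agency.example.ny.gov"},
    {"sam": "jsmith2", "first": "John", "last": "Smith", "middle": "B",
     "upn": "john.b.smith@agency.example.ny.gov"},
    {"sam": "jsmith3", "first": "John", "last": "Smith", "upn": ""},
    {"sam": "mjones", "first": "Mary", "last": "Jones-Lee",
     "upn": "mjones@agency.example.ny.gov"},
]

if __name__ == "__main__":
    for line in check_upn(SAMPLE_OBJECTS, DOMAIN):
        print(line)
```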

Page 30: O365 WorkBook-2014

Key Topics to Verify for Completion of Mail Migration

AD Work
Trusts
FIM Sync
Validation
Firewall
Proxy
SMTP
Claims Rules
Encryption
DLP
Litigation Hold
Shared Mail Boxes
DL's
Naming Convention
Blackberry Devices
List Serve
CSV Files
Migration Strategy

Page 31: O365 WorkBook-2014

Non-Split DNS / Split DNS (diagram labels)

Page 32: O365 WorkBook-2014

Split DNS: Internal and External DNS Zones (diagram)

Diagram labels: Internet; Local DNS; (DNS) NS1.widget.com; Web Server (www.widget.com); External User; Internal User.
Internal DNS (internal and external zones): Xyz.local – 192.168.0.x; WWW – 65.104.3.x; FTP – 65.104.3.x
External DNS (external zones only): WWW – 65.104.3.x; FTP – 65.104.3.x
You will add the external zones to your internal DNS server but never add your internal zone to the external DNS server.

Page 33: O365 WorkBook-2014

Ediscovery Work Flow (diagram)

Diagram labels: SharePoint Site URL; Ediscovery Center Officers; Discovery Management – Scope – Distribution List; AD account used for login (added role); DL used to map email access; Exchange Email; SharePoint Owner Site (permissions); Ediscovery Center Manager; Discovery list of sources; In-Place Hold; Ediscovery Query In Hold; Export Data to a PST; Based on Result: Yes / No.

Page 34: O365 WorkBook-2014

Active Directory Flow (diagram)

Diagram labels: On Premise Active Directory Farm (Agency AD, several Active Directory servers); Agency Co-Lo AD (replication); FIM Sync (runs every hour); AD syncs (DIR) to the Azure Active Directory (runs every 1.5 hours); Azure Active Directory.

Page 35: O365 WorkBook-2014

Address Book Scenarios: State Police / Tax and Finance Exceptions (diagram)

Default GAL Settings (Global): All Other Agencies see the entire Office 365 Tenant GAL (minus State Police).
Division of State Police: State Police Personnel see the State Police Address Book ONLY, which is only visible to state police personnel. State Police has its own address book without the ability to see the entire GAL.
ITS Personnel located at State Police: 1) ITS personnel stationed at State Police can see only the GAL minus the SP address book, or 2) they can view only the SP address book.
Department of Tax and Finance: TAX Personnel see the TAX Address Book ONLY. Tax has its own address book without the ability to see the entire GAL.
ITS Personnel located at TAX: GAL (minus) SP Address Book. ITS personnel stationed at Tax can see only the GAL minus the SP address book.

Page 36: O365 WorkBook-2014

Fail Over with Load Balancers (diagram)

Diagram labels: Carrier Location 1 and Carrier Location 2; Router 1 and Router 2 (VRRP); Load Balancer 1 (Active) and Load Balancer 2 (Standby); Web Server 1 to 4; Primary Path, Secondary Path, Fail Over Path; Vlan 1 10.10.65.x, Vlan 2 10.10.66.x, Vlan 3 10.10.67.x, Vlan 4 192.168.1.x, Vlan 5 192.168.10.x.

Page 37: O365 WorkBook-2014

Load Balancer No Fail Over (diagram)

Diagram labels: Carrier Location 1; Router 1; Firewall; Load Balancer 1 (Active); Web Server 1 to 4; Vlan 1 10.10.65.x; Vlan 2 192.168.10.x.

Page 38: O365 WorkBook-2014

IRM Process Flow (diagram: AD RMS Server, Database Server, AD Server, Information Author, Information Consumer; steps 1-5)

1 - Acquire certificates that enroll his or her computer and domain user account into the AD RMS certificate hierarchy.
2 - After activation, an individual who wants to publish protected content uses their IRM-supported application to create an issuance license, also referred to as a publishing license, that specifies who can use the content and the terms of that use.
3 - The encrypted content and the signed issuance license are then made available for distribution to appropriate consumers.
4 - Once the activated user has retrieved the signed issuance license, the IRM-supported application uses it to request an end-user license, known as a use license, from the AD RMS licensing service specified in the issuance license. The end-user license contains a list of rights and conditions that apply to the requesting user.
5 - The IRM-supported application binds to, and enforces, the rights enumerated in the end-user license and uses the public key in the issuance license to decrypt the protected content.

Information Rights Management (IRM): restrictions applied to an email message or documents: can't copy, can't save a copy, read only, no printing.

Terminology:
SLC – server licensor certificate, created when the AD-RMS role is installed and configured on the 1st server.
CLC – client licensor certificate, created by the cluster for a client request. It gives rights to publish rights-protected content.
Machine certificate – this is created on the machine the 1st time an AD-RMS application is used.
RAC – rights account certificate, establishes the user ID in the AD-RMS system.
Publishing license – this is created by the client when content is saved with rights protection.
User license – this specifies the rights that apply to rights-protected content.
AD RMS Cluster Key – protected by a crypto service provider.

Page 39: O365 WorkBook-2014

IRM protector flow chart (diagram)

User requests document
Protector for file type? NO: send file to user in unprotected format. YES (Integrated) or YES (Autonomous): continue.
Is file already protected? YES: send document to user with current protection. NO: continue.
Construct issuance license: add WSS and user plus library GUID
Protector creates protected file stream (Integrated: accessing RMS encryption via WSS if necessary)
Protector adds IL and EUL to file stream
Protector successful? YES: send protected file to user. NO: Major Error, abort download.

Page 40: O365 WorkBook-2014

Page 41: O365 WorkBook-2014

Page 42: O365 WorkBook-2014

RMS to Azure AD in Cloud (diagram)

Diagram labels: O365 Tenant / Azure Active Directory (Azure RMS, RMS Activated); on premises: File Server, SharePoint, Exchange, AD Services, ADFS 3.0, Azure AD Directory Sync Tool, RMS Connector.

Page 43: O365 WorkBook-2014

AD RMS licenses (diagram)

Diagram labels: AD RMS Server; Database Server; AD Server; Information Author; Information Consumer; User License; Publishing License; Use License; Cluster Key protected by crypto service provider.

