Microsoft Azure Rights Management Service

The Microsoft Rights Management Service (RMS) allows you to classify and optionally encrypt documents. This service forms the rights management part of Microsoft Azure Information Protection (AIP).

For many of the files that Azure RMS can classify and encrypt, KeyView can identify whether they have been encrypted with RMS encryption. It can also extract metadata (including the RMS classification) and XrML associated with the document.

For the KeyView HTML Export C SDK, you can provide the credentials required to access protected files by using the fpConfigureRMS function (see fpConfigureRMS()). This function allows the HTML Export and File Extraction API functions to operate on the protected data of the file.

When you use Azure RMS decryption, consider the following notes: 

  • Azure RMS decryption is licensed as an additional product. If your license does not allow for Azure RMS decryption, this function returns the extended error code KVError_ReaderUsageDenied.

  • To access the protected content, KeyView must make an HTTP request. The time required to do so means that KeyView processes protected files more slowly than unprotected files.

  • By default, KeyView uses the system proxy when it makes HTTP requests to obtain the key. You can also specify the proxy manually in the configuration file. See Configure the Proxy for RMS.

  • This function is supported only on certain platforms. See RMS Decryption in the platform differences section.

CAUTION: When HTML Export or File Extraction API functions access the protected contents of Azure RMS-protected files, KeyView may place decrypted contents into the temporary directory. If you want to manage the security of such files, you might want to change the temporary directory, by using KVHTMLConfig().

RMS Credentials

For KeyView to access the protected contents of Microsoft Azure Rights Management System (RMS) protected files, your end-user application must be registered on the relevant Azure domain. For more information about how to register an app, refer to the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.

After you register an application, you can find the client and tenant IDs in the Azure Portal, in the Overview section. You can find the client secret in the Certificates & Secrets section.

CAUTION: This information is linked to the domain itself, rather than to a specific user. Providing this information allows KeyView to access the contents of all files protected by this domain. Therefore, you must handle these three pieces of information securely.
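The following sketch is an added example, not KeyView code. It shows one way for a POSIX application to act on the two cautions above: read the tenant ID, client ID and client secret from the environment instead of hard-coding them, and create a temporary directory that only the current user can access. The environment variable names, the rms_creds type and the /tmp/kv-rms- prefix are assumptions; the calls to KVHTMLConfig() and fpConfigureRMS() are left as a comment because their signatures are not given on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical holder for the three values from the Azure app registration. */
typedef struct { char tenant_id[128], client_id[128], client_secret[256]; } rms_creds;

/* Zero memory through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Copy one required environment variable; fail if unset, empty or too long. */
static int load_var(const char *name, char *dst, size_t cap) {
    const char *v = getenv(name);
    if (v == NULL || *v == '\0' || strlen(v) >= cap) return -1;
    strcpy(dst, v);                     /* safe: length checked against cap */
    return 0;
}

/* Load all three values (variable names are assumptions of this example).
   On any failure, wipe whatever was already copied and return -1. */
int rms_creds_load(rms_creds *c) {
    if (load_var("RMS_TENANT_ID", c->tenant_id, sizeof c->tenant_id) ||
        load_var("RMS_CLIENT_ID", c->client_id, sizeof c->client_id) ||
        load_var("RMS_CLIENT_SECRET", c->client_secret, sizeof c->client_secret)) {
        wipe(c, sizeof *c);
        return -1;
    }
    return 0;
}

/* Create a fresh directory from a template ending in "XXXXXX" and confirm
   that group and other have no access to it. */
int make_private_tmpdir(char *tmpl) {
    struct stat st;
    if (mkdtemp(tmpl) == NULL || stat(tmpl, &st) != 0) return -1;
    return (st.st_mode & 077) == 0 ? 0 : -1;
}

int main(void) {
    rms_creds c;
    char dir[] = "/tmp/kv-rms-XXXXXX";  /* constructed sample path */
    if (rms_creds_load(&c) != 0) { fputs("RMS credentials missing\n", stderr); return 1; }
    if (make_private_tmpdir(dir) != 0) { wipe(&c, sizeof c); return 1; }
    /* Here: pass dir to KVHTMLConfig() and the three values to fpConfigureRMS(). */
    wipe(&c, sizeof c);                 /* clear our copy once it is no longer needed */
    return 0;
}
```

Remove the private directory and its contents when processing finishes, so that decrypted data does not outlive the job.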