Netskope Help

Support Microsoft Azure RMS Encryption

Microsoft Azure Rights Management Services (RMS) is cloud-based service which encrypts, identifies, and authorizes policies to help secure Microsoft files like Word, Excel, PowerPoint, and more. It works across multiple devices; phones, tablets, and PCs. Information is protected within your organization and outside as the encryption remains with the data. With API Data Protection, you can configure policies which can apply an RMS template to a file.

Note

RMS encryption is supported in Microsoft Office 365 OneDrive app instance only.

Prerequisites

Before setting up a OneDrive instance, the following prerequisites must be met:

  • You must enable Rights Management service on the Azure portal. For instructions how to activate the Rights Management service from the Azure portal, read this article.

  • Install the Microsoft Azure AIPService PowerShell module on your local laptop from here.

  • You need to enable RMS API for a customer AD and assign RMS super user permission. To do this, execute the following commands from Windows PowerShell:

    Install-Module -Name AIPService
    Update-Module -NameAIPService
    Import-Module AIPService
    Connect-AIPService -Verbose
    Enable-AIPService
    Enable-AipServiceDevicePlatform -All
    Enable-AipServiceSuperUserFeature
    Add-AIPServiceSuperUser -EmailAddress"<super ueser email address>"
    sleep 30
    

    In the Add-AIPServiceSuperUser -EmailAddress"<super ueser email address>" command, enter the Office 365 super user email address. Consider the following points before assigning a role of an RMS super user to an account:

    • If you have already set up a OneDrive instance in API Data Protection, then the same user account (you used to grant app access) should be assigned the role of an RMS super user.

    • For a new OneDrive instance, administrator email used to create the app instance should be assigned the role of an RMS super user.

Configure Netskope for RMS Access

Once the prerequisites are complete, you should grant RMS access to the OneDrive instance. To grant access: the OneDrive instance. To grant access:

  1. Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and go to Settings > API-enabled Protection > SaaS.

  2. Select the OneDrive icon, and then click Setup Instance.

  3. The Setup Instance window opens. Enter a name for your Office 365 instance.

    For instance name, enter the fully qualified domain name (FQDN) of your Microsoft Office 365 account. For example, if you use https://domain-my.sharepoint.com to login, then specify domain-my.sharepoint.com as the FQDN in the app instance field.

    Note

    To find the FQDN of your Microsoft Office 365 account, log in to your Microsoft Office 365 account and then:

    1. Click the launch icon.

    2. Click the OneDrive app.

    3. Copy the FQDN text (remove the "https://" and the path after the FQDN text “/“)

      O365_OD_FQDN.png
  4. For Instance Type, enable the check boxes for the services you aim to use.

  5. Enter the email address of the Office 365 administrator.

  6. If you have a list of internal domains for your company, you can enter a comma separated list of internal domains. Any files shared across internal domains will be treated as internally shared.

  7. Click Save, then click Grant Access for the Office 365 app instance you just created.

  8. After clicking Grant Access, you will be prompted to log in with your Office 365 global administrator username and password, and then click Grant. When the configuration results page open, click Close.

  9. After granting access to the Office 365 app instance, you will see a Grant RMS link beside Grant Access. Click Grant RMS to grant RMS access to the OneDrive instance. You will be prompted to log in with your Office 365 global administrator username and password, and then click Grant. When the configuration results page open, click Close.

    Note

    The same Office 365 global administrator account must be used to grant Office 365 access for RMS and the API Data Protection instance.

Once you have granted RMS access to the OneDrive instance, you can configure new API Data Protection policies to apply RMS templates.

RMS Encryption Limitation

If there are multiple RMS policies matching a notification, Netskope applies the first RMS policy and stops processing proceeding policies.