Enterprise Mobility + Security


Hi Everyone,

We’re excited to announce an update to use license caching for Azure RMS. Shubha Pratiwadibhayankar is a PM on the team and she’ll talk about these updates in more detail.

Hello, this is Shubha.

Today, we’re making available an Azure RMS feature that you’ve all been asking for – a smaller default value for the use license cache validity period.

In the past, by default, use licenses never expired. We have changed this default to 30 days. Any new content published will now require recipients to re-authenticate every 30 days. This doesn’t mean users will see an authentication prompt; it just means that the application will connect to Azure RMS to get a new license, and if the user already has a cached authentication token, there will be no prompt. This also applies to new content created using an existing template that had no use license expiration set, or a use license expiration set to greater than 30 days.

The smaller default is more secure. Once the cached use license becomes invalid, a user can no longer open a document that has expired or whose usage rights have changed so that the user loses access. Having control over the use license also provides support for document revocation, a soon-to-be released new feature.

Along with this change, we’re also providing you the ability to change the license cache validity period for your organization. You can use these two new PowerShell cmdlets which are now part of the Azure RMS Administration Tool.

Set-AadrmMaxUseLicenseValidityTime: This cmdlet sets the maximum validity time for use licenses that Azure RMS grants for your organization when it protects files and email messages. The default value is 30 days.

Get-AadrmMaxUseLicenseValidityTime: This cmdlet gets the maximum validity time, in days, for Azure RMS use licenses in your organization. The default value is 30 days.

Your organization can choose to override this tenant-level setting by using a more restrictive setting in a rights policy template as before. Less restrictive values will not override the tenant-level setting.

Take note: When you change the default value by using this cmdlet, you’re making a tradeoff between security and the ability to have offline access for longer periods. Choose a maximum value that best suits your organization:

- With a low value, users will be required to authenticate more often; this is more secure, and means they will be quickly prevented from accessing protected documents whose rights may have changed. Again, this doesn’t mean users will see an authentication prompt. If a valid token is available, authentication will be silent.

- With a high value, users will be required to authenticate less often; however, this is less secure, and means that they will continue to have access to a protected document whose rights may have changed.
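The following is an added example, not code from the original post or the RMS team: it reads the tenant maximum, lowers it to a chosen value, and then shows how the tenant maximum caps template settings for new content as described above. The value 14, the helper `Get-EffectiveValidityDays` and the template list are assumptions made for illustration, as is treating the output of the Get cmdlet as a plain number of days.

```powershell
# Added example (not from the original post). Requires the Azure RMS
# Administration Tool (AADRM module) and tenant administrator credentials.
Import-Module AADRM
Connect-AadrmService

$DesiredMaxDays = 14   # assumption: the maximum your organization has chosen

# Read the current tenant-level maximum (assumed to come back as a number of days).
$currentMax = [int](Get-AadrmMaxUseLicenseValidityTime)
Write-Host "Current tenant maximum: $currentMax days"

# Change the setting only when it differs, then read it back to confirm.
if ($currentMax -ne $DesiredMaxDays) {
    Set-AadrmMaxUseLicenseValidityTime -MaximumValidityTimeInDays $DesiredMaxDays
    $currentMax = [int](Get-AadrmMaxUseLicenseValidityTime)
    Write-Host "New tenant maximum: $currentMax days"
}

# Hypothetical local helper (not an AADRM cmdlet): a template value applies
# only when it is more restrictive than the tenant maximum; a template with
# no expiration, or a longer one, falls back to the tenant maximum.
function Get-EffectiveValidityDays {
    param(
        [int]$TenantMaxDays,
        [Nullable[int]]$TemplateDays   # $null = template sets no expiration
    )
    if ($null -eq $TemplateDays -or $TemplateDays -gt $TenantMaxDays) {
        return $TenantMaxDays
    }
    return $TemplateDays
}

# Constructed sample templates, not read from a real tenant.
$templates = @(
    @{ Name = 'Confidential';  Days = 7 },
    @{ Name = 'Internal';      Days = 90 },
    @{ Name = 'Legacy';        Days = $null }
)
foreach ($t in $templates) {
    $effective = Get-EffectiveValidityDays -TenantMaxDays $currentMax -TemplateDays $t.Days
    '{0,-14} effective use license validity for new content: {1} days' -f $t.Name, $effective
}

Disconnect-AadrmService
```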


If you have any questions, you can reach us at askipteam@microsoft.com

Cheers!

Shubha, on behalf of the RMS team