Skip to content

Enterprise Mobility + Security


A few months ago we announced the preview of Azure RMS Departmental Templates, a feature that allows organizations to define different policies that will be deployed to different departments (or roles) for their use in documents and emails.

We are pleased to announce that this feature is being officially released today, alongside with the incorporation of native support for this feature in Office 2013.

With Departmental templates organizations can define specialized templates that meet the needs of users in specific departments, roles or divisions. This is done through an additional parameter for each template, its scope, where you can designate the groups that will receive this template. This is separate from the rights in a template, which apply to the content protected with the template. The scope controls not which users can view content protected with the template, but which users will see the template listed when they want to protect new content.

This can be used in a variety of scenarios, such as where an organization may want to define a set of templates for each of their departments.

For example, let’s imagine a fictional organization Contoso, which has three departments on which they want to enable specialized RMS policies: Marketing, HR and Engineering. They want these templates to align with their classification taxonomy, which calls for Confidential and Strictly Confidential content, in addition to company-wide internal content.

In order to implement this model Contoso would want to create the following templates:

An administrator would archive the two default templates and then create the seven custom templates defined above (for the first one, copying the default Contoso Confidential template is probably the easiest approach, as it would allow them to change its name and any other property they may want to modify from the default values).

Each of the marketing, HR and Engineering templates would limit access to content to people within those departments in addition to upper management, with rights according to the sensitivity of the material: Confidential templates grant the team Co-Author rights to content with no expiration and limited offline access, while the Strictly Confidential templates grant the same people View Only rights, with no offline access and a one-year expiration setting.

Since even with just three departments (and most organizations have many more) asking users to pick from a list of seven templates each time they want to protect content could result in confusion and errors, Contoso decides to make the templates that are specific to HR, Marketing and Engineering departmental templates by specifying a scope that includes the corresponding departments.

Let’s see how Contoso would define the Marketing Confidential template.

On the Rights option they would add the Marketing and Executive Board groups, granting those groups Co-Author rights so they have flexibility in managing the content:

On the template configuration, they would enter no expiration and a one-day offline access policy for the content protected with the template.

And finally, they would navigate to the Scope section where they would specify the groups that will see this template:

Selecting the Marketing group they indicate that only people at the Marketing team will see this template listed in the policy options.

The administrator would follow similar steps for each of the other templates in the list.

Once these templates are created, published and deployed to clients, members of each department would see only the templates pertinent to them.

A member of the Marketing group using Office 2013 would see the following policy templates:

While a user in the Engineering group would see the following policies:

As you can see, this keeps the list of policy options very short and easy to navigate so users can choose the right policy without hesitation, while offering them the options they need.

This feature can also be used to define templates for users in specific employee roles, groups within the organization (e.g. “Executive Board Confidential”), projects or customers. A departmental template can be assigned to anything that can be defined via a group or list of groups in Azure Active Directory.

In order to be able to display Departmental templates, an application needs to support this feature. Office 2013 has been refreshed with the latest updates to support this new feature so no further action is needed for these clients to properly display departmental templates. The RMS Sharing app, mobile applications and several third party applications already support departmental templates as well.

Since Office 2010 does not download policy templates itself, but it relies on an external task to do it, you can bring departmental templates to this application by deploying the templates via a script or task that supports these templates, such as the Enhanced Template Deployment Script available in Microsoft Connect (you will need to sign in to Microsoft Connect first to download this script).

With this feature you can also break through the practical limitations in the number of templates you can create, since you can now define as many templates as your organization needs, and selectively display only a subset of them to individual users according to their needs.

You can learn more about departmental templates from our Azure RMS Custom Templates documentation.