Skip to content

Enterprise Mobility + Security


We’re happy to announce that the document tracking preview is now available worldwide.

Currently, this is in English only. We are working on making the site available in other languages over the next several weeks.

Stay tuned for updates. 

In addition, if you want to disable document tracking on your tenant, you can follow instructions at https://msdn.microsoft.com/library/azure/mt548471.aspx

If you have any questions, you can reach us at AskIPTeam@microsoft.com

Hi Everyone,

Today, we’re announcing another major update to Azure Rights Management services. No one RMS topic has garnered more smiles that this one! It’s the public preview for the feature we simply call document tracking. If you only have 1 minute and 52 seconds to give us, then watch this quick video and you too will smile at the possibilities!

Let’s give you the full tour but, before we get started, we’d like to offer thanks to the many of you who provided feedback during the early days. For the others, we welcome you to be a part of our extended design team by joining our advisory board.

The premise here is simple: You, the IT professional, have very little understanding of what constitutes good sharing, bad sharing, or even abuse of a sensitive document. It’s true. Many like you have said that you do not sit in front of monitors all day watching the several hundred documents leaving your organizations per hour (or second)! Don’t laugh, some vendors are in fact focused on building consoles for the IT staff where they show “document ABC.XLS was opened on an iPad by user Jane”. While most of you perform data loss prevention (DLP) and monitoring (SIEM) in the broader parametric domain, you can’t monitor the specific flows of all documents.

The good news is that the users in your organization, those doing the sharing, are actually very well equipped to know both the intent and possible abuse of the documents they share. They are the ones – the only ones – that know which documents were meant for limited use but are being over-circulated (abused).

Simply stated, today we’ve extended our base document protection promise to now be these 4 core points:

  1. Your users can protect documents and share them both internally as well as with other businesses.
  2. They can limit who gets access to their documents and can set a document expiration date.
  3. The sender can (now) monitor the use, and thus abuse, of each of these documents shared using a variety of views.
  4. If the senders does not like what they see, they can (now) revoke access to the document regardless of where it is stored.

The last two promises are new as of today while the first two are the Azure RMS offer that has been in market for a while now.

Details: A day in the life of a sensitive document

First, we’re going to send a document to a large set of people. Here this is an Excel Spreadsheet but it could be any file type.


After the Share Protected action, each of these users will open their document. We’ve covered these steps in detail here so we’ll not repeat them here today. In short, they got an email with both an XLS and a PPDF (protected PDF) that can be consumed on iOS, Android, Windows, and Mac devices.

At this juncture the sender will now get a Document Tracking email. This new emails look like this:


Visiting the enclosed link will bring the user to the web hosted document tracking site. Here the user will see a list of all prior sharing sessions and can pick any one of them.


Picking one, we’ll now see a summary of all document sharing activity. Here you see a carrier pigeon with a document to indicate that the document is still ‘in flight’. You’ll see relevant info including successful use and possible abuse.


Looking at the other views…
Here we have a list view with sortable columns.


Here we have a graph view showing historical trends. Columns can be selected to narrow down the list.


Here we have a map view showing the location of the users. This is generated via IP address so it has all the good and the bad of such offers. In time we expect location services to get better via a variety of means.


Now, should you not like what you see in terms of use / abuse, the user can revoke access to the document. This means it will no longer be accessible. Revoke is a two set process. First, pressing the above button offers this confirmation page. Here you’ll optionally be able to send an email to all recipients with text of your choice. With that typed in, you can CONFIRM revocation. That’s it – the doc is now inaccessible.


You’ll notice there was a disclaimer type statement about a duration of continued access. The RMS IT leaders will be creating templates. These templates have policy about offline use. Offline use is merely a license that has an NN day duration set on it. Revoking a document means that the RMS services will no long issue new licenses but some of your users (on specific devices) may already have one of these NN day licenses. Those users will be able to use the document for a while longer. This brings us back to the option in the RMS Sharing application to “Allow me to instantly revoke access to these documents”. When set, offline access is disabled but instant revocation is gained.

At this point the summary view has the carrier pigeon replaced with a REVOKED banner. The document is no long usable.


Tracking (as well as protection) can be invoked from several locations. We’ve updated the RMS sharing application to support templates (a topic for a future post) and to integrate tracking.

In Outlook, there is now a Track Usage button:


From and Outlook mail message, and a Word, Excel, PowerPoint document the add-on offers this new split button behavior:


From the Windows File Explorer. Here we took the opportunity to clean up a bit. We nested all the action under one Protect with RMS action. Here’s what it now looks like in the new RMS sharing application:

  

In Summary

With today’s preview announcement, you can begin to experience the benefits of our document tracking feature. This offer will be generally available (GA) in all worldwide geographies this summer. For now, setup an E3 test tenant and learn about it, give us feedback, and get your organization ready to really be in control of how your sensitive data is used. If you’re on AD RMS and want to migrate to Azure RMS, learn about the migration toolkit or contact us for help.

To get the latest updates please follow us on twitter as @TheRMSguy. We’ll share details about when we’ll be in EU/APAC geographies as well as when we add the new control features (disable tracking of internal users for EU workers council, etc). If you want to be more involved in crafting RMS for the need of your organization, then please join our advisory board.

Finally, it almost goes without saying, you don’t need to wait for the document tracking features to be released to get Azure RMS piloted, deployed and otherwise used in your company. We recommend you get started on protecting yourself against your next data leak… we know plenty of companies who wish they did before they experienced their very painful leaks!

If you have any questions or feedback, please post it below. You’ll likely hear from Shubha, our document tracking PM leader. If you want to learn more, visit our FAQ at https://technet.microsoft.com/en-us/dn947488

Thanks,
Dan, Shubha, and Gagan on behalf of the RMS team
@TheRMSGuy