Add Identity

Add the identity (a unique name plus the mail ID) of the user who is authorized to read RPMSG messages. KC Plug-In obtains an Azure Rights Management token for this user and passes it to Message Connector for decryption.

Prerequisites

The following is the minimum set of Azure Rights Management Services (RMS) usage rights that must be granted to the identity used by the client applications.

To decrypt an RPMSG message, the identity must be included in the user list of the sensitivity label in the Microsoft compliance portal, with at least the "View" and "Copy and Extract" usage rights. Additional rights can be granted according to business requirements; rights beyond these two are not needed for decryption.

  1. Open the KC Plug-In window and click the Identities tab.
  2. On the Identity tasks menu, click Add Identity.

    The Identity pop-up window is displayed.

  3. Do the following:

    • In the Identity box, enter a unique name for the Rights Management Identity.
    • In the Username box, enter the mail ID of the user who is authorized to read RPMSG messages.
    • Click OK to close the Identity pop-up window.

    The Configure OAuth dialog box is displayed.

  4. Configure the OAuth settings to obtain an OAuth token for the rights management user. For more information, see OAuth settings.

    Enter the following value in the Scopes box so that the token is issued for the Azure AD Rights Management (AADRM) resource:

    • For the Authorization Code grant: https://aadrm.com/.default offline_access

    • For the Client Credentials grant: https://aadrm.com/.default

    The offline_access scope is what makes the authorization server return a refresh token, so the cached token can be renewed without prompting the user again. It has no meaning for the Client Credentials grant, which is why it is omitted there.

  5. Click Authorize to get the OAuth tokens.

    RPMSG message processing is currently supported for Client Credentials and Authorization Code grants only.

    A confirmation message is displayed if authorization is successful.

  6. Click OK to close the message pop-up window and then click OK to close the Configure OAuth dialog box.

    An access token is added to the "OAuth2TokenCache.cache" file in the C:\ProgramData\Kofax\KIC-ED\KCPlugIn\config folder. The entry can be identified by the "Identity name" provided while adding the identity. Treat this file as a credential: it holds bearer tokens (and, for the Authorization Code grant, the refresh token that renews them), so restrict access to the config folder to the account that runs the KC Plug-In service and to administrators.

    The newly added identity is listed in the Identities tab.

    • If authorization fails, click Cancel in the Configure OAuth dialog box so that no row is added to the Identities tab.
    • If authorization fails and you click OK instead, a row is added to the Identities tab and highlighted in red.

Configuring external identities for decrypting cross-tenant RPMSG messages

You can use the External Identities (B2B collaboration) feature of Microsoft Entra ID to acquire Azure RMS (Rights Management Services) tokens for decrypting RPMSG messages received from an external tenant.

For instance, if a customer 'A' receives RPMSG messages from its clients 'B' and 'C', customer A needs a mail ID registered as an external identity (guest user) in the tenants of both B and C. In addition, clients B and C must each add that mail ID to the permissions list of the sensitivity label they use (in the Microsoft compliance portal), with the "View" and "Copy and Extract" usage rights described above.

Clients B and C must share their tenant ID, client ID, and the redirect URI of the mobile and desktop applications platform of their app registration (from the Azure portal) with customer A. Customer A uses these details to sign in to the respective client's tenant with customer A's mail ID and request an RMS access token for decrypting that client's RPMSG messages.

Use the following Microsoft link to configure B2B collaboration cross-tenant access.

Configure B2B collaboration cross-tenant access - Microsoft Entra External ID | Microsoft Learn

Ensure the following when fetching the RMS (Rights Management Services) token for an external user:

  • The RMS token is fetched using the customer's mail ID that is registered with the respective client as an external user.

  • Only the Authorization Code grant is used for fetching RMS tokens from the client's tenant. The Client Credentials grant would require the client to hand its Client Secret to the customer, which is not part of this configuration.

  • The client's tenant ID is entered in the Tenant ID box (the token must be issued by the client's tenant, not by the customer's own tenant).

  • The client's application ID that has the required permissions for RPMSG message decryption is entered in the Client ID box.

  • The redirect URI of the mobile/desktop applications platform is entered in the Redirect URI box.

  • The Client Secret box is left empty, because the mobile/desktop platform is a public client and authenticates the user, not the application.

Once the above steps are verified, click the Authorize button in the OAuth configuration window.

Provide the customer's credentials in the pop-up window for fetching the RMS token.

A proxy server is supported while fetching the RMS token. However, a proxy server is not supported at the time of RPMSG message decryption in Message Connector, so Message Connector needs direct access to the Azure RMS endpoints.

Example of OAuth configuration details for an external user.
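When authorization succeeds in the Configure OAuth dialog but Message Connector still cannot decrypt, the usual cause is a token that does not match the checklist above (wrong tenant, wrong audience, app-only token, expired). The following Python script is an added example, not part of the Kofax product or its documentation: it decodes the claims of an access token and compares them against the scopes in step 4 and the external-identity checklist. All identifiers (tenant IDs, application ID, mail ID) are constructed placeholders, the sample tokens are unsigned and constructed in the script, and the scope and role names in the samples are illustrative. The script inspects claims only; it does not verify the token signature, which is the job of the AADRM service.

```python
import base64
import json
import time

# Constructed placeholder identifiers for the cross-tenant scenario
# (customer A reads RPMSG messages protected by client B). None are real.
CLIENT_B_TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_B_APP_ID = "66666666-7777-8888-9999-000000000000"
CUSTOMER_A_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CUSTOMER_A_MAIL_ID = "rms-reader@customer-a.example"

# Tokens requested with the scope https://aadrm.com/.default carry the
# AADRM resource as audience (with or without a trailing slash).
AADRM_AUDIENCES = {"https://aadrm.com", "https://aadrm.com/"}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims):
    """Build a constructed, unsigned JWT (alg 'none') for offline testing only."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(json.dumps(header).encode("utf-8")),
                     _b64url_encode(json.dumps(claims).encode("utf-8")),
                     ""])


def decode_claims(token):
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]).decode("utf-8"))


def check_rms_token(token, client_tenant_id, client_app_id, customer_mail_id, now=None):
    """Compare a token against the external-identity checklist.

    Returns a list of problems; an empty list means the token is the one
    KC Plug-In should be handing to Message Connector for this client.
    """
    now = time.time() if now is None else now
    c = decode_claims(token)
    problems = []
    if c.get("aud") not in AADRM_AUDIENCES:
        problems.append("aud is %r, expected the AADRM resource" % (c.get("aud"),))
    if c.get("tid") != client_tenant_id:
        problems.append("tid is not the client's tenant: token was requested from the wrong tenant")
    # v2.0 tokens name the requesting app in 'azp', v1.0 tokens in 'appid'.
    if (c.get("azp") or c.get("appid")) != client_app_id:
        problems.append("azp/appid is not the client's application ID")
    if "scp" not in c:
        problems.append("no scp claim: token is app-only (Client Credentials); "
                        "external identities must use the Authorization Code grant")
    if c.get("preferred_username") != customer_mail_id:
        problems.append("preferred_username is not the mail ID registered as the external user")
    if c.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


def demo():
    """Return (problems_for_good_token, problems_for_bad_token) on constructed samples."""
    now = 1700000000
    good = make_sample_token({
        "aud": "https://aadrm.com", "tid": CLIENT_B_TENANT_ID, "azp": CLIENT_B_APP_ID,
        "scp": "user_impersonation",            # illustrative delegated scope name
        "preferred_username": CUSTOMER_A_MAIL_ID, "exp": now + 3600,
    })
    # Wrong on purpose: requested from customer A's own tenant with the
    # Client Credentials grant, so it will not open client B's RPMSG messages.
    bad = make_sample_token({
        "aud": "https://aadrm.com", "tid": CUSTOMER_A_TENANT_ID, "azp": CLIENT_B_APP_ID,
        "roles": ["Content.DelegatedReader"],   # illustrative app-only role name
        "exp": now + 3600,
    })
    args = (CLIENT_B_TENANT_ID, CLIENT_B_APP_ID, CUSTOMER_A_MAIL_ID, now)
    return check_rms_token(good, *args), check_rms_token(bad, *args)


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("good token:", good_problems or "OK")
    print("bad token:", *bad_problems, sep="\n  ")
```

To use it against a real environment, paste the access token from the identity's entry in the OAuth token cache into decode_claims or check_rms_token with the client's tenant ID and application ID. The bad sample reports three problems (wrong tid, no scp claim, no preferred_username), which is exactly the pattern you see when an identity was authorized against the customer's home tenant instead of the client's.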

Configure destination for Rights Management Identity

A Rights Management Identity must be selected in the destination configuration in KC Plug-In so that the corresponding access token is sent to Message Connector for decrypting RPMSG messages imported through that destination.

  1. In the KC Plug-In window, select the destination configuration you want to modify and click Edit Destination.

    The Destination configuration screen is displayed.

  2. Click the Advanced conversion and import tab.
  3. In the Import options section, select the relevant Rights Management Identity from the list.
  4. Click OK.
  5. Restart the KC Plug-In service.

    • Identities displayed in red in the Identities tab (failed authorization) are not offered in the Rights Management Identity box.

    • While importing an RPMSG email, the rights management access token is passed to Message Connector. This token is used by the RpmsgDecryptor tool to decrypt the RPMSG message into a .msg file, which is then processed for conversion.