Q&A about AES and PlayReady License service

This is the Q&A page for AES and PlayReady license service in Azure Media Services, please email yanmf@microsoft.com if you have any questions. 


  1. How can we setup a PlayReady license server in Azure Media Services?

You could either configure a license server through portal or our REST or .NET SDK. You could view the set up tutorial here.

  1. How can we manage content key in Azure? [encrypt/decrypt content]

The IContentKey interface and the ContentKeyCollection in our .Net Client SDK is used to interact with Content Keys in our system.  You can create them, delete them, get the clear key value back, etc.  There are also SDKs for other languages or a REST API if that works better for your development environment.

Our system also includes encoding as well as packaging the content for PlayReady either via static or dynamic packaging (if you are using our streaming endpoints as origin).

  1. How can we export content key for encrypting content in our server (if we want to use our own streaming server)?

You can either create the content key via our SDK (see above) and then use IContentKey.GetClearKeyValue method or you can create the content key in your environment and then specify KeyId and KeyValue when you create the content key in our system.

  1. Can we implement offline encode and encrypt servers that can work together with PlayReady Service on Azure?

Yes, you just need to use a license acquisition url pointing at Azure Media Services Key Delivery service.  You will also need to make sure that all of the needed content keys are added to your account and authorized for delivery to end user clients.  This shows how to create a Common Encyption key and configure the key’s authorization policy.

Note it assumes that you are using dynamic encryption which requires using Azure Media Services Streaming Endpoints.  This would be a good solution for you assuming you are okay with using Azure Media Services as the origin to feed your local CDN solution.  The Azure Media Services Streaming Endpoints provide both dynamic encryption and dynamic muxing capabilities (allowing a single asset to support Smooth Streaming, HLS, and DASH output).

  1. Can we encrypt contents once and use it with many key and model such as for Rental model and for Buffet Model?

There are a couple of approaches you can take here.  You can encrypt an Asset with a single content key and then issue different types of licenses depending on the business model the end user is using to access it.  For instance, if the end user rented an Asset, then you can issue them a rental license (usually a persistent license with restrictions for absolute expiration and expire after first play).  If the end user is a subscriber, then you can issue them a subscription license (usually an in memory only streaming license).  You can use different claims in your tokens to determine which type of license to issue.

If you must have separate keys for your different business models (key1 for rental, key2 for subscription) you can do that but you will need separate assets for that.

  1. Does PlayReady on Azure require Active Directory service on Azure?

No, the Azure Media Services Key Delivery Service with Microsoft PlayReady does not require Azure Active Directory.  The token based auth that the system supports today is based on Simple Web Tokens (SWT).  These can be issued via the Azure Access Control Service (ACS) or can be issued by your own Secure Token Service (STS).  We plan to support additional token formats in the future but don’t have an ETA we can share at this time.

This page (also provided above) shows how to setup a token restriction.

  1. How could I define PlayReady template?

You could configure some more common used PlayReady template fields through Azure portal. Media Services also provides APIs that let you configure your PlayReady licenses. Licenses contain the rights and restrictions that you want for the PlayReady DRM runtime to enforce when a user is trying to playback protected content. You could read more information here : http://msdn.microsoft.com/en-us/library/azure/dn783459.aspx.


  1. What kind of content protection service do you provide through Azure Media Services?

We provide multiple options to secure your media content and delivery with Microsoft PlayReady or AES-128 bit CBC encryption. You can do the encryption either during delivery (dynamic encryption) or during the content processing workflow (static encryption). These capabilities are available to everyone via the Azure.com management portal or APIs.

  1. what’s the difference between static encryption and dynamic encryption? When should I choose which?

Please read this blog for further information: http://mingfeiy.com/dynamic-encryption-vs-static-encryption-azure-media-services.

Player support:

  1. What client platform/player could I use to playback AES encrypted content?

AES decryption is an open algorithm that everyone could implement after downloading the stream. We have implement AES decryptor as plugin into the following Platform:

  1. Which player could I use to Playback PlayReady protection content?

Azure Media Services can be used to encode, download, or stream Smooth Streaming or MPEG DASH content encrypted with PlayReady. For consuming PlayReady encrypted content, client SDKs and the PlayReady Porting Kit are available under commercial licensing terms. (PlayReady clients for Windows 8.1 Store Apps can be built using the free SDK located HERE).


  1. Where could I find pricing information for AES or PlayReady license service?

You can find pricing information in http://azure.microsoft.com/en-us/pricing/details/media-services/#content-protection. And PlayReady service is charged at $0.2/100 license delivered, and AES key service is charged at $0.05/100 keys for preview.

  2. For the PAYG plan for Content Protection, there is a price of $0.20/ 100 licenses.

  a. Can you please confirm the definition of “license” in this scenario ?

The price is $0.2/100 licenses, which means you are charged based on how many PlayReady licenses are delivered through Azure Media Services License server to your client devices.

  b. Is the license in reference to issuing one license per streaming session per unique user ?

That depends on how you design it. But you could be able to use one licenses per asset, with a valid period of time. So as long as the license doesn’t expire on your client devices, you don’t need to renew it. We provide Token-based authentication on-top-of the License server, therefore, you could give out different token per unique user, and obtain the same license for the same content.

  c. If the user watches multiple contents/assets is a license required for each asset ?  Is only one license required per piece of contents ?  Or multiple licenses during viewing ?

You could design that way, which means one license multiple contents, however, it is not advised to do so, because you are essentially giving out a super key to the user. Usually the general guidance is to have unique content key for each asset, which results in a unique license for each asset. Please noted that we don’t support key-rotation for now, so multiple license per content is not a well-supported scenario.

  d. When using key-rotation for live services, does that impact the number of licenses required ?

Key-rotation for live services is not supported now.

  3. Are there any conditions for using Azure Encoding & Processing services in order to attain the Content Protection price?  (for example certain amount of minimum usage of encoding?

There is no such rules. You could use PlayReady license services alone with our encoding/streaming.

  4. Are there any conditions for using Azure Streaming services in order to attain the Content Protection price ? (for example certain amount of minimum streaming usage?)

There is no such rules. You could use PlayReady license services alone with our encoding/streaming.

  5. Is the separate PlayReady DRM licensing costs ($0.35/ client and $0.02/quarter per active client) still relevant for Silverlight players when using Azure Content Protection services?

For Silverlight player, it is free to user.

  6. Is the separate PlayReady DRM licensing costs ($0.35/ client and $0.02/quarter per active client) still relevant for other players (HLS players) when using Azure Content Protection services ?

If you are using PlayReady client for IOS and Android, yes, you need to pay for PlayReady licensing costs. If you are interested in knowing more about Client licensing cost, please contact wmla@microsoft.com.

Useful information:


Azure Media Services blog/video:

Leave a Reply

Your email address will not be published. Please enter your name, email and a comment.