0
# Content Protection
1

2
Comprehensive content protection capabilities through content key policies, encryption configurations, and DRM integration. Supports multiple encryption schemes including PlayReady, Widevine, FairPlay, and AES envelope encryption with token-based access control and license delivery services.
3

4
## Capabilities
5

6
### Content Key Policy Management
7

8
Create and manage content key policies that define encryption and access control rules for protected content.
9

10
```python { .api }
11
def list(resource_group_name: str, account_name: str) -> Iterable[ContentKeyPolicy]:
12
    """
13
    List all content key policies in a media service account.
14
    
15
    Parameters:
16
    - resource_group_name: Name of the resource group (str)
17
    - account_name: Name of the media service account (str)
18
    
19
    Returns:
20
    Iterable of ContentKeyPolicy objects with encryption configuration
21
    """
22

23
def get(
24
    resource_group_name: str,
25
    account_name: str,
26
    content_key_policy_name: str
27
) -> ContentKeyPolicy:
28
    """
29
    Get a specific content key policy with complete configuration.
30
    
31
    Parameters:
32
    - resource_group_name: Name of the resource group (str)
33
    - account_name: Name of the media service account (str)
34
    - content_key_policy_name: Name of the content key policy (str)
35
    
36
    Returns:
37
    ContentKeyPolicy object with encryption and access control settings
38
    """
39

40
def create_or_update(
41
    resource_group_name: str,
42
    account_name: str,
43
    content_key_policy_name: str,
44
    parameters: ContentKeyPolicy
45
) -> ContentKeyPolicy:
46
    """
47
    Create or update a content key policy.
48
    
49
    Parameters:
50
    - resource_group_name: Name of the resource group (str)
51
    - account_name: Name of the media service account (str)
52
    - content_key_policy_name: Name for the content key policy (str)
53
    - parameters: Content key policy configuration (ContentKeyPolicy)
54
    
55
    Returns:
56
    Created or updated ContentKeyPolicy object
57
    """
58

59
def update(
60
    resource_group_name: str,
61
    account_name: str,
62
    content_key_policy_name: str,
63
    parameters: ContentKeyPolicy
64
) -> ContentKeyPolicy:
65
    """
66
    Update an existing content key policy.
67
    
68
    Parameters:
69
    - resource_group_name: Name of the resource group (str)
70
    - account_name: Name of the media service account (str)
71
    - content_key_policy_name: Name of the content key policy (str)
72
    - parameters: Updated content key policy configuration (ContentKeyPolicy)
73
    
74
    Returns:
75
    Updated ContentKeyPolicy object
76
    """
77

78
def delete(
79
    resource_group_name: str,
80
    account_name: str,
81
    content_key_policy_name: str
82
) -> None:
83
    """
84
    Delete a content key policy.
85
    
86
    Parameters:
87
    - resource_group_name: Name of the resource group (str)
88
    - account_name: Name of the media service account (str)
89
    - content_key_policy_name: Name of the content key policy (str)
90
    
91
    Returns:
92
    None
93
    """
94
```
95

96
### Policy Secret Access
97

98
Retrieve content key policy configuration including sensitive information like encryption keys.
99

100
```python { .api }
101
def get_policy_properties_with_secrets(
102
    resource_group_name: str,
103
    account_name: str,
104
    content_key_policy_name: str
105
) -> ContentKeyPolicyProperties:
106
    """
107
    Get content key policy with sensitive information included.
108
    
109
    Parameters:
110
    - resource_group_name: Name of the resource group (str)
111
    - account_name: Name of the media service account (str)
112
    - content_key_policy_name: Name of the content key policy (str)
113
    
114
    Returns:
115
    ContentKeyPolicyProperties with complete policy configuration including secrets
116
    """
117
```
118

119
### Content Key Management
120

121
Retrieve content keys for streaming locators with encryption configurations.
122

123
```python { .api }
124
def list_content_keys(
125
    resource_group_name: str,
126
    account_name: str,
127
    streaming_locator_name: str
128
) -> ListContentKeysResponse:
129
    """
130
    List content keys for an encrypted streaming locator.
131
    
132
    Parameters:
133
    - resource_group_name: Name of the resource group (str)
134
    - account_name: Name of the media service account (str)
135
    - streaming_locator_name: Name of the streaming locator (str)
136
    
137
    Returns:
138
    ListContentKeysResponse containing content encryption keys
139
    """
140
```
141

142
## Data Types
143

144
```python { .api }
145
class ContentKeyPolicy:
146
    """Content protection policy with encryption and access control."""
147
    name: str
148
    description: str
149
    options: List[ContentKeyPolicyOption]
150
    policy_id: str
151
    created: str
152
    last_modified: str
153
    
154
class ContentKeyPolicyOption:
155
    """Individual policy option with configuration and restrictions."""
156
    policy_option_id: str
157
    name: str
158
    configuration: ContentKeyPolicyConfiguration
159
    restriction: ContentKeyPolicyRestriction
160
    
161
class ContentKeyPolicyProperties:
162
    """Content key policy properties including sensitive data."""
163
    policy_id: str
164
    created: str
165
    last_modified: str
166
    description: str
167
    options: List[ContentKeyPolicyOption]
168

169
# Policy Configurations
170
class ContentKeyPolicyConfiguration:
171
    """Base class for content key policy configurations."""
172
    pass
173

174
class ContentKeyPolicyPlayReadyConfiguration(ContentKeyPolicyConfiguration):
175
    """PlayReady DRM configuration."""
176
    licenses: List[ContentKeyPolicyPlayReadyLicense]
177
    response_custom_data: str
178
    
179
class ContentKeyPolicyWidevineConfiguration(ContentKeyPolicyConfiguration):
180
    """Widevine DRM configuration."""
181
    widevine_template: str
182
    
183
class ContentKeyPolicyClearKeyConfiguration(ContentKeyPolicyConfiguration):
184
    """Clear key configuration for testing."""
185
    pass
186
    
187
class ContentKeyPolicyFairPlayConfiguration(ContentKeyPolicyConfiguration):
188
    """FairPlay DRM configuration."""
189
    ask: str
190
    fair_play_pfx_password: str
191
    fair_play_pfx: str
192
    rental_and_lease_key_type: str
193
    rental_duration: int
194
    offline_rental_configuration: ContentKeyPolicyFairPlayOfflineRentalConfiguration
195
    
196
class ContentKeyPolicyUnknownConfiguration(ContentKeyPolicyConfiguration):
197
    """Unknown or unsupported configuration type."""
198
    pass
199

200
# Policy Restrictions  
201
class ContentKeyPolicyRestriction:
202
    """Base class for content key policy restrictions."""
203
    pass
204
    
205
class ContentKeyPolicyOpenRestriction(ContentKeyPolicyRestriction):
206
    """Open access without restrictions."""
207
    pass
208
    
209
class ContentKeyPolicyTokenRestriction(ContentKeyPolicyRestriction):
210
    """Token-based access restriction."""
211
    issuer: str
212
    audience: str
213
    primary_verification_key: ContentKeyPolicyRestrictionTokenKey
214
    alternative_verification_keys: List[ContentKeyPolicyRestrictionTokenKey]
215
    required_claims: List[ContentKeyPolicyTokenClaim]
216
    restriction_token_type: str  # ContentKeyPolicyRestrictionTokenType enum
217
    open_id_connect_discovery_document: str
218
    
219
class ContentKeyPolicyUnknownRestriction(ContentKeyPolicyRestriction):
220
    """Unknown or unsupported restriction type."""
221
    pass
222

223
# Token Keys and Claims
224
class ContentKeyPolicyRestrictionTokenKey:
225
    """Base class for token verification keys."""
226
    pass
227
    
228
class ContentKeyPolicySymmetricTokenKey(ContentKeyPolicyRestrictionTokenKey):
229
    """Symmetric key for token verification."""
230
    key_value: str
231
    
232
class ContentKeyPolicyRsaTokenKey(ContentKeyPolicyRestrictionTokenKey):
233
    """RSA public key for token verification."""
234
    exponent: str
235
    modulus: str
236
    
237
class ContentKeyPolicyX509CertificateTokenKey(ContentKeyPolicyRestrictionTokenKey):
238
    """X.509 certificate for token verification."""
239
    raw_body: str
240
    
241
class ContentKeyPolicyTokenClaim:
242
    """Required claim in access tokens."""
243
    claim_type: str
244
    claim_value: str
245

246
# PlayReady License Configuration
247
class ContentKeyPolicyPlayReadyLicense:
248
    """PlayReady license configuration."""
249
    allow_test_devices: bool
250
    begin_date: str
251
    expiration_date: str
252
    relative_begin_date: str
253
    relative_expiration_date: str
254
    grace_period: str
255
    play_right: ContentKeyPolicyPlayReadyPlayRight
256
    license_type: str  # ContentKeyPolicyPlayReadyLicenseType enum
257
    content_key_location: ContentKeyPolicyPlayReadyContentKeyLocation
258
    content_type: str  # ContentKeyPolicyPlayReadyContentType enum
259
    
260
class ContentKeyPolicyPlayReadyPlayRight:
261
    """PlayReady play right configuration."""
262
    first_play_expiration: str
263
    scms_restriction: int
264
    agc_and_color_stripe_restriction: int
265
    explicit_analog_television_output_restriction: ContentKeyPolicyPlayReadyExplicitAnalogTelevisionRestriction
266
    digital_video_only_content_restriction: bool
267
    image_constraint_for_analog_component_video_restriction: bool
268
    image_constraint_for_analog_computer_monitor_restriction: bool
269
    allow_passing_video_content_to_unknown_output: str
270
    uncompressed_digital_video_opl: int
271
    compressed_digital_video_opl: int
272
    analog_video_opl: int
273
    compressed_digital_audio_opl: int
274
    uncompressed_digital_audio_opl: int
275

276
# Content Keys Response
277
class ListContentKeysResponse:
278
    """Response containing content encryption keys."""
279
    content_keys: List[StreamingLocatorContentKey]
280
    
281
class StreamingLocatorContentKey:
282
    """Content key for encrypted streaming."""
283
    id: str
284
    type: str  # StreamingLocatorContentKeyType enum
285
    label_reference_in_streaming_policy: str
286
    value: str
287
    policy_name: str
288
    tracks: List[TrackSelection]
289
```
290

291
## Usage Examples
292

293
### Create Token-Based Content Key Policy
294

295
```python
296
from azure.mgmt.media import AzureMediaServices
297
from azure.mgmt.media.models import (
298
    ContentKeyPolicy, ContentKeyPolicyOption,
299
    ContentKeyPolicyPlayReadyConfiguration, ContentKeyPolicyTokenRestriction,
300
    ContentKeyPolicySymmetricTokenKey, ContentKeyPolicyTokenClaim,
301
    ContentKeyPolicyPlayReadyLicense, ContentKeyPolicyPlayReadyPlayRight,
302
    ContentKeyPolicyRestrictionTokenType, ContentKeyPolicyPlayReadyLicenseType
303
)
304
from azure.identity import DefaultAzureCredential
305
import secrets
306

307
client = AzureMediaServices(
308
    credential=DefaultAzureCredential(),
309
    subscription_id="your-subscription-id"
310
)
311

312
# Generate symmetric key for token verification
313
token_key = secrets.token_bytes(32).hex()
314

315
# Configure token restriction
316
verification_key = ContentKeyPolicySymmetricTokenKey(key_value=token_key)
317

318
required_claims = [
319
    ContentKeyPolicyTokenClaim(
320
        claim_type="urn:microsoft:azure:mediaservices:contentkeyidentifier",
321
        claim_value=None  # Will be set automatically
322
    )
323
]
324

325
token_restriction = ContentKeyPolicyTokenRestriction(
326
    issuer="https://sts.yourdomain.com",
327
    audience="https://media.yourdomain.com", 
328
    primary_verification_key=verification_key,
329
    required_claims=required_claims,
330
    restriction_token_type=ContentKeyPolicyRestrictionTokenType.JWT
331
)
332

333
# Configure PlayReady DRM
334
play_right = ContentKeyPolicyPlayReadyPlayRight(
335
    first_play_expiration="PT24H",  # 24 hours
336
    digital_video_only_content_restriction=False,
337
    image_constraint_for_analog_component_video_restriction=True,
338
    image_constraint_for_analog_computer_monitor_restriction=False,
339
    allow_passing_video_content_to_unknown_output="Allowed"
340
)
341

342
playready_license = ContentKeyPolicyPlayReadyLicense(
343
    allow_test_devices=False,
344
    relative_expiration_date="P30D",  # 30 days
345
    play_right=play_right,
346
    license_type=ContentKeyPolicyPlayReadyLicenseType.NON_PERSISTENT
347
)
348

349
playready_config = ContentKeyPolicyPlayReadyConfiguration(
350
    licenses=[playready_license]
351
)
352

353
# Create policy option
354
policy_option = ContentKeyPolicyOption(
355
    name="TokenRestrictedPolicyOption",
356
    configuration=playready_config,
357
    restriction=token_restriction
358
)
359

360
# Create content key policy
361
content_key_policy = ContentKeyPolicy(
362
    description="Token-restricted PlayReady policy",
363
    options=[policy_option]
364
)
365

366
created_policy = client.content_key_policies.create_or_update(
367
    resource_group_name="my-resource-group",
368
    account_name="my-media-service",
369
    content_key_policy_name="token-restricted-policy",
370
    parameters=content_key_policy
371
)
372

373
print(f"Content key policy created: {created_policy.name}")
374
print(f"Policy ID: {created_policy.policy_id}")
375
print(f"Token signing key: {token_key}")
376
```
377

378
### Create Streaming Locator with Content Protection
379

380
```python
381
from azure.mgmt.media.models import StreamingLocator
382
from datetime import datetime, timedelta
383

384
# Create streaming locator with content protection
385
protected_locator = StreamingLocator(
386
    asset_name="encoded-asset",
387
    streaming_policy_name="Predefined_MultiDrmCencStreaming",
388
    default_content_key_policy_name="token-restricted-policy",
389
    start_time=datetime.utcnow().isoformat() + "Z",
390
    end_time=(datetime.utcnow() + timedelta(days=30)).isoformat() + "Z"
391
)
392

393
created_locator = client.streaming_locators.create(
394
    resource_group_name="my-resource-group",
395
    account_name="my-media-service",
396
    streaming_locator_name="protected-streaming-locator",
397
    parameters=protected_locator
398
)
399

400
print(f"Protected streaming locator created: {created_locator.name}")
401

402
# Get content keys
403
content_keys_response = client.streaming_locators.list_content_keys(
404
    resource_group_name="my-resource-group",
405
    account_name="my-media-service",
406
    streaming_locator_name="protected-streaming-locator"
407
)
408

409
print("Content keys:")
410
for key in content_keys_response.content_keys:
411
    print(f"  ID: {key.id}")
412
    print(f"  Type: {key.type}")
413
    print(f"  Policy: {key.policy_name}")
414
```
415

416
### Generate JWT Token for Content Access
417

418
```python
419
import jwt
420
import datetime
421

422
def generate_content_token(token_key: str, content_key_id: str) -> str:
423
    """
424
    Generate JWT token for accessing protected content.
425
    
426
    Parameters:
427
    - token_key: Symmetric key used for token signing (str)
428
    - content_key_id: Content key identifier from streaming locator (str)
429
    
430
    Returns:
431
    JWT token string
432
    """
433
    # Token payload
434
    payload = {
435
        "iss": "https://sts.yourdomain.com",  # Must match policy issuer
436
        "aud": "https://media.yourdomain.com",  # Must match policy audience
437
        "exp": int((datetime.datetime.utcnow() + datetime.timedelta(hours=24)).timestamp()),
438
        "nbf": int(datetime.datetime.utcnow().timestamp()),
439
        "urn:microsoft:azure:mediaservices:contentkeyidentifier": content_key_id
440
    }
441
    
442
    # Sign token with symmetric key
443
    token = jwt.encode(
444
        payload, 
445
        bytes.fromhex(token_key), 
446
        algorithm="HS256"
447
    )
448
    
449
    return token
450

451
# Example usage
452
content_key_id = content_keys_response.content_keys[0].id
453
access_token = generate_content_token(token_key, content_key_id)
454
print(f"Access token: {access_token}")
455
```
456

457
### Create Multi-DRM Policy
458

459
```python
460
from azure.mgmt.media.models import (
461
    ContentKeyPolicyWidevineConfiguration,
462
    ContentKeyPolicyClearKeyConfiguration
463
)
464
import json
465

466
# Create policy with multiple DRM configurations
467
widevine_template = {
468
    "allowed_track_types": "SD_HD",
469
    "content_key_specs": [{
470
        "track_type": "SD",
471
        "security_level": 1,
472
        "required_output_protection": {
473
            "hdcp": "HDCP_NONE"
474
        }
475
    }],
476
    "policy_overrides": {
477
        "can_play": True,
478
        "can_persist": False,
479
        "can_renew": False
480
    }
481
}
482

483
# PlayReady option
484
playready_option = ContentKeyPolicyOption(
485
    name="PlayReadyOption",
486
    configuration=playready_config,  # From previous example
487
    restriction=token_restriction     # From previous example
488
)
489

490
# Widevine option
491
widevine_config = ContentKeyPolicyWidevineConfiguration(
492
    widevine_template=json.dumps(widevine_template)
493
)
494

495
widevine_option = ContentKeyPolicyOption(
496
    name="WidevineOption", 
497
    configuration=widevine_config,
498
    restriction=token_restriction
499
)
500

501
# Clear key option for testing
502
clear_key_config = ContentKeyPolicyClearKeyConfiguration()
503

504
clear_key_option = ContentKeyPolicyOption(
505
    name="ClearKeyOption",
506
    configuration=clear_key_config,
507
    restriction=token_restriction
508
)
509

510
# Multi-DRM policy
511
multi_drm_policy = ContentKeyPolicy(
512
    description="Multi-DRM content protection policy",
513
    options=[playready_option, widevine_option, clear_key_option]
514
)
515

516
client.content_key_policies.create_or_update(
517
    resource_group_name="my-resource-group",
518
    account_name="my-media-service",
519
    content_key_policy_name="multi-drm-policy",
520
    parameters=multi_drm_policy
521
)
522

523
print("Multi-DRM content key policy created")
524
```