Set Up and Manage Information Rights Management in Exchange Online


Applies to: Office 365 for enterprises, Live@edu

Topic last modified: 2013-05-22

People often use email to exchange sensitive information, such as financial data, legal contracts, confidential product information, sales reports and projections, patient health information or customer and employee information. As a result, mailboxes can become repositories for large amounts of potentially sensitive information, and information leakage can become a serious threat to your organisation.

To help prevent information leakage, Exchange Online includes Information Rights Management (IRM) functionality that provides online and offline protection of email messages and attachments. IRM protection can be applied by users in Microsoft Office Outlook or Outlook Web App, and it can be applied by administrators using transport rules or Outlook protection rules. IRM helps you and your users control who can access, forward, print or copy sensitive data within an email.

How IRM works in Exchange Online

Exchange Online IRM uses Active Directory Rights Management Services (AD RMS), an information protection technology in Windows Server 2008. IRM protection is applied to email by applying an AD RMS rights policy template to an email message. Usage rights are attached to the message itself, so that protection occurs online and offline, and inside and outside your organisation's firewall.

Users can apply a template to an email message to control what permissions recipients have on a message. Actions, such as forwarding, extracting information from a message, saving a message or printing a message, can be controlled by applying an RMS template to the message.


Before you begin

Before you can implement IRM for your cloud-based email organisation, you must have Windows Server 2008 and an AD RMS server running in your on-premises organisation. You use this on-premises AD RMS server to manage the RMS templates for your cloud-based organisation. Outlook also relies on the AD RMS server to enable users to apply IRM protection to messages they send.

For information about how to deploy AD RMS, see Installing an AD RMS Cluster.


Step 1: Export a trusted publishing domain (TPD) from an AD RMS server

The first step is to export a trusted publishing domain (TPD) from the on-premises AD RMS server to an XML file. The TPD contains the settings needed to use RMS features: the server licensor certificate (SLC) used for signing and encrypting certificates and licences, the URLs used for licensing and publishing, and the RMS templates that were created with the specific SLC for that TPD. When you import the TPD, it is stored and protected in Exchange Online.

Here's how you export a TPD:

  1. Open the Active Directory Rights Management Services console, and then expand the AD RMS cluster.

  2. In the console tree, expand Trust Policies and then click Trusted Publishing Domains.

  3. Select the certificate for the domain you want to export in the results pane.

  4. Click Export Trusted Publishing Domain in the Actions pane.

  5. In the Publishing domain file box, click Save As to save the file to a specific location on the local computer. Type a file name and be sure to specify the .xml file name extension, and then click Save.

  6. In the Password and Confirm Password boxes, type a strong password that will be used to encrypt the trusted publishing domain file. You will have to specify this password when you import the TPD to your cloud-based email organisation.

  7. Click Finish.

Step 2: Import the TPD to Exchange Online

After the TPD is exported to an XML file, you have to import it to Exchange Online. When a TPD is imported, your organisation's templates from AD RMS are also imported. When the first TPD is imported, it becomes the default TPD for your cloud-based organisation. If you import another TPD, you can use the Default switch to make it the default TPD that is available to users.

To import the TPD, run the following command in Windows PowerShell:

Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path <path to exported TPD file> -ReadCount 0)) -Name "<name of TPD>" -ExtranetLicensingUrl <URL> -IntranetLicensingUrl <URL>

You can obtain the values for the ExtranetLicensingUrl and IntranetLicensingUrl parameters in the Active Directory Rights Management Services console. Select the AD RMS cluster in the console tree. The URLs for the licensing are displayed in the results pane. These URLs are used by email clients when content has to be decrypted and when Exchange Online needs to determine which TPD to use.

When you run this command, you are prompted for a password. Enter the password that you specified when you exported the TPD from your AD RMS server.

Example   The following command imports the TPD named Exported TPD, using the XML file that you exported from your AD RMS server and saved to the desktop of the Administrator account. The Name parameter specifies the name for the TPD in Exchange Online.

Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path C:\Users\Administrator\Desktop\ExportTPD.xml -ReadCount 0)) -Name "Exported TPD" -ExtranetLicensingUrl <URL> -IntranetLicensingUrl https://rmsserver/_wmcs/licensing


Step 3: Distribute an RMS template

After you import the TPD, you have to make sure an RMS template is distributed. A distributed template is visible to Outlook Web App users, who can then apply the templates to an email message.

To see a list of all templates contained in the default TPD, run the following command:

Get-RMSTemplate -Type All | fl

If the value of the Type parameter is Archived, the template isn't visible to users. Only distributed templates in the default TPD are available in Outlook Web App.

To distribute a template, run the following command:

Set-RMSTemplate -Identity "<name of the template>" -Type Distributed

Example   The following command distributes the Company Confidential template:

Set-RMSTemplate -Identity "Company Confidential" -Type Distributed

The Do Not Forward template

When you import the default TPD from your on-premises organisation into Exchange Online, one RMS template is imported. It's called the Do Not Forward template. This template is distributed, by default, when you import the default TPD. You can't modify the Do Not Forward template using the Set-RMSTemplate cmdlet.

When the Do Not Forward template is applied to a message, only the recipients addressed in the message can read the message. Additionally, recipients can't do the following:

  • Forward the message to another person.

  • Copy content from the message.

  • Print the message.

Important   The Do Not Forward template can't prevent information in a message from being copied with third-party screen capture programs, cameras or users manually transcribing the information.

You can create additional RMS templates on the AD RMS server in your on-premises organisation to meet your IRM protection requirements. If you create additional RMS templates, you have to export the TPD from the on-premises AD RMS server again and refresh the TPD in the cloud-based email organisation. For more information, see Update Exchange Online with new RMS templates.


Step 4: Enable IRM

After you import the TPD and distribute an RMS template, you have to enable IRM for your cloud-based email organisation by running the following command:

Set-IRMConfiguration -InternalLicensingEnabled $true
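Steps 2 to 4 as a single script, added here as an example; it is not part of the original topic or Microsoft's own documentation. It assumes a Windows PowerShell session already connected to Exchange Online, that the file path, TPD name, template name and licensing URLs in the param block are placeholders you replace with your own values, and that Get-IRMConfiguration is available to read the setting back. The export password is never stored in the script; the import cmdlet prompts for it as the topic describes.

```powershell
# Added example (not from the original page): import a TPD, distribute one template, enable IRM.
# All values in the param block are placeholders (assumptions) to be replaced with your own.
param(
    [string]$TpdPath              = 'C:\Users\Administrator\Desktop\ExportTPD.xml',
    [string]$TpdName              = 'Exported TPD',
    [string]$TemplateName         = 'Company Confidential',
    [string]$ExtranetLicensingUrl = 'https://rms.example.com/_wmcs/licensing',  # placeholder
    [string]$IntranetLicensingUrl = 'https://rmsserver/_wmcs/licensing'         # placeholder
)
$ErrorActionPreference = 'Stop'

# Step 2: read the exported TPD as raw bytes (Get-Content -Encoding byte, as on the page,
# is Windows PowerShell 5.1 syntax).
if (-not (Test-Path -Path $TpdPath)) { throw "TPD file not found: $TpdPath" }
$data = [byte[]](Get-Content -Encoding byte -Path $TpdPath -ReadCount 0)

# The cmdlet prompts for the password chosen when the TPD was exported.
Import-RMSTrustedPublishingDomain -FileData $data -Name $TpdName `
    -ExtranetLicensingUrl $ExtranetLicensingUrl -IntranetLicensingUrl $IntranetLicensingUrl

# The first TPD imported becomes the default; confirm which one that is.
$defaultTpd = Get-RMSTrustedPublishingDomain | Where-Object { $_.Default -eq $true }
Write-Host "Default TPD: $($defaultTpd.Name)"

# Step 3: distribute only the template users are meant to see; everything else stays Archived.
$templates = @(Get-RMSTemplate -Type All)
$target = $templates | Where-Object { $_.Name -eq $TemplateName }
if (-not $target) {
    throw "Template '$TemplateName' is not in the default TPD. Available: $($templates.Name -join ', ')"
}
if ($target.Type -ne 'Distributed') {
    Set-RMSTemplate -Identity $TemplateName -Type Distributed
}
Get-RMSTemplate -Type All | Format-Table Name, Type -AutoSize

# Step 4: enable IRM, then read the configuration back to verify the change took effect.
Set-IRMConfiguration -InternalLicensingEnabled $true
Get-IRMConfiguration | Format-List InternalLicensingEnabled
```

Distributing only the named template, rather than everything in the TPD, keeps the Permissions list in Outlook Web App limited to templates you have reviewed; the final Get-IRMConfiguration call is the check that InternalLicensingEnabled is actually True before you tell users the feature is available.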

What happens after you enable IRM?

After you enable IRM, IRM protection can be applied to email messages as follows:

  • Users can manually apply a template using Outlook and Outlook Web App   Users can use the Permissions drop-down list to select a rights policy template to apply to the email message. When users send an IRM-protected message, any files attached to the message that use a supported format also receive the same IRM protection as the message. IRM protection is applied to files associated with Microsoft Office Word, Excel and PowerPoint, as well as .xps files and attached email messages.

  • Administrators can use transport rules to apply IRM protection automatically to both Outlook and OWA   You can create transport rules to IRM-protect messages. Configure the transport rule action to apply an RMS template to messages that meet the rule condition. After you enable IRM, your organisation's RMS templates are available to use with the transport rule action called Apply rights protection to the message with. Here's how:

  • Administrators can create Outlook protection rules   Outlook protection rules automatically apply IRM protection to messages in Outlook 2010, not Outlook Web App, based on message conditions that include the sender's department, who the message is sent to and whether recipients are inside or outside your organisation. To create Outlook protection rules, administrators use the New-OutlookProtectionRule cmdlet. Here's how: Create Outlook Protection Rules.


Manage IRM

Now let's look at some optional tasks you can use to manage IRM in your cloud-based organisation:

Change the default TPD

When the first TPD is imported, it will be marked as the default TPD. You may want to change the default TPD to distribute a different set of RMS templates for your cloud-based organisation.

To set a different TPD as the default, run the following command:

Set-RMSTrustedPublishingDomain -Identity "<name of TPD>" -Default

Create a new RMS template

You can create additional RMS templates on the AD RMS server in your on-premises organisation to meet your IRM protection requirements. Exchange Online supports up to 20 templates per TPD.

If you create additional RMS templates, you have to export the TPD from the on-premises AD RMS server again and refresh the TPD in the cloud-based email organisation, as described in the "Update Exchange Online with new RMS templates" section.

For more information about how to create an RMS template, see Create a New Rights Policy Template.

Update Exchange Online with new RMS templates

When RMS templates are created, deleted or changed in your on-premises organisation, you can run the Import-RMSTrustedPublishingDomain cmdlet to refresh the templates in your cloud-based email organisation. After you export the TPD, as previously described in step 1, run the following commands:

$data = [byte[]](Get-Content -Encoding byte -Path <Path to exported TPD> -ReadCount 0)
Import-RMSTrustedPublishingDomain -FileData $data -Name "<name of TPD>" -RefreshTemplates

Example   Let's say that you created a new RMS template in your on-premises organisation and now want to make that template available to your cloud-based users. After you export the TPD to a file named RevisedTPD.xml, run the following commands:

$data = [byte[]](Get-Content -Encoding byte -Path C:\Users\Administrator\Desktop\RevisedTPD.xml -ReadCount 0)
Import-RMSTrustedPublishingDomain -FileData $data -Name "Exported TPD" -RefreshTemplates

Note   The name of the TPD must match the name of the previously imported TPD. When you are prompted for a password, enter the password that you specified when you exported the revised TPD to the new XML file.

After the refresh, run the Get-RMSTemplate -Type All | fl command to display the updated list of templates. If a new template should be visible to users, mark it as Distributed, as described in step 3.

If a template was removed as a result of the refresh, make sure that it isn't referenced by a transport rule. An NDR will result if a deleted template is referenced in a transport rule.

Tip   Run the following command to determine if any of your organisation's transport rules have an action that applies an RMS template:

Get-TransportRule | fl Name,ApplyRightsProtectionTemplate
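The refresh and the transport-rule check above, combined into one script that reports which templates the refresh added or removed and flags any rule that still references a removed template. This is an added example, not part of the original topic or Microsoft's documentation. It assumes a session connected to Exchange Online, that the path and TPD name in the param block are placeholders you replace, and that the string form of a rule's ApplyRightsProtectionTemplate property is the template name.

```powershell
# Added example (not from the original page): refresh RMS templates from a revised TPD, then
# find transport rules that reference a template the refresh removed (those rules cause NDRs).
# Values in the param block are placeholders (assumptions).
param(
    [string]$RevisedTpdPath = 'C:\Users\Administrator\Desktop\RevisedTPD.xml',
    [string]$TpdName        = 'Exported TPD'   # must match the name used for the first import
)
$ErrorActionPreference = 'Stop'

# Snapshot template names before the refresh so additions and removals can be reported.
$before = @(Get-RMSTemplate -Type All | ForEach-Object { $_.Name })

$data = [byte[]](Get-Content -Encoding byte -Path $RevisedTpdPath -ReadCount 0)
# Prompts for the password chosen when the revised TPD was exported.
Import-RMSTrustedPublishingDomain -FileData $data -Name $TpdName -RefreshTemplates

$after   = @(Get-RMSTemplate -Type All | ForEach-Object { $_.Name })
$added   = @($after  | Where-Object { $before -notcontains $_ })
$removed = @($before | Where-Object { $after  -notcontains $_ })
Write-Host "Added templates:   $($added -join ', ')"
Write-Host "Removed templates: $($removed -join ', ')"

# A rule whose action names a template that no longer exists will NDR every message it matches.
$rulesWithTemplate = Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate }
foreach ($rule in $rulesWithTemplate) {
    # Assumption: the property's string form is the template name.
    $templateName = "$($rule.ApplyRightsProtectionTemplate)"
    if ($after -notcontains $templateName) {
        Write-Warning ("Transport rule '{0}' applies template '{1}', which is no longer in the TPD. " +
                       "Update or disable the rule before mail flow is affected.") -f $rule.Name, $templateName
    }
}

# Newly imported templates are Archived until distributed; list them so they can be reviewed first.
Get-RMSTemplate -Type All | Where-Object { $_.Type -eq 'Archived' } | Format-Table Name, Type -AutoSize
```

Taking the before snapshot matters because Get-RMSTemplate only shows the current state; without it you cannot tell from the cmdlet output alone which template a transport rule was pointing at before the refresh removed it.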

Disable IRM in Exchange Online

To temporarily stop using the TPD in your cloud-based organisation, you can disable IRM so that Outlook Web App users can't IRM-protect email messages.

To disable IRM, run the following command:

Set-IRMConfiguration -InternalLicensingEnabled $false

Remove TPDs

You can also permanently remove TPDs from your Exchange Online organisation. However, you can't remove the default TPD until all non-default TPDs are removed.

To remove all non-default TPDs, run the following command:

Get-RMSTrustedPublishingDomain | ?{ $_.Default -eq $false } | Remove-RMSTrustedPublishingDomain

After all non-default TPDs are removed, run the following command to remove the default TPD:

Get-RMSTrustedPublishingDomain | Remove-RMSTrustedPublishingDomain -Force
