Skip navigation
Encryption in Exchange Online Part 4

Encryption in Exchange Online Part 4

In the first three parts (Part 1, Part 2, Part 3), of this series, I’ve covered the basics of encryption, BitLocker, TLS, and Office 365 Message Encryption.  In this article I’m going to start covering Information Rights Management.

Active Directory Rights Management Services (AD RMS) is a system that allows users to apply Information Rights Management (IRM) protection to content, such as email messages and Office documents.  Once content is rights protected it can only be used by specific individuals in specific circumstances, depending on the template that is applied to the content.

For example, I can use an IRM template to protect an email message so that it cannot be forwarded by those who receive it.  Some other typical restrictions that can be applied include; making a document read-only, disabling copying of text out of an email message, disallowing users saving a copy of a document, or preventing users from printing or taking screen shots of a document.  It is important to note that while you can apply rights protection to an email message that will prevent printing or taking screen shots of that message, this rights protection will not prevent a user from using a camera phone to take a picture of their monitor. Rights management works best when it’s thought of as a way to help remind honest users of how to comply with policies, and not as a way to completely prevent users from dishonest behavior.

IRM can be confusing because of the multiple names (AD RMS, Azure RMS, IRM), and the multiple different configurations possible.  For the purposes of this article, I am going to focus on IRM in Exchange Online.  It should be noted that both on-premises Active Directory and Azure Active Directory can be used to setup RMS for IRM, but here I will only be talking about IRM setup with Azure AD RMS.

IRM works by attaching a RMS template to the message in a way that the license cannot be separated from the original message, no matter where that message goes.  If a user exports that message from their mailbox, on to a USB drive, the RMS license is still attached.  Any future use of that message will require authentication against the RMS infrastructure where that license was created. This ensures that the rights protection stays enforce with the protected message.

The default configuration of IRM within Exchange Online allows for the use of 3 pre-built templates. Those templates are

Do Not Forward: Recipients can read this message, but cannot forward, print, or copy content. The conversation owner has full permission to their message and all replies.

CompanyName - Confidential: This content is proprietary information intended for internal users only. This content can be modified but cannot be copied and printed.

CompanyName - Confidential View Only: This content is proprietary and intended for internal users only. This content cannot be modified.

The default Do Not Forward template can be applied to messages sent outside your organization, but only in limited circumstances. Messages with this template applied work across Office 365 tenants, but recipients outside Offce 365 will not be able to open these messages.

The two templates that start with CompanyName are internal only. Users who do not have accounts on the same Office 365 tenant will not be able to read these messages. The CompanyName – Confidential template allow recipients to modify the message, but not copy or forward it.  The CompanyName – Confidential View Only template, does not allow the content to be modified, in addition to the other restrictions from the CompanyName – Confidential template.

If these templates do not entirely meet the needs of an organization, it is possible to connect an on-premises AD RMS implementation to your Office 365 tenant, so that you can use your own templates. That configuration is, however, quite a lot of work and beyond the scope of this article.

IRM protected data can be consumed on your computer via standard Office applications (Outlook, Word, Excel), as well as on your phone.  IRM protected messages can be opened, read, and responded to on both iPhone and Android phones, as well as on Windows Phone.

The process of setting up IRM for your Exchange Online tenant is pretty simple and straight forward. In your Office 365 portal go into Admin > Service Settings > Rights Management and select Manage in the center dashboard. You will be redirected to an Azure website (no need to log in again) where you will see a dashboard that looks like this

As you can see, Rights management is already activated on my tenant.  If yours is not active, clicking the “activate” button will do the trick.

Before we talk about that “advanced features” button, there is a couple more quick steps we need to complete before those default templates work.

After you have activated rights management in the portal, the rest of the configuration for IRM needs to be done from PowerShell.  To do the next series of configurations, you’ll need to install Windows Azure Active Directory Module for Windows PowerShell.  Launch WAAD module for PS, and run the following commands to connect to your tenant


Once connected to WAAD, there are a couple of PowerShell commands that need to be entered to finish your IRM configuration.  First, you need to designate your IRM online key sharing location.  To do this, run one of the following commands based on the location of your Office 365 tenant.

North America: Set-IRMConfiguration -RMSOnlineKeySharingLocation

European Union: Set-IRMConfiguration -RMSOnlineKeySharingLocation

The Asia-Pacific Area: Set-IRMConfiguration -RMSOnlineKeySharingLocation

After your key sharing location is set, the next step is to import the Trusted Publishing Domain (TPD). Run the following command:

Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

The final step is to activate the internal IRM licensing. Run the following command:

Set-IRMConfiguration -InternalLicensingEnabled $True

You can verify everything worked by running the Test-IRMConfiguration cmdlet’ in your Exchange Online tenant.

Now you have the three default templates available for you to use in Exchange Online.  They will work from both supported versions of Outlook and from OWA.

In the next article we’ll explore that advanced features button we saw earlier, and talk about how you can create your own customized IRM templates without having to connect your on-premises Active Directory.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.