People often use email to exchange sensitive information, such as financial data, legal contracts, confidential product information, sales reports and projections, patient health information, or customer and employee information. As a result, mailboxes can become repositories for large amounts of potentially sensitive information, and information leakage can become a serious threat to your organization.
To help prevent information leakage, Exchange Online includes Information Rights Management (IRM) functionality that provides online and offline protection of email messages and attachments. IRM protection can be applied by users in Microsoft Office Outlook or Outlook Web App, and it can be applied by administrators using transport protection rules or Outlook protection rules. IRM helps you and your users control who can access, forward, print, or copy sensitive data within an email.
- IRM in Exchange Online
- Before you begin
- Step 1: Export a trusted publishing domain (TPD) from an AD RMS server
- Step 2: Import the TPD to Exchange Online
- Step 3: Distribute an AD RMS rights policy template
- Step 4: Enable IRM
- What happens after you enable IRM?
- Manage IRM
How IRM works in Exchange Online
Exchange Online IRM uses Active Directory Rights Management Services (AD RMS), an information protection technology in Windows Server 2008. IRM protection is applied to e-mail by applying an AD RMS rights policy template to an e-mail message. Usage rights are attached to the message itself, so that protection occurs online and offline, and inside and outside of your organization’s firewall.
Users can apply a template to an e-mail message to control what permissions that recipients have on a message. Actions, such as forwarding, extracting information from a message, saving a message, or printing a message, can be controlled by applying an AD RMS rights policy template to the message.
Before you begin
Before you can implement IRM for your cloud-based e-mail organization, you must have Windows Server 2008 and an AD RMS server running in your on-premises organization. You use this on-premises AD RMS server to manage the AD RMS rights policy templates for your cloud-based organization. Outlook also relies on the AD RMS server to enable users to apply IRM protection to messages they send.
For information about how to deploy AD RMS, see Installing an AD RMS Cluster. To learn how to install and configure Windows PowerShell and connect to the service, see Use Windows PowerShell in Exchange Online.
Step 1: Export a trusted publishing domain (TPD) from an AD RMS server
The first step is to export a trusted publishing domain (TPD) from the on-premises AD RMS server to an XML file. The TPD contains the settings needed to use RMS features: the server licensor certificate (SLC) used for signing and encrypting certificates and licenses, the URLs used for licensing and publishing, and the AD RMS rights policy templates that were created with the specific SLC for that TPD. When you import the TPD, it is stored and protected in Exchange Online.
Here’s how you export a TPD:
- Open the Active Directory Rights Management Services console, and then expand the AD RMS cluster.
- In the console tree, expand Trust Policies and then click Trusted Publishing Domains.
- Select the certificate for the domain you want to export in the results pane.
- Click Export Trusted Publishing Domain in the Actions pane.
- In the Publishing domain file box, click Save As to save the file to a specific location on the local computer. Type a file name and be sure to specify the .xml file name extension, and then click Save.
- In the Password and Confirm Password boxes, type a strong password that will be used to encrypt the trusted publishing domain file. You will have to specify this password when you import the TPD to your cloud-based e-mail organization.
- Click Finish.
Step 2: Import the TPD to Exchange Online
After the TPD is exported to an XML file, you have to import it to Exchange Online. When a TPD is imported, your organization’s templates from AD RMS are also imported. When the first TPD is imported, it becomes the default TPD for your cloud-based organization. If you import another TPD, you can use the Default switch to make it the default TPD that is available to users.
To import the TPD, run the following command in Windows PowerShell:
Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path <path to the exported TPD file> -ReadCount 0)) -Name "<name for the TPD>" -ExtranetLicensingUrl <extranet licensing URL> -IntranetLicensingUrl <intranet licensing URL>
You can obtain the values for the ExtranetLicensingUrl and IntranetLicensingUrl parameters in the Active Directory Rights Management Services console. Select the AD RMS cluster in the console tree. The URLs for the licensing are displayed in the results pane. These URLs are used by e-mail clients when content has to be decrypted and when Exchange Online needs to determine which TPD to use.
When you run this command, you are prompted for a password. Enter the password that you specified when you exported the TPD from your AD RMS server.
Example The following command imports the TPD, named Exported TPD, using the XML file that you exported from your AD RMS server and saved to the desktop of the Administrator account. The Name parameter is used to specify a name for the TPD. The two licensing URLs are placeholders for the values you read from the AD RMS console.
Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path "C:\<path to the exported TPD file>.xml" -ReadCount 0)) -Name "Exported TPD" -ExtranetLicensingUrl <extranet licensing URL> -IntranetLicensingUrl <intranet licensing URL>
Step 3: Distribute an AD RMS rights policy template
After you import the TPD, you have to make sure an AD RMS rights policy template is distributed. A distributed template is visible to Outlook Web App users, who can then apply the templates to an e-mail message.
To see a list of all templates contained in the default TPD, run the following command:
Get-RMSTemplate -Type All | fl
If the value of the Type parameter is Archived, the template isn’t visible to users. Only distributed templates in the default TPD are available in Outlook Web App.
To distribute a template, run the following command:
Set-RMSTemplate -Identity "<template name>" -Type Distributed
Example The following command distributes the Company Confidential template:
Set-RMSTemplate -Identity "Company Confidential" -Type Distributed
The Do Not Forward template
When you import the default TPD from your on-premises organization into Exchange Online, one AD RMS rights policy template is imported. It’s called the Do Not Forward template. This template is distributed, by default, when you import the default TPD. You can’t modify the Do Not Forward template using the Set-RMSTemplate cmdlet.
When the Do Not Forward template is applied to a message, only the recipients addressed in the message can read the message. Additionally, recipients can’t do the following:
- Forward the message to another person.
- Copy content from the message.
- Print the message.
Important The Do Not Forward template can’t prevent information in a message from being copied with third-party screen capture programs, cameras, or users manually transcribing the information.
You can create additional AD RMS rights policy templates on the AD RMS server in your on-premises organization to meet your IRM protection requirements. If you create additional AD RMS rights policy templates, you have to export the TPD from the on-premises AD RMS server again and refresh the TPD in the cloud-based e-mail organization. For more information, see Update Exchange Online with new AD RMS rights policy templates.
Step 4: Enable IRM
After you import the TPD and distribute an AD RMS rights policy template, you have to enable IRM for your cloud-based e-mail organization by running the following command:
Set-IRMConfiguration -InternalLicensingEnabled $true
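Steps 2 through 4 as one script with the checks an administrator would want after each step. This is an added example, not code from the original page; it assumes an existing remote PowerShell session to Exchange Online, and the path, TPD name, template name and licensing URLs in the param block are placeholders you replace with your own values.

```powershell
# Added example: import a TPD, distribute one template, enable IRM, and verify.
# Assumes an Exchange Online remote PowerShell session is already open.
param(
    [string]$TpdPath = 'C:\<path to exported TPD>.xml',        # placeholder
    [string]$TpdName = 'Exported TPD',                          # placeholder
    [string]$TemplateToDistribute = 'Company Confidential',     # placeholder
    [string]$ExtranetLicensingUrl = 'https://<extranet licensing URL>',  # placeholder
    [string]$IntranetLicensingUrl = 'https://<intranet licensing URL>'   # placeholder
)

# The cmdlet takes the password-protected TPD file as a raw byte array.
$data = [byte[]](Get-Content -Encoding Byte -Path $TpdPath -ReadCount 0)

# Step 2: import. You are prompted for the password chosen when the TPD was exported.
Import-RMSTrustedPublishingDomain -FileData $data -Name $TpdName `
    -ExtranetLicensingUrl $ExtranetLicensingUrl `
    -IntranetLicensingUrl $IntranetLicensingUrl

# Confirm the TPD exists and is the default; only templates in the default TPD
# are offered to users, so a non-default import silently gives users nothing.
$tpd = Get-RMSTrustedPublishingDomain -Identity $TpdName
if (-not $tpd.Default) {
    Write-Warning "$TpdName is not the default TPD; run Set-RMSTrustedPublishingDomain -Identity '$TpdName' -Default if it should be."
}

# Step 3: distribute the chosen template so Outlook Web App users can apply it.
Set-RMSTemplate -Identity $TemplateToDistribute -Type Distributed

# Step 4: enable IRM, then read the configuration back rather than trusting the call.
Set-IRMConfiguration -InternalLicensingEnabled $true
$cfg = Get-IRMConfiguration
if (-not $cfg.InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is still false; IRM is not enabled.'
}

# Show exactly what users will now see: distributed templates in the default TPD.
Get-RMSTemplate -Type Distributed | Format-Table Name, Type -AutoSize
```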
What happens after you enable IRM?
After you enable IRM, IRM protection can be applied to e-mail message as follows:
- Users can manually apply a template using Outlook and Outlook Web App. Users can use the Permissions drop-down list to select an AD RMS rights policy template to apply to the e-mail message. When users send an IRM-protected message, any files attached to the message that use a supported format also receive the same IRM protection as the message. IRM protection is applied to files associated with Microsoft Office Word, Excel, and PowerPoint, as well as .xps files and attached e-mail messages.
- Administrators can use transport protection rules to apply IRM protection automatically to both Outlook and OWA. You can create transport protection rules to IRM-protect messages. Configure the transport protection rule action to apply an AD RMS rights policy template to messages that meet the rule condition. After you enable IRM, your organization’s AD RMS rights policy templates are available to use with the transport protection rule action called Apply rights protection to the message with. Here’s how:
- Create a New Rule
- Actions for Transport Rules
- Administrators can create Outlook protection rules. Outlook protection rules automatically apply IRM protection to messages in Outlook 2010 (not Outlook Web App), based on message conditions that include the sender’s department, who the message is sent to, and whether recipients are inside or outside of your organization. To create Outlook protection rules, administrators use the New-OutlookProtectionRule cmdlet. Here’s how: Create Outlook Protection Rules.
Manage IRM
Now let’s look at some optional tasks you can use to manage IRM in your cloud-based organization:
- Change the default TPD
- Create a new AD RMS rights policy template
- Update Exchange Online with new AD RMS rights policy templates
- Disable IRM in Exchange Online
- Remove TPDs
Change the default TPD
When the first TPD is imported, it will be marked as the default TPD. You may want to change the default TPD to distribute a different set of AD RMS rights policy templates for your cloud-based organization.
To set a different TPD as the default, run the following command:
Set-RMSTrustedPublishingDomain -Identity "<name of the TPD>" -Default
Create a new AD RMS rights policy template
You can create additional AD RMS rights policy templates on the AD RMS server in your on-premises organization to meet your IRM protection requirements. Exchange Online supports up to 20 templates per TPD.
If you create additional AD RMS rights policy templates, you have to export the TPD from the on-premises AD RMS server again and refresh the TPD in the cloud-based e-mail organization, as described in the “Update Exchange Online with new AD RMS rights policy templates” section.
For more information about how to create an AD RMS rights policy template, see Create a New Rights Policy Template.
Update Exchange Online with new AD RMS rights policy templates
When AD RMS rights policy templates are created, deleted, or changed in your on-premises organization, you can run the Import-RMSTrustedPublishingDomain cmdlet to refresh the templates in your cloud-based e-mail organization. After you export the TPD, as previously described in step 1, run the following commands:
$data = [byte[]](Get-Content -Encoding byte -Path <path to the re-exported TPD file> -ReadCount 0)
Import-RMSTrustedPublishingDomain -FileData $data -Name "<name of the previously imported TPD>" -RefreshTemplates
Example Let’s say that you created a new AD RMS rights policy template in your on-premises organization, and now you want to make that template available to your cloud-based users. After you export the TPD to a file named RevisedTPD.xml, run the following commands:
$data = [byte[]](Get-Content -Encoding byte -Path "C:\<path to>\RevisedTPD.xml" -ReadCount 0)
Import-RMSTrustedPublishingDomain -FileData $data -Name "Exported TPD" -RefreshTemplates
Note The name of the TPD must match the name of the previously imported TPD. When you are prompted for a password, enter the password that you specified when you exported the revised TPD to create the new XML file.
After the import, run the Get-RMSTemplate -Type All | fl command to display a list of available templates after you refreshed the TPD. If a new template should be visible to users, mark it as Distributed, as described in step 3.
If a template was removed as a result of the refresh, make sure that it isn’t referenced by a transport protection rule. An NDR will result if a deleted template is referenced in a transport protection rule.
Tip Run the following command to determine if any of your organization’s transport rules have an action that applies an AD RMS rights policy template:
Get-TransportRule | fl Name,ApplyRightsProtectionTemplate
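The refresh and the follow-up check from this section, as an added example that is not part of the original page: after refreshing the templates it compares every transport rule's rights-protection action against the templates that now exist and are distributed, so a rule that would start generating NDRs is reported before it does. It assumes an Exchange Online remote PowerShell session, that the path and TPD name in the param block are placeholders, and that the string form of a rule's ApplyRightsProtectionTemplate property is the template name.

```powershell
# Added example: refresh templates in an existing TPD, then report transport rules
# whose rights-protection template is gone or no longer distributed.
param(
    [string]$TpdPath = 'C:\<path to>\RevisedTPD.xml',  # placeholder
    [string]$TpdName = 'Exported TPD'                   # must match the TPD already imported
)

$data = [byte[]](Get-Content -Encoding Byte -Path $TpdPath -ReadCount 0)
# Prompts for the password set when the revised TPD was exported.
Import-RMSTrustedPublishingDomain -FileData $data -Name $TpdName -RefreshTemplates

# Template names after the refresh: everything in the TPD, and the subset users can use.
$allTemplates = @(Get-RMSTemplate -Type All         | ForEach-Object { $_.Name })
$distributed  = @(Get-RMSTemplate -Type Distributed | ForEach-Object { $_.Name })

# Walk every transport rule that applies rights protection and classify its template.
$problems = foreach ($rule in Get-TransportRule) {
    $tpl = $rule.ApplyRightsProtectionTemplate
    if (-not $tpl) { continue }               # rule does not apply a template
    $name = "$tpl"                            # assumption: string form is the template name
    if ($allTemplates -notcontains $name) {
        # Deleted on-premises and dropped by the refresh: messages matching this rule will NDR.
        [pscustomobject]@{ Rule = $rule.Name; Template = $name; Issue = 'template no longer in TPD' }
    } elseif ($distributed -notcontains $name) {
        # Still present but archived; worth reviewing even though only users are blocked.
        [pscustomobject]@{ Rule = $rule.Name; Template = $name; Issue = 'template is archived' }
    }
}

if ($problems) {
    Write-Warning 'Transport rules reference templates that are unavailable after the refresh:'
    $problems | Format-Table -AutoSize
} else {
    Write-Host 'Every rights-protection transport rule references a distributed template.'
}
```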
Disable IRM in Exchange Online
To temporarily stop using the TPD in your cloud-based organization, you can disable IRM so that Outlook Web App users can’t IRM-protect e-mail messages.
To disable IRM, run the following command:
Set-IRMConfiguration -InternalLicensingEnabled $false
Remove TPDs
You can also permanently remove TPDs from your Exchange Online organization. However, you can’t remove the default TPD until all non-default TPDs are removed.
To remove all non-default TPDs, run the following command:
Get-RMSTrustedPublishingDomain | ?{ $_.Default -eq $false } | Remove-RMSTrustedPublishingDomain
After all non-default TPDs are removed, run the following command to remove the default TPD:
Get-RMSTrustedPublishingDomain | Remove-RMSTrustedPublishingDomain -Force
Read the beta documentation: http://207.46.16.237/en-us/140/gg597271.aspx