Follow me on Twitter @AntonioMaio2

Sunday, December 2, 2012

Understanding Information Rights Management in Microsoft SharePoint 2013

An interesting SharePoint feature that helps organizations protect against leaks of sensitive documents is Information Rights Management (IRM). One session I attended at SPC12 covered this feature, and this blog post covers the highlights and what’s new for SharePoint 2013. In this article I’m going to focus on the on-premise deployment of Information Rights Management in SharePoint 2013, but there will be the occasional mention of SharePoint Online.

This feature existed in SharePoint Server 2010 and continues to be enhanced with some additional capabilities in SharePoint Server 2013. This feature is now also available for SharePoint Online (which is awesome), where it is known as Windows Azure AD Rights Management (AADRM). It is available only as part of Office365 Enterprise Plan 3 or Plan 4, and Academic Plan 3 or Plan 4. This feature is not activated by default and must be configured (this applies to both on-premise and SharePoint Online).

Enabling AADRM in SharePoint Online
In SharePoint Online to enable AADRM you need to be a tenant admin and you need to first enable it for your tenancy. You can do this by clicking Refresh IRM Settings on the Tenant Settings page and then navigating to the Rights Management page. You can also access this page through the Information Protection menu in the Office365 Admin page.

Another method to enable AADRM is through PowerShell. This can be done as follows:

  • Access the Windows Azure AD Rights Management administration module for PowerShell (this is WindowsAzureADRightsManagementAdministration.exe and may need to be downloaded). Running this file will install the Rights Management module on your computer.

  • Once installed, open PowerShell and run the following script:

Import-Module AADRM
Connect-AadrmService -Verbose

  • Enter the Office365 tenant admin credentials when prompted and then run the following script:


Enabling IRM in SharePoint 2013 On-Premise

As with the previous release, enabling IRM in SharePoint 2013 is done by associating a pre-installed/configured Active Directory Rights Management Services (ADRMS) server role with the SharePoint farm. Once you have an ADRMS server set up and running, associating a SharePoint farm with it must be done by a SharePoint Farm Admin in Central Admin on the Information Rights Management page. Typically an ADRMS server is identified through Active Directory, and you can configure the SharePoint farm to use this, or you can configure the SharePoint farm to point to a particular ADRMS server that is not identified in Active Directory.

The Information Rights Management page has the following radio button options:
  • Do not use IRM on this server
  • Use the default RMS server specified in Active Directory
  • Use this RMS server (and then you must specify the path to the server)
There is an additional checkbox option on this page titled:

Check this box in multi-tenant configurations to allow tenants to configure tenant level IRM settings

Setting IRM for specific SharePoint on-premise subscriptions in a multi-tenant deployment requires this check box to be checked, and then PowerShell is used to set the specific RMS server URL for each tenant. However, multi-tenant configurations are beyond the scope of this article.

Note: SharePoint 2013 on-premise can only target on-premises RMS servers, and SharePoint Online can only target AADRM.

Configuring Document Library Level IRM Settings
Once IRM or AADRM has been enabled, then site collection administrators can configure individual document libraries to use IRM to protect documents.

“Some Things Change while Some Things Stay the Same”


Capabilities from SharePoint 2010 that are the same in SharePoint 2013
As with the previous version, the following capabilities of IRM in SharePoint have not changed in 2013:
  • IRM settings are configured on individual document libraries
  • Once IRM settings are configured for a document library these settings will be applied to every (supported) document in the library
  • It is still not possible to configure different IRM settings for different documents in the same library
  • Once IRM settings are configured, only supported document formats are protected and those documents are protected (encrypted with embedded usage rights) when they are downloaded from SharePoint – supported documents still include only the Microsoft Office document formats (Word, Excel, PowerPoint)
  • Documents within IRM protected document libraries are not protected while they are sitting “at rest” in SharePoint – this is done to allow the search crawler to index the contents of documents
  • IRM within SharePoint will only protect documents in document libraries, and attachments to list items – it will not protect the list items themselves
  • Within the detailed IRM usage rights for a document library, only ad-hoc settings can be specified – you cannot configure it to use an ADRMS template
  • When a document is protected upon downloading/opening it from SharePoint it can be protected for the individual downloading it so that only they can open it or print it

New IRM Capabilities in SharePoint 2013
The following capabilities are new or enhanced in SharePoint 2013:
  • The configuration user interface for IRM settings has been improved slightly – you can now create a permission policy with a title and description, and then specify detailed usage rights for it
  • The detailed options and usage rights include the previous options from SharePoint 2010, along with a few new options:
    • Enable users to print the document
    • Run scripts to enable screen readers
    • Enable users to write/save on a copy of the document locally
    • Set an expiration date, after which the document can no longer be opened
    • Automatically stop protecting the document library with IRM after a certain date
    • Do not permit unsupported documents (document formats not supported by IRM) to be added to the document library
    • Control whether Office Web Apps can display documents from the library in the browser
  • You can now specify in the IRM usage policy if documents will be protected for an AD group
  • PDF files are now a supported IRM document format (woohoo!)
    • This is an extension to the PDF format however, and you’ll need to ensure your PDF reader can support it; the PDF reader from Foxit already supports this feature
  • A number of PowerShell interfaces are now available to programmatically control and configure IRM in SharePoint 2013

Protecting Files for a Group
This last option is really powerful – in the past and by default in SharePoint 2013, each file type that is supported will be encrypted and rights restricted by IRM to the authenticated user who downloaded the document. Other users who had rights to the same library always had to download their own copy from the library. Now in SharePoint 2013 (and Office 2013) if documents are IRM protected in a document library for an AD group, when I download that document I can share that document between members of the AD group. The document is no longer only protected for me. This feature is also supported in SharePoint Online with AADRM.

Prevent Opening Documents in the Browser
Regarding the setting for ‘controlling whether Office Web Apps can display documents from the library in the browser’, Office Web Apps in 2013 are now able to render and display protected documents in the web browser. So, if a user does not have Microsoft Office client applications installed they can still view a read-only copy of the document through the Office Web Apps in their web browser. However, there are a couple of security notes about this:

  • When viewing a copy of a protected document in the web browser through the Office Web Apps, IRM and the Office Web Apps do not prevent screen capturing (just to be clear, you can take screen captures of a document in this case). The Microsoft Office client applications do prevent screen capturing of IRM protected documents.
  • When you are done viewing a protected document in the Office Web Apps, the document information is cleared from the web browser’s cache (at least!)

So, if being able to screen capture protected documents when they are viewed through the Office Web Apps is a serious security hole, it’s recommended that you check the Prevent opening documents in the browser for this Document Library option in the detailed IRM usage rights. Doing so will prevent the Office Web Apps from opening the documents.
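An added example (not from the original post or from Microsoft): a PowerShell audit that reports each document library's IRM settings and flags IRM-enabled libraries that still permit browser viewing, so the recommendation above can be checked across a site collection. It assumes the SharePoint 2013 Management Shell on a farm server and the server object model's SPList.IrmEnabled, SPList.IrmReject and SPList.InformationRightsManagementSettings properties; the function name Get-LibraryIrmReport is hypothetical and http://myspserver is a placeholder site collection URL.

```powershell
# Added example: audit the IRM posture of every document library in a site collection.
# Run in the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-LibraryIrmReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string]$SiteUrl
    )

    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in $web.Lists) {
                    # IRM settings are per library; skip non-library and hidden lists.
                    $isLibrary = $list.BaseType -eq [Microsoft.SharePoint.SPBaseType]::DocumentLibrary
                    if (-not $isLibrary -or $list.Hidden) { continue }

                    $irm = $list.InformationRightsManagementSettings
                    $findings = @()
                    if (-not $list.IrmEnabled) {
                        $findings += 'IRM not enabled'
                    }
                    else {
                        # Office Web Apps do not block screen capture of protected documents.
                        if (-not $irm.DisableDocumentBrowserView) { $findings += 'Browser viewing allowed' }
                        # Unsupported formats are stored and downloaded without protection.
                        if (-not $list.IrmReject) { $findings += 'Unsupported formats accepted' }
                        if ($irm.AllowPrint) { $findings += 'Printing allowed' }
                        if ($irm.AllowWriteCopy) { $findings += 'Local copies allowed' }
                    }

                    [pscustomobject]@{
                        Web             = $web.Url
                        Library         = $list.Title
                        IrmEnabled      = $list.IrmEnabled
                        PolicyTitle     = $irm.PolicyTitle
                        GroupProtection = $irm.EnableGroupProtection
                        GroupName       = $irm.GroupName
                        Findings        = ($findings -join '; ')
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

# http://myspserver is the placeholder site collection URL used on this page.
Get-LibraryIrmReport -SiteUrl 'http://myspserver' |
    Where-Object { $_.Findings } |
    Format-Table Web, Library, GroupName, Findings -AutoSize -Wrap
```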

PowerShell Scripting and Programmability for IRM in SharePoint
A great new feature in SharePoint 2013 is the set of PowerShell commands that are now available:

Set-SPIRMSettings -IrmEnabled -UseActiveDirectoryDiscovery

Enable IRM for the farm and configure it to use the default RMS server that is configured in Active Directory.

Set-SPIRMSettings -IrmEnabled -CertificateServerUrl http://RMS_Server

Enable IRM for the farm and specify the URL of the RMS server to use.

Set-SPIRMSettings -IrmEnabled -SubscriptionScopeSettingsEnabled

Enable IRM for the farm and allow tenant-level IRM settings. IRM can then be enabled for a specified tenant, along with the URL of the RMS server to use. For example:

$site = Get-SPSite http://myspserver
$subscription = $site.SiteSubscription
Set-SPSiteSubscriptionIrmConfig -Identity $subscription -IrmEnabled -CertificateServerUrl http://RMS_Server

Set-SPIRMSettings -IrmEnabled:$false

Disable IRM for the farm.

As well, there are a number of APIs available in the object model to configure similar settings programmatically. You can learn more about this here:

Client Support Matrix
The following matrix from Microsoft details which client applications support IRM Protected documents:

| App | SharePoint 2013 | SharePoint Online 2013 | RMS Server | RMS Online |
|---|---|---|---|---|
| Word, PowerPoint, Excel 2013 (Windows) | Yes | Yes | Yes | Yes |
| Word, PowerPoint, Excel 2013 RT | Yes | Yes | Yes | Yes |
| Word, PowerPoint, Excel 2010 | Yes | Yes (After you install the Office 365 sign-on assistant.) | Yes | Yes |
| Office for Mac 2010 | Yes | No | Yes | No |
| Outlook on Windows Phone 7 | NR | NR | Yes | No |
| Word on Windows Phone 7 | Yes | No | Yes | No |
| Foxit PDF reader on Windows | Yes | Yes (After you install the Office 365 sign-on assistant.) | Yes | Yes |



IRM for SharePoint is a great way to protect sensitive documents and list item attachments in SharePoint from leaking out of the organization or from being shared inappropriately within the organization (an example of this is emailing a spreadsheet with executive salaries widely within a company). Some additional options have been added to SharePoint 2013 to make this feature a bit more flexible and easier to use.

That said, this feature is still not fine grained enough for many organizations I’ve spoken to due to the fact that all documents within a library get the same IRM settings. As well, this feature is still a bit too limiting for those organizations because only the main Microsoft Office files are supported (Word, Excel and PowerPoint). PDF files are now supported, which is a great addition, but organizations need to ensure that they have a supported PDF reader to open and read protected PDF files.

Now, what happens when you want to share an IRM protected document with someone outside the organization? This is the classic issue with AD RMS. Does anyone have a solution to that challenge?

