How Office applications and services support Azure Rights Management

Applies to: Azure Information Protection, Office 365

End-user Office applications and Office services can use the Azure Rights Management service from Azure Information Protection to help protect your organization’s data. These Office applications are Word, Excel, PowerPoint, and Outlook. The Office services are Exchange and SharePoint. The Office configurations that support the Azure Rights Management service often use the term information rights management (IRM).

Office applications: Word, Excel, PowerPoint, Outlook

These applications natively support Azure Rights Management and let users apply protection to a saved document or to an email message before it is sent. Users can apply protection by selecting a template, or, for Word, Excel, and PowerPoint, by choosing customized settings for access, rights, and usage restrictions.

For example, users can configure a Word document so that it can be accessed only by people in your organization. Or they can control whether an Excel spreadsheet can be edited or is read-only, or prevent it from being printed. For time-sensitive files, an expiration time can be configured after which the file can no longer be accessed. This configuration can be made directly by users or by applying a template. For Outlook, users can also choose the Do Not Forward option to help prevent data leakage.

In addition to native Office support for Azure Rights Management, these applications also support the Azure Information Protection bar that is installed with the Azure Information Protection client. This bar displays labels that make it easier for users to automatically apply protection to documents and emails that contain sensitive data.

If you are ready to configure Office apps and the Azure Information Protection client:

Exchange Online and Exchange Server

When you use Exchange Online or Exchange Server, you can configure information rights management (IRM) options that support Azure Rights Management. This configuration lets Exchange provide the following protection solutions:

  • Exchange ActiveSync IRM so that mobile devices can protect and consume protected email messages.

  • Email protection support for Outlook on the web, which is implemented similarly to the Outlook client. This configuration lets users protect email messages by using templates or by specifying individual options. Users can read and use protected email messages that are sent to them.

  • Protection rules for Outlook clients that an administrator configures to automatically apply protection templates to email messages for specified recipients. For example, when internal emails are sent to your legal department, they can only be read by members of the legal department and cannot be forwarded. Users see the protection applied to the email message before sending it, and by default, they can remove this protection if they decide it is not necessary. Emails are encrypted before they are sent. For more information, see Outlook Protection Rules and Create an Outlook Protection Rule in the Exchange library.

  • Transport rules that an administrator configures to automatically apply protection templates to email messages. These rules are based on properties such as sender, recipient, message subject, and content. These rules are similar in concept to protection rules but do not let users remove the protection. The rules can be applied to Outlook on the web and to emails that are sent by mobile devices. In addition, these rules do not encrypt email messages before they are sent from the client. For more information, see Create a Transport Protection Rule in the Exchange library.

  • Data loss prevention (DLP) policies that contain sets of conditions to filter email messages, and take actions to help prevent data loss for confidential or sensitive content. Examples of confidential or sensitive content include personal information or credit card information. Policy Tips can be used when sensitive data is detected, to alert users that they might need to apply protection. For more information, see Data loss prevention in the Exchange library.

  • Office 365 Message Encryption that supports sending a protected email message and protected Office documents as attachments to any address on any device. For user accounts that don't use Azure AD, a web experience supports social identity providers or a one-time passcode. For more information, see Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection from the Office website.
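The two rule types contrasted above, as an added example in Exchange Online PowerShell (not code from the original article). It assumes a connected Exchange Online session; the sender address and the legal department group "legal@contoso.com" are placeholders.

```powershell
# Added example, not part of the original article. Assumes a connected
# Exchange Online PowerShell session; addresses below are placeholders.

# 1. Enable Azure RMS for the tenant, check that Exchange can reach the service
#    for a given sender, and list the templates it can apply.
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
Test-IRMConfiguration -Sender "alice@contoso.com"   # placeholder sender
Get-RMSTemplate | Format-Table Name, Description

# 2. Outlook protection rule: the client shows the protection before sending,
#    encrypts the message before it leaves the client, and (UserCanOverride)
#    lets the user remove the protection if they decide it is not necessary.
New-OutlookProtectionRule -Name "Legal - Do Not Forward (client)" `
    -SentTo "legal@contoso.com" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $true

# 3. Transport rule: evaluated on the server after the message has left the
#    client, so the user cannot remove it; conditions can combine sender,
#    recipient, subject and content, and it also covers Outlook on the web
#    and mobile devices.
New-TransportRule -Name "Legal - Do Not Forward (transport)" `
    -SentTo "legal@contoso.com" `
    -SentToScope InOrganization `
    -SubjectOrBodyContainsWords "privileged", "attorney-client" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# 4. Confirm both rules exist and are enabled.
Get-OutlookProtectionRule | Format-Table Name, Enabled, UserCanOverride
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, ApplyRightsProtectionTemplate
```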

If you use Exchange on-premises, you can use the IRM features with the Azure Rights Management service by deploying the Azure Rights Management connector. This connector acts as a relay between your on-premises servers and the Azure Rights Management service.

If you are ready to configure Exchange for IRM:

SharePoint Online and SharePoint Server

When you use SharePoint Online or SharePoint Server, you can protect documents by using the SharePoint information rights management (IRM) feature. This feature lets administrators protect lists or libraries so that when a user checks out a document, the downloaded file is protected and only authorized people can view and use it, according to the information protection policies that you specify. For example, the file might be read-only, disable the copying of text, prevent saving a local copy, and prevent printing the file.

Word, PowerPoint, Excel, and PDF documents support this SharePoint IRM protection. By default, the protection is restricted to the person who downloads the document. You can change this default with a configuration option that extends the protection to all users who have access to the document on SharePoint, or to a group that you specify.

For SharePoint lists and libraries, this protection is always configured by an administrator, never an end user. You set the permissions at the site level, and these permissions, by default, are inherited by any list or library in that site. If you use SharePoint Online, users can also configure their OneDrive for Business library for IRM protection.

For more fine-grained control, you can configure a list or library in the site to stop inheriting permissions from its parent. You can then configure IRM permissions at that level (list or library) and they are then referred to as "unique permissions." However, permissions are always set at the container level; you cannot set permissions on individual files.

The IRM service must first be enabled for SharePoint. Then, you specify IRM permissions for a library. For SharePoint Online and OneDrive for Business, users can also specify IRM permissions for their OneDrive for Business library. SharePoint does not use rights policy templates, although there are SharePoint configuration settings that you can select that match some settings that you can specify in the templates.

If you use SharePoint Server, you can use this IRM protection by deploying the Azure Rights Management connector. This connector acts as a relay between your on-premises servers and the Rights Management cloud service. For more information, see Deploying the Azure Rights Management connector.

Note

Currently, there are some limitations when you use SharePoint IRM:

  • You cannot use the default or custom templates that you manage in the Azure portal.

  • Files that have a .ppdf file name extension for protected PDF files are not supported. Files that have a .pdf file name extension and that have been natively protected by Rights Management are supported when you use a PDF reader that natively supports Rights Management.

  • Co-authoring is not supported. Because you must check out and download a document in an IRM-protected library, one person can edit it at a time.

For libraries that are not IRM-protected, if you protect a file that you then upload to SharePoint or OneDrive, the following do not work with this file: co-authoring, Office Online, search, document preview, thumbnail, eDiscovery, and data loss prevention (DLP).

When you use SharePoint IRM protection, the Azure Rights Management service applies usage restrictions and data encryption for documents when they are downloaded from SharePoint, and not when the document is first created in SharePoint or uploaded to the library. For information about how documents are protected before they are downloaded, see Data Encryption in OneDrive for Business and SharePoint Online from the SharePoint documentation.

Although no longer new, the following post from the Office blog has some additional information that you might find useful: What’s New with Information Rights Management in SharePoint and SharePoint Online

If you are ready to configure SharePoint for IRM:

Next steps

If you have Office 365, you might be interested in reviewing File Protection Solutions in Office 365, which provides recommended capabilities for protecting files in Office 365.

To see how other applications and services support the Azure Rights Management service from Azure Information Protection, see How applications support the Azure Rights Management service.

If you are ready to start deployment, which includes configuring these applications and services, see the Azure Information Protection deployment roadmap.
