Configure IRM to use an on-premises AD RMS server
Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement and the What is Microsoft Purview? article.
For use with on-premises deployments, Information Rights Management (IRM) in Exchange Online uses Active Directory Rights Management Services (AD RMS), an information protection technology in Windows Server 2008 and later. IRM protection is applied to email by applying an AD RMS rights policy template to an email message. Rights are attached to the message itself so that protection occurs online and offline and inside and outside of your organization's firewall.
This topic shows you how to configure IRM to use an AD RMS server. For information about using Microsoft Purview Message Encryption with Azure Active Directory and Azure Rights Management, see the Message encryption FAQ.
To learn more about IRM in Exchange Online, see Information Rights Management in Exchange Online.
What do you need to know before you begin?
Estimated time to complete this task: 30 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Information Rights Management" entry in the Messaging policy and compliance permissions topic.
The AD RMS server must be running Windows Server 2008 or later. For details about how to deploy AD RMS, see Installing an AD RMS Cluster.
For details about how to install and configure Windows PowerShell and connect to the service, see Connect to Exchange Online PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts for the Exchange admin center in Exchange Online.
How do you do this?
Step 1: Use the AD RMS console to export a trusted publishing domain (TPD) from an AD RMS server
The first step is to export a trusted publishing domain (TPD) from the on-premises AD RMS server to an XML file. The TPD contains the following settings needed to use RMS features:
The server licensor certificate (SLC) used for signing and encrypting certificates and licenses
The URLs used for licensing and publishing
The AD RMS rights policy templates that were created with the specific SLC for that TPD
When you import the TPD, it's stored and protected in Exchange Online.
Open the Active Directory Rights Management Services console, and then expand the AD RMS cluster.
In the console tree, expand Trust Policies, and then click Trusted Publishing Domains.
In the results pane, select the certificate for the domain you want to export.
In the Actions pane, click Export Trusted Publishing Domain.
In the Publishing domain file box, click Save As to save the file to a specific location on the local computer. Type a file name, making sure to specify the
.xmlfile name extension, and then click Save.
In the Password and Confirm Password boxes, type a strong password that will be used to encrypt the trusted publishing domain file. You will have to specify this password when you import the TPD to your cloud-based email organization.
Step 2: Use the Exchange Management Shell to import the TPD to Exchange Online
After the TPD is exported to an XML file, you have to import it to Exchange Online. When a TPD is imported, your organization's AD RMS templates are also imported. When the first TPD is imported, it becomes the default TPD for your cloud-based organization. If you import another TPD, you can use the Default switch to make it the default TPD that is available to users.
To import the TPD, run the following command in Exchange Online PowerShell:
Import-RMSTrustedPublishingDomain -FileData ([System.IO.File]::ReadAllBytes('<path to exported TPD file>')) -Name "<name of TPD>" -ExtranetLicensingUrl <URL> -IntranetLicensingUrl <URL>
You can obtain the values for the ExtranetLicensingUrl and IntranetLicensingUrl parameters in the Active Directory Rights Management Services console. Select the AD RMS cluster in the console tree. The licensing URLs are displayed in the results pane. These URLs are used by email clients when content has to be decrypted and when Exchange Online needs to determine which TPD to use.
When you run this command, you'll be prompted for a password. Enter the password that you specified when you exported the TPD from your AD RMS server.
For example, the following command imports the TPD named Exported TPD using the XML file that you exported from your AD RMS server and saved to the desktop of the Administrator account. The Name parameter is used to specify a name to the TPD.
Import-RMSTrustedPublishingDomain -FileData ([System.IO.File]::ReadAllBytes('C:\Users\Administrator\Desktop\ExportTPD.xml')) -Name "Exported TPD" -ExtranetLicensingUrl https://corp.contoso.com/_wmcs/licensing -IntranetLicensingUrl https://rmsserver/_wmcs/licensing
For detailed syntax and parameter information, see Import-RMSTrustedPublishingDomain.
How do you know that you successfully imported the TPD?
To verify that you have successfully imported the TPD, run the Get-RMSTrustedPublishingDomain cmdlet to retrieve TPDs in your Exchange Online organization. For details, see the examples in Get-RMSTrustedPublishingDomain.
Step 3: Use the Exchange Management Shell to distribute an AD RMS rights policy template
After you import the TPD, you must make sure an AD RMS rights policy template is distributed. A distributed template is visible to Outlook on the web (formerly known as Outlook Web App) users, who can then apply the templates to an email message.
To return a list of all templates contained in the default TPD, run the following command:
Get-RMSTemplate -Type All | fl
If the value of the Type parameter is
Archived, the template isn't visible to users. Only distributed templates in the default TPD are available in Outlook on the web.
To distribute a template, run the following command:
Set-RMSTemplate -Identity "<name of the template>" -Type Distributed
For example, the following command imports the Company Confidential template.
Set-RMSTemplate -Identity "Company Confidential" -Type Distributed
The Do Not Forward template
When you import the default TPD from your on-premises organization into Exchange Online, one AD RMS rights policy template named Do Not Forward is imported. By default, this template is distributed when you import the default TPD. You can't use the Set-RMSTemplate cmdlet to modify the Do Not Forward template.
When the Do Not Forward template is applied to a message, only the recipients addressed in the message can read the message. Additionally, recipients can't do the following:
- Forward the message to another person.
- Copy content from the message.
- Print the message.
The Do Not Forward template can't prevent information in a message from being copied with third-party screen capture programs, cameras, or users manually transcribing the information
You can create additional AD RMS rights policy templates on the AD RMS server in your on-premises organization to meet your IRM protection requirements. If you create additional AD RMS rights policy templates, you have to export the TPD from the on-premises AD RMS server again and refresh the TPD in the cloud-based email organization.
How do you know that you successfully distributed the AD RMS rights policy template?
To verify that you have successfully distributed and AD RMS rights policy template, run the Get-RMSTemplate cmdlet to check the template's properties. For details, see the examples in Get-RMSTemplate.
Step 4: Use the Exchange Management Shell to enable IRM
After you import the TPD and distribute an AD RMS rights policy template, run the following command to enable IRM for your cloud-based email organization.
Set-IRMConfiguration -InternalLicensingEnabled $true
For detailed syntax and parameter information, see Set-IRMConfiguration.
How do you know that you successfully enabled IRM?
To verify that you have successfully enabled IRM, run the Get-IRMConfiguration cmdlet to check IRM configuration in the Exchange Online organization.
How do you know this task worked?
To verify that you have successfully imported the TPD and enabled IRM, do the following:
Use the Test-IRMConfiguration cmdlet to test IRM functionality. For details, see "Example 1" in Test-IRMConfiguration.
Compose a new message in Outlook on the web and IRM-protect it by selecting Set permissions option from the extended menu ().
Submit and view feedback for