Set-AadrmSuperUserGroup

Sets the super user group for Rights Management.

Syntax

Set-AadrmSuperUserGroup
   -GroupEmailAddress <String>
   [<CommonParameters>]

Description

The Set-AadrmSuperUserGroup cmdlet specifies a group to use as the super user group for your Azure Rights Management service. Members of this group are then super users, which means they become a Rights Management owner for all content that is protected by your organization. These super users can decrypt this protected content and remove protection from it, even if an expiration date has been set and expired. Typically, this level of access is required for legal eDiscovery and by auditing teams.

You can specify any group that has an email address, but be aware that for performance reasons, group membership is cached. For information about group requirements, see Preparing users and groups for Azure Information Protection.

If a super user group already exists, running this cmdlet overwrites it. This cmdlet does not affect users that are individually assigned as super users with the Add-AadrmSuperUser cmdlet.

An organization can have only one super user group in addition to multiple users who are assigned the privilege individually, but you can nest groups.

You must use PowerShell to configure super users; you cannot do this configuration by using a management portal.

For more information about super users, see Configuring super users for Azure Rights Management and discovery services or data recovery.

Examples

Example 1: Set the super user group

PS C:\>Set-AadrmSuperUserGroup -GroupEmailAddress "SuperUserGroup@contoso.com"

This command sets the super user group for the organization to SuperUserGroup@contoso.com.
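The following is an added example, not part of the original documentation. Because this cmdlet overwrites any existing super user group and leaves individually assigned super users untouched, the script records the current state before the change and returns a record afterward. It assumes the AADRM module is installed, that the caller is a Rights Management administrator, and that Get-AadrmSuperUserGroup returns the group's email address; the function name Set-SuperUserGroupWithAudit is hypothetical.

```powershell
# Added example (not from the original documentation).
# Assumes the AADRM module is installed and the caller administers Rights Management.
function Set-SuperUserGroupWithAudit {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupEmailAddress
    )

    # Capture the current group first: Set-AadrmSuperUserGroup overwrites it.
    $previousGroup = Get-AadrmSuperUserGroup

    # Individually assigned super users are not affected by the cmdlet,
    # so list them to see who keeps decrypt rights after the change.
    $individualSuperUsers = @(Get-AadrmSuperUser)

    if ($previousGroup) {
        Write-Warning "Existing super user group '$previousGroup' will be replaced."
    }
    if ($individualSuperUsers.Count -gt 0) {
        Write-Warning "$($individualSuperUsers.Count) individually assigned super user(s) keep their access."
    }

    # ConfirmImpact = 'High' makes PowerShell prompt before the change is applied.
    if ($PSCmdlet.ShouldProcess($GroupEmailAddress, 'Set as Rights Management super user group')) {
        Set-AadrmSuperUserGroup -GroupEmailAddress $GroupEmailAddress
    }

    # Return a record suitable for a change log.
    # Group membership is cached, so membership edits may not apply immediately.
    [pscustomobject]@{
        TimestampUtc         = (Get-Date).ToUniversalTime().ToString('o')
        PreviousGroup        = $previousGroup
        CurrentGroup         = Get-AadrmSuperUserGroup
        IndividualSuperUsers = $individualSuperUsers
        SuperUserFeature     = "$(Get-AadrmSuperUserFeature)"   # feature state, for the record
    }
}

Connect-AadrmService
Set-SuperUserGroupWithAudit -GroupEmailAddress 'SuperUserGroup@contoso.com'
```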

Required Parameters

-GroupEmailAddress

Specifies the group email address for the super user group.

GroupEmailAddress can specify a group that contains individual users or other nested groups. It must be a valid group email address for an existing group in the organization.

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Inputs

System.String