Applies to: Azure Rights Management, Office 365
You are always in control of whether your organization protects content by using Azure Rights Management (Azure RMS), and if you decide you no longer want to use this information protection solution, you have the assurance that you won’t be locked out of content that was previously protected. If you don’t need continued access to previously protected content, you simply deactivate the service and you can let your subscription for Azure Rights Management expire. For example, this would be appropriate for when you have completed testing Azure Rights Management before you deploy it in a production environment.
However, if you have deployed Azure Rights Management in production, make sure that you have a copy of your Azure Rights Management tenant key before you deactivate the service and do this before your subscription expires, because this will ensure that you can retain access to content that was protected by Azure Rights Management after the service is deactivated. If you used the bring your own key solution (BYOK) where you generate and manage your own key in an HSM, you will already have your Azure Rights Management tenant key. But if it was managed by Microsoft (the default), see the instructions for exporting your tenant key in Operations for your Azure Rights Management tenant key article.
Even after your subscription expires, your Azure Rights Management tenant remains available for consuming content for an extended period. However, you will no longer be able to export your tenant key.
When you have your Azure Rights Management tenant key, you can deploy Rights Management on premises (AD RMS) and import your tenant key as a trusted publishing domain (TPD). You then have the following options for decommissioning your Azure Rights Management deployment:
|If this applies to you …||… do this:|
|You want all users to continue using Rights Management, but use an on-premises solution rather than using Azure RMS →||Use the Set-AadrmMigrationUrl cmdlet to direct existing users to your on-premises deployment when they consume content protected after this change. Users will automatically use the AD RMS installation to consume the protected content.
For users to consume content that was protected before this change, redirect your clients to the on-premises deployment by using the LicensingRedirection registry key for Office 2016 or Office 2013, as described in the service discovery section in the RMS client deployment notes, and the LicenseServerRedirection registry key for Office 2010, as described in Office Registry Settings.
|You want to stop using Rights Management technologies completely →||Grant a designated administrator super user rights and give this person the RMS Protection Tool.
This administrator can then use the tool to bulk-decrypt files in folders that were protected by Azure Rights Management so that the files revert to being unprotected and can therefore be read without a Rights Management technology such as Azure RMS or AD RMS. This tool can be used with both Azure RMS and AD RMS, so you have the choice of decrypting files before or after you deactivate Azure RMS, or a combination.
|You are not able to identify all the files that were protected by Azure RMS, or you want all users to be able to automatically read any protected files that were missed →||Deploy a registry setting on all client computers by using the LicensingRedirection registry key for Office 2016 and Office 2013, as described in the service discovery section in the RMS client deployment notes, and the LicenseServerRedirection registry key for Office 2010, as described in Office Registry Settings.
Also deploy another registry setting to prevent users from protecting new files by setting DisableCreation to 1, as described in Office Registry Settings.
|You want a controlled, manual recovery service for any files that were missed →||Grant designated users in a data recovery group super user rights and give them the RMS Protection Tool so that they can unprotect files when requested by standard users.
On all computers, deploy the registry setting to prevent users from protecting new files by setting DisableCreation to 1, as described in Office Registry Settings.
For more information about the procedures in this table, see the following resources:
For information about AD RMS and deployment references, see Active Directory Rights Management Services Overview.
For instructions to import your Azure RMS tenant key as a TPD file, see Add a Trusted Publishing Domain.
To install the Windows PowerShell module for Azure RMS, to set the migration URL, see Installing Windows PowerShell for Azure Rights Management.
When you are ready to deactivate the Azure RMS service for your organization, use the following instructions.
Deactivating Rights Management
Use one of the following procedures to deactivate Azure Rights Management.
You can also use the Windows PowerShell cmdlet, Disable-Aadrm, to deactivate Rights Management.
To deactivate Rights Management from the Office 365 admin center
Sign in to Office 365 with your work or school account that is an administrator for your Office 365 deployment.
If the Office 365 admin center does not automatically display, select the app launcher icon in the upper-left and choose Admin. The Admin tile appears only to Office 365 administrators.
For admin center help, see About the Office 365 admin center - Admin Help.
In the left pane, expand SERVICE SETTINGS.
Click Rights Management.
On the RIGHTS MANAGEMENT page, click Manage.
On the rights management page, click deactivate.
When prompted Do you want to deactivate Rights Management?, click deactivate.
You should now see Rights Management is not activated and the option to activate.
To deactivate Rights Management from the Azure classic portal
Sign in to the Azure classic portal.
In the left pane, click ACTIVE DIRECTORY.
From the active directory page, click RIGHTS MANAGEMENT.
Select the directory to manage for Rights Management, click DEACTIVATE, and then confirm your action.
The RIGHTS MANAGEMENT STATUS should now display Inactive and the DEACTIVATE option is replaced with ACTIVATE.