Microsoft 365: Configuration for online services to use the Azure Rights Management service

*Applies to*: Azure Information Protection, Office 365

*Relevant for: AIP unified labeling client and classic client*

Use the following sections to help you configure Exchange Online, Microsoft SharePoint, and Microsoft OneDrive to use the Azure Rights Management service from Azure Information Protection.

Exchange Online: IRM Configuration

For information about how Exchange Online works with the Azure Rights Management service, see the Exchange Online and Exchange Server section from How Office applications and services support Azure Rights Management.

Exchange Online might already be enabled to use the Azure Rights Management service. To check, run the following commands:

  1. If this is the first time that you have used Windows PowerShell for Exchange Online on your computer, you must configure Windows PowerShell to run signed scripts. Start your Windows PowerShell session by using the Run as administrator option, and then type:

    Set-ExecutionPolicy RemoteSigned
    

    Press Y to confirm.

  2. In your Windows PowerShell session, sign in to Exchange Online by using an account that is enabled for remote Shell access. By default, all accounts that are created in Exchange Online are enabled for remote Shell access, but this can be disabled (and enabled) by using the Set-User <UserIdentity> -RemotePowerShellEnabled command.

    To sign in, first type:

    $Cred = Get-Credential
    

    Then, in the Windows PowerShell credential request dialog box, supply your Microsoft 365 user name and password.

  3. Connect to the Exchange Online service by first setting a variable:

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
    

    Then run the following command:

    Import-PSSession $Session
    
  4. Run the Get-IRMConfiguration command to view your Exchange Online configuration for the protection service:

    Get-IRMConfiguration
    

    From the output, locate the AzureRMSLicensingEnabled value:

    • If AzureRMSLicensingEnabled is set to True, Exchange Online is already enabled for the Azure Rights Management service.

    • If AzureRMSLicensingEnabled is set to False, run the following command to enable Exchange Online for the Azure Rights Management service: Set-IRMConfiguration -AzureRMSLicensingEnabled $true

  5. To test that Exchange Online is configured successfully, run the following command:

    Test-IRMConfiguration -Sender <user email address>
    

    For example: Test-IRMConfiguration -Sender adams@contoso.com

    This command runs a series of checks that includes verifying connectivity to the service, retrieving the configuration, retrieving URIs, licenses, and any templates. In the Windows PowerShell session, you see the result of each check and, at the end, if everything passes these checks: OVERALL RESULT: PASS
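Steps 4 and 5 combined into one repeatable check, as an added example that is not part of the original documentation. It assumes the Exchange Online session from steps 2 and 3 is already imported; the function name `Enable-AzureRmsForExchangeOnline` is hypothetical.

```powershell
# Added example (not from the original page).
# Assumes the Exchange Online session from steps 2-3 is already imported,
# so Get-IRMConfiguration, Set-IRMConfiguration and Test-IRMConfiguration exist.
function Enable-AzureRmsForExchangeOnline   # hypothetical helper name
{
    [CmdletBinding()]
    param(
        # Mailbox address passed to Test-IRMConfiguration -Sender
        [Parameter(Mandatory = $true)][string]$Sender
    )

    # Fail early when the session is missing instead of half-applying the change
    foreach ($name in 'Get-IRMConfiguration', 'Set-IRMConfiguration', 'Test-IRMConfiguration')
    {
        if (-not (Get-Command -Name $name -ErrorAction SilentlyContinue))
        {
            throw "$name is not available. Connect to Exchange Online first."
        }
    }

    # Step 4: read the current value and change it only when it is False
    $changed = $false
    $irm = Get-IRMConfiguration
    if (-not $irm.AzureRMSLicensingEnabled)
    {
        Write-Verbose 'AzureRMSLicensingEnabled is False; enabling it.'
        Set-IRMConfiguration -AzureRMSLicensingEnabled $true
        $changed = $true

        # Read the setting back rather than trusting the Set call
        $irm = Get-IRMConfiguration
        if (-not $irm.AzureRMSLicensingEnabled)
        {
            throw 'AzureRMSLicensingEnabled is still False after Set-IRMConfiguration.'
        }
    }

    # Step 5: run the built-in checks and look for the final verdict line
    $testOutput = Test-IRMConfiguration -Sender $Sender | Out-String
    $passed     = $testOutput -match 'OVERALL RESULT:\s*PASS'

    if (-not $passed)
    {
        Write-Warning 'Test-IRMConfiguration did not report OVERALL RESULT: PASS. Review TestOutput.'
    }

    # Return a record that can be logged or compared between runs
    [pscustomobject]@{
        AzureRMSLicensingEnabled = [bool]$irm.AzureRMSLicensingEnabled
        ChangedByThisRun         = $changed
        TestPassed               = $passed
        TestOutput               = $testOutput
    }
}

# Usage, with the sender address from the example above:
# Enable-AzureRmsForExchangeOnline -Sender adams@contoso.com -Verbose
```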

When Exchange Online is enabled to use the Azure Rights Management service, you can configure features that apply information protection automatically, such as mail flow rules, data loss prevention (DLP) policies, and protected voice mail (Unified Messaging).

SharePoint in Microsoft 365 and OneDrive: IRM Configuration

For information about how SharePoint IRM works with the Azure Rights Management service, see SharePoint in Microsoft 365 and SharePoint Server from the Rights Management protection section of this documentation.

To configure SharePoint in Microsoft 365 and OneDrive to support the Azure Rights Management service, you must first enable the information rights management (IRM) service for SharePoint by using the SharePoint admin center. Then, site owners can IRM-protect their SharePoint lists and document libraries, and users can IRM-protect their OneDrive library so that documents that are saved there, and shared with others, are automatically protected by the Azure Rights Management service.

Note

IRM-protected libraries for SharePoint in Microsoft 365 and OneDrive require the latest version of the new OneDrive sync client (OneDrive.exe), and the version of the RMS client from the Microsoft Download Center. Install this version of the RMS client even if you have installed the Azure Information Protection client. For more information about this deployment scenario, see Deploy the new OneDrive sync client in an enterprise environment.

To enable the information rights management (IRM) service for SharePoint, see the following instructions from the Office documentation:

This configuration is done by the Microsoft 365 administrator.

Configuring IRM for libraries and lists

After you have enabled the IRM service for SharePoint, site owners can IRM-protect their SharePoint document libraries and lists. For instructions, see the following from the Office website:

This configuration is done by the SharePoint site administrator.

Configuring IRM for OneDrive

After you have enabled the IRM service for SharePoint, users' OneDrive document library or individual folders can then be configured for Rights Management protection. Users can configure this for themselves by using their OneDrive website. Although administrators cannot configure this protection for them by using the SharePoint admin center, you can do this by using Windows PowerShell.

Note

For more information about configuring OneDrive, see the OneDrive documentation.

Configuration for users

Give users the following instructions so that they can configure their OneDrive to protect their business files.

  1. Sign in to Microsoft 365 with your work or school account and go to the OneDrive website.

  2. In the navigation pane, at the bottom, select Return to classic OneDrive.

  3. Select the Settings icon. In the Settings pane, if the Ribbon is set to Off, select this setting to turn the ribbon on.

  4. To configure all OneDrive files to be protected, select the LIBRARY tab from the ribbon, and then select Library Settings.

  5. On the Documents > Settings page, in the Permissions and Management section, select Information Rights Management.

  6. On the Information Rights Management Settings page, select the Restrict permissions on this library on download check box. Specify your choice of name and a description for the permissions, and optionally, click SHOW OPTIONS to configure optional configurations, and then click OK.

    For more information about the configuration options, see the instructions in Apply Information Rights Management to a list or library from the Office documentation.

Because this configuration relies on users rather than an administrator to IRM-protect their OneDrive files, educate users about the benefits of protecting their files and how to do this. For example, explain that when they share a document from OneDrive, only people they authorize can access it with any restrictions that they configure, even if the file is renamed and copied somewhere else.

Configuration for administrators

Although you cannot configure IRM for users' OneDrive by using the SharePoint admin center, you can do this by using Windows PowerShell. To enable IRM for these libraries, follow these steps:

  1. Download and install the SharePoint Client Components SDK.

  2. Download and install the SharePoint Management Shell.

  3. Copy the contents of the following script and name the file Set-IRMOnOneDriveForBusiness.ps1 on your computer.

    **Disclaimer**: This sample script is not supported under any Microsoft standard support program or service. This sample script is provided AS IS without warranty of any kind.

    # Requires Windows PowerShell version 3
    
    <#
      Description:
    
        Configures IRM policy settings for OneDrive and can also be used for SharePoint libraries and lists
    
     Script Installation Requirements:
    
       SharePoint Client Components SDK
       https://www.microsoft.com/download/details.aspx?id=42038
    
       SharePoint Management Shell
       https://www.microsoft.com/download/details.aspx?id=35588
    
    ======
    #>
    
    # URL will be in the format https://<tenant-name>-admin.sharepoint.com
    $sharepointAdminCenterUrl = "https://contoso-admin.sharepoint.com"
    
    $tenantAdmin = "admin@contoso.com"
    
    $webUrls = @("https://contoso-my.sharepoint.com/personal/user1_contoso_com",
                 "https://contoso-my.sharepoint.com/personal/user2_contoso_com",
                 "https://contoso-my.sharepoint.com/personal/user3_contoso_com")
    
    <# As an alternative to specifying the URLs as an array, you can import them from a CSV file (no header, single value per row).
       Then, use: $webUrls = Get-Content -Path "File_path_and_name.csv"
    
    #>
    
    $listTitle = "Documents"
    
    function Load-SharePointOnlineClientComponentAssemblies
    {
        [cmdletbinding()]
        param()
    
        process
        {
            # assembly location: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI
            try
            {
                Write-Verbose "Loading Assembly: Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                Write-Verbose "Loading Assembly: Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null
    
                return $true
            }
            catch
            {
                if($_.Exception.Message -match "Could not load file or assembly")
                {
                    Write-Error -Message "Unable to load the SharePoint Server 2013 Client Components.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=42038"
                }
                else
                {
                    Write-Error -Exception $_.Exception
                }
                return $false
            }
        }
    }
    
    function Load-SharePointOnlineModule
    {
        [cmdletbinding()]
        param()
    
        process
        {
            do
            {
                # Installation location: C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell
                $spoModule = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue
    
                if(-not $spoModule)
                {
                    try
                    {
                        Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
                        return $true
                    }
                    catch
                    {
                        if($_.Exception.Message -match "Could not load file or assembly")
                        {
                            Write-Error -Message "Unable to load the SharePoint Online Management Shell.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=35588"
                        }
                        else
                        {
                            Write-Error -Exception $_.Exception
                        }
                        return $false
                    }
                }
                else
                {
                    return $true
                }
            }
            while(-not $spoModule)
        }
    }
    
    function Set-IrmConfiguration
    {
        [cmdletbinding()]
        param(
            [parameter(Mandatory=$true)][Microsoft.SharePoint.Client.List]$List,
            [parameter(Mandatory=$true)][string]$PolicyTitle,
            [parameter(Mandatory=$true)][string]$PolicyDescription,
            [parameter(Mandatory=$false)][switch]$IrmReject,
            [parameter(Mandatory=$false)][DateTime]$ProtectionExpirationDate,
            [parameter(Mandatory=$false)][switch]$DisableDocumentBrowserView,
            [parameter(Mandatory=$false)][switch]$AllowPrint,
            [parameter(Mandatory=$false)][switch]$AllowScript,
            [parameter(Mandatory=$false)][switch]$AllowWriteCopy,
            [parameter(Mandatory=$false)][int]$DocumentAccessExpireDays,
            [parameter(Mandatory=$false)][int]$LicenseCacheExpireDays,
            [parameter(Mandatory=$false)][string]$GroupName
        )
    
        process
        {
            Write-Verbose "Applying IRM Configuration on '$($List.Title)'"
    
            # reset the value to the default settings
            $list.InformationRightsManagementSettings.Reset()
    
            $list.IrmEnabled = $true
    
            # IRM Policy title and description
    
                $list.InformationRightsManagementSettings.PolicyTitle       = $PolicyTitle
                $list.InformationRightsManagementSettings.PolicyDescription = $PolicyDescription
    
            # Set additional IRM library settings
    
                # Do not allow users to upload documents that do not support IRM
                $list.IrmReject = $IrmReject.IsPresent
    
                $parsedDate = Get-Date
                if([DateTime]::TryParse($ProtectionExpirationDate, [ref]$parsedDate))
                {
                    # Stop restricting access to the library at <date>
                    $list.IrmExpire = $true
                    $list.InformationRightsManagementSettings.DocumentLibraryProtectionExpireDate = $ProtectionExpirationDate
                }
    
                # Prevent opening documents in the browser for this Document Library
                $list.InformationRightsManagementSettings.DisableDocumentBrowserView = $DisableDocumentBrowserView.IsPresent
    
            # Configure document access rights
    
                # Allow viewers to print
                $list.InformationRightsManagementSettings.AllowPrint = $AllowPrint.IsPresent
    
                # Allow viewers to run script and screen reader to function on downloaded documents
                $list.InformationRightsManagementSettings.AllowScript = $AllowScript.IsPresent
    
                # Allow viewers to write on a copy of the downloaded document
                $list.InformationRightsManagementSettings.AllowWriteCopy = $AllowWriteCopy.IsPresent
    
                if($DocumentAccessExpireDays)
                {
                    # After download, document access rights will expire after these number of days (1-365)
                    $list.InformationRightsManagementSettings.EnableDocumentAccessExpire = $true
                    $list.InformationRightsManagementSettings.DocumentAccessExpireDays   = $DocumentAccessExpireDays
                }
    
            # Set group protection and credentials interval
    
                if($LicenseCacheExpireDays)
                {
                    # Users must verify their credentials using this interval (days)
                    $list.InformationRightsManagementSettings.EnableLicenseCacheExpire = $true
                    $list.InformationRightsManagementSettings.LicenseCacheExpireDays   = $LicenseCacheExpireDays
                }
    
                if($GroupName)
                {
                    # Allow group protection. Default group:
                    $list.InformationRightsManagementSettings.EnableGroupProtection = $true
                    $list.InformationRightsManagementSettings.GroupName             = $GroupName
                }
        }
        end
        {
            if($list)
            {
                Write-Verbose "Committing IRM configuration settings on '$($list.Title)'"
                $list.InformationRightsManagementSettings.Update()
                $list.Update()
                $script:clientContext.Load($list)
                $script:clientContext.ExecuteQuery()
            }
        }
    }
    
    function Get-CredentialFromCredentialCache
    {
        [cmdletbinding()]
        param([string]$CredentialName)
    
        #if( Test-Path variable:\global:CredentialCache )
        if( Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue )
        {
            if($global:O365TenantAdminCredentialCache.ContainsKey($CredentialName))
            {
                Write-Verbose "Credential Cache Hit: $CredentialName"
                return $global:O365TenantAdminCredentialCache[$CredentialName]
            }
        }
        Write-Verbose "Credential Cache Miss: $CredentialName"
        return $null
    }
    
    function Add-CredentialToCredentialCache
    {
        [cmdletbinding()]
        param([System.Management.Automation.PSCredential]$Credential)
    
        # initialize the cache only if the global variable that holds it does not exist yet
        if(-not (Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue))
        {
            Write-Verbose "Initializing the Credential Cache"
            $global:O365TenantAdminCredentialCache = @{}
        }
    
        Write-Verbose "Adding Credential to the Credential Cache"
        $global:O365TenantAdminCredentialCache[$Credential.UserName] = $Credential
    }
    
    # load the required assemblies and Windows PowerShell modules
    
        if(-not ((Load-SharePointOnlineClientComponentAssemblies) -and (Load-SharePointOnlineModule)) ) { return }
    
    # Add the credentials to the client context and SharePoint service connection
    
        # check for cached credentials to use
        $o365TenantAdminCredential = Get-CredentialFromCredentialCache -CredentialName $tenantAdmin
    
        if(-not $o365TenantAdminCredential)
        {
            # when credentials are not cached, prompt for the tenant admin credentials
            $o365TenantAdminCredential = Get-Credential -UserName $tenantAdmin -Message "Enter the password for the Microsoft 365 admin"
    
            if(-not $o365TenantAdminCredential -or -not $o365TenantAdminCredential.UserName -or $o365TenantAdminCredential.Password.Length -eq 0 )
            {
                Write-Error -Message "Could not validate the supplied tenant admin credentials"
                return
            }
    
            # add the credentials to the cache
            Add-CredentialToCredentialCache -Credential $o365TenantAdminCredential
        }
    
    # connect to Office365 first, required for SharePoint cmdlets to run
    
        Connect-SPOService -Url $sharepointAdminCenterUrl -Credential $o365TenantAdminCredential
    
    # enumerate each of the specified site URLs
    
        foreach($webUrl in $webUrls)
        {
            $grantedSiteCollectionAdmin = $false
    
            try
            {
                # establish the client context and set the credentials to connect to the site
                $script:clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($webUrl)
                $script:clientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365TenantAdminCredential.UserName, $o365TenantAdminCredential.Password)
    
                # initialize the site and web context
                $script:clientContext.Load($script:clientContext.Site)
                $script:clientContext.Load($script:clientContext.Web)
                $script:clientContext.ExecuteQuery()
    
                # load and ensure the tenant admin user account if present on the target SharePoint site
                $tenantAdminUser = $script:clientContext.Web.EnsureUser($o365TenantAdminCredential.UserName)
                $script:clientContext.Load($tenantAdminUser)
                $script:clientContext.ExecuteQuery()
    
                # check if the tenant admin is a site admin
                if( -not $tenantAdminUser.IsSiteAdmin )
                {
                    try
                    {
                        # grant the tenant admin temporary admin rights to the site collection
                        Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $true | Out-Null
                        $grantedSiteCollectionAdmin = $true
                    }
                    catch
                    {
                        Write-Error $_.Exception
                        return
                    }
                }
    
                try
                {
                    # load the list or library using CSOM
    
                    $list = $null
                    $list = $script:clientContext.Web.Lists.GetByTitle($listTitle)
                    $script:clientContext.Load($list)
                    $script:clientContext.ExecuteQuery()
    
                    # **************  ADMIN INSTRUCTIONS  **************
                    # If necessary, modify the following Set-IrmConfiguration parameters to match your required values
                    # The supplied options and values are for example only
                    # Example that shows the Set-IrmConfiguration command with all parameters: Set-IrmConfiguration -List $list -PolicyTitle "Protected Files" -PolicyDescription "This policy restricts access to authorized users" -IrmReject -ProtectionExpirationDate $(Get-Date).AddDays(180) -DisableDocumentBrowserView -AllowPrint -AllowScript -AllowWriteCopy -LicenseCacheExpireDays 25 -DocumentAccessExpireDays 90
    
                    Set-IrmConfiguration -List $list -PolicyTitle "Protected Files" -PolicyDescription "This policy restricts access to authorized users"  
                }
                catch
                {
                    Write-Error -Message "Error setting IRM configuration on site: $webUrl.`nError Details: $($_.Exception.ToString())"
                }
           }
           finally
           {
                if($grantedSiteCollectionAdmin)
                {
                    # remove the temporary admin rights to the site collection
                    Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $false | Out-Null
                }
           }
        }
    
    Disconnect-SPOService -ErrorAction SilentlyContinue
    
  4. Review the script and make the following changes:

    1. Search for $sharepointAdminCenterUrl and replace the example value with your own SharePoint admin center URL.

      You'll find this value as the base URL when you go into the SharePoint admin center, and it has the following format: https://<tenant_name>-admin.sharepoint.com

      For example, if the tenant name is "contoso", then you would specify: https://contoso-admin.sharepoint.com

    2. Search for $tenantAdmin and replace the example value with your own fully qualified global administrator account for Microsoft 365.

      This value is the same as the one you use to sign in to the Microsoft 365 admin center as the global administrator and has the following format: user_name@<tenant domain name>.com

      For example, if the Microsoft 365 global administrator user name is "admin" for the "contoso.com" tenant domain, you would specify: admin@contoso.com

    3. Search for $webUrls and replace the example values with your users' OneDrive web URLs, adding or deleting as many entries as you need.

      Alternatively, see the comments in the script about how to replace this array by importing a .CSV file that contains all the URLs you need to configure. We've provided another sample script to automatically search for and extract the URLs to populate this .CSV file. When you're ready to do this, use the Additional script to output all OneDrive URLs to a .CSV file section immediately after these steps.

      The web URL for the user's OneDrive is in the following format: https://<tenant name>-my.sharepoint.com/personal/<user_name>_<tenant name>_com

      For example, if the user in the contoso tenant has a user name of "rsimone", you would specify: https://contoso-my.sharepoint.com/personal/rsimone_contoso_com

    4. Because we are using the script to configure OneDrive, do not change the value of Documents for the $listTitle variable.

    5. Search for ADMIN INSTRUCTIONS. If you make no changes to this section, the user's OneDrive will be configured for IRM with the policy title of "Protected Files" and the description of "This policy restricts access to authorized users". No other IRM options will be set, which is probably appropriate for most environments. However, you can change the suggested policy title and description, and also add any other IRM options that are appropriate for your environment. See the commented example in the script to help you construct your own set of parameters for the Set-IrmConfiguration command.

  5. Save the script and sign it. Signing the script is the more secure option. If you do not sign it, Windows PowerShell must be configured on your computer to run unsigned scripts. To do this, run a Windows PowerShell session with the Run as Administrator option, and type: Set-ExecutionPolicy Unrestricted. However, this configuration lets all unsigned scripts run (less secure).

    For more information about signing Windows PowerShell scripts, see about_Signing in the PowerShell documentation library.

  6. Run the script and if prompted, supply the password for the Microsoft 365 admin account. If you modify the script and run it in the same Windows PowerShell session, you won't be prompted for credentials.
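
The sign-then-run path from step 5, as an added example that is not part of the original script: it signs the saved file with a code-signing certificate from the current user's store and runs the file only if the signature verifies. The function name `Set-ScriptSignature`, the file path, and the presence of a trusted code-signing certificate are assumptions.

```powershell
# Added example (not Microsoft's code). Set-ScriptSignature is a hypothetical helper name.
function Set-ScriptSignature
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ScriptPath,
        [string]$TimestampServer   # optional: URL of your CA's timestamp service
    )

    # Pick a code-signing certificate that has a private key and is currently valid.
    $now  = Get-Date
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1

    if (-not $cert)
    {
        Write-Error "No valid code-signing certificate found in Cert:\CurrentUser\My"
        return $false
    }

    # Sign the file; add a timestamp only when a server was supplied.
    $signParams = @{ FilePath = $ScriptPath; Certificate = $cert; HashAlgorithm = 'SHA256' }
    if ($TimestampServer) { $signParams.TimestampServer = $TimestampServer }
    Set-AuthenticodeSignature @signParams | Out-Null

    # Read the signature back. Anything other than Valid (for example HashMismatch
    # after a later edit, or an untrusted issuer) is treated as a failure.
    $signature = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($signature.Status -ne 'Valid')
    {
        Write-Error "Signature status is '$($signature.Status)': $($signature.StatusMessage)"
        return $false
    }

    Write-Verbose "Signed by $($signature.SignerCertificate.Subject)"
    return $true
}

# Placeholder path: point this at the script file you saved in the earlier steps.
$scriptPath = 'C:\Scripts\Your-SavedScript.ps1'

if (Set-ScriptSignature -ScriptPath $scriptPath -Verbose)
{
    & $scriptPath
}
```

Editing the script after signing changes its hash, so sign it again before the next run.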

Tip

You can also use this script to configure IRM for a SharePoint library. For this configuration, you will likely want to enable the additional option Do not allow users to upload documents that do not support IRM, to ensure that the library contains only protected documents. To do that, add the -IrmReject parameter to the Set-IrmConfiguration command in the script.

You would also need to modify the $webUrls variable (for example, https://contoso.sharepoint.com) and $listTitle variable (for example, $Reports).

If you need to disable IRM for user's OneDrive libraries, see the Script to disable IRM for OneDrive section.

Additional script to output all OneDrive URLs to a .CSV file

For step 4c above, you can use the following Windows PowerShell script to extract the URLs for all users' OneDrive libraries, which you can then check, edit if necessary, and then import into the main script.

This script also requires the SharePoint Client Components SDK and the SharePoint Management Shell. Follow the same instructions to copy and paste it, save the file locally (for example, "Report-OneDriveForBusinessSiteInfo.ps1"), modify the $sharepointAdminCenterUrl and $tenantAdmin values as before, and then run the script.

**Disclaimer**: This sample script is not supported under any Microsoft standard support program or service. This sample script is provided AS IS without warranty of any kind.

# Requires Windows PowerShell version 3

<#
  Description:

    Queries the search service of a Microsoft 365 tenant to retrieve all OneDrive sites.  
    Details of the discovered sites are written to a .CSV file (by default,"OneDriveForBusinessSiteInfo_<date>.csv").

 Script Installation Requirements:

   SharePoint Client Components SDK
   https://www.microsoft.com/download/details.aspx?id=42038

   SharePoint Management Shell
   https://www.microsoft.com/download/details.aspx?id=35588

======
#>

# URL will be in the format https://<tenant-name>-admin.sharepoint.com
$sharepointAdminCenterUrl = "https://contoso-admin.sharepoint.com"

$tenantAdmin = "admin@contoso.onmicrosoft.com"                           

$reportName = "OneDriveForBusinessSiteInfo_$((Get-Date).ToString("yyyy-MM-dd_hh.mm.ss")).csv"

$oneDriveForBusinessSiteUrls= @()
$resultsProcessed = 0

function Load-SharePointOnlineClientComponentAssemblies
{
    [cmdletbinding()]
    param()

    process
    {
        # assembly location: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI
        try
        {
            Write-Verbose "Loading Assembly: Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            return $true
        }
        catch
        {
            if($_.Exception.Message -match "Could not load file or assembly")
            {
                Write-Error -Message "Unable to load the SharePoint Server 2013 Client Components.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=42038"
            }
            else
            {
                Write-Error -Exception $_.Exception
            }
            return $false
        }
    }
}

function Load-SharePointOnlineModule
{
    [cmdletbinding()]
    param()

    process
    {
        do
        {
            # Installation location: C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell
            $spoModule = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue

            if(-not $spoModule)
            {
                try
                {
                    Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
                    return $true
                }
                catch
                {
                    if($_.Exception.Message -match "Could not load file or assembly")
                    {
                        Write-Error -Message "Unable to load the SharePoint Online Management Shell.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=35588"
                    }
                    else
                    {
                        Write-Error -Exception $_.Exception
                    }
                    return $false
                }
            }
            else
            {
                return $true
            }
        }
        while(-not $spoModule)
    }
}

function Get-CredentialFromCredentialCache
{
    [cmdletbinding()]
    param([string]$CredentialName)

    #if( Test-Path variable:\global:CredentialCache )
    if( Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue )
    {
        if($global:O365TenantAdminCredentialCache.ContainsKey($CredentialName))
        {
            Write-Verbose "Credential Cache Hit: $CredentialName"
            return $global:O365TenantAdminCredentialCache[$CredentialName]
        }
    }
    Write-Verbose "Credential Cache Miss: $CredentialName"
    return $null
}

function Add-CredentialToCredentialCache
{
    [cmdletbinding()]
    param([System.Management.Automation.PSCredential]$Credential)

    if(-not (Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue))
    {
        Write-Verbose "Initializing the Credential Cache"
        $global:O365TenantAdminCredentialCache = @{}
    }

    Write-Verbose "Adding Credential to the Credential Cache"
    $global:O365TenantAdminCredentialCache[$Credential.UserName] = $Credential
}

# load the required assemblies and Windows PowerShell modules

    if(-not ((Load-SharePointOnlineClientComponentAssemblies) -and (Load-SharePointOnlineModule)) ) { return }

# Add the credentials to the client context and SharePoint service connection

    # check for cached credentials to use
    $o365TenantAdminCredential = Get-CredentialFromCredentialCache -CredentialName $tenantAdmin

    if(-not $o365TenantAdminCredential)
    {
        # when credentials are not cached, prompt for the tenant admin credentials
        $o365TenantAdminCredential = Get-Credential -UserName $tenantAdmin -Message "Enter the password for the Office 365 admin"

        if(-not $o365TenantAdminCredential -or -not $o365TenantAdminCredential.UserName -or $o365TenantAdminCredential.Password.Length -eq 0 )
        {
            Write-Error -Message "Could not validate the supplied tenant admin credentials"
            return
        }

        # add the credentials to the cache
        Add-CredentialToCredentialCache -Credential $o365TenantAdminCredential
    }

# establish the client context and set the credentials to connect to the site

    $clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($sharepointAdminCenterUrl)
    $clientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365TenantAdminCredential.UserName, $o365TenantAdminCredential.Password)

# run a query against the Microsoft 365 tenant search service to retrieve all OneDrive URLs

    do
    {
        # build the query object
        $query = New-Object Microsoft.SharePoint.Client.Search.Query.KeywordQuery($clientContext)
        $query.TrimDuplicates        = $false
        $query.RowLimit              = 500
        $query.QueryText             = "SPSiteUrl:'/personal/' AND contentclass:STS_Site"
        $query.StartRow              = $resultsProcessed
        $query.TotalRowsExactMinimum = 500000

        # run the query
        $searchExecutor = New-Object Microsoft.SharePoint.Client.Search.Query.SearchExecutor($clientContext)
        $queryResults = $searchExecutor.ExecuteQuery($query)
        $clientContext.ExecuteQuery()

        # enumerate the search results and store the site URLs
        $queryResults.Value[0].ResultRows | % {
            $oneDriveForBusinessSiteUrls += $_.Path
            $resultsProcessed++
        }
    }
    while($resultsProcessed -lt $queryResults.Value.TotalRows)

$oneDriveForBusinessSiteUrls | Out-File -FilePath $reportName
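
One way to do the "check, edit if necessary" step on the exported list before importing it into the main script, as an added example that is not part of Microsoft's scripts. The main script connects to every listed URL with the tenant admin credentials, so this check keeps only entries that match the OneDrive URL format given earlier. The function name `Test-OneDriveUrlList`, the allowed characters in the user segment, and the sample URLs (constructed) are assumptions.

```powershell
# Added example (not Microsoft's code). Test-OneDriveUrlList is a hypothetical helper name.
function Test-OneDriveUrlList
{
    [CmdletBinding()]
    param(
        [string[]]$Url = @(),
        [Parameter(Mandatory = $true)][string]$TenantName
    )

    # Expected shape:
    #   https://<tenant name>-my.sharepoint.com/personal/<user_name>_<tenant name>_com
    # Assumption: the user segment contains only letters, digits, "_" and "-".
    $pattern = '^https://{0}-my\.sharepoint\.com/personal/[A-Za-z0-9_-]+$' -f [regex]::Escape($TenantName)

    $seen     = @{}   # hashtable keys are case-insensitive, which suits URL de-duplication
    $accepted = @()
    $rejected = @()

    foreach ($line in $Url)
    {
        # Normalize: trim whitespace and a trailing slash so duplicates compare equal.
        $candidate = "$line".Trim().TrimEnd('/')
        if (-not $candidate) { continue }                  # skip blank lines

        if ($candidate -notmatch $pattern)
        {
            $rejected += $candidate                        # wrong scheme, host, or path depth
            continue
        }

        if ($seen.ContainsKey($candidate)) { continue }    # drop duplicates
        $seen[$candidate] = $true
        $accepted += $candidate
    }

    return [pscustomobject]@{ Accepted = $accepted; Rejected = $rejected }
}

# Constructed sample input. In practice, read the report file instead:
#   $lines = Get-Content -Path "File_path_and_name.csv"
$lines = @(
    'https://contoso-my.sharepoint.com/personal/rsimone_contoso_com',
    'https://contoso-my.sharepoint.com/personal/rsimone_contoso_com/',          # duplicate
    'https://contoso-my.sharepoint.com/personal/user2_contoso_com/Documents',   # deeper than the site root
    'http://contoso-my.sharepoint.com/personal/user3_contoso_com',              # not HTTPS
    'https://contoso-my.sharepoint.com.example.net/personal/user4_contoso_com', # not the tenant's host
    ''
)

$result = Test-OneDriveUrlList -Url $lines -TenantName 'contoso'

# Review anything that was rejected before deciding whether to fix or drop it.
$result.Rejected | ForEach-Object { Write-Warning "Rejected: $_" }

# Only the accepted URLs are passed on to the main script's $webUrls variable.
$webUrls = $result.Accepted
$webUrls
```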

Script to disable IRM for OneDrive

Use the following sample script if you need to disable IRM for users' OneDrive.

This script also requires the SharePoint Client Components SDK and the SharePoint Management Shell. Copy and paste the contents, save the file locally (for example, "Disable-IRMOnOneDriveForBusiness.ps1"), and modify the $sharepointAdminCenterUrl and $tenantAdmin values. Manually specify the OneDrive URLs or use the script in the previous section so that you can import these, and then run the script.

**Disclaimer**: This sample script is not supported under any Microsoft standard support program or service. This sample script is provided AS IS without warranty of any kind.

# Requires Windows PowerShell version 3

<#
  Description:

    Disables IRM for OneDrive and can also be used for SharePoint libraries and lists

 Script Installation Requirements:

   SharePoint Client Components SDK
   https://www.microsoft.com/download/details.aspx?id=42038

   SharePoint Management Shell
   https://www.microsoft.com/download/details.aspx?id=35588

======
#>

$sharepointAdminCenterUrl = "https://contoso-admin.sharepoint.com"

$tenantAdmin = "admin@contoso.com"

$webUrls = @("https://contoso-my.sharepoint.com/personal/user1_contoso_com",
             "https://contoso-my.sharepoint.com/personal/user2_contoso_com",
             "https://contoso-my.sharepoint.com/personal/person3_contoso_com")

<# As an alternative to specifying the URLs as an array, you can import them from a CSV file (no header, single value per row).
   Then, use: $webUrls = Get-Content -Path "File_path_and_name.csv"

#>

$listTitle = "Documents"

function Load-SharePointOnlineClientComponentAssemblies
{
    [cmdletbinding()]
    param()

    process
    {
        # assembly location: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI
        try
        {
            Write-Verbose "Loading Assembly: Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.Office.Client.Policy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.Office.Client.TranslationServices, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.DocumentManagement, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Publishing, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Runtime, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search.Applications, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.Taxonomy, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            Write-Verbose "Loading Assembly: Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            [System.Reflection.Assembly]::Load("Microsoft.SharePoint.Client.UserProfiles, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c") | Out-Null

            return $true
        }
        catch
        {
            if($_.Exception.Message -match "Could not load file or assembly")
            {
                Write-Error -Message "Unable to load the SharePoint Server 2013 Client Components.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=42038"
            }
            else
            {
                Write-Error -Exception $_.Exception
            }
            return $false
        }
    }
}

function Load-SharePointOnlineModule
{
    [cmdletbinding()]
    param()

    process
    {
        do
        {
            # Installation location: C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell
            $spoModule = Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue

            if(-not $spoModule)
            {
                try
                {
                    Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
                    return $true
                }
                catch
                {
                    if($_.Exception.Message -match "Could not load file or assembly")
                    {
                        Write-Error -Message "Unable to load the SharePoint Online Management Shell.`nDownload Location: https://www.microsoft.com/download/details.aspx?id=35588"
                    }
                    else
                    {
                        Write-Error -Exception $_.Exception
                    }
                    return $false
                }
            }
            else
            {
                return $true
            }
        }
        while(-not $spoModule)
    }
}

function Remove-IrmConfiguration
{
    [cmdletbinding()]
    param(
        [parameter(Mandatory=$true)][Microsoft.SharePoint.Client.List]$List
    )

    process
    {
        Write-Verbose "Disabling IRM Configuration on '$($List.Title)'"

        $List.IrmEnabled = $false
        $List.IrmExpire  = $false
        $List.IrmReject  = $false
        $List.InformationRightsManagementSettings.Reset()
    }
    end
    {
        if($List)
        {
            Write-Verbose "Committing IRM configuration settings on '$($list.Title)'"
            $list.InformationRightsManagementSettings.Update()
            $list.Update()
            $script:clientContext.Load($list)
            $script:clientContext.ExecuteQuery()
        }
    }
}

function Get-CredentialFromCredentialCache
{
    [cmdletbinding()]
    param([string]$CredentialName)

    #if( Test-Path variable:\global:CredentialCache )
    if( Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue )
    {
        if($global:O365TenantAdminCredentialCache.ContainsKey($CredentialName))
        {
            Write-Verbose "Credential Cache Hit: $CredentialName"
            return $global:O365TenantAdminCredentialCache[$CredentialName]
        }
    }
    Write-Verbose "Credential Cache Miss: $CredentialName"
    return $null
}

function Add-CredentialToCredentialCache
{
    [cmdletbinding()]
    param([System.Management.Automation.PSCredential]$Credential)

    if(-not (Get-Variable O365TenantAdminCredentialCache -Scope Global -ErrorAction SilentlyContinue))
    {
        Write-Verbose "Initializing the Credential Cache"
        $global:O365TenantAdminCredentialCache = @{}
    }

    Write-Verbose "Adding Credential to the Credential Cache"
    $global:O365TenantAdminCredentialCache[$Credential.UserName] = $Credential
}

# load the required assemblies and Windows PowerShell modules

    if(-not ((Load-SharePointOnlineClientComponentAssemblies) -and (Load-SharePointOnlineModule)) ) { return }

# Add the credentials to the client context and SharePoint service connection

    # check for cached credentials to use
    $o365TenantAdminCredential = Get-CredentialFromCredentialCache -CredentialName $tenantAdmin

    if(-not $o365TenantAdminCredential)
    {
        # when credentials are not cached, prompt for the tenant admin credentials
        $o365TenantAdminCredential = Get-Credential -UserName $tenantAdmin -Message "Enter the password for the Office 365 admin"

        if(-not $o365TenantAdminCredential -or -not $o365TenantAdminCredential.UserName -or $o365TenantAdminCredential.Password.Length -eq 0 )
        {
            Write-Error -Message "Could not validate the supplied tenant admin credentials"
            return
        }

        # add the credentials to the cache
        Add-CredentialToCredentialCache -Credential $o365TenantAdminCredential
    }

# connect to Office365 first, required for SharePoint cmdlets to run

    Connect-SPOService -Url $sharepointAdminCenterUrl -Credential $o365TenantAdminCredential

# enumerate each of the specified site URLs

    foreach($webUrl in $webUrls)
    {
        $grantedSiteCollectionAdmin = $false

        try
        {
            # establish the client context and set the credentials to connect to the site
            $script:clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($webUrl)
            $script:clientContext.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365TenantAdminCredential.UserName, $o365TenantAdminCredential.Password)

            # initialize the site and web context
            $script:clientContext.Load($script:clientContext.Site)
            $script:clientContext.Load($script:clientContext.Web)
            $script:clientContext.ExecuteQuery()

            # load and ensure the tenant admin user account if present on the target SharePoint site
            $tenantAdminUser = $script:clientContext.Web.EnsureUser($o365TenantAdminCredential.UserName)
            $script:clientContext.Load($tenantAdminUser)
            $script:clientContext.ExecuteQuery()

            # check if the tenant admin is a site admin
            if( -not $tenantAdminUser.IsSiteAdmin )
            {
                try
                {
                    # grant the tenant admin temporary admin rights to the site collection
                    Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $true | Out-Null
                    $grantedSiteCollectionAdmin = $true
                }
                catch
                {
                    Write-Error $_.Exception
                    return
                }
            }

            try
            {
                # load the list or library using CSOM

                $list = $null
                $list = $script:clientContext.Web.Lists.GetByTitle($listTitle)
                $script:clientContext.Load($list)
                $script:clientContext.ExecuteQuery()

               Remove-IrmConfiguration -List $list
            }
            catch
            {
                Write-Error -Message "Error setting IRM configuration on site: $webUrl.`nError Details: $($_.Exception.ToString())"
            }
       }
       finally
       {
            if($grantedSiteCollectionAdmin)
            {
                # remove the temporary admin rights to the site collection
                Set-SPOUser -Site $script:clientContext.Site.Url -LoginName $o365TenantAdminCredential.UserName -IsSiteCollectionAdmin $false | Out-Null
            }
       }
    }

Disconnect-SPOService -ErrorAction SilentlyContinue