Activate the Azure Rights Management service

This article describes how administrators can activate the Azure Rights Management encryption service for Microsoft Purview Information Protection. When this encryption service is activated for your organization, administrators and users can start to protect important data by using apps and services that support this encryption solution. Administrators can also manage and monitor encrypted items that your organization owns.

The configuration information in this article is for administrators who are responsible for a service that applies to all users in an organization. If you are looking for user help and information to use the Rights Management functionality for a specific application or how to open a file or email that is rights-protected, use the help and guidance that accompanies your application.

Automatic activation for Azure Rights Management

When you have a service plan that includes Azure Rights Management, you may not have to activate the service:

  • If your subscription that includes Azure Rights Management, Azure Information Protection (former name), or Microsoft Purview Information Protection was obtained towards the end of February 2018 or later: The service is automatically activated for you. You do not have to activate the service unless you or another global administrator for your organization deactivated Azure Rights Management.

  • If your subscription that includes Azure Rights Management, Azure Information Protection (former name), or Microsoft Purview Information Protection was obtained before or during February 2018: Microsoft activates the Azure Rights Management service for these subscriptions if your tenant is using Exchange Online. For these subscriptions, the service will be activated for you unless you see that AutomaticServiceUpdateEnabled is set to false when you run Get-IRMConfiguration.

If neither of the listed scenarios applies to you, you must manually activate the Azure Rights Management service.

How to activate or confirm the status of the encryption service

Important

Do not activate Azure Rights Management if you have Active Directory Rights Management Services (AD RMS) deployed for your organization. More information

To activate Azure Rights Management, your organization must have a service plan that includes the Azure Rights Management service from Microsoft Purview Information Protection. For more information, see Microsoft 365 licensing guidance for security & compliance.

When Azure Rights Management is activated, all users in your organization can apply encryption to items such as documents and emails, and all users can open (consume) items that have been encrypted by this service. However, if you prefer, you can restrict who can apply this encryption, by using onboarding controls for a phased deployment. For more information, see the Configuring onboarding controls for a phased deployment section in this article.

Activate Azure Rights Management via PowerShell

You must use PowerShell to activate Azure Rights Management. You can no longer activate or deactivate this service from admin portals.

  1. Install the AIPService module, to configure and manage the Azure Rights Management service. For instructions, see Install the AIPService PowerShell module for the Azure Rights Management service.

  2. From a PowerShell session, run Connect-AipService, and when prompted, provide the Global Administrator account details for your tenant.

  3. Run Get-AipService to confirm whether the Azure Rights Management service is activated. A status of Enabled confirms activation; Disabled indicates that the service is deactivated.

  4. To activate the service, run Enable-AipService.
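The four steps above as one PowerShell script that only enables the service when it is not already enabled, and fails loudly if activation did not take. This is an added example, not a script from the article or the AIPService module; it assumes the AIPService module is installed and that you sign in with a Global Administrator account for the tenant.

```powershell
# Added example (not from the original article): activate Azure Rights Management
# from PowerShell and confirm the result.
# Assumptions: the AIPService module is installed; the interactive sign-in uses a
# Global Administrator account for the tenant.
Import-Module AIPService

# Step 2: sign in to the service (prompts for credentials).
Connect-AipService

# Step 3: read the current state before changing anything.
$status = Get-AipService
Write-Host "Azure Rights Management service status before: $status"

# Step 4: activate only if the service is currently deactivated.
if ($status -eq 'Disabled') {
    Enable-AipService
    $status = Get-AipService
}

# Verify the end state; anything other than Enabled is treated as a failure.
if ($status -ne 'Enabled') {
    throw "Activation did not succeed; Get-AipService reports '$status'."
}
Write-Host "Azure Rights Management is activated."
```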

Configuring onboarding controls for a phased deployment

If you don’t want all users to be able to encrypt documents and emails immediately by using Azure Rights Management, you can configure user onboarding controls by using the Set-AipServiceOnboardingControlPolicy PowerShell command. You can run this command before or after you activate the Azure Rights Management service.

For example, if you initially want only administrators in the “IT department” group (that has an object ID of fbb99ded-32a0-45f1-b038-38b519009503) to be able to protect content for testing purposes, use the following command:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "fbb99ded-32a0-45f1-b038-38b519009503"

For this configuration option, you must specify a group; you can't specify individual users. To get the object ID for the group, you can use Microsoft Graph PowerShell (for example, with version 1.0 of the module, the Get-MgGroup command). Or, you can copy the Object ID value of the group from the Azure portal.

Alternatively, if you want to ensure that only users who are correctly licensed to use Azure Rights Management can protect content:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $True

When you no longer need to use onboarding controls, whether you used the group or licensing option, run:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False

For more information about this cmdlet and additional examples, see the Set-AipServiceOnboardingControlPolicy help.

When you use these onboarding controls, all users in the organization can always consume encrypted content that has been protected by your subset of users, but they won’t be able to apply encryption themselves from client applications. Server-side applications, such as Exchange, can implement their own per-user controls to achieve the same result. For example, to prevent users from protecting emails in Outlook on the web, use Set-OwaMailboxPolicy to set the IRMEnabled parameter to $false.
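The onboarding-control configuration described above, carried through end to end: the group's object ID is resolved by name with Microsoft Graph PowerShell rather than copied from the portal, the policy is applied, and the effective policy is read back. This is an added example, not code from the article; it assumes the AIPService and Microsoft.Graph.Groups modules are installed, that Connect-AipService has already been run, and uses the article's "IT department" group name as a placeholder for your own group.

```powershell
# Added example (not from the original article): restrict Azure RMS protection to one
# security group for a phased rollout, then confirm the policy now in effect.
# Assumptions: AIPService and Microsoft.Graph.Groups modules are installed, and an
# AIPService session is already connected. The group name is a placeholder.
$groupName = 'IT department'

# Resolve the group's object ID with Microsoft Graph PowerShell (needs Group.Read.All).
Connect-MgGraph -Scopes 'Group.Read.All'
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    throw "Group '$groupName' was not found."
}
if (@($group).Count -gt 1) {
    throw "More than one group is named '$groupName'; pass the object ID explicitly."
}

# Onboarding controls accept a security group only, never individual users.
Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId $group.Id

# Read the policy back so the change is confirmed rather than assumed.
Get-AipServiceOnboardingControlPolicy

# Optional, Exchange Online (run Connect-ExchangeOnline first): also stop users from
# protecting mail in Outlook on the web, as the article describes.
# Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -IRMEnabled $false
```

When the phased rollout is complete, run Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False without a group to remove the restriction, as shown earlier in this article.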

Next steps

Now that the Azure Rights Management service is activated for your organization, apps and services can apply encryption to help protect your data. The easiest and recommended way to apply encryption is by using sensitivity labels from Microsoft Purview Information Protection. If you're ready to do that, see Get started with sensitivity labels.

A simple verification test for the Azure Rights Management service is to apply a sensitivity label that encrypts a document or email message by using one user account. Then attempt to open and use that encrypted content from another user account on a different computer.