Configuring IRM/RMS in SharePoint Online/Office 365
Michel Mendes
Microsoft MVP (Business Applications) | Power Platform | Power Apps | Power Pages | Microsoft 365 | SharePoint
I’ve been working with IRM policies in Office 365 recently, in order to build a solution to prevent information leaks. Basically, Information rights management (IRM) is a subset of digital rights management (DRM), technologies that protect sensitive information from unauthorized access. You can choose which specific libraries you want to apply this kind of policies in your SharePoint Environment. You can restrict which kinds of actions can be taken on protected documents, preventing information to be forwarded and accessed by unauthorized people. If the documents with IRM/RMS protection are downloaded or forwarded to any place outside the SharePoint/Office 365 Environment, they can only be viewed only after the user authenticates with his credentials AND he has permissions on the source library.
At first, IRM/RMS in SharePoint libraries works out-of-the-box only with Office and PDF files. When it comes to SharePoint Online, the configuration is easier, because you can have your IRM policies easily activated with Azure RMS.
The definition is on the Office 365 administration level and not on the SharePoint 365 admin only. Here's a quick step by step on how to activate it.the technical implementation of the IRM in Office 365:
1) Activate the Rights Management in Azure AD.
On Office 365 Go to Admin Tile. In the Admin Center choose Azure AD. In the Active Directory, in the Rights Management Tab Activate the Rights Management. After that, it is applied to your whole organization in office 365.
You can configure policy and permissions according to your clients' requirements and needs, regarding the following actions: Editing the content, Forwarding a file, Copy/cut/paste the content as text, Printing the file, etc.
2) Activate it on the SharePoint level.
- If you are using the previous Office 365 Admin interface, you can do it as explained in this tutorial:
https://www.youtube.com/watch?v=L2B_vWXKyaU
- In the new Office 365 Admin interface, you may do it as follows:
In the SharePoint Admin center, choose "Settings" in the left navigation. Scroll till you see the relevant IRM:
Choose “Use the IRM service specified in your configuration”, then refresh the IRM settings. The IRM settings menu will appear in all the document libraries of your SharePoint Online sites.
You may configure additional settings, as seen in the following image:
One interesting point, in addition to IRM for the tenant users, I needed to evaluate IRM + External Users.
After some research, I found out that an IRM protected document that is shared with an external user with a Microsoft Account (non-Office 365 User), will not be able to be viewed after downloaded. If a standard Microsoft ID is used, the document will only be able to be to be viewed in the browser.
Depending on the requirements, I would consider this as a useful feature, instead of a restriction.
Removing IRM/RMS from protected documents:
If you need to remove RMS/IRM from documents, there are some approaches (in all of them you'll need to have full control permissions over the library):
- You can turn off IRM for the whole library (I wouldn't recommend this approach in some scenarios), OR
- You can configure a date for the library to stop restricting access to the documents, OR
- You can remove the protection on the file on the client application:
