Manage super users for rights managed content

Published: July 16, 2012

Updated: July 16, 2012

Applies To: Office 365

This topic shows how to manage the super user feature using the Windows Azure AD Rights Management module for Windows PowerShell. With this feature enabled, you can add, list or remove super users for the Rights Management service.

About the super user feature

The Rights Management super users group is a special group that has full control over all rights-protected content managed by the Rights Management service. Its members are granted full owner rights in all use licenses that are issued by the subscriber organization for which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it for content previously protected within that organization.

By default, the super users feature is not enabled and no groups or users are assigned membership to it.

Enabling and disabling the super user feature

The following demonstrates how to enable the super user feature for your organization with the Rights Management service:

Enable-AadrmSuperUserFeature
Caution
Enable the super users feature only on an as-needed basis. During normal operations it should be disabled, unless it is used to give a trusted application the ability to decrypt rights-protected content, for example so that the application can scan the content for malware.

To disable the super user feature for your organization, the following cmdlet is used:

Disable-AadrmSuperUserFeature

Adding a super user

The following demonstrates how to add a super user for the Rights Management service by specifying the email address to identify a user object to be granted super user rights:

Add-AadrmSuperUser -EmailAddress "user1@contoso.com"

Additional information

The SuperUser group is a special group that has full control over all rights-protected content managed by the Rights Management service for your organization. Its members are granted full owner rights in all use licenses that are issued by the account using the Rights Management service on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it.

List all super users

The following demonstrates how to list all the super users for the Rights Management service:

Get-AadrmSuperUser

Removing a super user

The following demonstrates how to remove a super user for the Rights Management service by specifying the email address to identify a user object to be removed from the list of super users:

Remove-AadrmSuperUser -EmailAddress "user1@contoso.com"
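
The as-needed guidance in the caution above, combined with the cmdlets in this topic, can be scripted so that access is always withdrawn when the task ends. This is an added example, not part of the original topic: the function name `Invoke-WithTemporarySuperUser` and its parameters are hypothetical, and it assumes the Rights Management module is loaded and the session is already connected to the service.

```powershell
# Added example (hypothetical helper, not a cmdlet from the module).
# Grants super user rights only for the duration of one task, then revokes them.
function Invoke-WithTemporarySuperUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$EmailAddress,   # account to elevate
        [Parameter(Mandatory = $true)][scriptblock]$Work,      # task that needs decryption
        # Set when the feature is intentionally kept on, e.g. for a trusted
        # application that scans protected content for malware.
        [switch]$LeaveFeatureEnabled
    )

    $enabledHere = $false
    $addedHere   = $false
    try {
        Enable-AadrmSuperUserFeature -ErrorAction Stop
        $enabledHere = $true

        # Text match keeps this independent of the exact output type of the cmdlet.
        $before = Get-AadrmSuperUser | Out-String
        if ($before -match [regex]::Escape($EmailAddress)) {
            Write-Warning "$EmailAddress is already a super user; leaving membership unchanged."
        }
        else {
            Add-AadrmSuperUser -EmailAddress $EmailAddress -ErrorAction Stop
            $addedHere = $true
        }

        & $Work
    }
    finally {
        # Runs on success and on failure, so the grant cannot outlive the task.
        if ($addedHere) {
            Remove-AadrmSuperUser -EmailAddress $EmailAddress
        }
        if ($enabledHere -and -not $LeaveFeatureEnabled) {
            Disable-AadrmSuperUserFeature
        }
        # Record the remaining membership for the change log or audit trail.
        $after = (Get-AadrmSuperUser | Out-String).Trim()
        Write-Output "Super users after cleanup: $after"
    }
}

# Usage with the sample address from this topic; the script block is a placeholder task.
# Invoke-WithTemporarySuperUser -EmailAddress "user1@contoso.com" -Work { <# recovery task #> }
```

Without `-LeaveFeatureEnabled` the helper disables the feature for the whole organization on exit, so use the switch if another process depends on it staying on.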
