Information Rights Management in Exchange Online
Applies to: Exchange Online
Topic Last Modified: 2013-04-09
People often use email to exchange sensitive information, such as financial data, legal contracts, confidential product information, sales reports and projections, patient health information, or customer and employee information. As a result, mailboxes can become repositories for large amounts of potentially sensitive information, and information leakage can become a serious threat to your organization.
To help prevent information leakage, Exchange Online includes Information Rights Management (IRM) functionality that provides online and offline protection of email messages and attachments. IRM protection can be applied by users in Microsoft Outlook or Outlook Web App, and it can be applied by administrators using transport protection rules or Outlook protection rules. IRM helps you and your users control who can access, forward, print, or copy sensitive data within an email.
Exchange Online IRM uses Active Directory Rights Management Services (AD RMS), an information protection technology in Windows Server 2008 and later. IRM protection is applied to email by applying an AD RMS rights policy template to an email message. Usage rights are attached to the message itself so that protection occurs online and offline and inside and outside of your organization’s firewall.
Users can apply a template to an email message to control the permissions recipients have on a message. Actions such as forwarding a message, extracting information from it, saving it, or printing it can be controlled by applying an AD RMS rights policy to the message.
You can configure IRM to use either of the following AD RMS services:
- An AD RMS server running Windows Server 2008 or later. You can use this AD RMS server to manage the AD RMS rights policy templates for your cloud-based organization. Outlook also relies on the AD RMS server to enable users to apply IRM protection to messages they send. For details, see Configure IRM to Use an On-Premises AD RMS Server.
- Windows Azure Active Directory Rights Management, an information protection technology in Office 365. For details, see Configure IRM to use Windows Azure Active Directory Rights Management. To learn more, see What is Windows Azure Active Directory Rights Management?
After it’s enabled, IRM protection can be applied to messages as follows:
- Users can manually apply a template using Outlook and Outlook Web App: Users can apply an AD RMS rights policy template to an email message by selecting the template from the Set permissions list. When users send an IRM-protected message, any attached files that use a supported format also receive the same IRM protection as the message. IRM protection is applied to files associated with Word, Excel, and PowerPoint, as well as .xps files and attached email messages.
- Administrators can use transport protection rules to apply IRM protection automatically to both Outlook and Outlook Web App: You can create transport protection rules to IRM-protect messages. Configure the transport protection rule action to apply an AD RMS rights policy template to messages that meet the rule condition. After you enable IRM, your organization's AD RMS rights policy templates are available to use with the transport protection rule action called "Apply rights protection to the message with".
- Administrators can create Outlook protection rules: Outlook protection rules automatically apply IRM protection to messages in Outlook 2010 (not Outlook Web App) based on message conditions that include the sender's department, who the message is sent to, and whether recipients are inside or outside your organization. For details, see Create an Outlook Protection Rule.
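An added example, not part of the original topic, showing the two administrator-driven options above (a transport protection rule and an Outlook protection rule) in Exchange Online PowerShell. It assumes a connected Exchange Online PowerShell session; the template name 'Do Not Forward', the rule names, the subject keyword and the department are illustrative values.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already open.
# Template name, rule names, keyword and department are constructed values.
$templateName = 'Do Not Forward'

# 1. Confirm IRM is enabled before building rules that depend on it.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'IRM is not enabled (InternalLicensingEnabled is False).'
}

# 2. Confirm the AD RMS rights policy template is available to the organization.
#    A rule that references a missing template cannot protect anything.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    throw "AD RMS rights policy template '$templateName' was not found."
}

# 3. Transport protection rule: applied in transport, so it covers messages
#    sent from both Outlook and Outlook Web App.
New-TransportRule -Name 'IRM - Protect confidential subjects' `
    -SubjectContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate $templateName

# 4. Outlook protection rule: applied in Outlook 2010 before the message is sent.
#    Conditions here are the sender's department and recipient scope.
#    UserCanOverride $false stops senders from removing the protection.
New-OutlookProtectionRule -Name 'IRM - Legal internal mail' `
    -FromDepartment 'Legal' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate $templateName `
    -UserCanOverride $false

# 5. Review which rules now apply rights protection.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, ApplyRightsProtectionTemplate

Get-OutlookProtectionRule |
    Format-Table Name, Enabled, ApplyRightsProtectionTemplate, UserCanOverride
```

Leaving `-UserCanOverride` unset lets senders remove the protection in Outlook, so set it explicitly when the rule is meant to be mandatory.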