Plan Information Rights Management in Office 2013

 

Applies to: Office 2013, Office 365 ProPlus

Summary: Use Information Rights Management (IRM) in Office 2013 to specify permissions for accessing and using sensitive documents and messages.

Audience: IT Professionals

This article contains a summary of IRM technology and how it works in Office applications, together with links to more information about how to set up and install the required software to implement IRM in Office 2013.

Important

This article is part of the Roadmap for Office 2013 identity, authentication, and authorization for IT Professionals. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 identity.
Are you looking for help about individual Office 2013 applications? You can find this information by searching on Office.com.

In this article:

  • IRM overview

  • How IRM works in Office 2013

  • Setting up IRM for Office 2013

  • Configuring IRM settings for Office 2013

  • Configuring IRM settings for Outlook 2013

IRM overview

Azure Rights Management and Active Directory Rights Management are persistent document-level information protection technologies from Microsoft. They use permissions and authorization to help prevent sensitive information from being printed, forwarded, or copied by authorized users, or accessed by unauthorized people. After permission for a document or message is restricted by using this technology, the usage restrictions travel with the document or email message as part of the contents of the file. Microsoft Office implements support for these technologies by using Information Rights Management (IRM) features.

Note

The ability to create documents or email messages that have restricted permission by using IRM is available in Office Professional Plus 2013, and in the stand-alone versions of Excel 2013, Outlook 2013, PowerPoint 2013, InfoPath 2013, and Word 2013. IRM content that is created in Office 2013 can be viewed in Office 2007, Office 2010, or Office 2013.
For more information about IRM and Active Directory Rights Management Services (AD RMS) features that are supported in Office 2013, Office 2010, and Office 2007, see AD RMS and Microsoft Office Deployment Considerations. For information about IRM and Azure RMS see How applications support Azure Rights Management and What is Azure Rights Management.

IRM support in Office 2013 helps organizations and knowledge workers address two fundamental needs:

  • Restricted permissions for sensitive information IRM helps protect sensitive information from unauthorized access and reuse. Organizations rely on firewalls, logon security-related measures, and other network technologies to help protect sensitive intellectual property. A basic limitation of using these technologies is that legitimate users who have access to the information can share it with unauthorized people. This could lead to a potential breach of security policies.

  • Information privacy, control, and integrity Information workers often work with confidential or sensitive information. By using IRM, employees do not have to depend on the discretion of other people to ensure that sensitive materials remain inside the company. IRM prevents users' ability to forward, copy, or print confidential information by disabling those functions in documents and messages that use restricted permissions.

For information technology (IT) managers, IRM helps enable the enforcement of existing corporate policies about document confidentiality, workflow, and email retention. For executives and security officers, IRM reduces the risk of having key company information fall into the hands of the wrong people, whether by accident, thoughtlessness, or malicious intent.

How IRM works in Office 2013

Office users apply permissions to messages or documents by using options in the File menu; for example, by using the Restrict Access command, under Info, Protect Document. The protection options that are available are based on Rights Policy Templates that you can customize for your organization. Rights Policy Templates are groups of IRM rights that you package together in a predefined policy users can apply to their documents. Office 2013 also provides a predefined Do Not Forward option which grants specific rights to the recipients of an email. To learn more about Rights Policy Templates see Configuring Custom Templates for Azure Rights Management.

Note

In addition to using the options in the Office File menu, users can select Share Protected from the Office ribbon when you install the Rights Management sharing application for Windows. This application also enables additional functionality, such as the ability to track consumption of shared documents. For more information, see Rights Management Sharing Application for Windows.

To IRM protect a document in Office 2013, you must have an on-premises AD RMS server or an Azure RMS subscription either as part of Office 365 or as a standalone service.

Using IRM with an RMS server

Enabling IRM in your organization requires access to a computer running Active Directory Rights Management Services (AD RMS) for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, or to a cloud tenant with an Azure RMS subscription. The permissions are enforced by using authentication, typically by using Active Directory Domain Services (AD DS) or Azure Active Directory.

Organizations can define the permissions policies that appear in Office applications by creating Rights Policy Templates. For example, you might define a Rights Policy Template named Marketing Confidential, which specifies that documents or email messages that use the policy can only be opened by users inside that department. While there is no limit to the number of permission policies that can be created, Office can only display up to 20 policy templates at a time. Azure Rights Management provides two pre-defined organization-wide templates to which you can either add your own custom templates, or alternatively you can disable the templates if you want.

Note

SharePoint supports the automatic application of IRM policies on documents that are stored in document libraries. By using this option, you can control which actions users can take on documents when they open them from libraries in SharePoint. This differs from IRM applied to documents stored on client computers, where the owner of a document can choose which rights to assign to each user of the document. For more information about how to use IRM with document libraries, see Document library planning (SharePoint Foundation 2010).

With AD RMS on Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, users can share rights-protected documents between companies that have a federated trust relationship. For more information, see Active Directory Rights Management Services Overview and Federating AD RMS. With Azure RMS, the ability to securely collaborate between organizations is built-in and doesn't require you to complete any special configuration.

While the ability to create and consume protected emails in Outlook 2013 does not require any special configuration in the email server, Exchange Server 2013 offers additional IRM-protected email functionality including RMS protection for Unified Messaging voice mail messages and Outlook protection rules that can automatically apply IRM-protection to messages in Outlook 2013 before they leave the Outlook client. Additionally, enabling IRM integration in Exchange Server allows users to create and consume protected emails in Outlook Web App and in Exchange ActiveSync IRM-enabled mobile devices. For more information, see What’s New in Exchange 2013 and Understanding Information Rights Management.

Setting up IRM for Office 2013

Applying IRM permissions to documents or email messages requires the following:

  • Access to AD RMS for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, or to Azure Rights Management in order obtain licenses to consume content.

  • Rights Management client software. This client software is included in Windows Vista and later versions. The Rights Management sharing applications provides an optional add-on that enhances IRM functionality in Office.

  • Microsoft Office 2007, Office 2010, or Office 2013. Only specific editions of Office enable users to create IRM permissions.

Setting up RMS server access

AD RMS and Azure RMS manage licensing and other server functions that work with IRM to provide rights management to client applications such as Office 2013. An RMS-enlightened client program, such as Office 2013, lets users create and view rights-protected content.

To learn more about how RMS works and how to install and configure an RMS server or enable cloud-based Azure RMS, see, the Microsoft Rights Management Services home page.

Installing the Rights Management client software

RMS client software is included in Windows Vista, Windows 7, Windows 8, and Windows 8.1. In order to enable the additional IRM functionality in Office by using the RMS sharing application, users can install it themselves or administrators can automatically deploy it for users.

Defining and deploying Rights Policy Templates for Office 2013

As in Office 2007 and Office 2010, Office 2013 includes the option for users to apply individual rights to documents and messages, such as Read and Change in Word 2013, Excel 2013, and PowerPoint 2013. In Outlook you can use the Do Not Forward option that allows you to confidently share email, granting only limited rights to the intended recipients of the message. You can also define custom rights policy templates for your organization that are deployed to clients automatically so they can be applied by users in one click.

You create and manage rights policy templates by using the administration site on your RMS or AD RMS server. For information about how to create, configure, and post custom permissions policy templates, see AD RMS Rights Policy Templates Deployment Step-by-Step Guide. For Exchange Server 2010 Outlook protection rules, see Understanding Outlook Protection Rules.

The rights that you can include in permissions policy templates for Office 2013 are listed in the following sections.

IRM rights

Each IRM right that is listed in the following table can be enforced by Office 2013 applications that are configured to work with Azure RMS or AD RMS.

IRM permissions rights

IRM right Description

Full Control

Gives the user every right that is listed in this table, and the right to change permissions that are associated with content. Expiration does not apply to users who have Full Control.

View

Allows the user to open IRM content. This corresponds to Read Access in the Office 2013 user interface.

Edit

Allows the user to modify the document's content. This includes the ability to sort and filter content in Excel.

Save

Allows the user to save a file.

Extract

Allows the user to make a copy of any part of a file and paste that part of the file into the work area of another application.

Export

Allows the user to save content in another file format by using the Save As command. Depending on the application that uses the file format that you select, the content might be saved without protection.

Print

Allows the user to print the contents of a file.

Allow Macros

Allows the user to run macros against the contents of a file, as well as perform programmatic access to content from other applications and link to content across worksheets.

Forward

Allows an email recipient to forward an IRM email message and to add or remove recipients from the To: and Cc: lines. This right does not imply the ability to grant rights to additional users, and even if a user is forwarded the content, if that user is not granted rights by the template then the user will be prevented from opening the content. Not granting this right in a template is not equivalent to using the Do Not Forward option in Outlook, since that option grants rights only to the users specified in the To: and Cc: lines of the email.

Reply

Allows email recipients to reply to an IRM email message.

Reply All

Allows email recipients to reply to all users on the To: and Cc: lines of an IRM email message.

View Rights

Gives the user permission to view the rights associated with a file. Office ignores this right.

Predefined groups of permissions

Office 2013 provides the following predefined groups of rights that users can choose from when they create IRM content. The options are available in the Permission dialog box for Word 2013, Excel 2013, and PowerPoint 2013. In the Office application, select the File tab, choose Info, choose the Protect Document button, select Restrict Access, and then choose from the Rights Policy Templates listed, which are populated from the Rights Management server or service, or choose Restricted Access, which will give you the option of selecting one of the predefined permission groups for each individual user.

Predefined read/change permissions groups

IRM predefined group Description

Read

Users who have Read permission have View rights.

Change

Users who have Change permission have rights to View, Edit, Extract, and Save.

In Outlook 2013, users can select the following predefined group of rights when they create an email item. To access the option from the email item, choose File, Info, and then Set Permissions. Next, choose from the Rights Policy Templates listed, which are populated by the Rights Management server or service, or choose Do Not Forward, which implements the following rights.

Predefined “Do not forward” group

IRM predefined group Description

Do Not Forward

In Outlook, Do Not Forward to an email grants users on the To:, Cc:, and Bcc: lines the View, Edit, Reply, and Reply All rights.

Advanced permissions

In Word 2013, Other IRM permissions can be specified for parts of a document. From Info, Protect Document, choose Restrict Editing, and select the More Users option to add users with rights to edit the indicated sections of a document. For even more restriction options, choose Restrict permission at the bottom of the Restrict Editing panel. For example, users can specify an expiration date, restrict other users from printing or copying content, and so on.

Configuring IRM settings for Office 2013

You can lock down many settings to customize IRM by using the Office Group Policy template (Office15.admx). Use this Group Policy Template to configure Group Policy Objects in Active Directory and should not be confused with the Rights Policy Templates already described in this document. You can also use the Office Customization Tool (OCT) to configure default settings, which enables users to configure the settings. In addition, there are IRM configuration options that can only be configured by using registry key settings.

Office 2013 IRM settings

The settings that you can configure for IRM in Group Policy and by using the OCT are listed in the following table. In Group Policy, these settings are under User Configuration\Administrative Templates\Microsoft Office 2013\Manage Restricted Permissions. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

IRM settings for Group Policy or the OCT

IRM option Description

Active Directory time-out for querying one entry for group expansion

Specify the time-out value for querying an Active Directory entry when you expand a group.

Additional permissions request URL

Specify the location where a user can obtain more information about how to access the IRM content when consuming content protected in this client.

Always expand groups in Office when restriction permission for documents

Group name is automatically expanded to display all the members of the group when users apply permissions to a document by selecting a group name in the Permission dialog box.

Always require users to connect to verify permission

Users who open a rights-managed Office document must connect to the RMS service to verify that they are still entitled to consume the content by acquiring a new IRM license.

Never allow users to specify groups when restricting permission for documents

Return an error when users select a group in the Permission dialog box: ''You cannot publish content to Distribution Lists. You may only specify email addresses for individual users.''

Prevent users from changing permission on rights managed content

If enabled, users can consume content that already includes IRM permissions, but cannot apply IRM permissions to new content nor configure the rights on a document.

Turn off Information Rights Management user interface

Disable all Rights Management-related options within the user interface of all Office applications.

For more information about how to customize these settings, see Configure Information Rights Management in Office 2013.

Office 2013 IRM registry key options

The settings that you can configure for IRM in the registry are listed in the following tables.

The following IRM registry settings are located in HKCU\Software\Microsoft\Office\15.0\Common\DRM.

IRM registry key options

Registry entry Type Value Description

RequestPermission

DWORD

1 = The box is checked.

0 = The box is cleared.

This registry key toggles the default value of the Users can request additional permissions from check box.

DoNotUseOutlookByDefault

DWORD

0 = Outlook is used

1 = Outlook is not used

The Permission dialog box uses Outlook to validate email addresses that are entered in that dialog box. This causes an instance of Outlook to be started when restricting permissions. Disable the option by using this key.

The following IRM registry setting is located in HKCU\Software\Microsoft\Office\15.0\Common\DRM\LicenseServers. There is no corresponding Group Policy setting.

IRM registry setting for license servers

Registry entry Type Value Description

LicenseServers

Key/Hive. Contains DWORD values that have the name of a license server.

Set to the server URL. If the value of the DWORD is 1, Office will not prompt to obtain a license, it will get the license automatically.

If the value is zero or there is no registry entry for that server, Office prompts for a license.

Example: If ‘https://contoso.com/_wmcs/licensing = 1’ is a value for this setting, a user who tries to obtain a license from that server to open a rights-managed document will not be prompted for authorization. This is the same as the user selecting the checkbox asking not to be notified again the first time that they consume the content.

The following IRM registry setting is located in HKCU\Software\Microsoft\Office\15.0\Common\Security. There is no corresponding Group Policy setting.

IRM registry settings for security

Registry entry Type Value Description

DRMEncryptProperty

DWORD

1 = The file metadata is encrypted.

0 = The metadata is stored in plaintext. The default value is 0.

Specify whether to encrypt all metadata that is stored inside a rights-managed document.

Encrypted metadata is not compatible with Azure Information Protection labels. If you use these labels, do not set the value to 1.

For Open XML Formats (for example, docx, xlsx, pptx, and so on), users can decide to encrypt the Office metadata that is stored inside a rights-managed file, or leave metadata content as not encrypted so other applications, such as the FCI functionality in a Windows File Server, can access the data.

Users can choose to encrypt the metadata by setting a registry key. You can set a default option for users by deploying the registry setting. There is no option for encrypting some of the metadata: all metadata is encrypted or none is encrypted.

In addition, the DRMEncryptProperty registry setting does not determine whether non-Office client metadata storage, such as metadata created by SharePoint 2013, is encrypted.

Configuring IRM settings for Outlook 2013

In Outlook 2013, users can create and send email messages that have restricted permission to help prevent messages from being forwarded, printed, or copied. Office 2013 documents, workbooks, and presentations that are attached to messages that have restricted permission are also automatically restricted.

As an Outlook administrator, you can configure several options for IRM email, such as disabling IRM or configuring local license caching.

The following IRM settings and features can be useful when you configure rights-managed email messaging:

  • Configure automatic license caching for IRM.

  • Help enforce an email message expiration period.

  • Do not use Outlook for validating email addresses for IRM permissions.

Note

To disable IRM in Outlook, you must disable IRM for all Office applications. There is no separate option to disable IRM only in Outlook.

Outlook 2013 IRM settings

You can lock down most settings to customize IRM for Outlook by using the Outlook Group Policy template (Outlk15.admx) or the Office Group Policy template (Office15.admx). Or, you can configure default settings for most options by using the Office Customization Tool (OCT), which enables users to configure the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

Outlook IRM options

Location IRM option Description

Microsoft Outlook 2013\Miscellaneous

Do not download rights permissions license information for IRM email during Exchange folder sync

Enable to prevent license information from being cached locally. If enabled, users must connect to the network to retrieve license information to open rights-managed email messages. This doesn't affect Exchange prelicensing which is performed at the server.

Microsoft Outlook 2010\Outlook Options\Email Options\ Advanced Email Options

When sending a message

To enforce email expiration, enable and enter the number of days before a message expires. The expiration period is enforced only when users send rights-managed email and the message can't be accessed after the expiration period.

For more information about how to customize these settings, see Configure Information Rights Management in Office 2013.

Outlook 2013 IRM registry key options

The Permission dialog box uses Outlook to validate email addresses that are entered in that dialog box. This causes an instance of Outlook to start when permissions are restricted. You can disable this option by using the registry key that is listed in the following table. There is no corresponding Group Policy or OCT setting for this option.

The following IRM registry setting is located in HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\DRM.

Outlook IRM registry key options

Registry entry Type Value Description

DoNotUseOutlookByDefault

DWORD

0 = Outlook is used

1 = Outlook is not used

Disable the option by using this key.

See also

Roadmap for Office 2013 identity, authentication, and authorization

Active Directory Rights Management Services
Understanding Information Rights Management
Plan document libraries (Windows SharePoint Services)