Set-IRMConfiguration

 

Applies to: Exchange Online, Exchange Server 2016

Topic Last Modified: 2017-11-16

This cmdlet is available in on-premises Exchange Server 2016 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Set-IRMConfiguration cmdlet to configure Information Rights Management (IRM) features in your organization.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Important:
Configuring and using IRM features in an on-premises Exchange organization requires Active Directory Rights Management Services (AD RMS).

Set-IRMConfiguration [-AzureRMSLicensingEnabled <$true | $false>] [-ClientAccessServerEnabled <$true | $false>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-EDiscoverySuperUserEnabled <$true | $false>] [-ExternalLicensingEnabled <$true | $false>] [-Force <SwitchParameter>] [-InternalLicensingEnabled <$true | $false>] [-JournalReportDecryptionEnabled <$true | $false>] [-LicensingLocation <MultiValuedProperty>] [-PublishingLocation <Uri>] [-RefreshServerCertificates <SwitchParameter>] [-RMSOnlineKeySharingLocation <Uri>] [-SearchEnabled <$true | $false>] [-ServiceLocation <Uri>] [-SimplifiedClientAccessEnabled <$true | $false>] [-TransportDecryptionSetting <Disabled | Optional | Mandatory>] [-WhatIf [<SwitchParameter>]]

This example enables journal report decryption.

Set-IRMConfiguration -JournalReportDecryptionEnabled $true

This example enables transport decryption and enforces decryption. When decryption is enforced, messages that can't be decrypted are rejected, and an NDR is returned.

Set-IRMConfiguration -TransportDecryptionSetting Mandatory

This example enables licensing for external messages.

Set-IRMConfiguration -ExternalLicensingEnabled $true
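The following is an added example, not part of the original topic. It compares an IRM configuration object (as returned by the companion Get-IRMConfiguration cmdlet) against a desired baseline and lists the settings that differ, so a change can be previewed with -WhatIf before it is applied. The helper name Compare-IrmBaseline, the baseline values, and the sample object are assumptions made for illustration.

```powershell
# Added example: report drift between an IRM configuration and a desired baseline.
# Compare-IrmBaseline is a hypothetical helper, not an Exchange cmdlet.
function Compare-IrmBaseline {
    param(
        [Parameter(Mandatory)] $Current,              # object from Get-IRMConfiguration
        [Parameter(Mandatory)] [hashtable] $Baseline  # setting name -> desired value
    )
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $prop = $Current.PSObject.Properties[$name]
        if ($null -eq $prop) {
            # Some settings exist only on-premises or only in the cloud-based service.
            [pscustomobject]@{ Setting = $name; Current = '<not present>'
                               Desired = $Baseline[$name]; Drift = $true }
            continue
        }
        [pscustomobject]@{
            Setting = $name
            Current = $prop.Value
            Desired = $Baseline[$name]
            # Compare as strings so Boolean and enum values are handled the same way.
            Drift   = ("$($prop.Value)" -ne "$($Baseline[$name])")
        }
    }
}

# Illustrative baseline (assumed values, not recommended settings).
$baseline = @{
    JournalReportDecryptionEnabled = $true
    TransportDecryptionSetting     = 'Mandatory'
    EDiscoverySuperUserEnabled     = $false
}

# Constructed sample standing in for Get-IRMConfiguration output so this runs offline.
$current = [pscustomobject]@{
    JournalReportDecryptionEnabled = $true
    TransportDecryptionSetting     = 'Optional'
    EDiscoverySuperUserEnabled     = $true
}

$drift = Compare-IrmBaseline -Current $current -Baseline $baseline | Where-Object Drift
$drift | Format-Table Setting, Current, Desired

# In a live Exchange session, replace $current with (Get-IRMConfiguration),
# then preview the correction without applying it:
#   $fix = @{}; $drift | ForEach-Object { $fix[$_.Setting] = $_.Desired }
#   Set-IRMConfiguration @fix -WhatIf
```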

IRM requires the use of an on-premises AD RMS server or the ILS service. IRM features can be selectively enabled or disabled.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Information Rights Management (IRM) configuration" entry in the Messaging policy and compliance permissions in Exchange 2016 topic.

 

Parameter Required Type Description

AzureRMSLicensingEnabled

Optional

System.Boolean

This parameter is available only in the cloud-based service.

The AzureRMSLicensingEnabled parameter specifies whether the Exchange Online organization can connect directly to Azure Rights Management. Valid values are:

  • $true   The Exchange Online organization can connect directly to Azure Rights Management. This enables data encryption policies.

  • $false   The Exchange Online organization can't connect directly to Azure Rights Management.

ClientAccessServerEnabled

Optional

System.Boolean

The ClientAccessServerEnabled parameter specifies whether to enable IRM for Outlook on the web (formerly known as Outlook Web App) and Exchange ActiveSync. Valid values are:

  • $true   IRM is enabled for Outlook on the web and Exchange ActiveSync. This is the default value. Note that enabling IRM in Outlook on the web requires additional configuration on AD RMS servers. For more information, see Information Rights Management in Outlook Web App.

  • $false   IRM is disabled for Outlook on the web and Exchange ActiveSync.

Confirm

Optional

System.Management.Automation.SwitchParameter

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on whether the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.

  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you to acknowledge the command before proceeding.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

This parameter is available only in on-premises Exchange 2016.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.

EDiscoverySuperUserEnabled

Optional

System.Boolean

The EDiscoverySuperUserEnabled parameter specifies whether members of the Discovery Management role group can access IRM-protected messages in a discovery mailbox that were returned by a discovery search. Valid values are:

  • $true   Members of the Discovery Management role group can access IRM-protected messages in discovery mailboxes.

  • $false   Members of the Discovery Management role group can't access IRM-protected messages in discovery mailboxes.

For more information about In-Place eDiscovery and IRM-protected messages, see In-Place eDiscovery in Exchange 2016.

ExternalLicensingEnabled

Optional

System.Boolean

The ExternalLicensingEnabled parameter specifies whether to enable IRM features for messages that are sent to external recipients. Valid values are:

  • $true   IRM features are enabled for external messages. This is the default value in Exchange Online.

  • $false   IRM features are disabled for external messages. This is the default value in on-premises Exchange.

Force

Optional

System.Management.Automation.SwitchParameter

The Force switch specifies whether to suppress the confirmation prompt that appears when you modify the InternalLicensingEnabled parameter. You don't need to specify a value with this switch.

InternalLicensingEnabled

Optional

System.Boolean

The InternalLicensingEnabled parameter specifies whether to enable IRM features for messages that are sent to internal recipients. Valid values are:

  • $true   IRM features are enabled for internal messages. This is the default value in Exchange Online.

  • $false   IRM features are disabled for internal messages. This is the default value in on-premises Exchange. Note that this value causes the Get-RMSTemplate cmdlet to return no AD RMS templates.

JournalReportDecryptionEnabled

Optional

System.Boolean

The JournalReportDecryptionEnabled parameter specifies whether to enable journal report decryption. Valid values are:

  • $true   Journal report decryption is enabled. A decrypted copy of the IRM-protected message is attached to the journal report. This is the default value. Note that journal report decryption requires additional configuration on AD RMS servers. For more information, see Journal report decryption.

  • $false   Journal report decryption is disabled.

LicensingLocation

Optional

Microsoft.Exchange.Data.MultiValuedProperty

This parameter is available only in on-premises Exchange 2016.

The LicensingLocation parameter specifies additional AD RMS licensing URLs in on-premises Exchange deployments. You can specify multiple URL values separated by commas.

Typically, you only need to use this parameter in cross-forest deployments of AD RMS licensing servers.

PublishingLocation

Optional

System.Uri

This parameter is available only in the cloud-based service.

The PublishingLocation parameter specifies the AD RMS publishing URL.

RefreshServerCertificates

Optional

System.Management.Automation.SwitchParameter

This parameter is available only in on-premises Exchange 2016.

The RefreshServerCertificates switch clears all Rights Account Certificates (RACs), Computer Licensor Certificates (CLCs), and cached AD RMS templates from all Exchange servers in the organization. You don't need to specify a value with this switch.

Clearing RACs, CLCs, and cached templates might be required during troubleshooting or after changing keys on the AD RMS cluster in your organization. For more information about RACs and CLCs, see Understanding AD RMS Certificates.

RMSOnlineKeySharingLocation

Optional

System.Uri

This parameter is available only in the cloud-based service.

The RMSOnlineKeySharingLocation parameter specifies the Azure Rights Management URL that's used to get the trusted publishing domain (TPD) for the Exchange Online organization.

SearchEnabled

Optional

System.Boolean

The SearchEnabled parameter specifies whether to enable searching of IRM-encrypted messages in Outlook on the web. Valid values are:

  • $true   Searching IRM-encrypted messages in Outlook on the web is enabled. This is the default value.

  • $false   Searching IRM-encrypted messages in Outlook on the web is disabled.

ServiceLocation

Optional

System.Uri

This parameter is available only in the cloud-based service.

The ServiceLocation parameter specifies the AD RMS service URL.

SimplifiedClientAccessEnabled

Optional

System.Boolean

This parameter is available only in the cloud-based service.

The SimplifiedClientAccessEnabled parameter specifies whether to enable the Protect button in Outlook on the web. Valid values are:

  • $true   The Protect button is enabled in Outlook on the web.

  • $false   The Protect button is disabled in Outlook on the web. This is the default value.

TransportDecryptionSetting

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.TransportDecryptionSetting

The TransportDecryptionSetting parameter specifies the transport decryption configuration. Valid values are:

  • Disabled   Transport decryption is disabled for internal and external messages.

  • Mandatory   Messages that can't be decrypted are rejected with a non-delivery report (also known as an NDR or bounce message).

  • Optional   Messages are decrypted if possible, but are delivered even if decryption fails. This is the default value.

WhatIf

Optional

System.Management.Automation.SwitchParameter

The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet returns, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

 