Configure IRM to use an on-premises AD RMS server
Applies to: Exchange Online
Topic Last Modified: 2016-04-29
Information Rights Management (IRM) in Exchange Online uses Active Directory Rights Management Services (AD RMS), an information protection technology in Windows Server 2008 and later. IRM protection is applied to email by applying an AD RMS rights policy template to an email message. Usage rights are attached to the message itself so that protection occurs online and offline and inside and outside of your organization’s firewall.
This topic shows you how to configure IRM to use an AD RMS server. For details about how to accomplish the same task using Microsoft Azure Rights Management, see Configure IRM to use Azure Rights Management.
To learn more about IRM in Exchange Online, see Information Rights Management in Exchange Online.
Estimated time to complete this task: 30 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Information Rights Management" entry in the Messaging policy and compliance permissions topic.
The AD RMS server must be running Windows Server 2008 or later. For details about how to deploy AD RMS, see Installing an AD RMS Cluster.
For details about how to install and configure Windows PowerShell and connect to the service, see Connect to Exchange Online using remote PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
The first step is to export a trusted publishing domain (TPD) from the on-premises AD RMS server to an XML file. The TPD contains the following settings needed to use RMS features:
The server licensor certificate (SLC) used for signing and encrypting certificates and licenses
The URLs used for licensing and publishing
The AD RMS rights policy templates that were created with the specific SLC for that TPD
When you import the TPD, it’s stored and protected in Exchange Online.
Open the Active Directory Rights Management Services console, and then expand the AD RMS cluster.
In the console tree, expand Trust Policies, and then click Trusted Publishing Domains.
In the results pane, select the certificate for the domain you want to export.
In the Actions pane, click Export Trusted Publishing Domain.
In the Publishing domain file box, click Save As to save the file to a specific location on the local computer. Type a file name, making sure to specify the
.xmlfile name extension, and then click Save.
In the Password and Confirm Password boxes, type a strong password that will be used to encrypt the trusted publishing domain file. You will have to specify this password when you import the TPD to your cloud-based email organization.
After the TPD is exported to an XML file, you have to import it to Exchange Online. When a TPD is imported, your organization's AD RMS templates are also imported. When the first TPD is imported, it becomes the default TPD for your cloud-based organization. If you import another TPD, you can use the Default switch to make it the default TPD that is available to users.
To import the TPD, run the following command in Windows PowerShell:
Import-RMSTrustedPublishingDomain -FileData $([byte](Get-Content -Encoding byte -Path <path to exported TPD file> -ReadCount 0)) -Name "<name of TPD>" -ExtranetLicensingUrl <URL> -IntranetLicensingUrl <URL>
You can obtain the values for the ExtranetLicensingUrl and IntranetLicensingUrl parameters in the Active Directory Rights Management Services console. Select the AD RMS cluster in the console tree. The licensing URLs are displayed in the results pane. These URLs are used by email clients when content has to be decrypted and when Exchange Online needs to determine which TPD to use.
When you run this command, you’ll be prompted for a password. Enter the password that you specified when you exported the TPD from your AD RMS server.
For example, the following command imports the TPD named Exported TPD using the XML file that you exported from your AD RMS server and saved to the desktop of the Administrator account. The Name parameter is used to specify a name to the TPD.
Import-RMSTrustedPublishingDomain -FileData $([byte](Get-Content -Encoding byte -Path C:\Users\Administrator\Desktop\ExportTPD.xml -ReadCount 0)) -Name "Exported TPD" -ExtranetLicensingUrl https://corp.contoso.com/_wmcs/licensing -IntranetLicensingUrl https://rmsserver/_wmcs/licensing
For detailed syntax and parameter information, see Import-RMSTrustedPublishingDomain.
After you import the TPD, you must make sure an AD RMS rights policy template is distributed. A distributed template is visible to Outlook Web App users, who can then apply the templates to an email message.
To return a list of all templates contained in the default TPD, run the following command:
Get-RMSTemplate -Type All | fl
If the value of the Type parameter is
Archived, the template isn't visible to users. Only distributed templates in the default TPD are available in Outlook Web App.
To distribute a template, run the following command:
Set-RMSTemplate -Identity "<name of the template>" -Type Distributed
For example, the following command imports the Company Confidential template.
Set-RMSTemplate -Identity "Company Confidential" -Type Distributed
The Do Not Forward template
When you import the default TPD from your on-premises organization into Exchange Online, one AD RMS rights policy template named Do Not Forward is imported. By default, this template is distributed when you import the default TPD. You can't use the Set-RMSTemplate cmdlet to modify the Do Not Forward template.
When the Do Not Forward template is applied to a message, only the recipients addressed in the message can read the message. Additionally, recipients can't do the following:
Forward the message to another person.
Copy content from the message.
Print the message.
|The Do Not Forward template can't prevent information in a message from being copied with third-party screen capture programs, cameras, or users manually transcribing the information|
You can create additional AD RMS rights policy templates on the AD RMS server in your on-premises organization to meet your IRM protection requirements. If you create additional AD RMS rights policy templates, you have to export the TPD from the on-premises AD RMS server again and refresh the TPD in the cloud-based email organization.
After you import the TPD and distribute an AD RMS rights policy template, run the following command to enable IRM for your cloud-based email organization.
Set-IRMConfiguration -InternalLicensingEnabled $true
For detailed syntax and parameter information, see Set-IRMConfiguration.
To verify that you have successfully imported the TPD and enabled IRM, do the following:
Use the Test-IRMConfiguration cmdlet to test IRM functionality. For details, see “Example 1” in Test-IRMConfiguration.
Compose a new message in Outlook Web App and IRM-protect it by selecting Set permissions option from the extended menu ().