Activating Azure Rights Management
Updated: August 1, 2015
Applies To: Azure Rights Management, Office 365
When you activate Azure Rights Management (Azure RMS), your organization can start to protect important data by using applications and services that support this information protection solution. Administrators can also manage and monitor protected files and emails that your organization owns. You must enable Rights Management before you can begin to use the information rights management (IRM) features within Office, SharePoint, and Exchange, and protect any sensitive or confidential file.
If you want to learn more about Azure Rights Management before you activate the service—for example, what business problems it solves, some typical use cases, and how it works—see What is Azure Rights Management?
Before you activate Rights Management, make sure that your organization has a service plan that includes Rights Management services. If not, you will not be able to activate Azure RMS.
After you have activated Azure RMS, all users in your organization can apply information protection to their files, and all users can open (consume) files that have been protected by Azure RMS. However, if you prefer, you can restrict who can apply information protection, by using onboarding controls for a phased deployment. For more information, see the Configuring onboarding controls for a phased deployment section in this topic.
Use one of the following procedures to activate Rights Management.
You can also use the Windows PowerShell cmdlet, Enable-Aadrm, to activate Rights Management.
To activate Rights Management from the Office 365 admin center
After you have signed up for an Office 365 plan that includes Rights Management, sign in to Office 365 with your work or school account that is an administrator for your Office 365 deployment.
If the Office 365 admin center does not automatically display, select the app launcher icon in the upper-left and choose Admin. The Admin tile appears only to Office 365 administrators.
For admin center help, see About the Office 365 admin center - Admin Help.
In the left pane, expand SERVICE SETTINGS.
Click Rights Management.
If you do not see this option, it might be because your service plan or product version cannot support Rights Management, or it has not yet been upgraded to support Rights Management.
Use the information in the Cloud subscriptions that support Azure RMS section in the Requirements for Azure Rights Management topic to confirm support. If your service plan or product version is supported but you do not see the Rights Management option, it might be because the service is not yet upgraded. For help with this issue, send an email message to askipteam.
On the RIGHTS MANAGEMENT page, click Manage.
On the rights management page, click activate.
When prompted Do you want to activate Rights Management?, click activate.
You should now see Rights management is activated and the option to deactivate.
To activate Rights Management from the Azure Management Portal
After you have signed up for your Azure account, sign in to the Azure Management Portal.
In the left pane, click ACTIVE DIRECTORY.
From the active directory page, click RIGHTS MANAGEMENT.
Select the directory to manage for Rights Management, click ACTIVATE, and then confirm your action.
If you see an activation error, it might be because your service plan or product version cannot support Rights Management.
Use the information in the Cloud subscriptions that support Azure RMS section in the Requirements for Azure Rights Management topic to confirm RMS support. For help with this issue, send an email message to askipteam.
The RIGHTS MANAGEMENT STATUS should now display Active and the ACTIVATE option is replaced with DEACTIVATE.
In addition to the Active status, which indicates that the Rights Management service is enabled and ready to use, you might also see Inactive, Unavailable, or Unauthorized.
Rights Management is enabled and ready for use.
Rights Management is disabled and must be activated before your organization can protect files.
The Rights Management service is down. Try again later.
You do not have permissions to view the status of the Rights Management service. For example, your account is locked out or you are not the global administrator for the selected tenant.
If you don’t want all users to be able to protect files immediately by using Azure RMS, you can configure user onboarding controls by using the Set-AadrmOnboardingControlPolicy Windows PowerShell command. You can run this command before or after you activate Azure RMS.
To use this command, you must have at least version 18.104.22.168 of the Azure RMS Windows PowerShell module.
To check the version you have installed, run: (Get-Module aadrm –ListAvailable).Version
For example, if you initially want only administrators in the “IT department” group (that has an object ID of fbb99ded-32a0-45f1-b038-38b519009503) to be able to protect content for testing purposes, use the following command:
Set-AadrmOnboardingControlPolicy – SecurityGroupObjectId fbb99ded-32a0-45f1-b038-38b519009503
Note that for this configuration option, you must specify a group; you cannot specify individual users.
Or, if you want to ensure that only users who are correctly licensed to use Azure RMS can protect content:
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true
When you use these onboarding controls, all users in the organization can always consume protected content that has been protected by your subset of users, but they won’t be able to apply information protection themselves from client applications. For example, they won’t see in their Office clients the default templates that are automatically published when Azure RMS is activated, or custom templates that you might configure. Server-side applications, such as Exchange, can implement their own per-user controls for RMS-integration to achieve the same result.
Now that you’ve activated Azure Rights Management for your organization, use the Azure Rights Management Deployment Roadmap to check whether there are other configuration steps that you might need to do before you roll out Azure Rights Management to users and administrators. For example, you might want to use custom templates to make it easier for users to apply information protection to files, connect your on-premises servers to use Azure Rights Management by installing the RMS connector, and deploy the Rights Management sharing application that supports protecting all file types on all devices. Office services, such as Exchange Online and SharePoint Online require additional configuration before you can use their Information Rights Management (IRM) features. However, if there are no other configuration steps that you need to do, see Using Azure Rights Management for operational guidance to support a successful deployment for your organization.
For information about how your applications work with Azure Rights Management, see How Applications Support Azure Rights Management.