
What’s New with Information Rights Management in SharePoint and SharePoint Online?

by Barak Cohen, Lead PM Document Protection Services; Neil Wang, SDET Document Protection Services

Document protection in the cloud

The new Office is the first release to bring document protection with Information Rights Management (IRM) services to the cloud. Office 365 users can get a service plan that includes IRM capabilities powered by a new document protection service, Windows Azure AD Rights Management (AADRM), which is part of Office 365 Enterprise Plan 3 and Plan 4 and Academic Plan 3 and Plan 4. This mirrors the ability to assign a Windows Rights Management Services (RMS) server to an on-premises SharePoint installation. Tenant admins configure SharePoint Online to work with the service on their SharePoint Online Tenant Settings page:
Figure 1. Enabling IRM service in Office 365 SharePoint Online Tenant Settings page

Note, however, that the AADRM rights management service is not on by default in the SKUs listed above; tenant admins have to enable it for their tenancy. Clicking the Refresh IRM Settings button on the Tenant Settings page queries the Office 365 directory for the AADRM settings and refreshes the settings in SharePoint Online.

To enable AADRM for an Office 365 tenant, activate the service at this link: https://activedirectory.windowsazure.com/RmsOnline/Manage.aspx?brandContextID=O365. (As mentioned above, you need an Office 365 plan that includes AADRM, and you must sign in with your Office 365 tenant admin credentials.) This Rights Management page can also be reached through the Information Protection menu on the Office 365 admin page.

Figure 2. Enabling AADRM rights management for Office 365 tenant on the AADRM portal

You can also enable the service manually from Windows PowerShell:

  1. Download the Windows Azure AD Rights Management administration module (WindowsAzureADRightsManagementAdministration.exe) for Windows PowerShell from here.
  2. From the local folder where you downloaded and saved the Rights Management installer file, double-click WindowsAzureADRightsManagementAdministration.exe to launch installation of the Rights Management administration module.
  3. Open Windows PowerShell, and then type the following commands:
      Import-Module AADRM
      Connect-AadrmService -Verbose
  4. Enter your Office 365 Preview credentials when prompted. For example: user@company.onmicrosoft.com
  5. Type the following commands:
      Enable-Aadrm
      Disconnect-AadrmService
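The steps above as one script, added here as an example and not code from the original post: it checks the tenant's activation state before doing anything, enables the service only if it is still disabled, and verifies the result before disconnecting. It assumes the AADRM administration module from step 1 is installed; the admin account is entered interactively, and the Get-AadrmConfiguration property names are those of the released module.

```powershell
# Added example (not from the original post): idempotent AADRM activation with verification.
Import-Module AADRM

# Prompt for the tenant admin account rather than embedding a password in the script.
$cred = Get-Credential -Message "Office 365 tenant admin (for example admin@contoso.onmicrosoft.com)"
Connect-AadrmService -Credential $cred -Verbose

try {
    # Get-Aadrm reports the tenant's activation state ("Enabled" or "Disabled").
    $state = Get-Aadrm
    if ($state -eq "Enabled") {
        Write-Host "Rights Management is already enabled for this tenant; no change made."
    } else {
        Enable-Aadrm
        # Read the state back instead of assuming the cmdlet succeeded.
        $state = Get-Aadrm
        if ($state -ne "Enabled") {
            throw "Enable-Aadrm ran, but the service still reports '$state'."
        }
        Write-Host "Rights Management enabled for this tenant."
    }

    # Record the service identity and endpoint URLs for your change log; these are the
    # values SharePoint Online needs once you click Refresh IRM Settings in the tenant UI.
    # (Property names assumed from the released AADRM module.)
    Get-AadrmConfiguration |
        Format-List RightsManagementServiceId,
                    LicensingIntranetDistributionPointUrl,
                    CertificationIntranetDistributionPointUrl
} finally {
    # Always drop the session, even if the enable step threw.
    Disconnect-AadrmService
}
```

Run it a second time and it should report that the service is already enabled without touching anything; that is the behaviour you want in a provisioning script that may be re-run.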

Document protection on premises

On premises, IRM services are still supported by associating an AD RMS (Active Directory Rights Management Services) server role with a SharePoint farm, as described in the AD RMS step-by-step guide. The farm admin does this on the Information Rights Management page linked from the farm administration (Central Administration) page; the common on-premises configuration is for the RMS server to be discovered through Active Directory. In SharePoint 2013, on-premises installations can target only on-premises RMS servers, and SharePoint Online in Office 365 can target only AADRM.

Figure 3. Enabling IRM against an RMS Server in a SharePoint farm

IRM is set at the farm level through the UI shown in Figure 3, or at the site subscription (tenant) level, which is new in SharePoint 2013 and is how it is implemented in the cloud. Setting IRM for specific site subscriptions on premises requires the check box in Figure 3 to be selected, after which a Windows PowerShell script sets the RMS server URL for each subscription (see Table 1 below).

Protecting documents is easy

After IRM services are configured online or on premises, site collection admins can enable IRM protection on individual document libraries.

Figure 4. Setting IRM protection on a document library

After these settings are in place, documents of the types that Office IRM services support are encrypted and rights-restricted as they are downloaded to the client. Protection is applied on the way out of the library, so SharePoint's own permissions still decide who can download a document in the first place. The additional options let you set the usage rights in more granular detail.

You can easily set usage rights

The IRM settings UI for a document library was made easier to use in Office 2013. Beyond entering the permission policy title and description, library admins can also do the following:

  • Set access rights, including the right to print, to run scripts so that screen readers work, or to write on a copy of the document (new to Office 2013)
  • Set an expiration date (the date after which the document can no longer be used)
  • Control whether documents that do not support IRM protection can be included in the library
  • Control whether Office Web Apps can render the documents in the library (new in Office 2013)

Protected documents can be rendered in the browser

Also new to Office 2013, Office Web Apps can render protected documents. This means that an authenticated user who does not have a compatible Office client can still view the documents in Office Web Apps. Note that in Web Apps the document is presented in read-only mode. Also note that screen capture of protected content in the browser is not blocked (as it is in the Office clients), although information about the protected documents is cleared from the browser cache. Library admins can turn this capability off by selecting the Prevent opening documents in the browser for this Document Library check box on the Information Rights Management settings page (shown in Figure 5).

You can protect documents for groups

When documents are downloaded from an IRM-enabled SharePoint document library, by default each supported file is encrypted and its rights are restricted to the authenticated user who downloaded it. Other users with rights to the same library must download their own copy. One of the new features in SharePoint 2013 is protecting a library for a group: an admin chooses an Active Directory group, and that group is stamped into the use license for the file. Downloaded documents can then be used by all members of the group, and the user who downloaded a copy can pass it directly to any member of the group. In Office 365, these groups are created in the Exchange Control Panel (ECP).

Figure 5. Group protection as part of the advanced IRM settings on document libraries
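The library-level options described in the three sections above (usage rights, browser rendering, group protection) correspond to properties on the CSOM InformationRightsManagementSettings object of a list. The following script, added here as an example and not part of the original post, sets them for one library and then reads the stored values back from the server. The site URL, library title, group address and admin account are placeholders, and it assumes the SharePoint client assemblies (Microsoft.SharePoint.Client.dll and its Runtime companion) at the path shown.

```powershell
# Added example (not from the original post): map the IRM settings page to CSOM properties.
# Placeholders: site URL, library title, group address, admin account, assembly path.
Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

$siteUrl      = "https://contoso.sharepoint.com/sites/finance"   # placeholder
$libraryTitle = "Board Papers"                                   # placeholder
$groupName    = "finance-leads@contoso.com"                      # placeholder group created in ECP
$username     = "admin@contoso.onmicrosoft.com"                  # placeholder
$password     = Read-Host "Password for $username" -AsSecureString

$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)

$list = $ctx.Web.Lists.GetByTitle($libraryTitle)
$ctx.Load($list)
$ctx.Load($list.InformationRightsManagementSettings)
$ctx.ExecuteQuery()

# Library-level switches (the check boxes at the top of the IRM settings page).
$list.IrmEnabled = $true    # encrypt and rights-restrict supported files on download
$list.IrmReject  = $true    # refuse uploads of file types that IRM cannot protect
$list.IrmExpire  = $false   # keep protecting the library indefinitely (no library-wide stop date)

$irm = $list.InformationRightsManagementSettings
$irm.PolicyTitle       = "Board papers - confidential"
$irm.PolicyDescription = "Do not forward outside the finance leadership group."

# Usage rights granted in the issued license.
$irm.AllowPrint     = $false   # no printing
$irm.AllowScript    = $true    # let accessibility tooling (screen readers) run
$irm.AllowWriteCopy = $false   # no editable copies

# Per-download expiry: the license stops working this many days after download.
$irm.EnableDocumentAccessExpire = $true
$irm.DocumentAccessExpireDays   = 30

# Force the Office client. The page notes that the browser cannot block screen capture,
# so a library that must not be captured should not be viewable in Office Web Apps.
$irm.DisableDocumentBrowserView = $true

# Group protection: the license is issued to the group, so any member can use a copy
# that another member downloaded.
$irm.EnableGroupProtection = $true
$irm.GroupName             = $groupName

$list.Update()
$ctx.ExecuteQuery()

# Read the settings back from the server rather than trusting the local proxy object.
$ctx.Load($list.InformationRightsManagementSettings)
$ctx.ExecuteQuery()
$list.InformationRightsManagementSettings |
    Format-List PolicyTitle, AllowPrint, AllowScript, AllowWriteCopy,
                EnableDocumentAccessExpire, DocumentAccessExpireDays,
                DisableDocumentBrowserView, EnableGroupProtection, GroupName
```

Two things worth keeping in mind when you adapt this: IrmReject only stops new uploads of unsupported types, so files already in the library are unaffected, and group protection ties the license to group membership as resolved by the rights management service, so the group must be one that service can resolve (in Office 365, one created in ECP as the text says).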

IRM supports Office documents and PDF files

Many people have asked for tighter integration of PDF files in SharePoint and Office in general. New to Office 2013, PDF documents are integrated better into SharePoint 2013: PDF readers can register a control to allow simple opening of PDF files, and PDF documents can be protected with Microsoft IRM services. IRM protection of PDF documents is an extension of the PDF standard that PDF readers can implement and support; one reader that already supports it is the Foxit PDF reader.

Programmability

New in Office 2013, IRM settings at the farm and subscription level can be controlled programmatically. Table 1 shows examples of how IRM settings at the farm or subscription level can be manipulated from Windows PowerShell.

Table 1. IRM programmability with PowerShell

Example: Enable IRM for the farm and configure it to use the default RMS server that is configured in Active Directory.
Command:
    Set-SPIRMSettings -IrmEnabled -UseActiveDirectoryDiscovery

Example: Enable IRM for the farm and specify the URL of the RMS server to use.
Command:
    Set-SPIRMSettings -IrmEnabled -CertificateServerUrl http://myrmsserver

Example: Enable IRM for the specified tenant (site subscription) and specify the URL of the RMS server to use.
Command:
    Set-SPIRMSettings -IrmEnabled -SubscriptionScopeSettingsEnabled
    $site = Get-SPSite http://myspserver
    $subscription = $site.SiteSubscription
    Set-SPSiteSubscriptionIrmConfig -Identity $subscription -IrmEnabled -CertificateServerUrl http://myrmsserver

Example: Disable IRM for the farm.
Command:
    Set-SPIRMSettings -IrmEnabled:$false

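The subscription-scoped configuration described under "Document protection on premises" and in Table 1, carried through as one script. This is an added example, not code from the original post: it checks that the RMS cluster's certification pipeline answers before changing the farm, enables subscription-scoped IRM, points several site subscriptions at the cluster, and reads each stored setting back. It assumes the SharePoint 2013 Management Shell on a farm server run by a farm admin; the RMS URL and site URLs are placeholders, and the HTTPS requirement is this example's policy, not something the page imposes.

```powershell
# Added example (not from the original post): farm-wide, subscription-scoped IRM rollout
# with an endpoint check and read-back. Placeholders: $rmsUrl and $siteUrls.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rmsUrl   = "https://rms.contoso.com"                                     # placeholder RMS cluster URL
$siteUrls = @("https://tenant1.contoso.com", "https://tenant2.contoso.com")  # placeholder subscription roots

function Test-RmsCertificationEndpoint {
    param([Parameter(Mandatory = $true)][string]$ClusterUrl)
    # An AD RMS cluster exposes its certification pipeline under /_wmcs/certification.
    $uri = "$($ClusterUrl.TrimEnd('/'))/_wmcs/certification/server.asmx"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        return ($resp.StatusCode -eq 200)
    } catch {
        Write-Warning "RMS certification endpoint not reachable at ${uri}: $($_.Exception.Message)"
        return $false
    }
}

# Policy of this example: licenses and certificates travel over this URL, so insist on TLS.
if (-not $rmsUrl.StartsWith("https://", [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing to configure IRM against a non-HTTPS RMS URL: $rmsUrl"
}
if (-not (Test-RmsCertificationEndpoint -ClusterUrl $rmsUrl)) {
    throw "RMS cluster check failed; IRM left unchanged."
}

# Farm-level switch: IRM on, with the RMS URL carried per site subscription (Figure 3 check box).
Set-SPIRMSettings -IrmEnabled -SubscriptionScopeSettingsEnabled

foreach ($url in $siteUrls) {
    $site = Get-SPSite $url -ErrorAction Stop
    $subscription = $site.SiteSubscription
    if ($null -eq $subscription) {
        Write-Warning "$url is not part of a site subscription; skipping."
        continue
    }
    Set-SPSiteSubscriptionIrmConfig -Identity $subscription -IrmEnabled -CertificateServerUrl $rmsUrl

    # Read back what was stored rather than trusting a silent cmdlet.
    $cfg = Get-SPSiteSubscriptionIrmConfig -Identity $subscription
    "{0}: IrmEnabled={1} CertificateServerUrl={2}" -f $url, $cfg.IrmEnabled, $cfg.CertificateServerUrl
}

# Farm-wide read-back for the change record.
Get-SPIRMSettings |
    Format-List IrmEnabled, UseActiveDirectoryDiscovery, CertificateServerUrl, SubscriptionScopeSettingsEnabled
```

If your cluster is deliberately reachable only over plain HTTP on the intranet, replace the throw on the HTTPS check with a warning, but note that the page's own examples use http:// and a practitioner should treat that as a choice to justify, not a default.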
 
For more information, see these links to descriptions of classes and APIs at the document library level:

The following Windows PowerShell script sample shows how a tenant admin can turn on and configure IRM policy for all the document libraries in a site (the script walks the lists of the web it connects to):

$webUrl = "https://contoso.sharepoint.com"
$username = "admin@contoso.onmicrosoft.com"
# Prompt for the password rather than embedding it in the script.
$password = Read-Host "Password for $username" -AsSecureString

# CSOM assemblies; adjust the path to where the SharePoint client components are installed.
Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($webUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
$lists = $ctx.Web.Lists
$ctx.Load($lists)
$ctx.ExecuteQuery()

# Only document libraries get IRM; lists with other templates are skipped.
$lists |
    Where-Object { $_.BaseTemplate -eq [Microsoft.SharePoint.Client.ListTemplateType]::DocumentLibrary } |
    ForEach-Object {
        $_.IrmEnabled = $true
        $_.InformationRightsManagementSettings.PolicyTitle = "IRM enabled"
        $_.InformationRightsManagementSettings.PolicyDescription = "This file is protected by SharePoint IRM."
        $_.Update()
        Write-Host "IRM enabled on $($_.Title)"
    }
# One round trip commits all the updates queued above.
$ctx.ExecuteQuery()

Supported client matrix

On the Office 365 services side, both SharePoint 2013 Online and Exchange 2013 Online support IRM services. (To get the services, you have to subscribe to one of the Office 365 service plans that include IRM support, as described on the Office 365 web site.)

Table 2 provides a coverage matrix for client applications that are compatible with IRM services in Office 2013.

Table 2. Client application support matrix

App                                    | SharePoint 2013 | SharePoint Online 2013                                   | RMS Server | RMS Online
Word, PowerPoint, Excel 2013 (Windows) | Yes             | Yes                                                      | Yes        | Yes
Word, PowerPoint, Excel 2013 RT        | Yes             | Yes                                                      | Yes        | Yes
Word, PowerPoint, Excel 2010           | Yes             | Yes (after you install the Office 365 sign-on assistant) | Yes        | Yes
Office for Mac 2010                    | Yes             | No                                                       | Yes        | No
Outlook on Windows Phone 7             | NR              | NR                                                       | Yes        | No
Word on Windows Phone 7                | Yes             | No                                                       | Yes        | No
Foxit PDF reader on Windows            | Yes             | Yes (after you install the Office 365 sign-on assistant) | Yes        | Yes

Next Steps

IRM protection gives you better control over how you distribute and manage your digital documents. With the growing popularity of cloud services and the affordable availability of the Office 365 platform, IRM services are easier to use and more readily available than ever before. Trying the new service costs nothing, so go ahead: sign up and reduce the risk of sensitive Microsoft Office and PDF document leaks. As always, our team is interested in feedback to help us improve the service further, so feel free to comment.