Office 365 – Use Right Management Services

With the new Office 365, Microsoft has introduced a new functionality to secure document sharing: Right Management Services.

This service is (should be) well know as this is available since Windows Server 2003 as additional component for internal deployment.

See for more details about RMS.

So, going back to Office 365 and Windows Azure Rights Management (as this is the commercial name of RMS on the cloud).

Windows Azure Rights Management (AADRM) is available through the Enterprise E3 Office 365 plan.


Enable Windows Azure RMS


By default, Windows Azure RMS is not activated.

To enable AADRM, connect with an Office 365 administrator account to the administration portal and go to Service Settings section (on the left)




Then hit the Rights Management tab and finally hit the Manage link




Once you have reached the Rights Management administration page, click on the Enable button and confirm the activation




Wait few minutes while AADRM is being activated




You are now redirected to the AADRM page which now is showing that RMS is activated; since this has been activated, you have the ability to disable it also from this page




NOTE Windows Azure RMS can also be activated using PowerShell


To do so, you must have installed Office 365 Modules for PowerShell and RMS Modules for PowerShell (, then run the following commands:

  • $user = "<your Office 365 administrator email">
  • $cred = Get-Credential -Credential $user
  • Import-Module AADRM
  • Connect-AadrmService -Credential $cred
  • Enable-Aadrm


Use of RMS with Exchange Online

Once RMS has been activated, you will be able to secure your mail exchange.

Automatic protection

To secure your emails with RMS, you must set a Mail flow rule (recommended). Doing so, your end-user will don’t have to think about RMS.

From the Exchange Online administration portal (Exchange Admin Center, which can be reached from the Office 365 administration portal, open the submenu just below Admin on the right side of your name and select Exchange.


Go to the Mail Flow section (from the left menu)


Then go to Rules section and create a new rule to apply RMS


Define the rule settings et voilà your email will be protected by RMS automatically.

Manual Protection


If you want to let your users to set RMS for their email when using OWA you must enable RMS for OWA.

Enable RMS for OWA

Launch a PowerShell command prompt (you must have install Office 365 Modules for PowerShell as well as RMS Modules for PowerShell

Run the following commands:

  • $user = "<your Office 365 administrator email">
  • $cred = Get-Credential -Credential $user
  • Import-Module MSOnline
  • Import-Module AADRM
  • Connect-MsolService -Credential $cred
  • Connect-AadrmService –Credential $cred
  • Enable-Aadrm
  • $msoExchangeURL = ""
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionURI -Credential $Cred -authentication Basic –Allowredirection
  • Import-PSSession $session
  • Enable-OrganizationCustomization

NOTE You may receive an error message saying this command is not required because your organization is already enabled for customization

This operation is not required. Organization is already enabled for
    + CategoryInfo          : NotSpecified: (:) [Enable-OrganizationCustomizat
   ion], InvalidOperationException
    + FullyQualifiedErrorId : F977D53F,Microsoft.Exchange.Management.Deploymen
    + PSComputerName        :

  • Import-RMSTrustedPublishingDomain –RMSOnline –Name “RMS Online” ; this CMDlet is importing the new RMS parameters to your tenant


  • Test-IRMConfiguration –RMSOnline ; this CMDlet is testing and validating the imported RMS configuration


  • Set-IRMConfiguration -InternalLicensingEnabled $true

You may have to wait a little bit before the options for Outlook Web Access appear.


Outlook Web Access

Connect to your mailbox using your web browser (

Create a new email and go to Set Permission


With Exchange 2013, there is no more need to download attachments secured by RMS; this is now fully integrated with Exchange



Outlook Client

When using Outlook, go to the Options tab when writing email


Message received and protected by RMS



Use of RMS with SharePoint Online

Once RMS has been activated, you can now use it to secure your document stored on SharePoint Online.

However, even if you have activated RMS from the Office 365 administration portal, this doesn’t mean this has been also activated for SharePoint Online.

To enable RMS for SharePoint, connect to the SharePoint Online Administration site (From the Office 365 administration portal, open the submenu just below Admin on the right side of your name and select SharePoint)


Then, from the SharePoint Online administration portal, reach the Settings section from the left menu and enable RMS for SharePoint


Finally, connect to your SharePoint site and browse to the document library you want to secure with RMS. Only ONE RMS policy can be applied on a document library.

Open the library settings using the ribbon


A new option has appears called Information Rights Management just below the Permission and Management section


When you open this option, you can enable RMS for the document library and define the RMS policy to be applied; this mean your end users will not have to think about RMS before uploading document onto the library

You have lot of option to define your RMS policy:


Additional RMS library settings

  • Do not allow users to upload document that do not support IRM: this option will block document upload if the document format doesn’t support RMS

If this settings is enabled, end-users will have an error message explaining the document format they are trying to upload is not compatible with RMS and so can not be secured


  • Stop restricting access to the library: this means after the defined date, the document library will no longer apply the RMS policy
  • Prevent opening documents in the browser for this document library: this will force end users to open the document with their Office client. NOTE RMS is supported with Office Web Application; document protected with RMS can be opened in the web browser

If this settings is NOT enabled, the Office document will be opened with the web browser. End user will see a yellow information bar explaining the document is protected by RMS (the RMS policy name is shown).


Document access rights

  • Allow viewers to print
  • Allow viewers to run script and screen reader to function on downloaded documents
  • Allow viewers to write on a copy of the downloaded document
  • After download, document access rights will expire after these number of days

Set group protection

  • Users must verify their credentials using this interval
  • Allow group protection


When saving document using your Office client on SharePoint Online, to protect your document go to the Office backstage (screenshots done with Office 2013)


Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.