Configuring and using IRM with Office 365 and SharePoint Online

Posted Thursday, March 28, 2013 4:34 PM by CoreyRoth

I’ve always founds IRM quite fascinating and the nice thing about Office 365 is that it is really easy to configure and use.  There are a few steps involved, but I managed to figure them out without having to go read a heap of documentation.  I thought I would share my experience here today so you know what’s possible.  This assumes you are on a new Office 365 tenant or one that has been upgraded already (not that any of mine have been. :) ).  I know this is only available in certain plans and I need to double-check which ones, but I haven’t had a chance yet.  If you set up a trial from, you can definitely try it with that account.

To configure IRM, it requires you turn it on in two places: in the Office 365 Portal and in SharePoint Online tenant administration.  Let’s start by going to the Office 365 Portal.  You can get there by clicking on Admin –> Office 365 at the top.  Then click on Service Settings –> Rights Management.  Rights Management is disabled by default, so you need to activate it.


On this screen simply click Manage and you will be taken to the Windows Azure Directory Rights Management site (notice the URL changes).  From here, you can start the activation process.


Click the Activate button and you’ll be taken to a screen to confirm.


Click the Activate button again and the process gets started.


Now, you need to go your SharePoint tenant administration to activate it there.  Click on Admin –> SharePoint and then Settings.  In the middle of the page, look for the Information Rights Management (IRM) section and check Use the IRM service specified in your configuration.  Then click Refresh IRM Settings.  Now, it takes a few minutes for your activation to take effect in the Office 365 Portal so if you click on this too early, you are likely to see the following error.

Error: RMS Online is configured for this tenant but is turned off, please turn on in Office 365 to enable.


Keep trying and after a few minutes, it should activate.  Be sure and click Save when you are done.


At this point, you can actually try things out inside office.  I’m working off of the demo sites that I mentioned earlier.  Now, one thing to point out is that Office uses whatever account you are signed in with to determine which Rights Management Server to connect to.  Therefore, if you are using a test Office 365 account, you need to actually, log into Office with that account.  Simply click on your name in the top right and click Switch Account.  If you don’t do this, it may time out or try to connect to another RMS server like the one at your company.

To try things out, open up a document on your SharePoint server, click File and then click Protect Document and then Restrict Access.  The first time you choose this, there is an option to connect to rights management services.  Once it connects, you’ll see options on protecting the document.  We’re going to go with Restricted Access.


On the next screen, you will be prompted to assign who can view the document or edit the document.  In my example, I am going to grant read permission to Sara Davis.  I simply typed in her full Office 365 Id.  This means she will be able to open the document and view it, but cannot save or print it.


If you click on More Options, you’ll get a window where you can set even more granular permissions such as expiring the document, allowing printing, as well as an E-mail address that gets used to request additional permissions.


Once we are finished, save the document back to SharePoint.  Now, when Sara opens the document, she is going to get a different experience.  To test using the document with Sara, I have to sign in to SharePoint with her account.  I also have to open Office and sign out with Garth and sign in with Sara’s account.  Here’s what it looks like.


Office informs me that access is restricted and if I click View Permission, it will show me what I am allowed to do.  Notice I can only view the document.  If I try to access the document with a user who does not have access granted through IRM, Office tells me I can’t open the document like this.


When a document is protected with IRM, Office Web Apps will be unable to show a preview of the document’s contents.  Here’s what it looks like when that happens.


I really like how easy it is to get started with IRM in Office 365.  If you have an interest in this feature, check it out today.  It’s definitely much easier to get started with it here than it is on-premises.


# Office 365 and IRM | Sladescross's Blog

Tuesday, April 2, 2013 1:48 AM by Office 365 and IRM | Sladescross's Blog

Pingback from  Office 365 and IRM | Sladescross's Blog

# Configuring and using IRM with Office 365 and S...

Friday, April 19, 2013 12:29 PM by Configuring and using IRM with Office 365 and S...

Pingback from  Configuring and using IRM with Office 365 and S...

# re: Configuring and using IRM with Office 365 and SharePoint Online

Wednesday, December 4, 2013 5:05 PM by Guy Wiggins

Good Post Corey. I'm a little confused about the difference between applying IRM on a document library in Office 365 and applying it at the document level. From your post, it looks like you can save an IRM protected document to any library, even one that that is not enabled for IRM. Is that correct?

Also, does the above work in Office 2010 or only 2013?

# re: Configuring and using IRM with Office 365 and SharePoint Online

Tuesday, December 17, 2013 11:45 AM by CoreyRoth

@Guy IRM policies are applied to individual documents.  You should be able to use Office 2010 as well.

# re: Configuring and using IRM with Office 365 and SharePoint Online

Thursday, June 26, 2014 10:35 AM by Noah

Any updates on IRM within Office 365 since you published this post?

# re: Configuring and using IRM with Office 365 and SharePoint Online

Tuesday, July 1, 2014 9:19 AM by CoreyRoth

@Noah not a lot has changed.  Although you are seeing a more complete story around compliance with the new compliance center changes.

# re: Configuring and using IRM with Office 365 and SharePoint Online

Thursday, February 19, 2015 1:30 PM by Trevor

Can you set permissions on the whole library to disable the ability to download/save but still allow editing of any of the documents in the library.  I ask because this appears to be for specific documents, but I would like it apply to all documents including new ones that will be created without having to modify each one.

# re: Configuring and using IRM with Office 365 and SharePoint Online

Thursday, February 19, 2015 1:41 PM by CoreyRoth

@Trevor there is nothing built-in to prevent download.  You can configure things on the whole library but you only have a handful of settings available.

# re: Configuring and using IRM with Office 365 and SharePoint Online

Thursday, February 26, 2015 2:17 PM by mattblessing

Trevor, the way the IRM policies work in SharePoint is they only apply the protection when you either view (if the policy allows web-view) or download the docs. The data is not protected in place like the document protection (this allows SharePoint to allow text search of content). If you apply a document level protection (either through an app that natively supports RMS or using the RMS Client app, then SharePoint cannot text search the docs and they are then done on an individual basis. Once you create RMS Templates in Azure Portal, you can choose to apply those pre-set values to protect similar data.

Leave a Comment