Information Rights Management

Feature Guide
(Legacy Platform Release)
Applies to: Office 365 Dedicated Legacy Platform Releases

Topic Last Modified: 2015-07-07

This feature guide describes the Information Rights Management (IRM) implementation used for the
legacy releases of Office 365 Dedicated. The following topics are presented in the guide:

What Is Information Rights Management?


IRM Implementation in Office 365 Dedicated
Establishing the IRM Environment
Using IRM Clients
Supporting the IRM Environment
IRM Super User Access

IRM Feature Guide


Legacy Platform Release
Office 365 Dedicated & ITAR-Support Plans
2015 Microsoft Corporation. All rights reserved.
Page 1 of 50
Out of Scope Topics
The following information is not covered in this guide:
Active Directory Rights Management Services (AD RMS) fundamentals. The protection
technology used to support IRM in Office 365 is Active Directory Rights Management Services (AD
RMS). The IRM implementation for Office 365 requires the existence of an AD RMS infrastructure
within your on-premises environment. Because your organization already supports your own AD
RMS environment, it is expected that you are familiar with AD RMS functionality. Therefore, the
scope of this guide only addresses the uniqueness of the AD RMS implementation for Office 365.
Details regarding how to build an AD RMS environment or how to utilize any common tools and
interfaces within AD RMS are out of scope for this guide.
Exchange Online and SharePoint Online fundamentals. IRM functionality is utilized by Exchange
Online and SharePoint Online. AD RMS features offered with Office 365 and applicable to the
Exchange Online and SharePoint Online services are described within this guide. Detailed
information regarding the feature sets of Exchange Online and SharePoint Online, or how to
establish these environments, is out of scope for this guide.
IRM-enabled application fundamentals. Procedures describing how to utilize specific Microsoft or
third-party IRM-enabled applications are out of scope for this guide.
Notes:
1. Not all published Microsoft documentation for IRM or AD RMS is applicable for the
Office 365 Dedicated and ITAR-support plan offerings. Documentation simply labeled
Office 365 for Enterprises may only pertain to the multi-tenant plans for Office 365 and
not Office 365 Dedicated plans.
2. This document specifically applies to Exchange Online Dedicated customers on legacy
infrastructure platforms (Exchange 2010 Aruna, Exchange 2010 ANSI-D, or Exchange 2013
ANSI-D) and SharePoint Online Dedicated customers using SharePoint 2010. For all cases,
the content applies to the legacy AD RMS implementation that involves the placement of
AD RMS servers on-premises and within Microsoft datacenters. Unless otherwise indicated,
the information presented is applicable to the International Traffic in Arms Regulations
(ITAR-support) version of each server release.

Additional Resources
See the IRM landing page in the Customer Extranet site for additional implementation information and
diagnostic tools. Contact your Microsoft Service Delivery Manager for information on how to obtain
access to the Customer Extranet site.
What Is Information Rights Management?
Information Rights Management (IRM) enables content publishers to create rights-protected content
such as an email message or document. Rights-protected content is content that is intended for use by
specific individuals and that carries specific restrictions placed on the use of the content item.
When IRM protection is applied to a message or document, the item becomes encrypted.
Accompanying the encrypted item is an issuance license used to maintain restrictions on access to, and
uses of, the content. These restrictions vary depending on the level of permissions granted to the
recipient(s). Typical restrictions include making a document read-only, disabling copying of text, not
allowing users to save a copy of the document, or preventing users from printing the document. Client
applications that read IRM-supported file types use the issuance license to enforce use restrictions. To
decrypt the item and consume the content, the recipient of the message or document must obtain an
end user license issued through interaction between their client device and the IRM environment.
IRM helps individuals enforce their personal preferences regarding the transmission of personal or
private information. It also helps organizations enforce corporate policy governing the control and
dissemination of confidential or proprietary information within the organization and with customers
and partners. The following table summarizes how IRM does and does not protect content.
IRM helps to:
- Prevent an authorized recipient of protected content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use; copying restrictions include the use of the Print Screen or Snipping Tool features of Microsoft Windows.
- Protect supported attachment file formats with the same level of protection as the message.
- Maintain content restrictions regardless of where the content is delivered.
- Support file expiration so that content in documents, workbooks, or presentations can no longer be viewed after a specified period of time.
- Enforce corporate policies that govern the use and dissemination of content.

IRM does not prevent:
- Content from being captured by third-party screen-capture programs.
- Content from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware.
- Content from being lost or corrupted because of the actions of computer viruses.
- Restricted content from being hand-copied or retyped from a display on a recipient's screen.
- Use of imaging devices such as cameras to photograph IRM-protected content displayed on the screen.

How Is Information Protected?


Office 365 dedicated plans use Active Directory Rights Management Services (AD RMS) to implement
the IRM protection feature. AD RMS uses extensible rights markup language (XrML)-based certificates
and licenses to certify computers and users. The XrML certificates and licenses are also used to encrypt
and protect content.
When content such as a document or a message is protected using AD RMS, an XrML license containing
the rights that authorized users have to the content is attached to the content. To access IRM-protected
content, AD RMS-enabled applications must procure a use license for the authorized user from a
trusted AD RMS server.
The use license contains the public key to decrypt the protected content. Note that the AD RMS
protection mechanisms do not utilize Active Directory certificate services or public key infrastructure
(PKI) protection methods. AD RMS utilizes a database to hold data for certification, licensing, and
publishing activities and also relies on Active Directory to provide identity, authentication, group
expansion, and discovery services.
The diagram and text that follow provide an overview of client certificate acquisition, license issuance,
and the encryption, delivery, and decryption of content.

1. An individual who intends to protect content and consume content protected by others must first
acquire certificates that enroll his or her computer and domain user account into the AD RMS
certificate hierarchy. A certificate that identifies a computer is called a machine certificate, and one
that identifies a user is called a rights account certificate (RAC), also referred to as a group identity
certificate (GIC). An IRM-supported application must retrieve these certificates from an activation
service configured on an AD RMS server in the same Active Directory forest as the user.
2. Once activated, an individual who wants to publish protected content uses their IRM-supported
application to create an issuance license, also referred to as a publishing license, that specifies who
can use the content and the terms of that use. The terms typically specify the time period for which
the license is valid and enumerate the rights granted to the consumer. Common rights typically
include the right to view, print, edit, and forward. The IRM-supported application can send the
issuance license to an AD RMS publishing service to be signed or use a client licensor certificate
(CLC) to sign the license offline. If the IRM-supported application uses online signing, the publishing
service signs the issuance license and returns it. The signing process also produces an owner license
that is saved in the license store of the user's computer. An owner license contains the OWNER right
that enables the user (in this case the individual who wants to protect content) to exercise all rights
enumerated by the issuance license. The IRM-supported application retrieves and binds to the
owner license and encrypts the content.
3. The encrypted content and the signed issuance license are then made available for distribution to
appropriate consumers. The distribution method is arbitrary and varies by application.
4. After an activated user has retrieved the signed issuance license, the IRM-supported application
uses it to request an end-user license, also known as a use license, from the AD RMS licensing
service specified in the issuance license. The end-user license contains a list of rights and conditions
that apply to the requesting user.
5. The IRM-supported application binds to, and enforces, the rights enumerated in the end-user
license and uses the public key in the issuance license to decrypt the protected content.
IRM Implementation in Office 365 Dedicated
The Information Rights Management (IRM) feature for Office 365 Dedicated plans has specific
capabilities and constraints when compared to an on-premises IRM implementation. IRM protection is
available for Exchange Online and SharePoint Online. Both services rely upon the existence of your on-
premises AD RMS infrastructure, the export of the AD RMS server licensor certificate (SLC) public key
or trusted user domain (TUD) from one or more forests within this environment, and the import of each
TUD into the Office 365 AD RMS infrastructure dedicated to the subscribing organization.
The following sections describe how the IRM functionality applies to the Exchange Online and
SharePoint Online services, and points out other IRM feature implementation considerations your
organization should address.
1. Exchange Online Implementation
2. SharePoint Online Implementation
3. Additional Implementation Considerations
Exchange Online Implementation
Exchange Online messaging services can be provided solely from the Office 365 environment or within
a hybrid configuration involving on-premises and online Exchange resources. The hybrid configuration,
illustrated in the following diagram, is referred to as coexistence.

Exchange Online as an independent service will provide IRM protection for email and attachments that
are created and consumed within Office 365. IRM protection for email and documents is invoked when
an AD RMS rights policy template is applied to the email message. The template applies restrictions on
forwarding, the extraction of information from the message, saving the message, or printing the
message. Usage rights are attached to the message itself and remain with the message regardless of
whether the message remains within, or travels between, on-premises, online, and other external
environments.
For a coexistence environment, additional IRM functionality is available if the AD RMS trusted published
domain (TPD) of each on-premises AD RMS cluster is made available for use in the Office 365 AD RMS
infrastructure dedicated to your organization. A TPD collectively represents the server licensor certificate
(SLC), AD RMS cluster private key, and rights policy templates of the on-premises cluster. Providing
the TPD for use within Office 365 is optional. Two closely related reasons to support consideration of a
TPD import into the Office 365 environment are the following:
Exchange coexistence with support for legacy protected content. If a user has an on-premises
mailbox which holds content protected by their on-premises AD RMS cluster and the mailbox is
migrated to the Exchange Online environment, the on-premises TPD will be needed to perform
virus scanning and to apply transport protection rules against the migrated content.
Newly protected content within the on-premises environment is forwarded to the Exchange Online
environment. If email messages and documents are protected within the on-premises environment
on an ongoing basis and the content is forwarded to the Exchange Online environment, the
presence of the on-premises TPD will allow the Office 365 AD RMS cluster to (a) issue use licenses
for email messages protected by the on-premises cluster and (b) allow system level Exchange
Online functions (for example, virus scanning and transport rule application) to be performed
against the forwarded content.

In addition, the presence of the imported TPD within the Office 365 environment provides the following
functionality:
Availability of on-premises rights policy templates. All rights policy templates associated with
the source AD RMS licensing server for the TPD will be loaded into the Office 365 environment. The
templates can be used by IRM-enabled applications to decrypt content originally protected within
your on-premises environment.
Support for IRM in Outlook Web App. Users can use Outlook Web App to read IRM-protected
messages generated within the on-premises Exchange environment. IRM-protected messages in
Outlook Web App can be accessed through Internet Explorer, Firefox, Safari, and Google Chrome
(no plug-in required) browsers and include full-text search, conversation view, and the preview
pane. Exchange Online will pre-license the IRM-protected content for immediate viewing within
Outlook Web App and the ability to use WebReady document viewing of content also will be
provided by Outlook Web App.
Support for IRM in Exchange ActiveSync. Users with mobile devices that support the IRM
features of the Exchange ActiveSync protocol can open and work with IRM-protected messages
generated within the on-premises Exchange environment without tethering the phone or installing
additional IRM software. Administrators can control the use of this feature using Role-Based Access
Control (RBAC) and Exchange ActiveSync policies.
Indexing of IRM-protected messages to support Search. IRM-protected messages are indexed
and searchable. Headers, subject, body, and attachments are included. Users can search items
protected in Outlook and Outlook Web App within the on-premises Exchange environment and
administrators can search protected items by searching multiple mailboxes.
Application of Exchange Online transport protection rules. IRM-protected messages can be
decrypted to allow your defined transport protection rules to be applied within Exchange Online.
This provides persistent protection for the file regardless of where it is sent and prevents
forwarding, copying, or printing, depending on the rights policy template applied.
Malware scanning following transport decryption. IRM-protected messages received by
Exchange Online can be decrypted and forwarded to the Forefront Protection for Exchange (FPE)
application for virus scanning within the Exchange servers of Office 365.
Journal Report decryption for legal discovery and regulatory purposes. When messages
marked for journaling are sent to an external archive, a decrypted, clear-text copy of the IRM-
protected messages (including Office and XPS attachments) can be included in journal reports. This
allows IRM-protected messages to be indexed and searched for legal discovery and regulatory
purposes. The original IRM-protected message is also included in the report.
Unified Messaging Hosted Voicemail protection. Either senders or administrators can apply IRM-
protection to voice messages to prevent unauthorized individuals from consuming the message
and to prevent recipients from forwarding it, saving a copy of it, or saving or copying the audio
attachment. To apply these restrictions, senders must mark the message as private. For additional
information, see Understanding Protected Voice Mail.

Note:
Outlook Protection Rules (the application of IRM protection when messages are sent by an
Outlook client) are not supported.
SharePoint Online Implementation
For on-premises and SharePoint Online installations, an IRM protector is used to automatically encrypt
and decrypt a document placed in a library or attached to a list item. Document protection is managed
by (1) a use license that grants rights to a specific user, (2) the AD RMS policy set on the SharePoint
library or list, and (3) the rights granted within the library or list for specific users.
With Office 365, SharePoint will use a client licensor certificate (CLC) issued by the Office 365 AD RMS
cluster to protect documents. The SharePoint Online user will then acquire a use license from the Office
365 AD RMS cluster to consume the protected documents. When requesting a use license, a consumer
will use the rights account certificate (RAC) issued by your on-premises AD RMS cluster. The user's RAC
is recognized because the Office 365 AD RMS cluster holds a copy of the TUD from the on-premises
environment. SharePoint Online has no use for the on-premises TPD because SharePoint Online servers
never request a use license from the Office 365 AD RMS cluster.
Within SharePoint Online, IRM protector applications exist only for Word, Excel, PowerPoint, XML Paper
Specification (XPS) format, and InfoPath forms. For additional information describing how IRM
protection is implemented with SharePoint, see the MSDN article IRM Framework Architecture in
SharePoint Foundation.
Additional Implementation Considerations
When planning for implementation of the IRM feature, your organization may need to consider the
following:
Prerequisites to support an Exchange coexistence environment where messaging content is
protected and consumed between an Office 365 online environment and your on-premises
environment (see Hybrid Deployment on the Exchange Server 2013 Release Documentation landing
page).
Integration with other authentication systems, Unified Messaging applications, and other IT
environments external to Office 365 or the environments managed by your organization.
Supported versions of Exchange Online, SharePoint Online, server and client operating systems,
web browsers, client applications, and mobile devices.
Use of third-party IRM applications to protect content and the use of two-factor authentication
applications in conjunction with IRM.
Automatic rules-based protection of email and the automatic determination of revoked rights to
access IRM-protected content.

For a complete list of the capabilities and constraints of the IRM feature set including expanded
descriptions of each topic, see the AD RMS Service Description (Legacy Platform Release) on the IRM
landing page of the Customer Extranet site.
Establishing the IRM Environment
The IRM feature for Office 365 Dedicated plans provides rights management capabilities for
organizations subscribed to Exchange Online and SharePoint Online. To establish an IRM environment,
you must understand how to configure and administer an on-premises AD RMS environment. You also
must be familiar with the scope of the IRM offering for Office 365 Dedicated including specific IT
environment requirements, non-supported functionality, and limitations associated with the Exchange
Online Dedicated and SharePoint Online Dedicated offerings. See the AD RMS Service Description
(Legacy Platform Release) on the IRM landing page of the Customer Extranet site. The prerequisites for
using the IRM feature are described in the following sections.

On-premises AD RMS Implementation


This prerequisite applies to Exchange Online and SharePoint Online.
The IRM feature will function only in conjunction with an AD RMS implementation within your on-
premises environment. The feature is not available to organizations that do not already manage their
own AD RMS environment. If your organization does not have the required AD RMS infrastructure,
this environment must be established before subscribing to the IRM feature. For more information,
see Installing an AD RMS Cluster.

Two-way Forest Trust with Selective Authentication


This prerequisite applies to Exchange Online.
Office 365 AD RMS application servers need to make calls to your Active Directory and AD RMS servers.
Without a trust from your environment to the Office 365 Active Directory environment, these calls
would fail. The Selective Authentication setting restricts the use of an Active Directory trust to allow only
designated credentials to leverage the trust. To establish the required trust, a Change Request must be
submitted on behalf of your organization by your Microsoft Service Delivery Manager (SDM). An
environment discovery process will follow and specific Customer Environment Configuration for Identity
(CECI) documentation will be provided to your organization.
The two-way forest trust can be implemented with adequate security controls to support only the IRM
feature. For additional information, see Two-way Forest Trust with Selective Authentication FAQs. Also
see Security Configurations for Trusts.
The SDM assigned to your account can provide access to Microsoft personnel capable of assisting with
the implementation of the two-way forest trust configuration.

Trusted User Domain for Every AD RMS Cluster


This prerequisite applies to Exchange Online and SharePoint Online.
Your organization must export and provide to Microsoft the trusted user domain (TUD) for every AD
RMS certification cluster within your on-premises environment to be integrated with Office 365. The
addition of a TUD allows the Office 365 AD RMS certification cluster to process requests for client
licensor certificates or use licenses from each user whose rights account certificate (RAC) was issued by
a different AD RMS certification cluster. A TUD is similar to an Active Directory Domain Services (AD DS)
domain trust in that it allows access to a foreign AD RMS cluster using a user RAC issued by the
local AD RMS cluster. The TUD from every on-premises AD RMS forest to be integrated with Office 365
must be provided to Microsoft. Each TUD is imported into the Office 365 AD RMS managed cluster.
The TUD is the public key equivalent of an X.509 public key infrastructure (PKI) certificate. Because the TUD
is used in a manner equivalent to the purpose of a PKI public key, a TUD owner can provide this
component without security risk. The delivery of the TUD will be coordinated between your IT staff and
the assigned Microsoft Deployment Program Manager.
The SDM assigned to your account can provide access to Microsoft personnel capable of assisting with
the transfer of a copy of the on-premises TUD(s).
Supported IRM Configurations
The Information Rights Management (IRM) feature is supported in the following environment
configurations for Office 365 dedicated plans and ITAR-support plans:
Exchange Online only.
Exchange Online with on-premises Exchange.
SharePoint Online only.
Exchange Online and SharePoint Online.
Exchange Online with on-premises Exchange and SharePoint Online.

As stated in the AD RMS Service Description (Legacy Platform Release) accessible via the IRM landing
page of the Customer Extranet site, the IRM feature does not support the following:
Interaction with AD RMS via federation protocols or clients.
Support for AD RMS trusts involving systems that are not within the security realm of your
organization.
Integration with Windows Live ID.
The following diagram illustrates the principal elements required to implement the IRM feature to
support the configurations listed above. Also shown are the trust-granting relationships between the
environments.

As shown in the diagram, the following characteristics apply to an Office 365 dedicated plan or ITAR-
support plan implementation of IRM:
The on-premises or online environment is capable of protecting Exchange email messages and
Office documents. Documents can be protected when attached to an IRM-protected email
message, using a Microsoft IRM-enabled application, or when placed within an IRM-enabled
SharePoint document library or list. Conditions related to the protection and consumption of
content are described in the table below.
If the on-premises environment TPD has been imported into the Office 365 AD RMS cluster
dedicated to your organization, all of the features described in the Exchange Online Implementation
section can be utilized.

The following table identifies the IRM protection and consumption characteristics for content shared
within and between the IRM source and destination environments.

The first two columns describe the IRM source environment characteristics (source environment and source application); the remaining three columns describe the IRM destination environment characteristics (consumption application, Office 365 consumption experience, and on-premises consumption experience).

Source environment | Source application | Consumption application | Office 365 consumption experience | On-premises consumption experience
Office 365 | Outlook or Outlook Web App | Outlook | Content consumable within Office 365 environment by authorized user (Office attachments also consumable) | Content consumable within on-premises environment by authorized user (Office attachments also consumable)
Office 365 | Other Office applications (native Word, Excel, and PowerPoint formats or XPS) | Office applications | Content consumable within environment by authorized user | Content consumable within environment by authorized user
Office 365 | SharePoint | SharePoint | Authorized user must access source SharePoint Online document library or list to retrieve document | Authorized user must access source SharePoint Online document library or list to retrieve document
On-premises | Outlook or Outlook Web App | Outlook | Content consumable within Office 365 environment by authorized user (Office attachments also consumable) | Content consumable within on-premises environment by authorized user (Office attachments also consumable)
On-premises | Outlook or Outlook Web App | Outlook Web App | Content (email and Office attachments) consumable within Office 365 environment by authorized user if your organization has provided on-premises TPD(s) for import into Office 365 | Content consumable within on-premises environment by authorized user (Office attachments also consumable)
On-premises | Other Office applications (native Word, Excel, and PowerPoint formats or XPS) | Office applications | Content consumable within environment by authorized user | Content consumable within environment by authorized user
On-premises | SharePoint | SharePoint | Authorized user must access source on-premises SharePoint document library or list to retrieve document | Authorized user must access source on-premises SharePoint document library or list to retrieve document
Export and Import of Trusted User Domain
By default, an AD RMS cluster does not service requests from a user with a rights account certificate
(RAC) issued by a different AD RMS cluster. To allow on-premises users to publish and consume
protected content within Office 365, the on-premises AD RMS domains must be added to a list of
trusted user domains within the Office 365 AD RMS infrastructure. The process involves the export of
the server licensor certificate (SLC) of every on-premises forest that provides AD RMS functionality to
the users that will utilize the Office 365 environment. Each exported SLC represents the trusted user
domain (TUD) of that specific AD RMS environment. These trusted domains are then imported into
the trusting Office 365 environment.
The following diagram illustrates the initial steps to export/import a TUD (steps 1 to 3) followed by the
publishing steps for IRM-protected content and the consumption scenarios (steps 4 to 9) for Office
applications (Outlook Web App premium and Exchange ActiveSync experiences excluded due to their
use of the AD RMS pre-licensing capability). Your service delivery manager and Deployment Program
Manager can assist with planning and execution of the TUD export/import process.
Identification of Trusted Email Domains
An identity within AD RMS is the email address held within the Active Directory mail attribute for the
user. All users and groups that use AD RMS to acquire licenses and publish content must have an email
address configured within the on-premises Active Directory. When the process to import each TUD you
provide into the Office 365 environment is complete, an administrator for the Office 365 AD RMS
cluster can place a Change Request to specify which remote email domains of the on-premises
environment will become trusted email domains.

Note:
We recommend identifying which remote email domains will be trusted within the Office 365
AD RMS environment; otherwise, it may be possible for a user from a trusted (on-premises)
user domain to impersonate a user from another Active Directory forest.

Exchange and SharePoint Online Considerations
This topic describes the following considerations when implementing an IRM environment for Exchange Online.
Trusted publishing domain (TPD) sharing
Rights policy templates
Transport protection rules
Journaling report decryption

Protection policies for SharePoint Online are described in the Considerations for SharePoint Online section.

Trusted Publishing Domain Sharing


The optional IRM functionality for Exchange Online described in the Exchange Online Implementation section relies upon the existence of your on-premises trusted publishing domain (TPD), that is, the private key of the AD RMS cluster together with its rights policy templates, within the Office 365 AD RMS environment. To provide this functionality, specific steps must be followed to export/import the TPD. AD RMS requires a password to protect a TPD at the time of export (the export process prompts for one). Because the exported file contains the private key of your licensing cluster, treat it as a secret: transfer it only through the agreed Change Request channel and communicate the password out of band from the file. Specific instructions describing the TPD export process can be found in the TechNet article Exporting a Trusted Publishing Domain. A Microsoft service delivery manager (SDM) can then be contacted to place a Change Request to arrange to have the TPD provided to Microsoft for import.
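As an added example (not part of this guide), the following Windows PowerShell script exports both the TUD described in the Export and Import of Trusted User Domain section and the TPD described here from an on-premises AD RMS cluster using the AdRmsAdmin provider, ready for hand-off to Microsoft through the Change Request process. The cluster URL, output folder, and the exact provider paths under TrustPolicy are assumptions for a fictitious customer; confirm the paths against the TechNet articles referenced above before use.

```powershell
# Added example: export the on-premises TUD (public) and TPD (contains the private key)
# for import into the Office 365 AD RMS cluster. Run on an on-premises AD RMS server as a
# member of the AD RMS Enterprise Administrators group.
Import-Module AdRmsAdmin

$clusterUrl = 'https://licensing.customer.com'   # assumption: on-premises licensing cluster URL
$outDir     = 'C:\RmsExport'                     # assumption: local folder for the export files
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
New-PSDrive -Name OnPrem -PSProvider AdRmsAdmin -Root $clusterUrl | Out-Null

# 1. TUD: the server licensor certificate only; it contains no secrets.
#    (Provider path assumed from the AdRmsAdmin namespace.)
Export-RmsTUD -Path 'OnPrem:\TrustPolicy\TrustedUserDomain' -SavePath "$outDir\customer-tud.bin"

# 2. TPD: SLC plus the cluster's private key and rights policy templates.
#    AD RMS requires a password at export time; never store it next to the file.
$tpdPassword = Read-Host -Prompt 'TPD export password' -AsSecureString
Export-RmsTPD -Path 'OnPrem:\TrustPolicy\TrustedPublishingDomain' `
              -SavePath "$outDir\customer-tpd.xml" -Password $tpdPassword

# 3. Restrict the export folder to the exporting account and local Administrators, then
#    record SHA-256 hashes to quote in the Change Request so the recipient can verify integrity.
icacls $outDir /inheritance:r `
       /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(OI)(CI)F" 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
Get-ChildItem -Path $outDir -File | Get-FileHash -Algorithm SHA256 | Format-Table Hash, Path -AutoSize

Remove-PSDrive -Name OnPrem
```

The TUD file can be shared freely; the TPD file and its password must travel separately, and the local copy should be deleted once Microsoft confirms the import.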

Note:
If an on-premises environment has more than one AD RMS licensing cluster, the export of the
TPD from each cluster is recommended to ensure IRM-protected content is processed properly
within the Office 365 environment. The export action is especially relevant for Exchange
coexistence configurations. Selective TPD exchange will result in restrictions being placed on
the additional functionality described in the topic IRM Implementation in Office 365 Dedicated.

Conversely, Microsoft can provide the TPD for the Office 365 environment to your organization for
import within your on-premises environment to support the bulk decryption of content for legal
discovery purposes. If the Office 365 TPD is required, your SDM and Deployment Program Manager can
assist with planning and execution of the TPD export/import process. To address smaller scale content
decryption requirements, your compliance personnel can use the super user access method described
in the topic IRM Super User Access.

Rights Policy Templates


As previously described, several Microsoft applications have the native ability to apply specific rights
management protection features. If an organization desires to define specific IRM protection policies to
be applied to content, rights policy templates can be used. A template such as Company Confidential
could be used to allow only employees to have the ability to view content but not forward, copy, or
save the document outside of the company. An Expires in 30 days policy could be used to ensure
content is made invalid after 30 days. The custom templates can be applied using Microsoft Office
applications, Outlook Web App, or via transport protection rules.
The following table provides a summary of the native rights and permissions that are available with
specific applications. Also shown are the custom rights available when using rights policy templates.

Permission         Office App  XPS App (1)  SharePoint Server  Windows Mobile Devices  AD RMS Rights Policy Templates (2)
Full Control       Yes         Yes          Yes                No                      Yes
Export (Save As)   Yes         Yes          No                 No                      Yes
View (Read)        Yes         Yes          Yes                Yes                     Yes
Extract (copy)     Yes         Yes          Yes                No                      Yes
Allow Macros       Yes         No           No                 Yes                     Yes
Reply              Yes         No           No                 No                      Yes
View Rights        No          No           No                 No                      Yes
Save               No          Yes          Yes                No                      Yes
Print              Yes         Yes          Yes                No                      Yes
Edit               Yes         No           Yes                No                      Yes
Forward            No          No           No                 No                      Yes
Reply All          No          No           No                 Yes                     Yes
Custom Rights      No          No           No                 No                      Yes

(1) XML Paper Specification (.xps) file format.
(2) SharePoint Server IRM, Windows Mobile 6.x, and Windows Phone 7.5, 7.8, and 8.0 do not support applying protection through templates. SharePoint Server will only store documents protected through templates and will apply the additional IRM protection settings of the SharePoint library or list. Windows Mobile and Windows Phone can only consume documents and email protected through templates.
If rights policy templates are created and used within an on-premises AD RMS environment of your
security realm, these templates can be imported into the dedicated Office 365 environment for use by
Microsoft Office applications and Exchange Online to decrypt IRM protected content. The templates
become available for decryption use only by following the Trusted Publishing Domain Sharing process.

Note:
Whenever any on-premises template is updated, the same update must be propagated to the Office 365 environment by re-executing the TPD sharing process, so that the same template versions are available throughout the enterprise.
When templates are imported into Office 365 via the TPD sharing process, the state of each
template is set as Archived and cannot be modified or used for transport protection within
Office 365. To create templates to be applied to content within Office 365, see the Creation of
rights policy templates within Office 365 section; to apply templates for transport protection
use, see the Transport Protection Rules section.
The re-import of a TPD into the Office 365 environment will remove all templates associated
with the prior TPD import followed by the loading of the new template versions into the
environment.

Important:
Because content may exist within Office 365 that was protected using a specific on-premises rights
policy template or a custom rights policy template created within Office 365, an appropriate best
practice is to retain templates for an extended period to ensure older protected content can be
decrypted.

Creation of Rights Policy Templates
Within the Office 365 environment, additional rights policy templates can be created for use by Office applications, Outlook Web App, or transport protection rules. As shown below, newly created templates become immediately available to Outlook Web App users and to transport protection rules; Office client applications only see them after the templates have been propagated to the clients (see the Distribute Rights Policy Templates section).

Prior to attempting to create or edit templates, confirm the administrative user has been added to the
RMS Template Administrators security group. The options to perform template creation and editing
within Office 365 are the following:
1. AD RMS snap-in for the Microsoft Management Console (MMC)
2. Windows PowerShell using the ADRMSAdmin provider

MMC Method
To use the MMC method, a connection must be made to the AD RMS cluster within Office 365. An SSL
connection, as shown in the example below, must be created. The Microsoft Deployment Program
Manager can provide the Office 365 AD RMS cluster URL.

Remote Windows PowerShell Method


To use the Remote Windows PowerShell method to create rights policy templates, use the following
Windows PowerShell commands:
1. Import the AD RMS Windows PowerShell administration module.
Import-module AdRmsAdmin
2. Create a Windows PowerShell drive that represents the AD RMS cluster to be administered.
New-PSDrive -Name <drive> -PsProvider AdRmsAdmin -Root <clusterURL>

The following example creates a drive named RMS that represents the AD RMS cluster hosted within a fictitious Office 365 environment named 999d:
New-PSDrive -Name RMS -PsProvider AdRmsAdmin -Root https://rms.999.d.office365.com
3. Set the current location.

Set-Location <drive>:\[<container>]
<drive> is the name of the drive created in the previous step (RMS in the example)
<container> is the optional path name of a container within the drive. For information about how to use these containers, see Understanding the AD RMS Administration Provider Namespace.
The following example sets the current location to the RightsPolicyTemplate container in the RMS drive:
Set-Location RMS:\RightsPolicyTemplate
4. Create a rights policy template.
New-Item -Path <drive>:\RightsPolicyTemplate -LocaleName <locale_name> -DisplayName "<display_name>" -Description "<description>"
<drive> = name of the Windows PowerShell drive created in the previous step
<locale_name> = language and location (for example, en-us)
<display_name> = name of the template
<description> = general description of the template
Example:
New-Item -Path RMS:\RightsPolicyTemplate -LocaleName en-us -DisplayName "O365 - FTE Only" -Description "Limits rights to full time employees only"
5. Complete the customization of the newly created template as described in the following:
Editing a Rights Policy Template using MMC
Editing a Rights Policy Template using PowerShell
Other reference information describing the initial creation of the template is the following:
Create a New Rights Policy Template using MMC
Using Windows PowerShell to Administer AD RMS
Creating a New Rights Policy Template using PowerShell
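Putting the steps above together, the following Windows PowerShell script is an added example (not from this guide) that creates the "O365 - FTE Only" template, adds its rights definitions, and sets a 30-day content expiry. The fictitious cluster URL is the one used in the guide; the group addresses, the RightsDefinition item parameters (-UserName, -Rights), the template property names (ContentExpirationOption, ContentValidityDuration) and the right names are assumptions taken from the AD RMS administration provider namespace and should be checked against the TechNet references listed above.

```powershell
# Added example: create and populate a rights policy template in the Office 365 AD RMS cluster.
Import-Module AdRmsAdmin
New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root 'https://rms.999.d.office365.com' | Out-Null

$displayName = 'O365 - FTE Only'
$fteGroup    = 'fte@customer.com'         # assumption: mail-enabled group of full-time employees
$ownerGroup  = 'rms-admins@customer.com'  # assumption: group granted full control

# Guard against the template name collision the guide warns about. A duplicate name
# (including an Archived template imported via a TPD) would later block a TPD import.
$clash = Get-ChildItem -Path RMS:\RightsPolicyTemplate | Where-Object { $_.DisplayName -eq $displayName }
if ($clash) { throw "A template named '$displayName' already exists; choose a unique name." }

$tpl = New-Item -Path RMS:\RightsPolicyTemplate -LocaleName en-us `
        -DisplayName $displayName -Description 'Limits rights to full time employees only'
$tplPath = "RMS:\RightsPolicyTemplate\$($tpl.Id)"   # assumption: template items expose an Id property

# Rights definitions (assumed provider parameters). FTEs may read and reply; the absence of
# FORWARD, PRINT, EXTRACT and EXPORT is what keeps the content inside the company.
New-Item -Path "$tplPath\RightsDefinition" -UserName $fteGroup   -Rights 'VIEW', 'REPLY', 'REPLYALL'
New-Item -Path "$tplPath\RightsDefinition" -UserName $ownerGroup -Rights 'OWNER'

# Content expires 30 days after publication (assumed property names).
Set-ItemProperty -Path $tplPath -Name ContentExpirationOption -Value 'Days'
Set-ItemProperty -Path $tplPath -Name ContentValidityDuration -Value 30

# Review the result before distributing the template to clients.
Get-Item -Path $tplPath | Format-List DisplayName, Id, ContentExpirationOption, ContentValidityDuration
Get-ChildItem -Path "$tplPath\RightsDefinition" | Format-Table UserName, Rights -AutoSize
```

Run it as a member of the RMS Template Administrators security group; the duplicate-name check is deliberately placed before New-Item so a clash is caught before anything is written to the cluster.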

Note:
If a TPD from your AD RMS environment has been imported into the Office 365 environment,
the on-premises templates will be recognized by Office 365. These templates are loaded into
the Office 365 AD RMS cluster in an Archived state and can only be used to support the
decryption of content protected on-premises; these templates cannot be renamed or modified.

Important:
When new templates are created within either the on-premises or online environments, care
must be taken to apply a unique name to each template to prevent a template name collision
from occurring when a TPD is transferred between the on-premises and Office 365
environments since the existence of duplicate template names will block TPD import.

Transport Protection Rules


Exchange Online can scan messages in transit and classify them as required. AD RMS protection is
considered to be another action within a transport rule and can be combined with any other transport
protection rule predicates and actions. A specific AD RMS rights policy template created within Office
365 can be associated with a specific transport rule. Note, however, that a transport rule to protect
content will not be honored if the content has already been IRM-protected by an application.
To associate an AD RMS rights policy template with an Exchange Online transport rule, the rights policy
template must be created in the Office 365 AD RMS service. As stated above, a template imported via a
TPD is set as Archived and cannot be used.

Applying Newly Created Rights Policy Templates as Transport Protection
A newly created rights policy template can be associated with a transport rule by either creating a new
rule (New-TransportRule cmdlet) or modifying an existing rule (Set-TransportRule cmdlet) via Remote
Windows PowerShell along with the use of the ApplyRightsProtectionTemplate parameter. For more
information, see the TechNet articles Transport Protection Rules and Create a Transport Protection Rule,
which also includes a link to information describing how to disable a rule.

Important:
Improperly constructed transport rules have the potential to cause the issuance of a large
volume of non-delivery reports (NDRs) and to degrade system performance. Confirming
transport rule logic is essential before associating a template with a transport rule. To disable a
malfunctioning transport rule, use the Disable-TransportRule "transport_rule_name"
cmdlet of Remote Windows PowerShell and the Enable-TransportRule
"transport_rule_name" cmdlet to re-enable the rule. To completely remove
a disabled transport rule, contact Microsoft Online Services Support.

Note:
If a rights policy template used by a transport protection rule is deleted from the Office 365 AD RMS cluster while the transport rule still references it, the RMS server will fail to license the content and an NDR will be sent to the sender.
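The following Windows PowerShell session is an added example (not from this guide) of associating a template with a transport rule in a way that respects the two warnings above: it confirms that the template is a distributed (not Archived) template in the Office 365 cluster, creates the rule disabled, verifies the stored predicates and IRM licensing, and only then enables it. The rule name, predicate words and test sender are assumptions; run it in a Remote Windows PowerShell session connected to Exchange Online.

```powershell
# Added example: attach an Office 365 rights policy template to an Exchange transport rule.
$templateName = 'O365 - FTE Only'
$ruleName     = 'Protect - HR Confidential'   # assumption
$testSender   = 'hr.user@customer.com'        # assumption: a mailbox that will send protected mail

# Only templates created in the Office 365 cluster are usable; Archived (TPD-imported)
# templates are not, so filter on Distributed and fail early if the name is absent.
$template = Get-RMSTemplate -Type Distributed | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    throw "Template '$templateName' is not a distributed template in the Office 365 AD RMS cluster."
}

# Create the rule disabled so a logic error cannot generate a flood of NDRs.
New-TransportRule -Name $ruleName `
    -SentToScope InOrganization `
    -SubjectOrBodyContainsWords 'HR Confidential' `
    -ApplyRightsProtectionTemplate $template.Name `
    -Enabled $false | Out-Null

# Check the stored predicates and action, and confirm IRM licensing works for the sender.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, SentToScope, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate
Test-IRMConfiguration -Sender $testSender

# Enable only after the output above matches the intent.
Enable-TransportRule -Identity $ruleName

# Emergency stop if NDRs spike (complete removal requires Microsoft Online Services Support):
# Disable-TransportRule -Identity $ruleName
```

Because a rule that references a deleted template produces NDRs rather than a configuration error, keep the Get-RMSTemplate check as part of any later change to the rule as well.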

Journaling Report Decryption


When sending messages to an external journal archive, IRM-protected messages and a decrypted
(clear-text) copy of each message will be included in the journal reports. Any Microsoft Office and XPS
attachments also will be decrypted and a protected and unprotected copy of the attachment will
accompany the archived message. Having unencrypted copies of the message and attachments allows
these messages to be indexed and searched for legal discovery and regulatory purposes. The original
IRM-protected message is also included in the report.

Note:
Forced Transport Layer Security (TLS) communication is recommended between Exchange
Online and the target external archiving system to prevent any information from being
transported in an unencrypted state.
If the Proofpoint service provided by Exchange Online is used as an archiving solution, Proofpoint will not process a journal report that contains both an encrypted and a decrypted copy of an Exchange message; the message will instead be moved to the Archiving Issues folder. An alternative procedure is to request disablement of transport server decryption for all IRM-protected messages, allow a single encrypted copy of each message to be retrieved by Proofpoint, and allow Proofpoint to index the To, From, Date, Subject, and Attachment Type attributes of the message. For eDiscovery purposes, compliance personnel can use an elevated privilege to examine IRM-protected messages held in Proofpoint (or in other mailboxes) by implementing the super user access method described in the IRM Super User Access section.

Considerations for SharePoint Online


Rights policy templates similar to those used by Microsoft Office clients are not used by SharePoint
Online. Protection policies are solely based upon IRM policy settings for the SharePoint Online library or
list.
Any additional protection applied to the content other than AD RMS protection from within the Office
365 environment (for example, protection provided by third-party applications or by a SharePoint
system outside of the Office 365 environment) cannot be decrypted by SharePoint Online. The content
will be considered opaque to SharePoint Online which means indexing and identification using the
search capability of SharePoint Online will not be possible.

Using IRM Clients
Information Rights Management (IRM) functionality in Office 365 can use a variety of client-based
systems and devices. The list of supported clients includes traditional rich client desktop and laptop
systems using Microsoft Outlook or Microsoft Outlook Web App, popular Web browsers that support
Outlook Web App Premium version, and select mobile devices.
IRM protection is applied to email by applying an AD RMS rights policy template to the email message.
Usage rights are attached to the message itself to allow protection to be in effect while the client is
online or offline and also while the client is inside and outside of an organization's firewall. The rights
policy template applied to an email message can control what permissions recipients have on a
message and Microsoft Office attachments such as forwarding, extracting information from a message,
saving a message, or printing a message.

Note:
Email attachments that are not a native Office file type are encrypted along with the Exchange Online email message, but once the message is decrypted the attachment carries no IRM restrictions of its own. In SharePoint Online, no protection is applied to a non-native Office file type that is uploaded into, or downloaded from, a document library or list.
You can find client information on Microsoft TechNet and from other Microsoft sources to help you
become familiar with the steps to configure an IRM client and how to interact with the IRM user
interface for these clients. The information below includes special notes and links to reference material.
A complete list of supported features and limitations is included in the AD RMS Service Description
(Legacy Platform Release) accessible via the IRM landing page of the Customer Extranet site.

Rich Client Systems


The following requirements and recommendations exist for rich client systems (for example, Windows
operating system based) used for IRM protection.

Use Latest AD RMS Client
All clients that use IRM must use the latest AD RMS client and install the hotfix to remove the manifest
expiry feature on client systems (Microsoft Support article 979099).

Distribute Rights Policy Templates


Client systems require a copy of the Office 365 rights policy templates. Propagation of the templates is
accomplished by following methods commonly used for on-premises AD RMS installations, namely, (1)
via the AD RMS web service; (2) from a client that has already downloaded the templates via the web
service; (3) via a publishing universal naming convention (UNC) location. If a UNC location is used, the
location must be on-premises and the Office 365 AD RMS service account must have write access
permissions to the UNC location. A slip stream Change Request must be placed with Microsoft Online
Services to establish a UNC template export arrangement.

Configure Local Intranet Zone in Internet Explorer


Clients used for IRM applications must be configured to use Windows Integrated Authentication when
accessing the Office 365 licensing URL. The most common method to implement the settings is to place
the fully qualified domain name (FQDN) for the Office 365 AD RMS licensing URL in the Local Intranet
Zone within the security settings of Internet Explorer. The Group Policy settings feature of Active
Directory can be used to distribute the security setting. We also recommend adding the FQDN of the
local AD RMS cluster to the Local Intranet Zone of the client.

Implement Registry Overrides to Point to Office 365 Licensing URL


To simplify administration and support, a single AD RMS cluster can be used for licensing. For more
information about the method that allows you to set client registry override keys, see the TechNet
article AD RMS Client Service Discovery. The EnterprisePublishing key should be set to the URL of the
Office 365 AD RMS licensing cluster (for example, https://rms.999.d.office365.com) to allow the AD RMS
client to discover the Office 365 AD RMS cluster. You can obtain the value for your Office 365
environment from the Office 365 Deployment Program Manager assigned to your organization.

Clean Up Previous AD RMS Customizations
All AD RMS clients that were used with a previous AD RMS release should be re-initialized by
performing the following:
1. Delete the Digital Rights Management (DRM) folder in %localappdata%\Microsoft\
2. Delete any cached configurations stored in the following registry locations:
a) HKEY_CURRENT_USER\Software\Microsoft\Office\X.0\Common\DRM
b) HKEY_CURRENT_USER\Software\WoW6432Node\Microsoft\Office\X.0\Common\DRM
3. Delete any custom AD RMS-related registry values that may have been deployed.
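The three client tasks above (Local Intranet Zone entry, licensing URL override, and clean-up of previous customizations) can be scripted together. The following Windows PowerShell script is an added example (not from this guide); it assumes the fictitious Office 365 licensing URL used in the guide, an on-premises cluster FQDN of rms.customer.com, Office 2010 and 2013 (14.0 and 15.0), and that Internet Explorer stores per-user zone assignments under ZoneMap\Domains. Run it elevated, in the context of the user being re-initialized, with Office closed.

```powershell
# Added example: re-initialize the AD RMS client and point licensing at the Office 365 cluster.
$licensingUrl   = 'https://rms.999.d.office365.com/_wmcs/licensing'  # assumption: from your Deployment Program Manager
$onPremCluster  = 'rms.customer.com'                                  # assumption: on-premises AD RMS cluster FQDN
$officeVersions = '14.0', '15.0'                                      # assumption: Office 2010 and Office 2013

# 1. Clean up previous AD RMS customizations (user certificates and cached Office DRM settings).
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\DRM" -Recurse -Force -ErrorAction SilentlyContinue
foreach ($v in $officeVersions) {
    foreach ($base in 'HKCU:\Software\Microsoft', 'HKCU:\Software\WoW6432Node\Microsoft') {
        Remove-Item -Path "$base\Office\$v\Common\DRM" -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# 2. Add an FQDN to the Local Intranet Zone (zone 1) for HTTPS so Windows Integrated
#    Authentication is used. IE stores this as Domains\<registrable domain>\<host part>
#    (assumption about the ZoneMap layout; two-label names go directly under Domains).
function Add-LocalIntranetHost([string]$Fqdn) {
    $labels = $Fqdn.Split('.')
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if ($labels.Length -lt 3) {
        $key = "$zoneMap\$Fqdn"
    } else {
        $domain   = $labels[-2..-1] -join '.'
        $hostPart = $labels[0..($labels.Length - 3)] -join '.'
        $key = "$zoneMap\$domain\$hostPart"
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
}
Add-LocalIntranetHost ([Uri]$licensingUrl).Host
Add-LocalIntranetHost $onPremCluster

# 3. Service discovery override: EnterprisePublishing (licensing) -> Office 365 cluster.
#    Activation (certification) is left untouched, as the guide only overrides publishing.
#    Both the native and the Wow6432Node keys are set so 32-bit Office on x64 sees the override.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSDRM\ServiceLocation') {
    $key = "$root\EnterprisePublishing"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '(default)' -Value $licensingUrl
}

# 4. Show the resulting override for verification.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing' |
    Select-Object -ExpandProperty '(default)'
```

In production the zone entry is better delivered through the Group Policy site-to-zone assignment the guide mentions; the script form is useful for a single workstation during troubleshooting.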

Web Browsers and Office Online


Only the premium version of Outlook Web App (version for a thick client Web browser) provides
support for IRM in Exchange Online. If you use the light version on a mobile device, it will not render
IRM-protected messages or documents. To use Outlook Web App with a thick client web browser, the
pre-licensing capability must be enabled in Exchange Online.
In SharePoint Online, content placed in an IRM-protected document library or list is opened in a Web
browser by Office Online as read-only. For more information about forcing IRM-protected items to
open in the native application loaded on the client, see Set the default open behavior for browser-
enabled documents (Office Web Apps when used with SharePoint 2013).

Note:
Use of the Print Screen function and the Snipping Tool can't be blocked when viewing IRM-protected content in a Web browser application (i.e., Outlook Web App or Office Online).

For the latest list of supported browsers for the IRM feature, see Office 365 system requirements (Web
browsers sections). For more information about additional browser constraints in SharePoint Online,
see Plan browser support in SharePoint 2013.

Mobile Devices
Mobile device support is provided for Windows Mobile 6.x and Windows Phone version 7.5 and later
devices. IRM feature functionality support is not provided by Microsoft for Android, BlackBerry OS,
Apple iOS, or Nokia Symbian OS devices. Third-party products providing IRM-enabled applications for
the unsupported devices may exist. Microsoft does not endorse the use of, or provide support for, any
third-party IRM products.
Similar to the use of a web browser to interact with the IRM environment of Office 365, the pre-
licensing capability must be enabled in Exchange Online for mobile devices. TechNet articles related to
the use of mobile devices provided by Microsoft include:
Integrate AD RMS and Windows Mobile
Opening AD-RMS Protected Files on Your Windows Mobile Phone.
Windows Phone version 7.5 and later all include built-in functionality to access rights-managed email
and Office documents.
An up-to-date list of supported mobile devices is described in the AD RMS Service Description (Legacy
Platform Release) accessible via the IRM landing page of the Customer Extranet site.

Supporting the IRM Environment
The following table summarizes the assigned ownership of Information Rights Management (IRM)-
related support issues that arise in the Office 365 environment.

Function or Scenario                        Customer  Microsoft
------------------------------------------  --------  ---------
Troubleshooting client issues               Yes       No
    Follow the procedures described in the IRM Client Diagnostic Handbook, available from the Customer Extranet site (see your service delivery manager (SDM) for Customer Extranet site access). The tools described can be used for initial troubleshooting, gathering environmental information, and reconfiguring AD RMS on the client machine. If client issues persist, your organization must use its Microsoft Premier Support Contract to access AD RMS specialists at Microsoft technical support.

On-premises AD RMS server support           Yes       No
    Performing any steps against the on-premises AD RMS servers. If server issues persist, your organization must use its Microsoft Premier Support Contract to access AD RMS specialists at Microsoft technical support.

O365 AD RMS issues that affect all users    No        Yes
    Office 365 users of your environment are unable to connect to the Office 365 licensing pipeline URL after you have verified that the following on-premises services are functional: AD RMS service, network, DNS, Active Directory Domain Services, and client computers.

Implement tasks requested through the       No        Yes
Change Request Analysis System (CRAS)
    Contact your SDM to place an environment change within CRAS. After the request has been received and processed, Microsoft implements the specified changes.

A service request for support from Microsoft will require that your organization provide specific error
messages, client operating system version, client application software with version number (for example,
Outlook and Internet Explorer), and related information. To submit a request, you use the IRM template
in the Escalation Template/Infrastructure folder of the Customer Extranet site for Office 365 dedicated
plans.

IRM Super User Access
The AD RMS super user access feature provides the ability for your authorized personnel to examine
IRM-protected content for compliance purposes. Your organization must create a Universal Distribution
Group to hold the Active Directory user accounts placed into the group by your administrative staff. A
member of the group will have rights to open IRM-protected mail messages and files.

Create or Identify a Universal Distribution Group


To support super user access, your organization is required to provide the name of an on-premises
Universal Distribution Group that will be granted access in the Office 365 AD RMS cluster. If a specific
Universal Distribution Group is already used for super user access by the on-premises AD RMS cluster,
the same group can be used by the Office 365 cluster. Alternatively, a different UDG can be created.
Controlling access to the chosen group and regularly auditing membership changes of the group is
strongly recommended.

Note:
The Universal Distribution Group must be outside the scope of Office 365 directory
synchronization (MMSSPP). The Universal Distribution Group must have an email address
specified in the mail attribute object in Active Directory; the email address must be unique and
should not be re-used on any other objects in any of your directories.
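As an added example (not from this guide), the following Windows PowerShell script creates the super user group so that it satisfies the note above (Universal scope, Distribution type, unique mail address) and provides a membership audit that compares the current members against a saved baseline, as the recommendation above calls for. The group name, address, OU and baseline path are assumptions; keeping the group out of MMSSPP synchronization scope is an on-premises configuration step that the script cannot perform.

```powershell
# Added example: create the AD RMS super user group and audit its membership.
Import-Module ActiveDirectory

$groupName    = 'RMS-SuperUsers'                          # assumption
$groupMail    = 'rms-superusers@customer.com'             # assumption: must be unique forest-wide
$groupOu      = 'OU=Privileged Groups,DC=customer,DC=com' # assumption: OU outside MMSSPP sync scope
$baselinePath = 'C:\RmsAudit\superusers-baseline.txt'     # assumption

# The mail attribute must be unique. Query the global catalog (port 3268) so the search covers
# the forest (assumes a single-tree forest; multi-tree forests need one search per tree).
function Test-MailAddressUnique([string]$Mail) {
    $gc     = "$((Get-ADForest).Name):3268"
    $root   = (Get-ADRootDSE -Server $gc).rootDomainNamingContext
    $filter = "(|(mail=$Mail)(proxyAddresses=smtp:$Mail))"
    $hits   = Get-ADObject -LDAPFilter $filter -Server $gc -SearchBase $root
    return ($null -eq $hits)
}

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    if (-not (Test-MailAddressUnique $groupMail)) {
        throw "$groupMail is already in use on another object; pick another address."
    }
    New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Distribution `
                -Path $groupOu -OtherAttributes @{ mail = $groupMail } `
                -Description 'AD RMS super users: members can open any IRM-protected content. Audit membership.'
}

# Membership audit: on the first run record a baseline; on later runs report additions and removals.
function Compare-SuperUserMembership {
    $current = @(Get-ADGroupMember -Identity $groupName -Recursive |
                 Select-Object -ExpandProperty SamAccountName | Sort-Object)
    if (-not (Test-Path $baselinePath)) {
        New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
        $current | Set-Content -Path $baselinePath
        return "Baseline recorded with $($current.Count) member(s)."
    }
    $baseline = @(Get-Content -Path $baselinePath)
    $added    = $current  | Where-Object { $baseline -notcontains $_ }
    $removed  = $baseline | Where-Object { $current  -notcontains $_ }
    if (-not $added -and -not $removed) { return 'No membership change since baseline.' }
    $added   | ForEach-Object { "ADDED:   $_" }
    $removed | ForEach-Object { "REMOVED: $_" }
}

Compare-SuperUserMembership
```

Schedule the audit function to run regularly and route any ADDED/REMOVED output to the team that owns compliance access; refresh the baseline file only after a reported change has been reviewed.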

Configure the Access Control List on the GroupExpansion Folder
When the Office 365 AD RMS service was activated, the MGD-GSG-RMSService security group was
granted read and execute permissions on specific Web Services source files (.asmx) used by the on-
premises AD RMS cluster. The permissions granted allow the Office 365 AD RMS service to certify on-
premises users. Similar steps must be followed for the GroupExpansion.asmx file on all AD RMS Root

Certification clusters to allow AD RMS to validate user permissions. For specific instructions on this task,
see the TechNet article Configure the Access Control List on the GroupExpansion Folder.

Verify the GroupExpansionServiceURL Value


The GroupExpansionServiceURL value in the on-premises AD RMS Root Certification Cluster
database must be set to the Certification URL DNS name. If the certification URL was renamed on the
on-premises Root Certification Cluster, the value will be set to the Licensing URL DNS name and must
be updated. To view or update the value, use the RMS Config Editor utility in the Rights Management
Services Administration Toolkit, which is available at the Microsoft Download Center.
To view the GroupExpansionServiceURL value, connect to the database server, select the configuration database, and view the contents of the DRMS_ClusterPolicies table. Locate the GroupExpansionServiceURL row in the table (typically row 124). Use the RMS Config Editor, not direct SQL updates, to change the value. For more information on using the RMS Config Editor, refer to the Readme_RMS_Config_Editor file provided with the Rights Management Services Administration Toolkit.
Example
Intranet cluster URLs
    Licensing: https://licensing.customer.com/_wmcs/licensing
    Certification: https://certification.customer.com/_wmcs/certification/certification.asmx
Extranet cluster URLs
    Licensing: https://licensing.customer.com/_wmcs/licensing
    Certification: https://certification.customer.com/_wmcs/certification/certification.asmx
If the current GroupExpansionServiceURL value is https://licensing.customer.com/_wmcs/groupexpansion, it must be updated to https://certification.customer.com/_wmcs/groupexpansion.
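The following Windows PowerShell function is an added example (not from this guide) that performs the check above read-only from SQL rather than by inspecting the table by eye: it reads the current GroupExpansionServiceURL from the configuration database, derives the expected value from the certification URL, and reports whether an update with the RMS Config Editor is needed. The SQL instance, the configuration database name, and the PolicyName/PolicyData column names are assumptions; the script never writes to the database.

```powershell
# Added example: compare GroupExpansionServiceURL with the value derived from the certification URL.
function Get-ExpectedGroupExpansionUrl([string]$CertificationUrl) {
    # The expected value keeps the certification scheme and host and uses the fixed groupexpansion path.
    $uri = [Uri]$CertificationUrl
    return ('{0}://{1}/_wmcs/groupexpansion' -f $uri.Scheme, $uri.Host)
}

function Test-GroupExpansionServiceUrl {
    param(
        [string]$SqlServer = 'SQL01\ADRMS',                            # assumption: AD RMS database instance
        [string]$ConfigDb  = 'DRMS_Config_licensing_customer_com_443', # assumption: configuration database name
        [string]$CertificationUrl = 'https://certification.customer.com/_wmcs/certification/certification.asmx'
    )
    $connectionString = "Server=$SqlServer;Database=$ConfigDb;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection($connectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Read-only query; PolicyName/PolicyData column names are assumptions.
        $cmd.CommandText = "SELECT PolicyData FROM DRMS_ClusterPolicies WHERE PolicyName = 'GroupExpansionServiceURL'"
        $current = [string]$cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }

    $expected = Get-ExpectedGroupExpansionUrl $CertificationUrl
    if ($current.TrimEnd('/') -ieq $expected) {
        "OK: GroupExpansionServiceURL = $current"
    } else {
        "UPDATE NEEDED: current '$current', expected '$expected' (set it with the RMS Config Editor)"
    }
}

Test-GroupExpansionServiceUrl
```

Run it with an account that has read access to the AD RMS configuration database; a mismatch on a renamed cluster is exactly the licensing-host value shown in the example above, and the fix is made in the RMS Config Editor, never with an UPDATE statement.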

Active Directory Rights Management Services FAQs for Office 365 Dedicated
Information Rights Management (IRM) is an optional feature available with the Exchange Online and
SharePoint Online services of Office 365 dedicated plans. Active Directory Rights Management Services
(AD RMS) is the underlying Microsoft technology used to support IRM. The following frequently asked
questions (FAQs) can help you better understand IRM functionality and how AD RMS is implemented.

Note:
1. See Information Rights Management for Office 365 Dedicated for a complete description of
how to implement, administer, and support an IRM implementation in Office 365 dedicated
plans.
2. Unless otherwise indicated, the information presented also applies to the International Traffic in
Arms Regulations (ITAR-support) version of Office 365.
3. Recent updates applied to this article contain an asterisk (*) at the beginning of each item title.

1. What is a RAC?
A rights account certificate (RAC) identifies a user account by binding the account into the pre-
production or production certificate hierarchy. Each RAC is tied to the machine certificate of the
computer on which the user is activated. A RAC and a machine certificate must exist before an end-
user license can be created and content encrypted or decrypted. A user can have more than one
RAC on a computer, one for each AD RMS service against which the user is activated, but the user
cannot transfer a RAC between computers.

2. What is a TUD and how is it used?
A trusted user domain (TUD) is an AD RMS file that is similar in function to the public key of an
X.509 private/public key pair. The act of adding a TUD from one AD RMS cluster to another cluster
results in the receiving AD RMS cluster trusting the RACs that were issued by the source AD RMS
cluster. Exchanging a TUD is similar to implementing an Active Directory trust in that it allows users
from one Active Directory environment to be trusted by another Active Directory environment.
3. What is the scope and frequency of TUD export from the on-premises environment followed
by import into Office 365?
The TUD of every on-premises forest containing accounts for users that also will utilize Office 365 is
required. Each TUD is imported once into the Office 365 AD RMS managed cluster.
4. Is the Office 365 TUD imported into the on-premises AD RMS systems of the customer?
The TUD for the Office 365 managed AD RMS cluster does not need to be imported into the
customer environment.
5. What is a TPD?
A trusted publishing domain (TPD) is an export of the server licensor certificate (SLC), the matching
private key, and the rights policy templates of an AD RMS cluster. Importing a TPD allows the
importing AD RMS cluster to issue use licenses against publishing licenses that were issued by the
exporting cluster. Because the TPD export contains the cluster's private key, the export file is
password protected and must be handled and transferred with the same care as any other private
key material. TPD sharing is only useful for Exchange Online and is most common when both
on-premises Exchange and Exchange Online are in use. TPD sharing is optional.

6. What circumstances require the on-premises TPD to be provided for use within Office 365?
The TPD of the on-premises AD RMS environment is needed to allow Exchange content protected
on-premises to be decrypted by Exchange Online. The import of the TPD is used to transfer all of
the on-premises rights policy templates to the online environment (see FAQ entries below for
further info re: template management). In addition, the TPD is used to support the following IRM
features:
Prelicensing
Outlook Web App WebReady document viewing
IRM Decryption for Exchange Search
IRM in Outlook Web App
Journal Report Decryption
IRM with Exchange ActiveSync clients

Note:
Transport Decryption can be provided by Exchange Online by creating new templates for this
purpose within Office 365 (see guidelines regarding template creation within the Office 365 IRM
Feature Guide). See the IRM agents table in Information Rights Management for a handy
reference describing how IRM agents on Exchange Transport servers are used to support the
above listed features.
A customer with more than one licensing cluster may choose to enable the above features for only
a subset of their content protected on-premises by providing the TPD from selected RMS licensing
clusters. If the on-premises TPD is not provided, Exchange Online will process content protected
on-premises as opaque. Messages and files will be delivered using Exchange Online but the content
will not be rendered within Outlook Web App, scanned for malware, available for transport rules,
decrypted for journaling, indexed for searching, or delivered to Exchange ActiveSync devices.

7. Is the on-premises TPD needed to decrypt content placed within SharePoint?
SharePoint does not utilize the on-premises TPD. If content protected by an on-premises IRM
system is uploaded into SharePoint Online, the content will not be decrypted and the existing
protection will be preserved. In this scenario, SharePoint Online also will not be able to index or
search the IRM protected file.
8. Is the export of the on-premises TPD a one-time operation or are there scenarios where the
TPD needs to be re-exported and provided to Office 365?
The export of the on-premises TPD and the import into Office 365 is needed to enable IRM features
for Exchange Online. Following the initial export/import procedure, the following circumstances will
trigger the need to re-export the on-premises TPD for import into Office 365:
Changes made to on-premises AD RMS rights policy templates.
Creation of new on-premises AD RMS rights policy templates.
Rights policy templates that are imported via TPD exchange are locked for editing; this is an AD
RMS product characteristic, not a design decision of Office 365. Because the imported templates
cannot be modified, any template change made in the on-premises environment must be
re-exported for import into Office 365.

Note:
If User Rights settings are changed within an on-premises template and the corresponding
template within Office 365 is not updated, content protected by Exchange Online or consumed
by authorized users within Exchange Online will utilize the older set of User Rights.

If content is protected within the on-premises environment using a newly created rights
policy template and the template is not exported for use by Exchange Online, an attempt to
decrypt content within Office 365 by a consumer or by an IRM feature requiring this specific
template will fail.
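The two re-export triggers above can be checked mechanically before content starts failing to open. The following is an added example, not code from this guide: it compares a constructed on-premises template inventory with the copy that Office 365 received through the last TPD import and reports which templates are new or changed (and therefore need a re-export) and which Office 365 copies are Archived. The template names, principals and rights are hypothetical sample data.

```python
"""Detect on-premises AD RMS rights policy template changes that require the
TPD to be re-exported and imported into Office 365 (FAQ 8).

Added example, not code from the guide. Template names, principals and
rights below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    name: str
    rights: frozenset          # (principal, right) pairs granted by the template
    archived: bool = False     # copies imported via TPD exchange are marked Archived


def template(name, rights, archived=False):
    return Template(name, frozenset(rights), archived)


def find_template_drift(on_prem, office365):
    """Compare the on-premises template set with the copy held by Office 365.

    Returns a dict describing what misbehaves until the TPD is re-exported:
    content protected with a template missing in Office 365 cannot be decrypted
    there, and changed templates are enforced with the stale User Rights.
    """
    o365 = {t.name: t for t in office365}
    new_templates, changed_templates = [], []
    for t in on_prem:
        if t.name not in o365:
            new_templates.append(t.name)
        elif o365[t.name].rights != t.rights:
            changed_templates.append(t.name)
    # Archived (TPD-imported) templates cannot be edited in Office 365 or used
    # in Exchange transport rules (FAQ 17).
    archived = sorted(t.name for t in office365 if t.archived)
    return {
        "reexport_required": bool(new_templates or changed_templates),
        "new_templates": new_templates,
        "changed_templates": changed_templates,
        "archived_in_office365": archived,
    }


# Constructed inventories: on-premises is authoritative; Office 365 holds the
# TPD-imported copy plus any template created directly in the service.
ON_PREM = [
    template("Contoso Confidential", {("everyone@contoso.com", "VIEW")}),
    template("HR Only", {("hr@contoso.com", "VIEW"), ("hr@contoso.com", "EDIT")}),
    template("Board Only", {("board@contoso.com", "VIEW")}),  # created after the last export
]
OFFICE365 = [
    template("Contoso Confidential", {("everyone@contoso.com", "VIEW")}, archived=True),
    template("HR Only", {("hr@contoso.com", "VIEW")}, archived=True),  # EDIT added on-premises later
    template("O365 Transport Protect", {("everyone@contoso.com", "VIEW")}),  # created in Office 365
]

if __name__ == "__main__":
    for key, value in find_template_drift(ON_PREM, OFFICE365).items():
        print(f"{key}: {value}")
```

Run it against the real inventories exported from both sides; a non-empty `new_templates` list is the case where decryption in Office 365 fails outright, while `changed_templates` is the quieter case where Office 365 keeps enforcing the older rights.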

9. If a customer elects to provide their on-premises TPD to Office 365, how is it used within the
service?
The customer TPD is used to decrypt content that was protected using the customer's AD RMS
service. When an Exchange Online Transport server needs to decrypt content, it calls the Office
365 AD RMS service to license the content. The TPD is also used to support the features described
in question 6.
10. When is the Office 365 TPD used to encrypt content?
The Office 365 TPD (encryption key) is used when the Exchange Online Transport server is required
to encrypt content. This occurs when Outlook Web App or an Exchange ActiveSync client is used for
protecting content and when a transport rule is used to apply AD RMS protection.
11. What security controls are used to protect keys stored in the Office 365 AD RMS service?
Office 365 follows applicable security best practices documented for the AD RMS product including
least privilege access, database isolation, and physical access controls. A comprehensive explanation
of Office 365 security practices can be found in Standard Response to Request for Information
Security and Privacy at the Microsoft Download Center.
12. Can the Office 365 AD RMS service be configured to allow templates to be published to a
Uniform Naming Convention (UNC) location?
Yes, but the following conditions apply:
An on-premises UNC path is required.
The Office 365 AD RMS service account must have write access to the UNC location. Scope the
share and NTFS permissions to the template folder alone, so that this remote service account
holds no broader write access within the on-premises environment.
13. Can the Office 365 TPD be exported and made available for use in a customer managed on-
premises AD RMS environment to allow content encrypted using the Office 365 AD RMS
service to be decrypted on-premises?
The Office 365 TPD can be exported and provided for use in the customer environment for
situations requiring the bulk decryption of content to support litigation discovery and the migration
of accounts from Office 365 back to the on-premises environment. Your service delivery manager
(SDM) can assist with providing instructions to place the request and the import guidelines to be
followed.

14. How is the two-way Active Directory trust used in conjunction with the Office 365 AD RMS
service account to access on-premises RMS cluster(s)?
The Office 365 AD RMS service account uses the Allowed to Authenticate right (granted on the on-
premises Active Directory domain controllers and AD RMS web servers) to authenticate to the on-
premises Active Directory and to look up the on-premises AD RMS service connection point. The
Office 365 AD RMS server then makes HTTPS requests to the Certification URL found in the on-
premises service connection point in order to retrieve RAC information for users that need licenses
for content. More specifically, the _wmcs/certification/server.asmx and
_wmcs/certification/precertification.asmx files are called by the Office 365 AD RMS service using the
identity of the Office 365 AD RMS service account.
15. Is the Office 365 AD RMS service account granted permissions directly to the on-premises
Active Directory and AD RMS service or is an Active Directory security group used?
Office 365 will provide an Active Directory security group for use in configuring the necessary
permissions. A security group is used instead of the AD RMS service account for ease of
troubleshooting as well as flexibility with future design changes. The use of groups rather than
individual security principals is a well-established best practice.
16. How can membership be monitored for the group used to allow the Office 365 AD RMS
service account to access the on-premises AD RMS service?
Customers can monitor the membership of the Active Directory group used to grant access to
on-premises resources with their own tooling; however, this capability may not exist within Office
365 in the future. Office 365 does not provide any reporting regarding this configuration item.
Because every member of this group receives the Allowed to Authenticate right on the
on-premises domain controllers and AD RMS web servers, membership changes should be alerted
on like any other privileged group change.

17. How can Office 365 Exchange transport rules be configured to apply AD RMS protection?
Standard self-service tools are used to configure transport rules for Exchange Online. To associate a
rights policy template with a transport rule, the customer must first create the template within the
Office 365 AD RMS service. Template management is possible using either the AD RMS
Administration snap-in for the Microsoft Management Console (MMC) or Remote Windows
PowerShell. A customer can also use Remote Windows PowerShell commands to associate the
template with a specific rule.

Note:
AD RMS rights policy templates imported into the Office 365 service using the TPD
exchange method are not available for use in Exchange transport rules since these
templates are marked as Archived and cannot be modified. This is an AD RMS product
limitation.
18. If a new AD RMS cluster is added within the on-premises enterprise, what tasks are required
to integrate the clusters with Office 365?
Essentially, the same assessment and integration process used for the initial deployment will be
executed again. Because an established environment exists, this process is likely to be completed
more quickly. Implementation time depends upon configuration characteristics.
19. Can an on-premises Exchange server decrypt content protected in the Office 365 service?
The on-premises Exchange server will not be able to decrypt content, however, users with on-
premises mailboxes that use Outlook will be able to read content protected in Office 365.
20. *Why must the on-premises AD RMS Certification URL be different from the Licensing URL? [1]
When the Exchange Online service needs to license (encrypt or decrypt) and process content that
was protected by the customer AD RMS cluster, the licensing transaction must be directed to the
Office 365 AD RMS service. Because the Licensing URL in the protected content wrapper will be the
on-premises Licensing URL, that URL needs to be redirected to the Office 365 AD RMS cluster. This
redirection is accomplished through DNS.
If the customer Licensing and Certification URLs were identical, calls to both URLs would be
redirected to the Office 365 AD RMS service. This would cause the user certification process
(including the process to obtain the user's RAC for use in the licensing process) to fail.

21. *Why does Office 365 recommend changing the Certification URL rather than the Licensing
URL? [1]
Changing an AD RMS Licensing URL has implications on content already protected using that URL
but changing the Certification URL does not affect previously issued RACs. While changing the
customer Licensing URL would meet the Office 365 requirement, the potential impact of making
this change is significant; changing a Certification URL has essentially no impact.

Note:
Microsoft strongly recommends using an FQDN, rather than a single-label name, for the
Certification URL. Using a single-label name (for example, https://certify) for an AD RMS
URL can cause service issues. The first security-related concern is a rogue server set up with
the same single-label name to lure clients into using it to protect content, with no way for
clients to tell the two servers apart. The second concern arises in multi-forest or
cross-company collaboration environments, where different AD RMS servers with identical
names would conflict: an attempt to exchange protected content between the identically
named servers would fail because clients are directed to the wrong cluster after resolving
the single-label server name. These issues are not specific to the Office 365 implementation;
the use of an FQDN is a general AD RMS best practice.

22. *An attempt to change the Certification URL using the AD RMS Administration snap-in for
MMC was not allowed. How can the change be applied? [1]
The AD RMS Certification URL cannot be changed using the AD RMS Administration snap-in for
MMC. The AD RMS Certification URL can be changed by directly modifying the
serviceBindingInformation attribute of the AD RMS service connection point (SCP) in Active
Directory. This operation can be done using ADSI Edit, LDP, or another Active Directory object editor.
23. *How will changing the Certification URL affect the AD RMS service and clients? [1]
Changing the Certification URL shouldn't affect any existing services, clients, or content. If a client
has trouble reactivating after the SCP has been changed, the DRM folder under the user's profile
(typically %LOCALAPPDATA%\Microsoft\DRM) can be deleted to force the client to reactivate itself
with the new URL.

24. Why is it recommended to configure Extranet URLs for the on-premises AD RMS service?
Different IRM-enabled applications follow different sequences to license content. Some attempt to
utilize the Intranet URL stamped in protected content first; if this fails, the application will try the
Extranet URL. Other applications follow the opposite sequence. Some applications will assume the
Extranet URL is valid and not try the Intranet URL if the former is not present. In order to avoid
failure scenarios or performance issues due to applications looking for the Extranet URL and not
finding it, it is strongly recommended that an Extranet URL is configured. Adding an Extranet URL is
not related to actually publishing the service to the Internet and can be done at any time without
impacting the service.
25. Is a new SSL certificate required for the on-premises AD RMS service?
The on-premises AD RMS SSL certificate must contain all URLs that are used to contact the on-
premises AD RMS service. If the Certification URL must be changed to meet Office 365 integration
requirements, then the SSL certificate will need to be updated to include the new Certification URL.
26. *After a rename of the on-premises Certification URL, is it possible to use a DNS CNAME
(alias) record to resolve the Certification URL to the Licensing URL? [1]
No, the fully qualified name in the Certification URL cannot resolve as an alias to the fully qualified
name of the Licensing URL. If the Certification URL were to resolve as the Licensing URL, calls to
either URL would be redirected to the Office 365 AD RMS service. However, it is possible to use a
DNS alias record to resolve the Licensing URL to the Certification URL.
27. *Is it possible to make the on-premises AD RMS Certification URL a DNS subdomain of the
Licensing URL? [1]
The Certification DNS name must not fall within the DNS path of the Licensing name. For instance,
if the Licensing URL is https://rms.contoso.com, the Certification URL cannot be
https://certify.rms.contoso.com.
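Questions 20 through 27 amount to a set of naming rules that can be checked before the DNS redirection and certificate work is done. The following is an added example, not code from this guide: a pre-flight check that takes the proposed Certification and Licensing URLs, the Extranet URL, the subject alternative names on the on-premises SSL certificate, and the relevant CNAME records, and reports every rule the configuration breaks. All contoso.com hostnames, DNS records and certificate names in it are constructed sample data, and the `legacy_platform` switch models the footnote below: once the environment runs the Exchange Server 2013 platform the distinct-URL rules are no longer enforced.

```python
"""Pre-flight check of on-premises AD RMS URLs against the Office 365
integration constraints described in FAQ 20, 21, 24, 25, 26 and 27.

Added example, not code from the guide. All hostnames, DNS records and
certificate names below are constructed sample data.
"""
from urllib.parse import urlsplit


def _scheme_and_host(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").rstrip(".").lower()


def _is_subdomain(child, parent):
    """True when child lies within the DNS path of parent (FAQ 27)."""
    return child != parent and child.endswith("." + parent)


def resolve_alias(name, cnames, max_hops=8):
    """Follow a CNAME chain in an {alias: target} map and return the final name."""
    seen = set()
    while name in cnames and name not in seen and len(seen) < max_hops:
        seen.add(name)
        name = cnames[name]
    return name


def _san_covers(host, san):
    """Exact match, or a single-level wildcard such as *.contoso.com."""
    if san.startswith("*."):
        return host.endswith(san[1:]) and host.count(".") == san.count(".")
    return host == san


def check_adrms_urls(certification, licensing, extranet_licensing=None,
                     cert_sans=(), cnames=None, legacy_platform=True):
    """Return a list of findings; an empty list means the URL set passes.

    legacy_platform=True applies the distinct-URL rules (FAQ 20, 26, 27) that
    the footnote says no longer apply after the Exchange Server 2013 upgrade.
    """
    cnames = {k.lower(): v.lower() for k, v in (cnames or {}).items()}
    findings = []
    scheme_c, cert_host = _scheme_and_host(certification)
    scheme_l, lic_host = _scheme_and_host(licensing)

    for label, scheme in (("Certification", scheme_c), ("Licensing", scheme_l)):
        if scheme != "https":
            findings.append(f"{label} URL must use https")
    for label, host in (("Certification", cert_host), ("Licensing", lic_host)):
        if "." not in host:
            findings.append(f"{label} URL uses single-label name '{host}'; use an FQDN (FAQ 21)")

    if legacy_platform:
        if cert_host == lic_host:
            findings.append("identical Certification and Licensing URLs; DNS redirection of the "
                            "Licensing URL to Office 365 would also redirect certification (FAQ 20)")
        if _is_subdomain(cert_host, lic_host):
            findings.append(f"Certification name '{cert_host}' is a subdomain of Licensing name "
                            f"'{lic_host}' (FAQ 27)")
        # Licensing -> Certification alias is allowed; the reverse is not (FAQ 26).
        if cert_host != lic_host and resolve_alias(cert_host, cnames) == lic_host:
            findings.append(f"Certification name '{cert_host}' is an alias for the Licensing name (FAQ 26)")

    if extranet_licensing is None:
        findings.append("no Extranet URL configured; some IRM clients will fail or stall (FAQ 24)")

    # The on-premises SSL certificate must cover every name used to reach the
    # service (FAQ 25), including the Certification host that the Office 365
    # service account calls over HTTPS (FAQ 14).
    needed = {cert_host, lic_host}
    if extranet_licensing:
        needed.add(_scheme_and_host(extranet_licensing)[1])
    sans = [s.lower() for s in cert_sans]
    for host in sorted(needed):
        if not any(_san_covers(host, san) for san in sans):
            findings.append(f"SSL certificate does not cover '{host}' (FAQ 25)")
    return findings


# Constructed sample configurations (hypothetical contoso.com names).
GOOD = dict(
    certification="https://certify.contoso.com/_wmcs/certification",
    licensing="https://rms.contoso.com/_wmcs/licensing",
    extranet_licensing="https://rms-ext.contoso.com/_wmcs/licensing",
    cert_sans=["rms.contoso.com", "rms-ext.contoso.com", "certify.contoso.com"],
    cnames={"rms.contoso.com": "certify.contoso.com"},  # Licensing -> Certification: permitted
)
BAD = dict(
    certification="https://certify.rms.contoso.com/_wmcs/certification",
    licensing="https://rms.contoso.com/_wmcs/licensing",
    cert_sans=["rms.contoso.com"],
    cnames={"certify.rms.contoso.com": "rms.contoso.com"},  # Certification -> Licensing: not permitted
)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_adrms_urls(**cfg) or ["OK"])
```

The `BAD` configuration trips four rules at once (subdomain, forbidden alias direction, missing Extranet URL, certificate not covering the Certification host), which is the typical result of renaming the Certification URL without revisiting DNS and the certificate together.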
28. Can Journal decryption be disabled?
At the request of the customer, Exchange Journal decryption can be disabled.

29. Why can't users view IRM protected messages in Outlook Web App when the message is also
signed with an S/MIME certificate?
Using IRM and S/MIME together is not supported in the Outlook Web App experience. In scenarios
where both IRM protection and S/MIME signatures are required, users should be directed to use the
Outlook client.
[1] An architecture change implemented within the Exchange Server 2013 platform of Exchange Online
allows the on-premises AD RMS Certification URL and the Licensing URL to be identical rather than
unique. When your environment has been upgraded, either URL configuration can be applied.

