How to Enable Information Rights Management for SharePoint Online & OneDrive for Business


This is a four-part post on Azure Rights Management for Office 365. The Azure RMS service is a powerful tool that we can use to prevent data leakage and share information securely with users inside & outside of the organization.

Follow along as we explore how to:

  1. Activate Azure Rights Management for Office 365 
  2. Configure Email encryption for Office 365 
  3. Compare Email encryption & Rights Management templates 
  4. Enable Rights Management for SharePoint Online & OneDrive for Business (this post)

Before proceeding to enable Rights Management for SharePoint Online & OneDrive for Business services, you must be sure to activate Azure Rights Management for your Office 365 tenancy.

Rights Management for SharePoint Online allows you to assign really interesting permissions to document libraries and lists, such as restricting the ability to print or to download, export or run scripts against content. You can also let the content expire, and force users to authenticate in order to view the content (or else it will remain locked and unable to be read/opened).

 

How-to Enable Rights Management for SharePoint Online

Begin by signing into the Office 365 portal, and navigate immediately to Admin centers > SharePoint.


From the SharePoint Admin center, click Settings on the left. Scroll down to find the Information Rights Management (IRM) section, choose Use the IRM service specified in your configuration, and then choose Refresh IRM Settings.

Now users will be able to apply IRM restrictions to their libraries and files.

 

How-to apply Rights Management to Libraries

The following steps follow this support article from Microsoft; refer to it for more details. As a site administrator, navigate to the SharePoint library for which you would like to enable IRM. On the ribbon, click the Library tab, and then click Library Settings.

Under Permissions and Management, click Information Rights Management.


From here you can restrict permissions, give your policy a name & description, and choose how you’d like to restrict it with SHOW OPTIONS.

Now documents added to this library will be protected according to the rules you set up for the library.


How-to apply Rights Management to OneDrive for Business

You can find these instructions on this TechNet article from Microsoft. You can provide these instructions to your users, and they can enable protections for their own documents!

From OneDrive, click the Settings icon, and then click Site Contents.


Hover on the Documents tile, choose the ellipsis (...), and then click SETTINGS.


On the Settings page, in the Permissions and Management section, click Information Rights Management.


This page should look familiar if you’ve already configured a SharePoint library (above). On the Information Rights Management Settings page, select the Restrict permissions on this library on download check box, specify your choice of name and a description for the permissions, optionally click SHOW OPTIONS to see additional choices, and then click OK.


Testing the results

Let’s see how this behaves. In this example, I set my restrictions to prevent other users from printing the documents they download. Additionally, I’d like the content to expire after 60 days, and the user should have to re-authenticate every 5 days.
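The same test policy can be applied and read back from PowerShell. This is an added example, not part of the original post: it assumes the PnP.PowerShell module, an existing Connect-PnPOnline session to the site that owns the library, and a library named Documents. The mapping of the settings above to cmdlet parameters, the policy title and the description are also assumptions.

```powershell
# Added example (not from the original post). Assumes the PnP.PowerShell module
# and an existing Connect-PnPOnline session to the site that owns the library.
$Library = 'Documents'            # assumed library name

# Settings described in the post: no printing, access expires 60 days after
# download, credentials re-verified every 5 days.
$settings = @{
    AllowPrint                 = $false
    EnableDocumentAccessExpire = $true
    DocumentAccessExpireDays   = 60
    EnableLicenseCacheExpire   = $true
    LicenseCacheExpireDays     = 5
}

Set-PnPListInformationRightsManagement -List $Library -Enable $true `
    -PolicyTitle 'Confidential (constructed title)' `
    -PolicyDescription 'No print; access expires after 60 days' `
    @settings | Out-Null

# Read the policy back and report any value that did not take effect.
$list   = Get-PnPList -Identity $Library -Includes IrmEnabled
$actual = Get-PnPListInformationRightsManagement -List $Library

$drift = foreach ($name in $settings.Keys) {
    if ($actual.$name -ne $settings[$name]) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $settings[$name]
            Actual   = $actual.$name
        }
    }
}

if (-not $list.IrmEnabled) {
    Write-Warning "IRM is not enabled on '$Library'; check the tenant IRM setting first."
} elseif ($drift) {
    $drift | Format-Table -AutoSize
} else {
    Write-Output "IRM policy on '$Library' matches the intended settings."
}
```

Running the read-back half on a schedule is a simple way to notice when a library marked confidential has had its restrictions loosened or switched off.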

Now let’s try inviting someone to the document. Select a document in OneDrive and click Share.


Now we can sign into OWA as the user to whom we sent the share invite. Follow the link to open the document in Word online.

We can also work with the document by choosing Open in Word.

From here, you will see the warning ribbons that explain we have some restrictions on the document.

Click View Permission… to see more details. Notice how we are not allowed to print, and the access will expire in 60 days.


If this user tries to send the document to another person not authorized to view it, e.g. to someone outside of the organization, it is not even readable. If we download the document and try to open it on another computer, we find that we cannot, without signing in with appropriate credentials, or by requesting access from the owner.


Aren’t there always some gotchas?

Yes, it wouldn’t be technology without some gotchas. The first major caveat is simple, and you may have already noticed: in OneDrive for Business you can only enable IRM for the entire OneDrive; it is not possible to turn this lever up or down on individual documents and folders. Bummer.

The second major caveat you have to be aware of is that sharing IRM-protected documents with external users is a bit of a pain in the you-know-what. For starters, external users cannot download and open rights protected documents. In order to do that, they will need an identity in your Office 365 organization.

Indeed, it appears that this limitation has been confirmed by others, and Microsoft support explicitly states that IRM-protected documents sent to external users cannot be downloaded. External users must authenticate using at least a Microsoft Live ID just in order to view the document in a web browser.

Furthermore, when attempting to share with external users from OneDrive, you might get this message:

[Screenshot: X-SP-caveat-0]

I have not found a successful site-level administrative action or permission that will allow this to work like it normally does, when IRM is not enabled, so the message is misleading.

To make external sharing happen successfully, we have to select the document, click the ellipses, and then choose Details. From the right-hand menu, choose Advanced.


On this screen you will need to click Grant Permissions from the ribbon. Specify your external user’s email address, choose your permission level, and click Share.


Now we see the invitation arrive. Follow the link.

To further complicate matters, again the user must sign in with a Microsoft ID (either a 365 organizational account or something like an Outlook.com or Live account).

Interestingly, even though we sent this to a Gmail address, and the user authenticated into an Outlook.com account, it will still deliver the content (confusing, I know). Microsoft is earning no points here, and the “clunky” moniker that has long been attributed to SharePoint remains.

 

Conclusions

My wish for Christmas this year is to have IRM for SharePoint work more like Email encryption for Office 365, which behaves the same–and flawlessly–inside and outside the organization. Thanks in advance, Microsanta (or Santasoft). Until that time, the most likely use case for this technology is probably going to be limited mostly to internal use, and of course, to enable these settings only on certain document libraries marked as confidential or sensitive.

Still, at the end of the day, IRM gives us some pretty powerful options for adding security to documents and allowing users to manage their information, and better prevent data leakage and/or unauthorized access.
