ITS

Information Technology Services
Information Rights Management in SharePoint Online

Information Rights Management (IRM) helps to control and protect digital documents by limiting the actions that users can take on documents that have been downloaded from SharePoint Online or OneDrive for Business document libraries and lists. IRM encrypts the downloaded files and limits the set of users and programs that are allowed to decrypt them. It also limits the rights of the users who are allowed to read the files, so that they cannot take actions such as printing copies of the files or copying text from them. With IRM, administrators also have the ability to do the following:

  • Set document access rights, including rights to print, run scripts to enable screen readers, or enable writing on a copy of the document

  • Set expiration date (the date after which the document cannot be used)

  • Control whether documents that do not support IRM protection can be included in the library

  • Control whether Office Web Apps can render the documents in the library

  • Set group protection and credentials interval

How IRM works for lists and libraries

Document protection

  • On a site, IRM protection is applied to files in an entire list or library, rather than to individual files, which ensures a consistent level of protection for an entire set of documents or files. When IRM is enabled for a document library, rights management applies to all of the files in that library. When IRM is enabled for a list, rights management applies only to files that are attached to list items, not the actual list items.

  • When people download files in an IRM-enabled list or library, the files are encrypted so that only authorized people can view them. The Azure Rights Management service applies usage restrictions and data encryption for documents when they are downloaded from SharePoint, and not when the document is first created in SharePoint or uploaded to the library. For information about how documents are protected before they are downloaded, refer to Data Encryption in OneDrive for Business and SharePoint Online.

  • Each rights-managed file also contains an issuance license that imposes restrictions on the people who view the file.

  • Typical restrictions include making a file read-only, disabling the copying of text, preventing people from saving a local copy, and preventing people from printing the file.

  • Client programs that can read IRM-supported file types use the issuance license within the rights-managed file to enforce these restrictions. This is how a rights-managed file retains its protection even after it is downloaded. The types of restrictions that are applied to a file when it is downloaded from a list or library are based on the individual user's permissions on the site that contains the file. The following table explains how the permissions on sites correspond to IRM permissions.

| Permissions | IRM Permissions |
| --- | --- |
| Manage Permissions, Manage Web Site | Full control (as defined by the client program): This permission generally allows a user to read, edit, copy, save, and modify permissions of rights-managed content. |
| Edit Items, Manage Lists, Add and Customize Pages | Edit, Copy, and Save: A user can print a file only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library. |
| View Items | Read: A user can read the document, but cannot copy or modify its content. A user can print only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library. |
| Other | No other permissions correspond directly to IRM permissions. |

Prevent opening in browser

  • Office Web Apps (included in Office 365) can render protected documents in the browser

  • If an authenticated user does not have a compatible Office client, the user can still view the documents using Office Web Apps

  • Office Web Apps presents the document in read-only mode

  • Screen capturing of protected content in the browser is not blocked (as it is on clients). Site administrators can always prevent this capability by selecting the Prevent opening documents in the browser for this Document Library check box on the Information Rights Management Settings page.

Protects documents for groups

  • Each supported file type is encrypted and rights are restricted to the authenticated user who downloaded the document

  • Other users who have rights to the same library must get their own copy

  • One of the features that SharePoint Online supports is to protect a library for a group

  • A site admin can choose an Active Directory group and use it to stamp the usage license for the file

  • Documents that are downloaded can be used by all the members of the group

  • The user who downloaded the copy can transfer the copy to any member of the group directly

Supports Office and PDF files

Limitations to using IRM

IRM cannot protect restricted content from the following:

  • Erasure, theft, capture, or transmission by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware

  • Loss or corruption because of the actions of computer viruses

  • Manual copying or retyping of content from the display on a screen

  • Digital or film photography of content that is displayed on a screen

  • Copying through the use of third-party screen-capture programs

  • Copying of content metadata (column values) through the use of third-party screen-capture programs or copy-and-paste action

Currently, there are some limitations when you use IRM in SharePoint Online:

  • Files that have a .ppdf file name extension for protected PDF files are not supported. For more information about viewing protected PDF documents, see Protected PDF readers for Microsoft Information Protection.

  • Coauthoring, when more than one person edits a document at the same time, is not supported. To edit a document in an IRM-protected library, you must first check out the document and download it, and then edit it in your Office application. Consequently, only one person can edit the document at a time.

  • To apply IRM to a list or library, you must have administrator permissions for that list or library.

  • If you are using SharePoint Online, your users might experience timeouts when downloading larger IRM-protected files. If so, then apply IRM protection by using your Office programs, and store larger files in a SharePoint library that does not use IRM.

  • You cannot create or edit documents in an IRM-enabled library using Office Online. Instead, one person at a time can download and edit IRM-encrypted files. Use check-in and check-out to manage co-authoring, or authoring across multiple users.

  • PDF files that are protected by SharePoint when downloaded from a document library do not use native PDF encryption and therefore cannot be read by Adobe Acrobat.

Syncing IRM-Protected libraries with OneDrive for Business

IRM-protected libraries for SharePoint and OneDrive for Business require the latest version of the new OneDrive sync client (OneDrive.exe), and the version of the Rights Management Service (RMS) client from the Microsoft Download Center.
Warning: If the IRM policy for a library is changed, OneDrive for Business will resynchronize document attributes for the entire document library. This has implications for large libraries containing thousands of files.

Apply IRM to a list or library in SharePoint Online

  1. Go to the list or library for which you want to configure IRM.

  2. Select the Settings icon and then click Library Settings (if you are working in a list, select the Settings icon, and then click List Settings).

    Screen capture of document library settings pane
    Settings pane for a library
    Screen capture of document list settings pane
    Settings pane for a list
  3. Under Permissions Management, click Information Rights Management.
    Note: The IRM link does not appear for picture libraries.
    Screen capture of Information Rights Management link in the Permissions and Management section

  4. On the Information Rights Management Settings page, select the Restrict permission to documents in the library on download check box to apply restricted permission to documents that are downloaded from the list or library.
    Screen capture of IRM policy settings page.

  5. In the Create a permission policy title field (required), type a descriptive name for the policy that you can use later to differentiate the policy from other policies.

  6. In the Add a permission policy description box, type a description that will appear to people who use the list or library that explains how they should handle the documents in the list or library.

  7. Select SHOW OPTIONS to set additional IRM library settings, configure document access rights, or set group protection and credentials. Refer to Details of IRM Policy Setting Options for more information on settings.
    Screen capture of Information Rights Management policy settings with show options expanded.

  8. After you finish selecting options, click OK.

Apply IRM in OneDrive for Business

  1. Go to the OneDrive for Business document library.

  2. In the navigation pane, at the bottom, select Return to classic OneDrive.

  3. Select the Settings icon. In the Settings pane, select Show Ribbon.
    Screen capture of OneDrive for Business Settings pane.

  4. To configure IRM to be applied to all OneDrive for Business files, select the LIBRARY tab from the ribbon, and then select Library Settings.
    Screen capture of Library settings button in Classic OneDrive ribbon

  5. Under Permissions Management, click Information Rights Management.
    Note: The IRM link does not appear for picture libraries.
    Screen capture of Information Rights Management link in the Permissions and Management section

  6. On the Information Rights Management Settings page, select the Restrict permission to documents in the library on download check box to apply restricted permission to documents that are downloaded from the list or library.
    Screen capture of IRM policy settings page.

  7. In the Create a permission policy title field (required), type a descriptive name for the policy that you can use later to differentiate the policy from other policies.

  8. In the Add a permission policy description box, type a description that will appear to people who use the list or library that explains how they should handle the documents in the list or library.

  9. Select SHOW OPTIONS to set additional IRM library settings, configure document access rights, or set group protection and credentials. Refer to Details of IRM Policy Setting Options for more information on settings.
    Screen capture of Information Rights Management policy settings with show options expanded.

  10. After you finish selecting options, click OK.

Details of IRM Policy Setting Options

Additional IRM library settings

Do not allow users to upload documents that do not support IRM

If selected, users will be prevented from uploading documents that do not support IRM to the list or library. Microsoft Word, Excel, and PowerPoint file formats support rights management. If selected, SharePoint will block file uploads for file formats that do not support IRM, as shown in the following image.

Screen capture of a block file in IRM-protected library

Adobe PDF files can be uploaded to a document library, but cannot be viewed unless the device has a PDF viewer available that supports Rights Management (refer to the following image), such as the Azure Information Protection viewer. For additional options, refer to SharePoint-Compatible PDF readers that support Microsoft Information Rights Management services and/or Supported readers for Microsoft Information Protection.

Screen capture of viewing PDF in IRM-protected library with an unsupported PDF viewer.

Stop restricting access to the library at [select date]

Allows for the setting of a policy expiration date. If selected, restricted permissions will be removed from the list or library on the date selected. If not selected, the policy will be applied indefinitely (or until deleted).

Prevent opening documents in the browser for this Document Library

If selected, this option will prevent users from opening documents in Office Online applications, and documents will need to be opened with their respective desktop applications.

Document Access Rights

Allow viewers to print

If selected, viewers will be able to print documents from the list or library.

Allow viewers to run script and screen reader function on downloaded documents

If selected, users with at least the View Items permission will be allowed to run embedded code or macros on a document. With this option enabled, users could run code to extract the contents of a document.

Allow viewers to write on a copy of the downloaded document

If selected, viewers will be able to edit a downloaded copy of the document. If it is not selected, the user will have a read-only copy.

After download, document access rights will expire after these number of days (1 - 365)

If selected, document access rights will expire after the number of days specified.

Group protection and credentials interval

Users must verify their credentials using this interval (days)

Require that people verify their credentials at specific intervals. Select this option if you want to restrict access to content to a specified period of time. If you select this option, users' issuance licenses to access the content will expire after the specified number of days, and users will be required to return to the document library to verify their credentials and download a new copy.

Allow group protection

Allow group protection so that users can share with members of the same group.
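
The permissions table and the policy options described above can be checked together when reviewing a library's IRM configuration. The following is an added example, not part of the original page and not Microsoft tooling; the `IrmPolicy` field names and the function names are hypothetical stand-ins for the options on the Information Rights Management Settings page.

```python
from dataclasses import dataclass
from typing import Optional

# Site permission -> IRM permission, from the table on this page (highest first).
TIERS = [
    ({"Manage Permissions", "Manage Web Site"}, "Full control"),
    ({"Edit Items", "Manage Lists", "Add and Customize Pages"}, "Edit, Copy, and Save"),
    ({"View Items"}, "Read"),
]

@dataclass
class IrmPolicy:
    # Hypothetical field names, one per option on the IRM Settings page.
    allow_print: bool = False
    allow_script: bool = False
    prevent_browser_view: bool = False
    reject_non_irm_uploads: bool = False
    access_expire_days: Optional[int] = None  # None = option not selected
    allow_group_protection: bool = False

def effective_rights(site_permissions, policy):
    """Return (irm_permission, can_print) for a user's downloaded copy."""
    held = set(site_permissions)
    for perms, right in TIERS:
        if held & perms:
            # Full control is defined by the client program, so printing is
            # reported as None (unknown); lower tiers follow the check box.
            return right, (None if right == "Full control" else policy.allow_print)
    return None, False  # no other site permission maps to an IRM permission

def review(policy):
    """List settings a reviewer should look at, based on this page's caveats."""
    items = []
    if policy.allow_script:
        items.append("allow_script: viewers can run code that extracts document contents")
    if not policy.prevent_browser_view:
        items.append("prevent_browser_view off: screen capture is not blocked in the browser")
    if not policy.reject_non_irm_uploads:
        items.append("reject_non_irm_uploads off: files that do not support IRM can be uploaded")
    if policy.access_expire_days is None:
        items.append("access_expire_days unset: document access rights do not expire")
    elif not 1 <= policy.access_expire_days <= 365:
        raise ValueError("access_expire_days must be between 1 and 365")
    if policy.allow_group_protection:
        items.append("allow_group_protection: a copy can be passed to any group member")
    return items
```
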

Learn more

Information provided on this page has been compiled from Microsoft support resources, including, but not limited to, the following. Select any of the links to learn more about topic areas covered on this page.

Last Updated: July 16, 2019