
How to set up Azure Rights Management

Deborah Alexander 0 Reputation points
2026-05-13T20:04:56.85+00:00

How to set up Azure Rights Management to encrypt outgoing attachments.

Azure Information Protection

An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.


2 answers

  1. SAI JAGADEESH KUDIPUDI 3,300 Reputation points Microsoft External Staff Moderator
    2026-05-14T00:05:07.7533333+00:00

    Hi Deborah Alexander,

    You can get Azure Rights Management (RMS) encrypting your outgoing attachments in a few steps:

    1. Make sure you have the right subscription/license
      • You need a Microsoft 365 plan or Purview Information Protection subscription that includes Azure RMS.
      • Confirm you’ve got the “Information Protection” service in your subscription.
    2. Activate the Rights Management service
      a. In the Azure portal, go to Azure Information Protection > Overview > Activate
      b. Or use PowerShell:
        ```powershell
        # Enable-AipService ships in the AIPService module and needs an admin session
        Install-Module -Name AIPService
        Connect-AipService
        Enable-AipService
        ```
      c. Wait a few minutes for the service to fully provision.
    3. Create or update a protection policy/label
      a. Still in Azure Information Protection, switch to the Labels blade.
      b. Either edit an existing label or create a new one. Under Protection settings, turn on Encrypt, choose who can access (e.g., “Recipients”), and set their rights (e.g., “View,” “Edit”).
      c. Save and publish your policy so it flows down to users.
    4. Deploy the client to your endpoints
      • Download and install the Microsoft Purview Information Protection (unified labeling) client on your users’ machines.
      • This gives Outlook, Word, etc. the ability to automatically apply the labels you created.
    5. (Optional) Automate encryption on all outgoing mail via Exchange transport rules

      If you want every attachment to be encrypted automatically (without users having to pick a label):
      a. In the Microsoft 365 admin center, open the Exchange Admin Center.
      b. Go to Mail flow > Rules > + > Apply rights protection to messages
      c. Set the conditions you want (e.g., “If the message has an attachment”) and pick your RMS template from the Rights protection dropdown.
      d. Save the rule. Now any mail that matches will be encrypted by Azure RMS.

    That’s it – after that, when users send emails with attachments, Azure RMS will apply your encryption template, keeping your files secure in transit and at rest.

    References

    1. Activate Azure Rights Management service https://learn.microsoft.com/azure/information-protection/deploy-use/activate-azure
    2. Create and publish Azure Information Protection labels https://learn.microsoft.com/azure/information-protection/how-to-guides
    3. Admin guide: Azure Information Protection client and logging https://docs.microsoft.com/azure/information-protection/rms-client/clientv2-admin-guide-files-and-logging
    4. Using PowerShell with the Information Protection client https://docs.microsoft.com/azure/information-protection/rms-client/clientv2-admin-guide-powershell
    5. Set up IRM in SharePoint (for protecting libraries) https://learn.microsoft.com/purview/set-up-irm-in-sp-admin-center
    6. Learn about the Azure Rights Management encryption service https://learn.microsoft.com/purview/azure-rights-management-learn-about

    Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.



  2. AI answer

    2026-05-13T20:05:11.2533333+00:00

    Azure Rights Management (Azure RMS) is now managed through Microsoft Purview Information Protection and sensitivity labels, which apply Azure Rights Management encryption to documents and email (including attachments).

    To encrypt outgoing attachments, configure and use Azure Rights Management as follows:

    1. Activate Azure Rights Management
      • In Microsoft Purview, activate the Azure Rights Management encryption service for the tenant so that clients can obtain the organization’s key and user certificates needed for encryption and decryption.
      • Optionally configure onboarding controls if only a subset of users should be able to protect content initially. For example, to restrict protection to a specific security group:
        ```powershell
        Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "<group-object-id>"
        ```
        Or to allow only correctly licensed users to protect content:
        ```powershell
        Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $True
        ```
        Remove onboarding controls later with:
        ```powershell
        Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False
        ```
    2. Use sensitivity labels to apply Azure RMS encryption
      • Configure sensitivity labels in Microsoft Purview Information Protection with encryption settings that define:
        • Which users or groups can access the protected content.
        • Their usage rights (for example, view-only, edit, print, copy) and any expiration.
      • When a user applies such a label to a document or email, the Azure Rights Management client:
        • Generates a random AES content key and encrypts the document.
        • Creates a policy that includes the usage rights and restrictions for specified users or groups.
        • Encrypts the policy and content key with the organization’s key and embeds the policy in the file.
      • The account that encrypts the content becomes the Rights Management issuer and is granted Full Control, including access after expiry and offline access.
    3. Configure Outlook and Office apps to use labels for attachments
      • Ensure users have Office apps that support built-in sensitivity labels.
      • Train users to:
        • Apply a sensitivity label directly to the file before attaching it to an email. The encrypted file can then be safely shared as an attachment while leaving the email body unencrypted for instructions or context.
        • Alternatively, apply a label to the email itself (for example, a label configured with “Do Not Forward” or similar rights), which encrypts the message and any attachments.
      • Because the encryption policy is embedded in the file, attachments remain protected wherever they are stored or forwarded.
    4. Enable collaboration with external recipients
      • Azure Rights Management supports business-to-business collaboration by default with organizations that already have Microsoft 365 or a Microsoft Entra directory.
      • For organizations without Microsoft 365 or Microsoft Entra, recipients can use:
        • An RMS for individuals subscription, or
        • A Microsoft account with supported applications
      • This allows external users to open encrypted attachments according to the rights defined in the label’s encryption policy.
    5. (Optional) Use the Rights Management connector for on-premises Exchange
      • If using on-premises Exchange, deploy the Azure Rights Management connector so that Exchange can use the cloud-based Azure RMS service to protect email and attachments.
      • The connector enables Exchange to apply and honor Azure RMS policies, providing continuous protection for messages and attached documents.

    Once these steps are in place, any outgoing attachment that has a sensitivity label configured with Azure Rights Management encryption will be encrypted automatically, and the embedded policy will control who can open it and what they can do with it.
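
A verification pass for the procedures in both answers above, added here as an example and not part of either answer or of Microsoft's documentation: it confirms the service is activated, displays any onboarding control, checks Exchange Online IRM, and creates the mail flow rule from the first answer in audit mode. The sender address, template name, rule name, the external-recipient scope and the 1 KB attachment-size condition (standing in for "has an attachment") are assumptions.

```powershell
#Requires -Modules AIPService, ExchangeOnlineManagement
# Added example, not from either answer. The three values below are placeholders.
$Sender       = 'user@contoso.example'   # placeholder: a mailbox in your tenant
$TemplateName = 'Encrypt'                # assumed template name; list yours with Get-RMSTemplate
$RuleName     = 'Encrypt outbound mail with attachments'   # hypothetical rule name

# 1. The Rights Management service must report Enabled.
Connect-AipService
$state = Get-AipService
if ("$state" -ne 'Enabled') {
    throw "Azure Rights Management is '$state'. Run Enable-AipService and wait for provisioning."
}

# 2. Show onboarding controls: a group ID or UseRmsUserLicense = True here
#    limits which users are able to protect content.
Get-AipServiceOnboardingControlPolicy | Format-List
Disconnect-AipService

# 3. Exchange Online must be able to license against Azure RMS.
Connect-ExchangeOnline
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'AzureRMSLicensingEnabled is False; Exchange Online cannot apply RMS templates.'
}
Test-IRMConfiguration -Sender $Sender    # look for "OVERALL RESULT: PASS"

$template = Get-RMSTemplate | Where-Object { $_.Name -eq $TemplateName }
if (-not $template) {
    throw "No RMS template named '$TemplateName' is visible to Exchange Online."
}

# 4. Create the rule in audit mode first: matches are logged, nothing is encrypted yet.
#    Scope and size condition are assumptions; adjust to the conditions you want.
if (-not (Get-TransportRule | Where-Object { $_.Name -eq $RuleName })) {
    New-TransportRule -Name $RuleName `
        -SentToScope NotInOrganization `
        -AttachmentSizeOver 1KB `
        -ApplyRightsProtectionTemplate $TemplateName `
        -Mode Audit
}
# After reviewing which messages matched, enforce the rule:
# Set-TransportRule -Identity $RuleName -Mode Enforce
Disconnect-ExchangeOnline -Confirm:$false
```

Running the rule in audit mode before enforcing it shows which outbound messages would be encrypted, so recipients who cannot open protected content are found before mail to them is affected.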


