Activating the protection service from Azure Information Protection

This article describes how administrators can activate the Azure Rights Management protection service for Azure Information Protection (AIP). When the protection service is activated for your organization, administrators and users can start to protect important data by using applications and services that support this information protection solution. Administrators can also manage and monitor protected documents and emails that your organization owns.

This configuration information in this article is for administrators who are responsible for a service that applies to all users in an organization. If you are looking for user help and information to use the Rights Management functionality for a specific application or how to open a file or email that is rights-protected, use the help and guidance that accompanies your application.

Automatic activation for Azure Rights Management

When you have a service plan that includes Azure Rights Management, you may not have to activate the service:

  • If your subscription that includes Azure Rights Management or Azure Information Protection was obtained towards the end of February 2018 or later: The service is automatically activated for you. You do not have to activate the service unless you or another global administrator for your organization deactivated Azure Rights Management.

  • If your subscription that includes Azure Rights Management or Azure Information Protection was obtained before or during February 2018: Microsoft activates the Azure Rights Management service for these subscriptions if your tenant is using Exchange Online. For these subscriptions, the service will be activated for you unless you see that AutomaticServiceUpdateEnabled is set to false when you run Get-IRMConfiguration.

If neither of the listed scenarios apply to you, you must manually activate the protection service.

How to activate or confirm the status of the protection service


Do not activate the protection service if you have Active Directory Rights Management Services (AD RMS) deployed for your organization. More information

To activate the protection service, your organization must have a service plan that includes the Azure Rights Management service from Azure Information Protection. For more information, see Microsoft 365 licensing guidance for security & compliance.

When the protection service is activated, all users in your organization can apply information protection to their documents and emails, and all users can open (consume) documents and emails that have been protected by this service. However, if you prefer, you can restrict who can apply information protection, by using onboarding controls for a phased deployment. For more information, see the Configuring onboarding controls for a phased deployment section in this article.

Activate protection via PowerShell

You must use PowerShell to activate the Rights Management protection service (Azure RMS). You can no longer activate or deactivate this service from the Azure portal.

  1. Install the AIPService module, to configure and manage the protection service. For instructions, see Installing the AIPService PowerShell module.

  2. From a PowerShell session, run Connect-AipService, and when prompted, provide the Global Administrator account details for your Azure Information Protection tenant.

  3. Run Get-AipService to confirm whether the protection service is activated. A status of Enabled confirms activation; Disabled indicates that the service is deactivated.

  4. To activate the service, run Enable-AipService.

Configuring onboarding controls for a phased deployment

If you don’t want all users to be able to protect documents and emails immediately by using Azure Information Protection, you can configure user onboarding controls by using the Set-AipServiceOnboardingControlPolicy PowerShell command. You can run this command before or after you activate the Azure Rights Management service.

For example, if you initially want only administrators in the “IT department” group (that has an object ID of fbb99ded-32a0-45f1-b038-38b519009503) to be able to protect content for testing purposes, use the following command:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "fbb99ded-32a0-45f1-b038-38b519009503"

Note that for this configuration option, you must specify a group; you cannot specify individual users. To obtain the object ID for the group, you can use the Microsoft Graph PowerShell—for example, for version 1.0 of the module, use the Get-MgGroup command. Or, you can copy the Object ID value of the group from the Azure portal.

Alternatively, if you want to ensure that only users who are correctly licensed to use Azure Information Protection can protect content:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $True

When you no longer need to use onboarding controls, whether you used the group or licensing option, run:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False

For more information about this cmdlet and additional examples, see the Set-AipServiceOnboardingControlPolicy help.

When you use these onboarding controls, all users in the organization can always consume protected content that has been protected by your subset of users, but they won’t be able to apply information protection themselves from client applications. Server-side applications, such as Exchange, can implement their own per-user controls to achieve the same result. For example, to prevent users from protecting emails in Outlook on the web, use Set-OwaMailboxPolicy to set the IRMEnabled parameter to $false.

Next steps

Now that the protection service is activated for your organization, apps and services can apply encryption to help protect your data. One of the easiest ways to apply encryption, is by using sensitivity labels from Microsoft Purview Information Protection.