You can use transport protection rules to apply persistent rights protection to messages based on properties such as sender, recipient, message subject, and content.
Warning
Before you create transport rules in your production environment, we recommend creating them in a test environment and testing them thoroughly. The transport rules created in this topic are examples. You can create transport rules by using the appropriate transport rule predicates and values based on your requirements.
You need to be assigned permissions before you can perform these procedures. To see what permissions you need, see the "Transport rules" entry in the Messaging policy and compliance permissions topic.
If you configure transport protection rules to protect messages using IRM, and you also use journaling, consider enabling journal report decryption to allow the Journaling agent to save an unencrypted copy of the message in the journal report. To learn more, see Journal report decryption.
After you create a transport protection rule, if the rule can't be applied to messages because an AD RMS server is unavailable, messages will be queued by the Transport service on Mailbox servers. Depending on the volume of these messages, additional disk space may be consumed on Mailbox servers. Exchange will attempt to IRM-protect the message three times. After these attempts, if the AD RMS server is unreachable or the message can't be IRM-protected, a non-delivery report (NDR) is sent to the sender.
Use the EAC to create a transport protection rule
Navigate to Mail flow > Rules.
In the list view, click New.
In New Rule, first click More options, and then complete the following fields:
Name: Type a name for the transport rule.
Apply this rule if: Select a condition and enter any required values for the condition. To add more conditions, click Add condition.
Important
If you don't select any conditions when creating a transport protection rule, all messages handled by Exchange 2013 servers with the Transport service in your organization are IRM-protected. IRM-protecting all messages requires more resources. Therefore, we recommend that you plan your Mailbox server and AD RMS deployment accordingly.
Do the following: Select Apply rights protection to the message with and then use the Select RMS template dialog box to select a template.
Except if: (Optional) Click Add exception to specify an exception to the rule.
Click Save to create the transport rule.
Use the Shell to create a transport protection rule
To create a transport protection rule, you must have existing RMS templates in your AD RMS deployment. This example retrieves the available templates from your AD RMS cluster.
Get-RMSTemplate | Format-List
For detailed syntax and parameter information, see Get-RMSTemplate.
This example creates the transport protection rule Protect-BusinessCriticalProject. The rule IRM-protects messages that contain the phrase "Business Critical" in the Subject field with the Do Not Forward template.
Note
The SubjectContainsWords predicate is used in this example. You can use any combination of transport rule predicates to form the conditions and exceptions for the rule. For information about the available predicates, see Transport rule conditions (predicates).
New-TransportRule -Name "Protect-BusinessCriticalProject" -SubjectContainsWords "Business Critical" -ApplyRightsProtectionTemplate "Do Not Forward"
For detailed syntax and parameter information, see New-TransportRule.
How do you know this worked?
To verify that you have successfully created a transport protection rule, do one of the following:
Use the EAC to verify that the rule has been created, and then click Edit to view the rule's properties.
Use the Get-TransportRule cmdlet to retrieve the rule. For an example of how to retrieve a rule, see Examples in Get-TransportRule.
Using Outlook, Outlook Web App, or a mobile device, send a test message that meets the rule conditions and check whether the message received by the recipient is IRM-protected.
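The checks above can also be scripted in the Shell. The following is an added example, not part of the original topic: it confirms that the rule from this topic exists, is enabled and enforced, and points at a template that the AD RMS cluster still returns. The sender address is a placeholder, and the comparison of the rule's template value to the template name is an assumption noted in the code.

```powershell
# Added verification example; run in the Exchange Management Shell.
$ruleName     = 'Protect-BusinessCriticalProject'  # rule created in this topic
$templateName = 'Do Not Forward'                   # template used in this topic
$subjectWords = 'Business Critical'                # condition used in this topic
$testSender   = 'sender@contoso.example'           # placeholder: use a real mailbox

# The template the rule refers to must be returned by the AD RMS cluster.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    throw "RMS template '$templateName' was not returned by Get-RMSTemplate."
}

# Retrieve the rule; stop here if it does not exist.
$rule = Get-TransportRule -Identity $ruleName -ErrorAction Stop

$findings = @()
if ($rule.State -ne 'Enabled') {
    $findings += "Rule state is '$($rule.State)'; a disabled rule protects nothing."
}
if ($rule.Mode -ne 'Enforce') {
    $findings += "Rule mode is '$($rule.Mode)'; only Enforce applies the rule's actions."
}
# Assumption: the string form of ApplyRightsProtectionTemplate is the template name.
if ("$($rule.ApplyRightsProtectionTemplate)" -ne $templateName) {
    $findings += "Rule applies '$($rule.ApplyRightsProtectionTemplate)', expected '$templateName'."
}
# Compare as strings so the check works on deserialized rule objects too.
$words = @($rule.SubjectContainsWords | ForEach-Object { "$_" })
if ($words -notcontains $subjectWords) {
    $findings += "SubjectContainsWords lacks '$subjectWords'; the rule may match a different set of messages than intended."
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Rule '$ruleName' is enabled, enforced, and applies '$templateName'."
}

# End-to-end IRM check against AD RMS for a real sender. If AD RMS is unreachable,
# messages that match the rule queue on Mailbox servers and are eventually returned with an NDR.
Test-IRMConfiguration -Sender $testSender
```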