Create an Outlook Protection Rule

Applies to: Exchange Server 2013

Using Microsoft Outlook protection rules, you can protect messages with Information Rights Management (IRM) by applying an Active Directory Rights Management Services (AD RMS) template in Outlook 2010 before the messages are sent.

For additional management tasks related to IRM, see Information Rights Management procedures.

What do you need to know before you begin?

  • Estimated time to completion: 1 minute.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Rights protection" entry in the Messaging policy and compliance permissions topic.

  • You must have an AD RMS server deployed in the same Active Directory forest as your server running Microsoft Exchange Server 2013.

  • If you configure Outlook protection rules to IRM-protect messages, consider enabling transport decryption to allow transport agents, including the Transport Rules agent, to decrypt and access the message. If you use journaling, you should also consider enabling journal report decryption to allow the Journaling agent to save an unencrypted copy of the message in the journal report. For more information, see Journal report decryption.

  • You can't use the Exchange admin center (EAC) to create Outlook protection rules. You must use the Shell.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.


Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.

Use the Shell to create an Outlook protection rule

This example creates the Outlook protection rule Project Contoso. The rule protects messages sent to the ContosoPMs distribution group with the AD RMS template Business Critical.

New-OutlookProtectionRule -Name "Project Contoso" -SentTo "ContosoPMs" -ApplyRightsProtectionTemplate "Business Critical"


When you use the SentTo predicate for an Outlook protection rule and specify a distribution group, only messages addressed to the distribution group in the To, Cc, or Bcc fields are IRM-protected. IRM protection isn't applied to messages addressed to individual members of the distribution group.

You can also use the FromDepartment and SentToScope predicates to apply IRM protection to messages sent from users in the specified department or messages sent to the specified scope (InOrganization for internal messages, All for all recipients).

For detailed syntax and parameter information, see New-OutlookProtectionRule.

How do you know this worked?

To verify that you have successfully created an Outlook protection rule, do the following:

  • Run the Get-OutlookProtectionRule cmdlet to make sure that the rule has been created and to view the rule's properties. For an example of how to retrieve an Outlook protection rule, see Examples.

  • Use Outlook 2010 to create a test message that meets the rule's condition and make sure the rule is triggered on the client.


    It may take some time for an Outlook protection rule to be available in Outlook.
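
The following script is an added example, not part of the original topic. It creates a rule with the FromDepartment and SentToScope predicates, verifies it with Get-OutlookProtectionRule, and checks the decryption settings mentioned in the prerequisites. Assumptions: it runs in the Exchange Management Shell, and the rule name "Legal Outbound" and the department "Legal" are hypothetical values.

```powershell
# Added example. Run in the Exchange Management Shell on Exchange Server 2013.
$ruleName   = 'Legal Outbound'      # hypothetical rule name
$department = 'Legal'               # hypothetical department value
$template   = 'Business Critical'   # AD RMS template named in this topic

# Stop early if Exchange cannot see the AD RMS template the rule depends on.
$rmsTemplate = Get-RMSTemplate | Where-Object { $_.Name -eq $template }
if (-not $rmsTemplate) {
    throw "AD RMS template '$template' was not found. Check the AD RMS deployment."
}

# Create the rule only if a rule with this name does not already exist,
# so the script can be re-run without producing a duplicate-name error.
$existing = Get-OutlookProtectionRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    # FromDepartment matches the sender's department attribute.
    # SentToScope All covers all recipients; InOrganization would limit
    # the rule to internal messages.
    # UserCanOverride $false prevents senders from removing the protection
    # in Outlook (the cmdlet default is $true).
    New-OutlookProtectionRule -Name $ruleName `
        -FromDepartment $department `
        -SentToScope All `
        -ApplyRightsProtectionTemplate $template `
        -UserCanOverride $false | Out-Null
}

# Verification step: confirm the rule exists and review the properties
# that decide which messages are protected.
Get-OutlookProtectionRule -Identity $ruleName |
    Format-List Name, Enabled, Priority, FromDepartment, SentToScope,
                ApplyRightsProtectionTemplate, UserCanOverride

# Messages protected on the client reach the server already encrypted.
# Warn if transport agents or the Journaling agent cannot decrypt them.
$irm = Get-IRMConfiguration
if ($irm.TransportDecryptionSetting -eq 'Disabled') {
    Write-Warning 'Transport decryption is disabled: transport rules cannot inspect messages protected by this rule.'
}
if (-not $irm.JournalReportDecryptionEnabled) {
    Write-Warning 'Journal report decryption is disabled: journal reports will not include an unencrypted copy.'
}
```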