Enables the super user feature for Rights Management.


Enable-AadrmSuperUserFeature [<CommonParameters>]



This cmdlet from the AADRM module is now deprecated. After July 15, 2020, this cmdlet name will be supported only as an alias to its replacement in the AIPService module.

For more information, see the overview page.

The Enable-AadrmSuperUserFeature cmdlet enables the super user feature for your organization's Azure Rights Management service. When this feature is enabled, any users that are defined as super users for your organization (individually or by the super user group) can decrypt content that your organization protected, and can remove protection from this content, even if an expiration date has been set and expired. Typically, this level of access is required for legal eDiscovery and by auditing teams.

You must use PowerShell to configure super users; you cannot do this configuration by using a management portal.

By default, the super user feature is not enabled, and no users are assigned to this feature. To assign users, you must use Add-AadrmSuperUser or Set-AadrmSuperUserGroup.

Caution: We recommend that you enable the super user feature on an as-needed basis. During standard operations, we recommend that you disable the super user feature, unless you use it to provide a trusted application with the ability to decrypt rights-protected content. For example, this exception might be needed for an application to scan the contents of a file for malware.


Example 1: Enable the super user feature

PS C:\>Enable-AadrmSuperUserFeature

This command enables the super user feature for your organization.
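
The as-needed pattern from the caution above can be scripted so the feature is never left on by accident. The following is an added example, not part of the original documentation: the function name `Invoke-WithAadrmSuperUser`, its parameters, and the sample address are hypothetical, and it assumes the AADRM module is installed and that you run it as a Rights Management administrator.

```powershell
# Added example: open super user access only for the duration of one task.
function Invoke-WithAadrmSuperUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $EmailAddress,  # account given temporary super user rights
        [Parameter(Mandatory)] [scriptblock] $Task           # work that must decrypt protected content
    )

    Connect-AadrmService | Out-Null
    try {
        # Assumption: the feature state renders as the string 'Enabled' or 'Disabled'.
        $wasEnabled = "$(Get-AadrmSuperUserFeature)" -eq 'Enabled'
        if ($wasEnabled) {
            Write-Warning 'Super user feature was already enabled; it will be left enabled.'
        }
        try {
            Add-AadrmSuperUser -EmailAddress $EmailAddress
            if (-not $wasEnabled) { Enable-AadrmSuperUserFeature }
            Write-Verbose "Super user access opened for $EmailAddress at $(Get-Date -Format o)"
            & $Task
        }
        finally {
            # Runs even if the task throws, so access does not stay open.
            # Note: the address is removed unconditionally; do not pass an
            # account that is meant to remain a standing super user.
            Remove-AadrmSuperUser -EmailAddress $EmailAddress
            if (-not $wasEnabled) { Disable-AadrmSuperUserFeature }
            # Show what remains so the operator can review standing access.
            Write-Host "Feature state: $(Get-AadrmSuperUserFeature)"
            Write-Host 'Remaining super users:'
            Get-AadrmSuperUser | Out-Host
        }
    }
    finally {
        Disconnect-AadrmService | Out-Null
    }
}

# Constructed usage: the address and the task body are placeholders.
Invoke-WithAadrmSuperUser -EmailAddress 'ediscovery@contoso.com' -Task {
    # Call the decryption or export tooling here.
} -Verbose
```

If the warning about the feature already being enabled appears unexpectedly, review who enabled it and whether a trusted application depends on it before disabling it manually.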