Sets the super user group for Rights Management.


   -GroupEmailAddress <String>



This cmdlet from the AADRM module is now deprecated. After July 15, 2020, this cmdlet name will be supported only as an alias to its replacement in the AIPService module.

For more information, see the overview page.

The Set-AadrmSuperUserGroup cmdlet specifies a group to use as the super user group for your Azure Rights Management service. Members of this group are then super users, which means they become a Rights Management owner for all content that is protected by your organization. These super users can decrypt this protected content and remove protection from it, even if an expiration date has been set and expired. Typically, this level of access is required for legal eDiscovery and by auditing teams.

You can specify any group that has an email address, but be aware that for performance reasons, group membership is cached. For information about group requirements, see Preparing users and groups for Azure Information Protection.

If a super user group already exists, running this cmdlet overwrites it. This cmdlet does not affect users that are individually assigned as super users with the Add-AadrmSuperUser cmdlet.

An organization can have only one super user group in addition to multiple users who are assigned the privilege individually, but you can nest groups.

You must use PowerShell to configure super users; you cannot do this configuration by using a management portal.

For more information about super users, see Configuring super users for Azure Rights Management and discovery services or data recovery.


Example 1: Set the super user group

PS C:\>Set-AadrmSuperUserGroup -GroupEmailAddress ""

This command sets the super user group for the organization to



Specifies the group email address for the super user group.

GroupEmailAddress can specify a group that contains individual users or other nested groups. It must be a valid group email address for an existing group in the organization.

Default value:None
Accept pipeline input:False
Accept wildcard characters:False