Set up Information Rights Management (IRM) in SharePoint admin center

Within SharePoint Online, IRM protection is applied to files at the list and library level. Before your organization can use IRM protection, you must first set up Rights Management. IRM relies on the Azure Rights Management service from Azure Information Protection to encrypt and assign usage restrictions. Some Microsoft 365 plans include Azure Rights Management, but not all. To learn more, read How Office applications and services support Azure Rights Management.


If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Turn on IRM service using SharePoint admin center

Before your organization can IRM-protect SharePoint lists and libraries, you must first activate the Rights Management service for your organization. To learn how see Activating Azure Rights Management. You must use a work or school account that has global administrator privileges to enable the Rights Management service. Otherwise, you won't be able to use IRM features with SharePoint Online.

After activating the Rights Management service, sign in to the SharePoint admin center to turn on IRM.

  1. Sign in as a global admin or SharePoint admin.

  2. Select the app launcher icon The app launcher icon in Office 365. in the upper-left and choose Admin to open the Microsoft 365 admin center. (If you don't see the Admin tile, your work or school account doesn't have administrator permissions in your organization.)

  3. In the left pane, choose Admin centers > SharePoint admin center.

  4. In the left pane, choose settings, and then choose classic settings page.

  5. In the Information Rights Management (IRM) section, choose Use the IRM service specified in your configuration, and then choose Refresh IRM Settings. After you refresh IRM settings, people in your organization can begin using IRM in their SharePoint lists and document libraries. However, the options to do so may take up to an hour to appear in Library Settings and List Settings.

IRM-enable SharePoint document libraries and lists

After refreshing IRM settings, site owners can IRM-protect their SharePoint lists and document libraries. For more information, see Apply Information Rights Management to a list or library.

When site owners enable IRM for a list or library, they can protect any supported file types in that list or library. When IRM is enabled for a library, rights management applies to all of the files in that library. When you enable IRM for a list, rights management applies only to files that are attached to list items, not the actual list items.

When people download files in an IRM-enabled list or library, the files are encrypted so that only authorized people can view them. Each rights-managed file also contains an issuance license that imposes restrictions on the people who view the file. Typical restrictions include making a file read-only, disabling the copying of text, preventing people from saving a local copy, and preventing people from printing the file. Client programs that can read IRM-supported file types use the issuance license within the rights-managed file to enforce these restrictions. This is how a rights-managed file retains its protection even after it is downloaded. To enable IRM on a list or library, see Apply Information Rights Management to a list or library.

You cannot create or edit documents in an IRM-enabled library using Office in a browser. Instead, one person at a time can download and edit IRM-encrypted files. Use check-in and check-out to manage co-authoring, or authoring across multiple users.

When you download a PDF file from an IRM-protected library, Microsoft 365 creates a protected PDF file. The file's extension won't change, but the file is protected. To view this file you'll need the Azure Information Protection viewer, the full Azure Information Protection client, or another application that supports viewing protected PDF files.

SharePoint Online supports encryption of the following file types:

  • PDF

  • The 97-2003 file formats for the following Microsoft Office programs: Word, Excel, and PowerPoint

  • The Office Open XML formats for the following Microsoft Office programs: Word, Excel, and PowerPoint

  • The XML Paper Specification (XPS) format


IRM protection cannot be applied to protected documents (like digitally signed PDF files) as SharePoint needs to open the document on upload.

Next steps

Once you've enabled IRM for SharePoint Online, you can start applying rights management to lists and libraries. For information, see Apply Information Rights Management to a list or library.

The new OneDrive sync client for Windows now supports synchronizing IRM-protected SharePoint document libraries and OneDrive locations (as long as the IRM setting for the library isn't set to expire document access rights). For more information, or to get started deploying the new sync client, see Deploy the new OneDrive sync client for Windows.