Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Within SharePoint in Microsoft 365, IRM protection is applied to files at the list and library level. Before your organization can use IRM protection, you must first set up Rights Management. IRM relies on the Azure Rights Management service from Azure Information Protection to encrypt and assign usage restrictions. Some Microsoft 365 plans include Azure Rights Management, but not all. To learn more, read How Office applications and services support Azure Rights Management.
Important
Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Turn on IRM service using SharePoint admin center
Before your organization can IRM-protect SharePoint lists and libraries, you must first activate the Rights Management service for your organization. To learn how, see Activating Azure Rights Management. You must use a work or school account that has sufficient administrator privileges to enable the Rights Management service, such as site owner or SharePoint admin. Otherwise, you can't use IRM features with SharePoint.
After you activate the Rights Management service, sign in to the SharePoint admin center to turn on IRM.
Sign in to SharePoint.
Select the app launcher icon
and choose Admin to open the Microsoft 365 admin center. (If you don't see the Admin tile, your work or school account doesn't have administrator permissions in your organization.)In the left pane, choose Admin centers > SharePoint admin center.
In the left pane, choose settings, and then choose classic settings page.
In the Information Rights Management (IRM) section, choose Use the IRM service specified in your configuration, and then choose Refresh IRM Settings. After you refresh IRM settings, people in your organization can begin using IRM in their SharePoint lists and document libraries. However, the options to do so might take up to an hour to appear in Library Settings and List Settings.
IRM-enable SharePoint document libraries and lists
After IRM settings refresh, site owners can IRM-protect their SharePoint lists and document libraries. For more information, see Apply Information Rights Management to a list or library.
When site owners enable IRM for a list or library, they can protect any supported file types in that list or library. When IRM is enabled for a library, rights management applies to all of the files in that library. When you enable IRM for a list, rights management applies only to files that are attached to list items, not the actual list items.
When people download files in an IRM-enabled list or library, the files are encrypted so that only authorized people can view them. Each rights-managed file also contains an issuance license that imposes restrictions on the people who view the file. Typical restrictions include:
- Making a file read-only
- Disabling the copying of text
- Preventing people from saving a local copy
- Preventing people from printing the file
Client programs that can read IRM-supported file types use the issuance license within the rights-managed file to enforce these restrictions. So, a rights-managed file retains its protection even after download. To enable IRM on a list or library, see Apply Information Rights Management to a list or library.
You can't create or edit documents in an IRM-enabled library using Office in a browser. Instead, one person at a time can download and edit IRM-encrypted files. Use check-in and check-out to manage coauthor, or authoring across multiple users.
When you download a PDF file from an IRM-protected library, Microsoft 365 creates a protected PDF file. The file's extension doesn't change, but the file is protected. To view this file, you need the information protection viewer, the full information protection client, or another application that supports viewing protected PDF files.
SharePoint supports encryption of the following file types:
PDF
The 97-2003 file formats for the following Microsoft Office programs: Word, Excel, and PowerPoint
The Office Open XML formats for the following Microsoft Office programs: Word, Excel, and PowerPoint
The XML Paper Specification (XPS) format
Note
IRM protection can't be applied to protected documents (like digitally signed PDF files) as SharePoint needs to open the document on upload.
Next steps
Once you enabled IRM for SharePoint, you can start applying rights management to lists and libraries. For information, see Apply Information Rights Management to a list or library.
The OneDrive sync client for Windows supports synchronizing IRM-protected SharePoint document libraries and OneDrive locations (as long as the IRM setting for the library isn't set to expire document access rights). For more information, or to get started deploying the sync client, see Deploy the new OneDrive sync client for Windows.