You're always in control of whether your organization protects content by using the Azure Rights Management encryption service from Microsoft Purview Information Protection. If you decide you no longer want to use this encryption service, you have the assurance that you won’t be locked out of content that was previously encrypted.
If you don't need continued access to previously encrypted content, deactivate the Azure Rights Management encryption service and let the subscription that supports it expire. This is appropriate, for example, when you've finished evaluating Microsoft Purview Information Protection in a test environment and never deployed it to production.
However, if you have deployed Microsoft Purview Information Protection in production and encrypted items by using the Azure Rights Management service, make sure that you have a copy of your Azure Rights Management tenant key and a suitable trusted publishing ___domain (TPD) before you deactivate the service and before your subscription expires. The TPD packages the tenant key together with the templates that reference it, and it is what lets an on-premises Rights Management deployment keep decrypting content that was protected by Azure Rights Management after the service is deactivated. Without that copy, content that was encrypted with the tenant key cannot be recovered.
If you used the bring your own key solution (BYOK) where you generate and manage your own key in an HSM, you already have your Azure Rights Management tenant key. You'll also have a suitable TPD if you followed the instructions that prepare for a future cloud exit. However, if your Azure Rights Management tenant key was managed by Microsoft (the default), see the instructions for exporting your tenant key in Operations for your Azure Rights Management tenant key article.
Tip
Even after your subscription expires, your tenant remains available for consuming encrypted content for an extended period. However, you will no longer be able to export your Azure Rights Management tenant key.
When you have your Azure Rights Management tenant key and the TPD, you can deploy Rights Management on premises (AD RMS) and import your Azure Rights Management tenant key as a trusted publishing ___domain (TPD). You then have the following options for decommissioning your Microsoft Purview Information Protection deployment:
| If this applies to you … | … do this: |
|---|---|
| You want all users to continue using Rights Management, but with an on-premises solution (AD RMS) rather than Azure Rights Management | Redirect your clients to the on-premises deployment by using the LicensingRedirection registry key for Office apps. For instructions, see the service discovery section in the RMS client deployment notes. |
| You want to stop using Rights Management technologies completely | Grant a designated administrator super user rights and install the Microsoft Purview Information Protection client for this user. This administrator can then use the PowerShell module from this client to bulk-decrypt files in folders that were encrypted by Azure Rights Management. Files revert to being unencrypted and can therefore be read without a Rights Management technology such as Microsoft Purview Information Protection or AD RMS. Because this PowerShell module can be used with both Microsoft Purview Information Protection and AD RMS, you can decrypt files before or after you deactivate the Azure Rights Management service, or a combination of both. |
| You can't identify all the files that were encrypted by Azure Rights Management, or you want all users to be able to automatically read any encrypted items that were missed | Deploy a registry setting on all client computers by using the LicensingRedirection registry key for Office apps, as described in the service discovery section in the RMS client deployment notes. |
| You want a controlled, manual recovery service for any files that were missed | Grant designated users in a data recovery group super user rights and install the Microsoft Purview Information Protection client for these users so that they can decrypt files when standard users request it. On all computers, deploy the registry setting that prevents users from encrypting new files by setting DisableCreation to 1, as described in Office Registry Settings. |
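The "stop using Rights Management completely" and "controlled, manual recovery" rows both rely on the same mechanism: a super user who can open any content protected by the tenant's key, plus the information protection client's PowerShell module to strip protection from files in bulk. The following script is an added example and is not code from the original page. The AIPService cmdlets (Enable-AipServiceSuperUserFeature, Add-AipServiceSuperUser, Get-AipServiceSuperUser) are real; the account name, the folder path, and the Purview Information Protection client cmdlet and parameter names (Set-Authentication, Get-FileStatus with its IsRMSProtected property, Set-FileLabel -RemoveProtection) are assumptions you should confirm against Get-Command in the client version you install.

```powershell
# Added example, not from the original page.
# Assumptions: recovery account recovery@contoso.com, archive root C:\Archive,
# and the PurviewInformationProtection client cmdlet names used below.

# --- Tenant side (run once, with the AIPService module) ---
Import-Module AIPService
Connect-AipService                       # prompts for Global Administrator credentials
Enable-AipServiceSuperUserFeature        # feature is off by default; turning it on is audited
Add-AipServiceSuperUser -EmailAddress 'recovery@contoso.com'
Get-AipServiceSuperUser                  # verify exactly the accounts you intend are listed
Disconnect-AipService

# --- Recovery workstation (run as the super user, with the client module) ---
Import-Module PurviewInformationProtection   # assumed module name
Set-Authentication                            # assumed cmdlet: interactive sign-in as the super user

$root   = 'C:\Archive'                        # assumed path
$report = Join-Path $root 'decrypt-report.csv'

# Pass 1: inventory only. Find what is protected before changing anything.
$files     = Get-ChildItem -Path $root -Recurse -File
$protected = $files | Get-FileStatus | Where-Object { $_.IsRMSProtected }   # assumed property
Write-Output ("{0} of {1} files are RMS-protected" -f $protected.Count, $files.Count)

# Pass 2: remove protection file by file, recording the outcome for each one.
# Content protected by another organisation's key will fail here; super user
# rights only cover content protected with this tenant's key.
$results = foreach ($f in $protected) {
    try {
        Set-FileLabel -Path $f.FileName -RemoveProtection   # assumed switch name
        [pscustomobject]@{ File = $f.FileName; Result = 'Unprotected'; Error = '' }
    } catch {
        [pscustomobject]@{ File = $f.FileName; Result = 'Failed'; Error = $_.Exception.Message }
    }
}
$results | Export-Csv -Path $report -NoTypeInformation

# Pass 3: re-check. Anything still protected needs the LicensingRedirection or
# manual-recovery path from the table above.
$remaining = Get-ChildItem -Path $root -Recurse -File |
    Get-FileStatus | Where-Object { $_.IsRMSProtected }
Write-Output ("{0} files still protected; see {1}" -f $remaining.Count, $report)
```

Keep the super user list as short as possible and remove the accounts (Remove-AipServiceSuperUser) or disable the feature again (Disable-AipServiceSuperUserFeature) when the recovery work is done: a super user can decrypt everything the tenant ever protected, so the account deserves the same handling as a domain-wide recovery agent.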
For more information about the procedures in this table, see the following resources:
For information about AD RMS and deployment references, see Active Directory Rights Management Services Overview.
For instructions to import your Azure Rights Management tenant key as a TPD file, see Add a Trusted Publishing Domain.
To use PowerShell with the Microsoft Purview Information Protection client, see Set up the information protection client using PowerShell.
When you're ready to deactivate the Azure Rights Management encryption service, use the following instructions.
Deactivating the Azure Rights Management service
You must use PowerShell to deactivate the Azure Rights Management service from Microsoft Purview Information Protection. You can no longer activate or deactivate this encryption service from admin portals.
Install the AIPService module, which configures and manages the Azure Rights Management service. For instructions, see Install the AIPService PowerShell module for the Azure Rights Management service.
From a PowerShell session, run Connect-AipService, and when prompted, provide the Global Administrator account details for your tenant.
Run Get-AipService to confirm the current status of the Azure Rights Management service. A status of Enabled confirms activation; Disabled indicates that the service is deactivated.
To deactivate the service, run Disable-AipService.
Run Get-AipService again to confirm the encryption service is now deactivated. This time, the status should display Disabled.
Run Disconnect-AipService to disconnect from the service, and close your PowerShell session.
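The steps above, combined into one script with the two checks a practitioner wants before an irreversible-looking change: that the exported TPD file is actually on hand, and that the service is in the state you expect before and after the change. This is an added example, not code from the original page; the TPD path is an assumption, and the Install-Module line assumes the machine can reach the PowerShell Gallery.

```powershell
# Added example, not from the original page.
# Assumption: C:\Secure\contoso-tpd.xml is the TPD/tenant key export made earlier
# and kept offline. Its password is deliberately not stored in this script.
$tpdPath = 'C:\Secure\contoso-tpd.xml'

# Guard 1: never deactivate without the TPD needed to keep reading old content.
if (-not (Test-Path -Path $tpdPath)) {
    throw "TPD file not found at $tpdPath. Export the tenant key and TPD before deactivating."
}

# Install the AIPService module once if it is not already present.
if (-not (Get-Module -ListAvailable -Name AIPService)) {
    Install-Module -Name AIPService -Scope CurrentUser
}
Import-Module AIPService

Connect-AipService    # prompts for Global Administrator credentials

# Guard 2: act only on a known state. Get-AipService reports Enabled or Disabled.
$before = "$(Get-AipService)"
if ($before -ne 'Enabled') {
    Write-Output "Service status is '$before'; nothing to deactivate."
    Disconnect-AipService
    return
}

Disable-AipService

# Confirm the change took effect rather than assuming it did.
$after = "$(Get-AipService)"
if ($after -ne 'Disabled') {
    Disconnect-AipService
    throw "Deactivation did not take effect; status is '$after'."
}
Write-Output "Azure Rights Management service deactivated at $(Get-Date -Format o) by $env:USERNAME"

Disconnect-AipService
```

Deactivation turns the protection service off for new requests; it does not delete the tenant key, and Enable-AipService from the same module turns the service back on. Record who ran the change and when, because after this point users who try to protect content or obtain new licenses will fail, and the help desk will need to tie that to the planned decommissioning.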