SharePoint (2003 thru Online): February 2019

Thursday, February 28, 2019

IRM service - SharePoint Online, OneDrive & Teams


To use IRM features with SharePoint Online, OneDrive & TeamsWe should follow the below 3 steps.
_______________________________________________________________

Step 1: Activate the Azure Rights Management Service (Azure RMS).


You must use Office 365 global administrator privileges to enable the Azure Rights Management Service. Open a new browser window and sign in to the Azure portal. On the left menu, click All services and start typing Information in the Filter box. Select Azure Information Protection.


If you haven't accessed the Azure Information Protection blade before, see the one-time additional steps to add this blade to the portal.

[Note: To open the Azure Information Protection blade, you must have either an Azure Information Protection Premium plan or an Office 365 plan that includes Rights Management.]


Locate the Manage menu options, and select Protection activation.

Click Activate, and then confirm your action.

When activation is complete, the information bar displays Activation finished successfully.





_______________________________________________________________

Step 2: @ SharePoint admin center to turn on IRM.

Sign in to Office 365 as a global admin or SharePoint admin.

Select the app launcher icon in the upper-left and choose Admin to open the Office 365 admin center. (If you don't see the Admin tile, you don't have Office 365 administrator permissions in your organization.)

In the left pane, choose Admin centers > SharePoint.

In the left pane, choose settings.

In the Information Rights Management (IRM) section, choose Use the IRM service specified in your configuration, and then Click on Refresh IRM Settings.



6. Click OK at the botton of the settings page.

After you refresh IRM settings, may take up to an hour to appear in Library Settings and List Settings. Users in your organization can begin using IRM in their SharePoint lists and document libraries.
_______________________________________________________________

Step 3:Apply Information Rights Management (IRM) to a list or library



Information Rights Management (IRM) is used to help control and protect files that are downloaded from lists or libraries. To apply IRM to a list or library, you must have administrator permissions for that list or library.


Note: If you are using SharePoint Online, your users might experience timeouts when downloading larger IRM-protected files. If this happens, then apply IRM protection by using your Office programs, and store larger files in a SharePoint library that does not use IRM.

Go to the list or library for which you want to configure IRM.

On the ribbon, click the Library tab, and then click Library Settings. (If you are working in a list, click the List tab, and then click List Settings).



Under Permissions and Management, click Information Rights Management

Note: The Information Rights Management link does not appear for picture libraries.


On the Information Rights Management Settings page, select the Restrict permission to documents in this library on download check box to apply restricted permission to documents that are downloaded from this list or library.



In the Create a permission policy title box, type a descriptive name for the policy that you can use later to differentiate this policy from other policies. For example, you can type Company Confidential if you are applying restricted permission to a list or library that will contain company documents that are confidential.


In the Add a permission policy description box, type a description that will appear to people who use this list or library that explains how they should handle the documents in this list or library. For example, you can type Discuss the contents of this document only with other employees if you want to restrict access to the information in these documents to internal employees.






To apply additional restrictions to the documents in this list or library, click Show Options, and do any of the following:

To do this:Do this:
Allow people to print documents from this list or library Select the Allow viewers to print check box. 
Allow people with at least the View Items permission to run embedded code or macros on a document. Select the Allow viewers to run script and screen reader to function on downloaded documents check box. 
If you select this option, users could run code to extract the contents of a document.
Require that people verify their credentials at specific intervals. 
Select this option if you want to restrict access to content to a specified period of time. If you select this option, people's issuance licenses to access the content will expire after the specified number of days, and people will be required to return to the server to verify their credentials and download a new copy. 
Select the Users must verify their credentials using this interval (days)check box, and then specify the number of days for which you want the document to be viewable. 
Prevent people from uploading documents that do not support IRM to this list or library. 
If you select this option, people will not be able to upload any of the following file types: 
File types that do not have corresponding IRM protectors installed on all of the front-end Web servers. 
File types that SharePoint Server 2010 cannot decrypt. 
File types that are IRM protected in another program 
Select the Do not allow users to upload documents that do not support IRMcheck box. 
Remove restricted permissions from this list or library on a specific date. Select the Stop restricting access to the library at check box, and then select the date that you want. 
Control the interval that credentials are cached for the program that is licensed to open the document. In the Set group protection and credentials interval, enter theinterval for caching credentials in number of days. 
Allow group protection so that users can share with members of the same group. Select Allow group protection, and enter the group's name for sharing. 

After you finish selecting the options you want, click OK.
_______________________________________________________________


IRM helps to protect restricted content in the following ways:

  • Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or copying and pasting the content for unauthorized use.
  • Helps to prevent an authorized viewer from copying the content by using the Print Screen feature in Microsoft Windows.
  • Helps to prevent an unauthorized viewer from viewing the content if it is sent in e-mail after it is downloaded from the server.
  • Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again.
  • Helps to enforce corporate policies that govern the use and dissemination of content within your organization.

IRM cannot protect restricted content from the following:
  • Erasure, theft, capture, or transmission by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware.
  • Loss or corruption because of the actions of computer viruses.
  • Manual copying or retyping of content from the display on a screen.
  • Digital or film photography of content that is displayed on a screen.
  • Copying through the use of third-party screen-capture programs.
  • Copying of content metadata (column values) through the use of third-party screen-capture programs or copy-and-paste action.
IRM protection is applied to files at the list or library level. When IRM is enabled for a library, rights management applies to all of the files in that library. When IRM is enabled for a list, rights management applies only to files that are attached to list items, not the actual list items.



When people download files in an IRM-enabled list or library, the files are encrypted so that only authorized people can view them. Each rights-managed file also contains an issuance license that imposes restrictions on the people who view the file. Typical restrictions include making a file read-only, disabling the copying of text, preventing people from saving a local copy, and preventing people from printing the file. Client programs that can read IRM-supported file types use the issuance license within the rights-managed file to enforce these restrictions. This is how a rights-managed file retains its protection even after it is downloaded from the server.



The types of restrictions that are applied to a file when it is downloaded from a list or library are based on the individual user's permissions on the site that contains the file. The following table explains how the permissions on sites correspond to IRM permissions.

PermissionsIRM Permissions
Manage Permissions, Manage Web Site Full control (as defined by the client program): This permission generally allows a user to read, edit, copy, save, and modify permissions of rights-managed content. 
Edit Items, Manage Lists, Add and Customize Pages EditCopy, and Save: A user can print a file only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library. 
View Items Read: A user can read the document, but cannot copy or modify its content. A user can print only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library. 
Other No other permissions correspond directly to IRM permissions. 

_______________________________________________________________

When site owners enable IRM for a list or library, they can protect any supported file types in that list or library. When IRM is enabled for a library, rights management applies to all of the files in that library. When you enable IRM for a list, rights management applies only to files that are attached to list items, not the actual list items.

When people download files in an IRM-enabled list or library, the files are encrypted so that only authorized people can view them. Each rights-managed file also contains an issuance license that imposes restrictions on the people who view the file. Typical restrictions include making a file read-only, disabling the copying of text, preventing people from saving a local copy, and preventing people from printing the file. Client programs that can read IRM-supported file types use the issuance license within the rights-managed file to enforce these restrictions. This is how a rights-managed file retains its protection even after it is downloaded.

You cannot create or edit documents in an IRM-enabled library using Office Online. Instead, one person at a time can download and edit IRM-encrypted files. Use check-in and check-out to manage co-authoring , or authoring across multiple users.

When you download a PDF file from an IRM-protected library, Office 365 creates a protected PDF file. The file's extension won't change, but the file is protected. To view this file you'll need the Azure Information Protection viewer, the full Azure Information Protection client, or another application that supports viewing protected PDF files.

SharePoint Online supports encryption of the following file types:

  • PDF

  • The 97-2003 file formats for the following Microsoft Office programs: Word, Excel, and PowerPoint

  • The Office Open XML formats for the following Microsoft Office programs: Word, Excel, and PowerPoint

  • The XML Paper Specification (XPS) format



Document Library Settings >> IRM Settings in OneDrive.



Document Library Settings >>IRM Settings in Teams.