Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

Using Microsoft Outlook protection rules, you can protect messages with Information Rights Management (IRM) by applying an Active Directory Rights Management Services (AD RMS) template in Outlook 2010 before the messages are sent.

If you configure Outlook protection rules to IRM-protect messages, consider enabling transport decryption to allow transport agents, including the Transport Rules agent, to decrypt and access the message. If you use journaling, you should also consider enabling journal report decryption to allow the Journaling agent to save an unencrypted copy of the message in the journal report. For more information, see Understanding Journal Report Decryption.

Looking for other management tasks related to IRM? Check out Managing Information Rights Management.


You must have an AD RMS server deployed in the same Active Directory forest as your server running Microsoft Exchange Server 2010.

Use the Shell to create an Outlook protection rule

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.

You can't use the EMC to create Outlook protection rules.

This example creates the Outlook protection rule Project Contoso. The rule protects messages sent to the ContosoPMs distribution group with the AD RMS template Business Critical.

Copy Code
New-OutlookProtectionRule -Name "Project Contoso" -SentTo "" -ApplyRightsProtectionTemplate "Business Critical"
When you use the SentTo predicate for an Outlook protection rule and specify a distribution group, only messages addressed to the distribution group in the To, Cc, or Bcc fields are IRM-protected. IRM protection isn't applied to messages addressed to individual members of the distribution group.

You can also use the FromDepartment and SentToScope predicates to apply IRM protection to messages sent from users in the specified department or messages sent to the specified scope (InOrganization for internal messages, All for all recipients).

For detailed syntax and parameter information, see New-OutlookProtectionRule.

Other Tasks