Applies to: Exchange Server 2013, Exchange Online

Topic Last Modified: 2013-07-10

If you use Information Rights Management (IRM) in your on-premises Exchange organization and you want your Exchange Online users to also use IRM in your hybrid deployment, this topic explains how to achieve that outcome.

For additional management tasks related to hybrid deployments, see Hybrid Deployment procedures.

WarningWarning:
This feature of Exchange Server 2013 isn’t fully compatible with Office 365 operated by 21Vianet in China and some feature limitations may apply. For more information, see Learn about Office 365 operated by 21Vianet.

What do you need to know before you begin?

  • Estimated time to complete: 30 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the “Information Rights Management (IRM) configuration" entry in the Messaging policy and compliance permissions topic.

  • Configure your Exchange organization for a hybrid deployment using the Hybrid Configuration wizard.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

TipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

How do you do this?

Step1: Configure on-premises AD RMS servers

To configure IRM in a hybrid deployment, you need to use Windows PowerShell to access your on-premises AD RMS server. Learn more at Using Windows PowerShell to Administer AD RMS. Do the following to configure your on-premises AD RMS server:

  1. Export TPD data from your on-premises organization. Learn more at Export a Trusted Publishing Domain.

  2. Configure access to AD RMS servers from external clients. Learn more at Adding an Extranet Cluster URL.

Step 2: Enable IRM in the Exchange Online organization

After you export the TPD data from your on-premises AD RMS servers, you need to import that data into the Exchange Online organization and then enable IRM.

  1. In the Exchange Online organization, run the following command to import the TPD data.

    Copy Code 
    Import-RMSTrustedPublishingDomain -FileData $( [Byte[]] (Get-Content -Encoding Byte -Path "<Path to exported TPD file>" -ReadCount 0))

  2. Run the following command to enable IRM in the Exchange Online organization.

    Copy Code 
    Set-IRMConfiguration -InternalLicensingEnabled $True

Step 3: Distribute AD RMS templates in the Exchange Online organization

After you've enabled IRM in the Exchange Online organization, you must distribute the imported AD RMS templates. The following Exchange Online users and features use AD RMS templates:

  • Microsoft Outlook Web App users

  • Exchange ActiveSync users

  • Transport rules

  • Journal report decryption

  • Outlook protection rules

To distribute the AD RMS templates, complete the following steps:

  1. In the Exchange Online organization, run the following command to retrieve a list of AD RMS templates.

    Copy Code 
    Get-RMSTemplate -Type All

  2. Run the following command to distribute the AD RMS templates to users and features in the Exchange Online organization.

    Copy Code 
    Set-RMSTemplate <template name> -Type Distributed
    NoteNote:
    You can't modify the "Do Not Forward" AD RMS template.

How do you know this worked?

Outlook Web App users should be able to apply AD RMS templates to new messages. Outlook Web App and Exchange ActiveSync users should be able to read messages that have AD RMS templates applied to them. In addition, all the AD RMS templates that were imported from your on-premises organization should be listed when you run the Get-RMSTemplate cmdlet.

To verify that you have successfully configured IRM, run the following command in the Exchange Online organization.

Copy Code 
Get-RMSTemplate