Applies to: Exchange Server 2013

Topic Last Modified: 2013-01-11

Use the Set-IRMConfiguration cmdlet to configure Information Rights Management (IRM) features.

For information about the parameter sets in the Syntax section below, see Syntax.

Important:
Configuring and using IRM features in an on-premises Microsoft Exchange Server 2013 deployment requires Active Directory Rights Management Services (AD RMS).

Syntax

Set-IRMConfiguration [-Identity <OrganizationIdParameter>] [-ClientAccessServerEnabled <$true | $false>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-EDiscoverySuperUserEnabled <$true | $false>] [-ExternalLicensingEnabled <$true | $false>] [-Force <SwitchParameter>] [-InternalLicensingEnabled <$true | $false>] [-JournalReportDecryptionEnabled <$true | $false>] [-LicensingLocation <MultiValuedProperty>] [-PublishingLocation <Uri>] [-RefreshServerCertificates <SwitchParameter>] [-RMSOnlineKeySharingLocation <Uri>] [-SearchEnabled <$true | $false>] [-ServiceLocation <Uri>] [-TransportDecryptionSetting <Disabled | Optional | Mandatory>] [-WhatIf [<SwitchParameter>]]

Examples

EXAMPLE 1

This example enables journal report decryption.

Set-IRMConfiguration -JournalReportDecryptionEnabled $true

EXAMPLE 2

This example enables transport decryption and enforces decryption. When decryption is enforced, messages that can't be decrypted are rejected, and an NDR is returned.

Set-IRMConfiguration -TransportDecryptionSetting Mandatory

EXAMPLE 3

This example enables licensing for external messages.

Set-IRMConfiguration -ExternalLicensingEnabled $true

Detailed Description

IRM requires the use of an on-premises AD RMS server or the ILS service. IRM features can be selectively enabled or disabled.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Information Rights Management (IRM) configuration" entry in the Messaging Policy and Compliance Permissions topic.

Parameters

Parameter Required Type Description

ClientAccessServerEnabled

Optional

System.Boolean

The ClientAccessServerEnabled parameter specifies whether to enable IRM in Microsoft Office Outlook Web App and in Microsoft Exchange ActiveSync. Both of these features are enabled by default. To disable them, set the parameter to $false.

Important:
Enabling IRM in Outlook Web App requires additional configuration on AD RMS servers. For more information, see Information Rights Management in Outlook Web App.

Confirm

Optional

System.Management.Automation.SwitchParameter

The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory.

EDiscoverySuperUserEnabled

Optional

System.Boolean

The EDiscoverySuperUserEnabled parameter specifies whether members of the Discovery Management role group can access IRM-protected messages that were returned by a discovery search and are residing in a discovery mailbox. To enable IRM-protected message access to the Discovery Management role group, set the value to $true. For more information about In-Place eDiscovery and IRM-protected messages, see In-Place eDiscovery.

ExternalLicensingEnabled

Optional

System.Boolean

The ExternalLicensingEnabled parameter specifies whether to enable IRM features for messages sent to external recipients. In on-premises deployments, licensing is disabled for external messages by default. To enable licensing, set the value to $true.

Force

Optional

System.Management.Automation.SwitchParameter

The Force switch specifies whether to suppress the confirmation prompt that appears when you modify the InternalLicensingEnabled parameter.

Identity

Optional

Microsoft.Exchange.Configuration.Tasks.OrganizationIdParameter

The Identity parameter is reserved for internal Microsoft use.

InternalLicensingEnabled

Optional

System.Boolean

The InternalLicensingEnabled parameter specifies whether to enable IRM features for messages sent to internal recipients. In on-premises deployments, licensing is disabled for internal messages by default. To enable licensing, set the value to $true.

Note:
If the InternalLicensingEnabled parameter is set to $false, no AD RMS templates are returned when you use the Get-RMSTemplate cmdlet.

JournalReportDecryptionEnabled

Optional

System.Boolean

The JournalReportDecryptionEnabled parameter specifies whether to enable journal report decryption. When enabled, journal report decryption attaches a decrypted copy of an IRM-protected message to the journal report. Journal report decryption is enabled by default. To disable journal report decryption, set the value to $false.

Important:
Enabling journal report decryption requires additional configuration on AD RMS servers. For more information, see Journal Report Decryption.

LicensingLocation

Optional

Microsoft.Exchange.Data.MultiValuedProperty

The LicensingLocation parameter specifies one or more additional AD RMS licensing URLs in on-premises deployments. You don't need to populate this parameter if the organization doesn't have a cross-forest deployment of licensing servers.

PublishingLocation

Optional

System.Uri

This parameter applies to objects in the cloud-based service. It isn’t available for on-premises deployments.

The PublishingLocation parameter specifies one or more AD RMS publishing URLs.

RefreshServerCertificates

Optional

System.Management.Automation.SwitchParameter

The RefreshServerCertificates switch clears all Rights Account Certificates (RACs), Computer Licensor Certificates (CLCs), and cached AD RMS templates from all Microsoft Exchange Server 2010 or Exchange Server 2013 servers in the organization. Clearing RACs, CLCs, and cached templates may be required during troubleshooting or in the event of a change of keys on the AD RMS cluster in your organization. For more information about RACs and CLCs, see Understanding AD RMS Certificates.

RMSOnlineKeySharingLocation

Optional

System.Uri

The RMSOnlineKeySharingLocation parameter specifies the RMS Online URL to obtain the trusted publishing domain (TPD) for the Microsoft Exchange Online organization.

SearchEnabled

Optional

System.Boolean

The SearchEnabled parameter specifies whether to enable searching of IRM-encrypted messages in Outlook Web App. Valid values include:

  • $true (default)   Enables search of IRM-encrypted messages in Outlook Web App.

  • $false   Disables search of IRM-encrypted messages in Outlook Web App.

ServiceLocation

Optional

System.Uri

This parameter applies to objects in the cloud-based service. It isn’t available for on-premises deployments.

The ServiceLocation parameter specifies the AD RMS service URL.

TransportDecryptionSetting

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.TransportDecryptionSetting

The TransportDecryptionSetting parameter specifies the transport decryption configuration. Valid values include one of the following:

  • Disabled   Transport decryption is disabled for internal and external messages.

  • Mandatory   Messages that can't be decrypted are rejected, and a non-delivery report (NDR) is returned.

  • Optional   A best effort approach to decryption is provided. Messages are decrypted if possible, but delivered even if decryption fails.

WhatIf

Optional

System.Management.Automation.SwitchParameter

The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.
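
Several of the parameters above control where IRM-protected content is decrypted (journal reports, transport, discovery mailboxes), so it is useful to compare the current configuration with an intended baseline and preview the change before applying it. The script below is an added example, not part of the original topic; the baseline values are assumptions chosen for illustration, and it reads the current state with the companion Get-IRMConfiguration cmdlet.

```powershell
# Added example: report drift between the current IRM configuration and a
# desired baseline, preview the change with -WhatIf, then apply it.
# The baseline values are assumptions; adjust them to your own policy.
$baseline = @{
    InternalLicensingEnabled       = $true
    ExternalLicensingEnabled       = $false
    JournalReportDecryptionEnabled = $true
    EDiscoverySuperUserEnabled     = $false
    SearchEnabled                  = $true
    TransportDecryptionSetting     = 'Mandatory'
}

# Read the organization's current IRM settings.
$current = Get-IRMConfiguration

# Collect only the settings that differ from the baseline.
$changes = @{}
foreach ($name in $baseline.Keys) {
    $have = [string]$current.$name
    $want = [string]$baseline[$name]
    if ($have -ne $want) {
        Write-Output ("{0}: current={1} baseline={2}" -f $name, $have, $want)
        $changes[$name] = $baseline[$name]
    }
}

if ($changes.Count -eq 0) {
    Write-Output 'IRM configuration matches the baseline.'
}
else {
    # Preview first: with -WhatIf the cmdlet only simulates the change.
    Set-IRMConfiguration @changes -WhatIf

    # Apply the same change. -Confirm pauses for acknowledgement; add -Force
    # only when the InternalLicensingEnabled prompt must be suppressed.
    Set-IRMConfiguration @changes -Confirm
}
```

Run it from the Exchange Management Shell with an account that has the IRM configuration permissions described under Detailed Description.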

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.