Applies to: Exchange Server 2013
Topic Last Modified: 2012-12-04
Using Microsoft Outlook protection rules, you can protect messages with Information Rights Management (IRM) by applying an Active Directory Rights Management Services (AD RMS) template in Outlook 2010 before the messages are sent.
For additional management tasks related to IRM, see Information Rights Management Procedures.
What do you need to know before you begin?
- Estimated time to completion: 1 minute.
- You need to be assigned permissions before you can perform this
procedure or procedures. To see what permissions you need, see the
"Rights protection" entry in the Messaging Policy and
Compliance Permissions topic.
- You must have an AD RMS server deployed in the same Active
Directory forest as your server running Microsoft Exchange Server
- If you configure Outlook protection rules to IRM-protect
messages, consider enabling transport decryption to allow transport
agents, including the Transport Rules agent, to decrypt and access
the message. If you use journaling, you should also consider
enabling journal report decryption to allow the Journaling agent to
save an unencrypted copy of the message in the journal report. For
more information, see Journal Report
- You can't use the Exchange Administration Center (EAC) to
create Outlook protection rules. You must use the Shell.
- For information about keyboard shortcuts that may apply to the
procedures in this topic, see Keyboard Shortcuts in
the Exchange Admin Center.
Use the Shell to create an Outlook protection rule
This example creates the Outlook protection rule Project Contoso. The rule protects messages sent to the ContosoPMs distribution group with the AD RMS template Business Critical.
New-OutlookProtectionRule -Name "Project Contoso" -SentTo "DL-ContosoPMs@contoso.com" -ApplyRightsProtectionTemplate "Business Critical"
|When you use the
You can also use the
SentToScope predicates to apply IRM protection to
messages sent from users in the specified department or messages
sent to the specified scope (
All for all recipients).
For detailed syntax and parameter information, see New-OutlookProtectionRule.
How do you know this worked?
To verify that you have successfully created an Outlook protection rule, do the following:
- Run the Get-OutlookProtectionRule
cmdlet to make sure that the rule has been created and to view the
rule’s properties. For an example of how to retrieve an Outlook
protection rule, see Examples in
- Use Outlook 2010 to create a test message that meets the rule’s
condition and make sure the rule is triggered on the client.
Note: It may take some time for an Outlook protection rule to be available in Outlook.