TechShizz | All posts tagged 'Security'

Installing Information Right Management for Office 365

IRM needs to be activated first:

Service settings > Rights Management > Manage

Click Activate:

Rights Management is not activated


Managing IRM


Before we can manage IRM in PowerShell there is a module that needs to be downloaded and installed.

Download the Azure Rights Management Administration Tool - English - United Kingdom







Import-module aadrm

Connect-aadrmservice -verbose



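As an added example (not from the original post), the following checks the activation state from PowerShell before touching any Exchange settings, and pulls the tenant's licensing URL, which is the value the later Set-IRMConfiguration -RMSOnlineKeySharingLocation step expects. It assumes the AADRM module from the download above; in current tenants the same cmdlets ship in the AIPService module (Connect-AipService, Get-AipService, Get-AipServiceConfiguration) and the AADRM names are retired.

```powershell
# Added example, not part of the original post.
# Assumes the AADRM module is installed and the account used is a Global Administrator.
Import-Module AADRM

# Prompts for credentials and opens the management session
Connect-AadrmService

# Get-Aadrm returns Enabled or Disabled; only activate if it is not already on
$state = Get-Aadrm
Write-Host "Rights Management state: $state"
if ($state -ne 'Enabled') {
    Enable-Aadrm
}

# The tenant configuration exposes the service URLs. The intranet licensing URL is the value
# that the Exchange Online Set-IRMConfiguration -RMSOnlineKeySharingLocation step takes.
$config = Get-AadrmConfiguration
$config | Select-Object LicensingIntranetDistributionPointUrl,
                        LicensingExtranetDistributionPointUrl,
                        CertificationDistributionPointUrl

Disconnect-AadrmService
```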




Configuring Office 365 Admin Center Administration Roles

Admin Center Admin Roles


Global Administrator - All tasks in O365 admin center.

Manage Domains

Manage Organization information

Delegate administrator roles

Use Directory Synchronization



User Management - Manage users and groups, manage service requests, reset passwords and monitor health.

Cannot create other admins

Cannot delete global administrators

Cannot reset passwords for Billing, Global or Service Admins.


Password - Manage passwords, service requests and monitor health. (Not manage passwords of other admin roles)


Service - Manage service requests and monitor health. Must assign admin permissions to online service before this role.


Billing - Make purchases, manage subscriptions and support tickets and monitor health. (Only if bought from Microsoft).


PowerShell to Admin Center

Titles for administration roles differ between Office 365 PowerShell and SharePoint. Below is the equivalent name for each administration role (PowerShell = left, SharePoint = right).

Company Administrator = Global Administrator


User Management Administrator = User Management


Helpdesk Administrator = Password Administrator


Service Support Administrator = Services Administrator


Billing Administrator = Billing Administrator


Managing in PowerShell





List the role groups:





Add a member to a role group:


Add-msolrolemember -rolename "User Account Administrator" -rolememberemailaddress ""


To list who is in a role group:


$Roleinfo = get-msolrole -rolename "user account administrator"


Get-msolrolemember -roleobjectid $roleinfo.objectid



Remove a member from a role group:


Remove-msolrolemember -rolename "User Account Administrator" -rolememberemailaddress ""
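As an added example (not from the original post), the script below ties the role-name mapping above to the MSOnline cmdlets: it lists every role group, enumerates the members of each in one pass, and counts the "Company Administrator" (Global Administrator) members so privileged access can be reviewed rather than queried one role at a time. It assumes the MSOnline module is installed; note that MSOnline is deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, but the cmdlets are the ones the post uses.

```powershell
# Added example, not part of the original post.
# Assumes the MSOnline module is installed and the account can read directory roles.
Import-Module MSOnline
Connect-MsolService        # prompts for credentials

# Role groups as PowerShell names them ("Company Administrator" = Global Administrator in the admin center)
Get-MsolRole | Select-Object Name, Description | Sort-Object Name

# Enumerate the members of every role so the whole privileged population is visible at once
$report = foreach ($role in Get-MsolRole) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
        [pscustomobject]@{
            Role        = $role.Name
            Member      = $_.EmailAddress
            DisplayName = $_.DisplayName
            MemberType  = $_.RoleMemberType
        }
    }
}
$report | Sort-Object Role, Member | Format-Table -AutoSize

# Global administrators should be the smallest group; list them explicitly for review
$globalAdmins = @($report | Where-Object Role -eq 'Company Administrator')
"Global administrators: $($globalAdmins.Count)"
$globalAdmins | Select-Object Member, DisplayName
```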




Integrating with Exchange

Integrating IRM with Exchange Online allows content in Exchange to be controlled via the menus shown:


Set Permissions - Do Not Forward

It also allows us to create rights protection mail rules in Exchange online:

Apply rights protection to messages






In order to enable IRM in Exchange online we need to do the following.


Open PowerShell as Admin and run the following commands in order.


Set-ExecutionPolicy RemoteSigned

$usercred = Get-Credential

$sessioninfo = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $usercred -Authentication Basic -AllowRedirection

Import-PSSession $sessioninfo

Set-IRMConfiguration -RMSOnlineKeySharingLocation ""

Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

Set-IRMConfiguration -InternalLicensingEnabled $true

Test-IRMConfiguration -RMSOnline

Test-IRMConfiguration -Sender $usercred.username

Remove-PSSession $sessioninfo
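Once the steps above have run, the added example below (not from the original post) verifies the IRM configuration from inside the same Exchange Online session and then creates one of the rights-protection mail rules mentioned earlier, applying the default "Do Not Forward" template to messages from a group. The group address, subject keyword and rule name are constructed for illustration.

```powershell
# Added example, not part of the original post.
# Assumes an Exchange Online remote session is already imported (as in the steps above)
# and that the tenant's default "Do Not Forward" template is present.

# 1. Confirm IRM is wired up: InternalLicensingEnabled should be True and the RMS Online TPD listed
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ExternalLicensingEnabled, RMSOnlineKeySharingLocation
Get-RMSTrustedPublishingDomain | Format-List Name, Default

# 2. Templates that transport rules can apply
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# 3. Rule: mail from members of the HR group (constructed address) that mentions "Payroll"
#    is protected with Do Not Forward, so recipients cannot forward, copy or print it.
New-TransportRule -Name 'Protect HR payroll mail' `
    -FromMemberOf 'hr@contoso.com' `
    -SubjectOrBodyContainsWords 'Payroll' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Comments 'Rights protection for HR payroll mail; review quarterly'

# 4. Check the rule is enabled and applies the intended template
Get-TransportRule 'Protect HR payroll mail' |
    Format-List State, FromMemberOf, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate
```

Test-IRMConfiguration -Sender, as in the steps above, remains the quickest way to confirm that a given mailbox can actually obtain a licence once the rule is in place.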

Role Based Access in Exchange



Role groups, or Management Role groups, are the groups that we see in the Active Directory "Microsoft Exchange Security Groups" OU.

To see a list of Management Roles:




This lists all management roles, which are collections of commands. For example:


Let's look at Databases: to see which commands make up the Databases Management role we can run:


Get-ManagementRoleEntry "Databases\*"


Create a custom role from an existing role by using the following:


New-ManagementRole -name "Distribution G Admins" -Parent "Distribution Groups"


This command creates a new Management role called "Distribution G Admins" and populates it with the ability to use all the powershell commands that the "Distribution Groups" 


To remove a management role entry, stripping the copied template down to just the access we want to give, use:


Remove-ManagementRoleEntry "Distribution G Admins\Remove-Distributiongroup"


If for some reason this group needs a permission from another Management role, we first need to create a Role Group that contains both sets of management role entries.

Because we created this Management role from the Distribution Groups role, we can't simply add the role entries from other roles to it.


So to create a New Role Group which in this example will contain Distribution group and Transport Rule group role entries:


New-RoleGroup "Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -members rbulloc


This creates a group visible in AD alongside the other Role Groups.


To remove a role group:


Remove-RoleGroup "Distros and Transports"


If we want to create a role group and scope it so that the users in that group can only administer users/mailboxes in a specific OU (in this example the "Liverpool" OU), we can use the following command:


New-RoleGroup "Liverpool Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -RecipientOrganizationalUnitScope "contoso.local/Liverpool"




To see which Management Roles make up a role group, and to see its scope, query using this command:


Get-ManagementRoleAssignment | Select Name


Find the roles you're looking for:


Then run:


Get-ManagementRoleAssignment "MANAGEMENTROLENAME" | fl



This shows the Scope.
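The added example below (not from the original post) runs the whole procedure from this section end to end: copy the built-in role, trim it, record exactly which entries were removed, create the OU-scoped role group, and then read back the assignments with their write scope so the restriction can be confirmed rather than assumed. It uses the post's own role, group and OU names; the member name is constructed.

```powershell
# Added example, not part of the original post.
# Assumes an Exchange Management Shell or remote session with rights to manage RBAC,
# and the contoso.local/Liverpool OU from the post. 'jsmith' is a constructed member name.

# 1. Copy the built-in role and list the cmdlets the copy carries
New-ManagementRole -Name 'Distribution G Admins' -Parent 'Distribution Groups'
Get-ManagementRoleEntry 'Distribution G Admins\*' | Select-Object Name | Sort-Object Name

# 2. Strip entries the delegates should not have (deleting and creating groups)
'Remove-DistributionGroup', 'New-DistributionGroup' | ForEach-Object {
    Remove-ManagementRoleEntry "Distribution G Admins\$_" -Confirm:$false
}

# 3. Record what was removed relative to the parent role (a change record for the delegation)
$parent = Get-ManagementRoleEntry 'Distribution Groups\*'  | Select-Object -ExpandProperty Name
$child  = Get-ManagementRoleEntry 'Distribution G Admins\*' | Select-Object -ExpandProperty Name
$removed = Compare-Object $parent $child | Where-Object SideIndicator -eq '<=' |
           Select-Object -ExpandProperty InputObject
"Entries removed from the copy: $($removed -join ', ')"

# 4. Role group combining the trimmed role with Transport Rules, scoped to one OU
New-RoleGroup -Name 'Liverpool Distros and Transports' `
    -Roles 'Distribution G Admins', 'Transport Rules' `
    -RecipientOrganizationalUnitScope 'contoso.local/Liverpool' `
    -Members 'jsmith'

# 5. Verify: one assignment per role; the write scope fields should show the OU, not the whole organization
Get-ManagementRoleAssignment -RoleAssignee 'Liverpool Distros and Transports' |
    Format-List Name, Role, RoleAssigneeType, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope, Enabled
```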

Dynamic Access Control



  • At least one DC must run Server 2012 or later; 2008 DCs will still work but require a schema update.
  • The file server must be a domain member.
  • File Server Resource Manager (FSRM) must be installed on the file server.
  • Clients must be Windows 7 or later.
  • For Access Denied Remediation (ADR), clients must be Windows 8 or later.
  • Active Directory Administrative Centre (RSAT tool).

  1. Claim Type
  2. Resource Properties
  3. Resource Property List
  4. Central Access Rules
  5. Central Access Policy




  1. Create a claim type such as
    1. Company
    2. Department
    3. Manager
  2. Next you need to Enable the resource property. Before this can be done you need to add the properties.


Go into each resource and add properties, for example:

Company= Microsoft; Apple; Cisco

Department= Finance; HR; IT


  1. Create a Resource property list. This is a list that will be made globally to all supported file servers with the attributes configured previously.
  2. Create a Central Access Rule - This can be called something like "Company-Dept-Match-Required". This rule will dictate what value the department and company attributes must say before the file can be accessed.
    1. Add the target Resources to add the conditions. Choose : Resource > "Attribute" > Exists
    2. Create the "AND" statement and repeat for the next attribute.
    3. Apply permissions. For this to apply to All users the general thing to do is give "Authenticated Users" Full control access. As this is being used in conjunction with NTFS permissions the user will never be able to harness these full control abilities anyway unless they create the document/folder.
    4. Add the condition for the permissions as follows: User > "Attribute" > Equals > Resource > Company
    5. Repeat for Department.
  3. Create a central access policy - This can be named "Company-Dept-Match-Reqd-Policy"
    1. Click add on the Member Central Access section and add the rule into the policy.
  4. Create a group policy to deploy the Central Access Policy to the domain File Servers (wherever they are). The policy is located under: Computer > Policies > Windows Settings > Security Settings > File System > Central Access Policy
    1. Right click to create the policy and add the Access Policy to the configuration. 
    2. Create another policy and link to the domain controllers named "DAC KDC Kerberos Armouring". Add policy located at: Computer > Administrative Templates > System > KDC > KDC Support for claims, compound authentication and Kerberos Armouring"
    3. Set the Policy to "Supported"
    4. In the same policy, add the policy located at: Computer > Administrative Templates > System > Kerberos > Kerberos Client Support for claims, compound authentication and Kerberos armoring. The policy does not need to be linked to the clients to enable the feature for them. As the clients obtain their Kerberos claims from the DC, it is only necessary to enable this on the DC, which will in turn filter down to any client that uses the feature.
  5. To update group policy on the FileServer and FSRM we need to run the following:
    1. Gpupdate /force
    2. Update-FSRMClassificationpropertyDefinition
    3. Klist purge
  6. Go to the fileserver and modify the classifications in the properties of the files/folders.
  7. REMEMBER to apply the Central Policy from the Advanced Security section.
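The ADAC steps above can also be scripted. The added example below (not from the original post) creates the same objects with the ActiveDirectory module: the Company and Department claim types, the two resource properties with the post's suggested values, their addition to the global resource property list, the "Company-Dept-Match-Required" rule and the "Company-Dept-Match-Reqd-Policy" policy. It assumes a Server 2012 or later DC with the ActiveDirectory module, that users' company and department attributes are populated, and that the SDDL conditional-ACE syntax written here matches what ADAC generates; that syntax is an assumption and should be checked in ADAC after the rule is created.

```powershell
# Added example, not part of the original post.
# Assumptions: Server 2012+ DC, ActiveDirectory module, populated 'company'/'department' user attributes.
# The SDDL condition syntax below is an assumption to verify in ADAC after running.
Import-Module ActiveDirectory

# 1. Claim types sourced from user attributes. The ID is fixed so the rule conditions can reference it.
New-ADClaimType -DisplayName 'Company'    -SourceAttribute 'company'    -ID 'ad://ext/Company'    -Enabled $true
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -ID 'ad://ext/Department' -Enabled $true

# 2. Resource properties with the suggested values from the post
function New-SuggestedValues([string[]] $values) {
    foreach ($v in $values) {
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($v, $v, '')
    }
}
$companyRp = New-ADResourceProperty -DisplayName 'Company' -IsSecured $true -Enabled $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SuggestedValues (New-SuggestedValues 'Microsoft', 'Apple', 'Cisco') -PassThru
$deptRp = New-ADResourceProperty -DisplayName 'Department' -IsSecured $true -Enabled $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SuggestedValues (New-SuggestedValues 'Finance', 'HR', 'IT') -PassThru

# 3. Publish both properties to the list every supported file server downloads
Add-ADResourcePropertyListMember 'Global Resource Property List' -Members $companyRp, $deptRp

# 4. Central access rule. Targets resources that carry both properties and grants Authenticated Users
#    (AU) full control only when the user's claims equal the resource's Company and Department values.
#    Combined with NTFS permissions, so "full control" never exceeds what NTFS already allows.
$resourceCondition = "(Exists @RESOURCE.$($companyRp.ID)) && (Exists @RESOURCE.$($deptRp.ID))"
$userCondition     = "(@USER.ad://ext/Company == @RESOURCE.$($companyRp.ID)) && " +
                     "(@USER.ad://ext/Department == @RESOURCE.$($deptRp.ID))"
$acl = "O:SYG:SYD:AR(XA;;FA;;;AU;($userCondition))"
New-ADCentralAccessRule -Name 'Company-Dept-Match-Required' `
    -ResourceCondition $resourceCondition -CurrentAcl $acl

# 5. Policy that holds the rule; the GPO from the steps above then deploys it to the file servers
New-ADCentralAccessPolicy -Name 'Company-Dept-Match-Reqd-Policy'
Add-ADCentralAccessPolicyMember 'Company-Dept-Match-Reqd-Policy' -Members 'Company-Dept-Match-Required'

# 6. Read back what was created before moving on to the file server
Get-ADCentralAccessRule 'Company-Dept-Match-Required' | Format-List Name, ResourceCondition, CurrentAcl
Get-ADCentralAccessPolicy 'Company-Dept-Match-Reqd-Policy' | Format-List Name, Members
```

After this, the file-server steps are unchanged: gpupdate /force, Update-FSRMClassificationPropertyDefinition and klist purge on the file server, then classify the folders and apply the central policy from the Advanced Security section.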