TechShizz | All posts tagged 'Security'

Integrating Information Rights Management in Office 365 with SharePoint



To enable IRM on a library you need the "Design" permission level on the site (Global Admins have this).


Only one global setting is required to enable IRM in SharePoint: it is switched on from the SharePoint admin centre.


O365 Admin > Admin > SharePoint > Settings



Information Rights Services



Once this has been enabled, an IRM policy can be created for a library from within the SharePoint site (Library tab > Library Settings > Information Rights Management). The policy applies per library, not to the whole site.

Information Rights Services Settings



The policy also blocks uploads of file types that IRM cannot protect. When tested, the upload failed with the error below:



This library does not accept files of the given type
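The admin-centre switch above turns IRM on for the tenant, but it is the per-library policy that actually protects documents, and nothing in the UI lists which libraries have one. As an added example that is not part of the original post, the script below uses the SharePoint Online client-side object model (CSOM) to audit every document library in a site and then apply an IRM policy to one library with the same options the Library Settings page exposes. The site URL, account, library title and policy text are assumptions; it also assumes the SharePoint Online Client Components SDK is installed in its default location and that the tenant still accepts username/password sign-in for SharePointOnlineCredentials.

```powershell
# Added example (not from the original post): audit and set IRM policies on SharePoint Online libraries via CSOM.
# Assumptions: SharePoint Online Client Components SDK installed; $siteUrl, $user and $libraryTitle are yours.
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

$siteUrl      = "https://contoso.sharepoint.com/sites/finance"   # assumed site
$user         = "admin@contoso.onmicrosoft.com"                  # assumed admin account
$libraryTitle = "Board Papers"                                   # assumed library

$password = Read-Host -Prompt "Password for $user" -AsSecureString
$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($user, $password)

# --- Audit: which document libraries (BaseTemplate 101) already have IRM enabled? ---
$lists = $ctx.Web.Lists
$ctx.Load($lists)
$ctx.ExecuteQuery()
foreach ($l in $lists) {
    if ($l.BaseTemplate -eq 101) {
        "{0,-40} IrmEnabled={1}" -f $l.Title, $l.IrmEnabled
    }
}

# --- Apply: enable IRM on one library and set the policy the way the Library Settings page does ---
$lib = $ctx.Web.Lists.GetByTitle($libraryTitle)
$ctx.Load($lib)
$ctx.ExecuteQuery()

$lib.IrmEnabled = $true      # protect documents on download
$lib.IrmReject  = $true      # reject uploads of file types IRM cannot protect (the error shown above)
$lib.IrmExpire  = $false     # do not expire the library's protection on a date
$irmSettings = $lib.InformationRightsManagementSettings
$irmSettings.PolicyTitle       = "Board papers - restricted"          # assumed policy text
$irmSettings.PolicyDescription = "Protected by IRM; printing disabled." # assumed policy text
$irmSettings.AllowPrint        = $false
$lib.Update()
$ctx.ExecuteQuery()

# Re-read from the server to confirm the change took effect rather than trusting the local object
$ctx.Load($lib)
$ctx.ExecuteQuery()
"IRM on '{0}': enabled={1}, rejectUnsupported={2}" -f $lib.Title, $lib.IrmEnabled, $lib.IrmReject
```

Run the audit part on its own first; a library showing IrmEnabled=False is one where the tenant-level switch is doing nothing for the documents inside it.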

Integrating with Exchange

Enabling IRM in Office 365 also allows content to be controlled in Exchange, via the permissions menu shown below:


Set Permissions - Do Not Forward

It also allows us to create rights-protecting mail flow rules in Exchange Online:

Apply rights protection to messages






In order to enable IRM in Exchange Online we need to do the following.


Open PowerShell as Admin and run the following commands in order. (Note: Microsoft has since retired the Basic-authentication remote PowerShell session used here; on a current tenant the equivalent is Connect-ExchangeOnline from the ExchangeOnlineManagement module, after which the Set-IRMConfiguration and Test-IRMConfiguration commands are unchanged.)


# Allow locally created scripts and signed downloaded scripts to run
Set-ExecutionPolicy RemoteSigned

# Prompt for the tenant admin credentials
$usercred = Get-Credential

# Open a remote session to Exchange Online. The ConnectionUri value was not preserved on this page;
# supply the Exchange Online remote PowerShell endpoint for your tenant.
$sessioninfo = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "<Exchange Online PowerShell URI>" -Credential $usercred -Authentication Basic -AllowRedirection

# Bring the Exchange Online cmdlets into the local session
Import-PSSession $sessioninfo

# Point Exchange at the Azure RMS key-sharing location for your tenant's region (value not preserved on this page)
Set-IRMConfiguration -RMSOnlineKeySharingLocation "<region-specific RMS key sharing URL>"

# Import the tenant's RMS Online trusted publishing domain (templates and keys)
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

# Allow Exchange to protect and decrypt messages using the imported domain
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verify the RMS Online connection, then a full protect/decrypt round trip for one sender
Test-IRMConfiguration -RMSOnline

Test-IRMConfiguration -Sender $usercred.UserName

# Close the remote session
Remove-PSSession $sessioninfo
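As an added example that is not from the original post, the following script, run in an already-connected Exchange Online session, checks that IRM is actually usable and then creates the kind of rights-protecting mail flow rule mentioned above, reading the rule back so the change can be verified. The rule name, the keyword list, the sender address and the template name "Do Not Forward" are assumptions for illustration; use a template returned by Get-RMSTemplate in your tenant.

```powershell
# Added example (not from the original post): verify IRM state, then create a mail flow rule that applies an RMS template.
# Assumes an Exchange Online PowerShell session is already open (Import-PSSession or Connect-ExchangeOnline).

# 1. Confirm IRM is usable before creating rules that depend on it
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw "InternalLicensingEnabled is false; run Set-IRMConfiguration -InternalLicensingEnabled `$true first."
}

# 2. List the RMS templates the tenant can apply; rules must reference one of these by name
$templates = Get-RMSTemplate
$templates | Format-Table Name, Description -AutoSize

$templateName = "Do Not Forward"   # assumed template name; pick one returned by Get-RMSTemplate
if (-not ($templates.Name -contains $templateName)) {
    throw "Template '$templateName' not found in this tenant."
}

# 3. Create a rule: protect messages sent outside the organisation that mention a project keyword
#    (rule name and keyword list are illustrative)
New-TransportRule -Name "Protect external project mail" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Project Falcon", "Falcon design" `
    -ApplyRightsProtectionTemplate $templateName `
    -Comments "Added during IRM rollout; applies an RMS template to matching outbound mail"

# 4. Read the rule back, showing the template it applies, so the change can be checked and audited
Get-TransportRule "Protect external project mail" |
    Format-List Name, State, SentToScope, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate

# 5. Run the end-to-end IRM check for a sender the rule will affect (address assumed)
Test-IRMConfiguration -Sender user@contoso.com
```

Step 1 matters because New-TransportRule will happily create the rule even when IRM is not licensed; the failure then only shows up as messages stuck in the transport pipeline.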

Installing Information Rights Management for Office 365

IRM needs to be activated first:

Service settings > Rights Management > Manage

Click Activate:

Rights Management is not activated


Managing IRM


Before we can manage IRM in PowerShell there is a module that needs to be downloaded and installed.

Download the Azure Rights Management Administration Tool - English - United Kingdom

(The AADRM module installed by this tool has since been retired by Microsoft; its replacement is the AIPService module, whose cmdlets use the AipService prefix, e.g. Connect-AipService. The commands below are the ones used at the time of writing.)


# Load the Azure RMS administration module
Import-Module AADRM

# Sign in to the tenant's Azure RMS service (prompts for admin credentials); -Verbose shows the connection steps
Connect-AadrmService -Verbose




Role Based Access in Exchange



Role groups (Management Role groups) are the groups we see in the Active Directory "Microsoft Exchange Security Groups" OU.

To see a list of management roles:




This lists all management roles, each of which is a collection of cmdlet entries. For example:


Let's look at Databases. To see which cmdlets make up the Databases management role we can run:


Get-ManagementRoleEntry "Databases\*"


Create a custom role from an existing role by using the following:


New-ManagementRole -name "Distribution G Admins" -Parent "Distribution Groups"


This command creates a new management role called "Distribution G Admins" and populates it with the role entries (PowerShell cmdlets) of its parent, the "Distribution Groups" role.


To strip the copied template down to only the access we want to give, remove the management role entries we do not need:


Remove-ManagementRoleEntry "Distribution G Admins\Remove-Distributiongroup"


If this group also needs a permission from another management role, we first need to create a Role Group that contains both roles.

Because we created this management role from the Distribution Groups role, a child role can only contain entries that its parent has; we cannot add role entries from other roles to it directly.


So, to create a new Role Group which in this example will contain the Distribution Groups and Transport Rules role entries:


New-RoleGroup "Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -members rbulloc


This creates a group visible in AD alongside the other Role Groups.


To remove a role group:


Remove-RoleGroup "Distros and Transports"


If we want to create a role group scoped so that its members can only administer users/mailboxes in a specific OU (in this example the "Liverpool" OU), we can use the following command:


New-RoleGroup "Liverpool Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -RecipientOrganizationalUnitScope "contoso.local/Liverpool"




To see which management roles make up a role group, and what scope the group has, query the role assignments:


Get-ManagementRoleAssignment | Select Name


Find the assignment you're looking for (assignment names take the form "Role-RoleGroup", one per role in the group):


Then run:


Get-ManagementRoleAssignment "ASSIGNMENTNAME" | fl



This shows the role, the assignee and the scope (the RecipientWriteScope and CustomRecipientWriteScope properties).
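As an added worked example that is not from the original post, this script runs the procedure above end to end and adds the checks a practitioner would want: it records how many entries the child role inherits, strips it down to read-only cmdlets, creates an OU-scoped role group combining it with a second role, and then reads back the assignments and their scope by assignee rather than by guessing assignment names. The role, group, member and OU names are illustrative; run it in an on-premises Exchange Management Shell, since -RecipientOrganizationalUnitScope refers to an AD OU.

```powershell
# Added example (not from the original post): build a least-privilege, OU-scoped Exchange role group and verify it.
# Assumed names: role "DL Read Only", group "Liverpool DL Readers", member "rbulloc", OU "contoso.local/Liverpool".

$parentRole = "Distribution Groups"
$childRole  = "DL Read Only"
$roleGroup  = "Liverpool DL Readers"
$member     = "rbulloc"
$ouScope    = "contoso.local/Liverpool"

# 1. List the management roles (collections of cmdlet entries) to choose a parent from
Get-ManagementRole | Sort-Object Name | Select-Object Name | Format-Wide -Column 3

# 2. Clone the parent role; the child starts with every entry the parent has
New-ManagementRole -Name $childRole -Parent $parentRole | Out-Null
$before = @(Get-ManagementRoleEntry "$childRole\*").Count

# 3. Strip everything except Get-* cmdlets. A child role can only hold entries its parent has,
#    so removing is the only direction available; entries from other roles are combined at the role-group level.
Get-ManagementRoleEntry "$childRole\*" |
    Where-Object { $_.Name -notlike "Get-*" } |
    ForEach-Object { Remove-ManagementRoleEntry -Identity "$childRole\$($_.Name)" -Confirm:$false }
$after = @(Get-ManagementRoleEntry "$childRole\*").Count
"$childRole : $before entries inherited from '$parentRole', $after kept"

# 4. Create the role group, combining the trimmed role with a built-in role,
#    and limit its recipient write scope to one OU
New-RoleGroup -Name $roleGroup -Roles $childRole, "Transport Rules" -Members $member `
    -RecipientOrganizationalUnitScope $ouScope | Out-Null

# 5. Read back what was actually granted. Assignments are looked up by assignee (the role group);
#    each one carries the effective recipient scope.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-List Name, Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope, RecipientReadScope

# 6. Audit: warn if anything that can change state is left in the read-only child role
$writeEntries = @(Get-ManagementRoleEntry "$childRole\*" | Where-Object { $_.Name -notlike "Get-*" })
if ($writeEntries.Count -gt 0) {
    Write-Warning "Unexpected write cmdlets in $childRole : $($writeEntries.Name -join ', ')"
}
```

Note that the scope applies to the role group, not the role: the same trimmed role can be reused in a second group scoped to a different OU without recreating it.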

Dynamic Access Control



  • At least one DC must be on Server 2012 or above; 2008 DCs will continue to work but the forest requires a schema update.
  • The file server must be a domain member.
  • File Server Resource Manager (FSRM) must be installed on the file server.
  • Clients must be Windows 7 or later.
  • For Access Denied Remediation (ADR), clients must be Windows 8 or later.
  • Active Directory Administrative Centre (ADAC, from the RSAT tools) is used to configure the objects below.

The building blocks, in the order they are created:

  1. Claim Type
  2. Resource Properties
  3. Resource Property List
  4. Central Access Rules
  5. Central Access Policy




  1. Create claim types, such as:
    1. Company
    2. Department
    3. Manager
  2. Next, enable the resource properties. Before they can be enabled, their suggested values need to be added.


Go into each resource property and add its values, for example:

Company= Microsoft; Apple; Cisco

Department= Finance; HR; IT


  1. Create a Resource Property List. This list is published to all supported file servers with the properties configured previously.
  2. Create a Central Access Rule, named something like "Company-Dept-Match-Required". This rule dictates what values the Department and Company properties must have before a file can be accessed.
    1. Add the target resources with the conditions: Resource > "Attribute" > Exists
    2. Create the "AND" statement and repeat for the next attribute.
    3. Apply permissions. For this to apply to all users, the usual approach is to grant "Authenticated Users" Full Control here. Effective access is the intersection of this rule with the NTFS permissions, so a user never gains Full Control from the rule alone unless NTFS already grants it (for example as the creator of the document/folder).
    4. Add the condition for the permissions as follows: User > "Attribute" > Equals > Resource > Company
    5. Repeat for Department.
  3. Create a Central Access Policy, which can be named "Company-Dept-Match-Reqd-Policy".
    1. Click Add in the Member Central Access Rules section and add the rule to the policy.
  4. Create a group policy to deploy the Central Access Policy to the domain file servers (wherever they are). The setting is located under: Computer > Policies > Windows Settings > Security Settings > File System > Central Access Policy
    1. Right-click to create the policy and add the Central Access Policy to the configuration.
    2. Create another policy, linked to the Domain Controllers OU, named "DAC KDC Kerberos Armouring". Add the setting located at: Computer > Administrative Templates > System > KDC > KDC support for claims, compound authentication and Kerberos armoring
    3. Set the policy to "Supported".
    4. In the same policy, add the setting located at: Computer > Administrative Templates > System > Kerberos > Kerberos client support for claims, compound authentication and Kerberos armoring. This policy does not need to be linked to the clients for them to use the feature: clients obtain their Kerberos claims from the DC, so enabling it on the DCs is sufficient, and it filters through to any client that uses the feature.
  5. To update group policy on the file server and refresh the FSRM property definitions, run the following on the file server:
    1. gpupdate /force
    2. Update-FsrmClassificationPropertyDefinition
    3. klist purge
  6. Go to the file server and set the classifications in the properties of the files/folders.
  7. REMEMBER to apply the Central Policy from the Advanced Security section of the folder's properties.
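The steps above are the ADAC (GUI) route. As an added example that is not part of the original post, the same Active Directory objects can be created from PowerShell with the ActiveDirectory module on a Server 2012 or later DC, which makes the setup repeatable and lets the rule be reviewed as text before any GPO is linked. The claim names, rule and policy names, and the choice of source attributes are assumptions. The resource-condition and conditional-ACE (SDDL) strings follow the form ADAC generates, and the reliable way to confirm them is to build the rule once in ADAC, read it back with Get-ADCentralAccessRule, and compare.

```powershell
# Added example (not from the original post): script the AD side of Dynamic Access Control.
# Run on a Windows Server 2012+ DC with the ActiveDirectory module; names and values are illustrative.
Import-Module ActiveDirectory

# 1. Claim types, sourced from existing user attributes (assumed: company and department are populated)
$companyClaim = New-ADClaimType -DisplayName "Company"    -SourceAttribute company    -PassThru
$deptClaim    = New-ADClaimType -DisplayName "Department" -SourceAttribute department -PassThru

# 2. Resource properties that share the claim types' value lists, so user and resource values line up exactly
$companyProp = New-ADResourceProperty -DisplayName "Company" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SharesValuesWith $companyClaim -PassThru
$deptProp    = New-ADResourceProperty -DisplayName "Department" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SharesValuesWith $deptClaim -PassThru

# 3. Publish them in the resource property list that file servers download (step 1 above)
Add-ADResourcePropertyListMember "Global Resource Property List" -Members $companyProp, $deptProp

# 4. Central access rule (step 2 above): target resources that have both properties set, and allow
#    Authenticated Users full control only when the user's claims equal the resource's values.
#    NTFS and share permissions are still intersected with this, as the text above notes.
#    Assumption: these strings match ADAC's generated form; compare against a rule built in ADAC.
$target = "(Exists @RESOURCE.Company_MS_DS_SinglevaluedChoice) && (Exists @RESOURCE.Department_MS_DS_SinglevaluedChoice)"
$acl    = "O:SYG:SYD:AR(XA;;FA;;;AU;((@USER.Company == @RESOURCE.Company_MS_DS_SinglevaluedChoice) && (@USER.Department == @RESOURCE.Department_MS_DS_SinglevaluedChoice)))"
$rule = New-ADCentralAccessRule -Name "Company-Dept-Match-Required" -ResourceCondition $target -CurrentAcl $acl -PassThru

# 5. Wrap the rule in a policy (step 3 above) that the file-server GPO will deploy
$policy = New-ADCentralAccessPolicy -Name "Company-Dept-Match-Reqd-Policy" -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# 6. Read everything back so the configuration can be reviewed before the GPO is linked (step 4 above)
Get-ADCentralAccessPolicy -Identity $policy | Format-List Name, Members
Get-ADCentralAccessRule -Identity $rule | Format-List Name, ResourceCondition, CurrentAcl
```

A useful habit with central access rules is to put a new condition in -ProposedAcl rather than -CurrentAcl first: proposed permissions are only audited, not enforced, so the event log on the file server shows who would have been denied before the rule goes live.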