
Who are Azure RMS Super Users?

A group of highly trusted administrators who can decrypt and access files that the organization has
protected by using Rights Management. Typically, this level of access is required for legal eDiscovery and
by auditing teams.

Configuring Super Users for Azure Rights Management and Discovery Services or Data Recovery

The super user feature of Microsoft Azure Rights Management (Azure RMS) ensures that authorized
people and services can always read and inspect the data that Azure RMS protects for your organization
and, if necessary, remove the protection or change the protection that was previously applied. A super
user always has full owner rights for all use licenses that were granted by the organization’s RMS tenant.
This ability is sometimes referred to as “reasoning over data” and is a crucial element in maintaining
control of your organization’s data.

For example, you would use this feature for any of the following scenarios:

• An employee leaves the organization and you need to read the files that they protected.

• An IT administrator needs to remove the current protection policy that was configured for files
and apply a new protection policy.

• Exchange Server needs to index mailboxes for search operations.

• You have existing IT services for data loss prevention (DLP) solutions, content encryption
gateways (CEG), and anti-malware products that need to inspect files that are already protected.

• You need to bulk decrypt files for auditing, legal, or other compliance reasons.

By default, the super user feature is not enabled, and no users are assigned this role. It is enabled for
you automatically if you configure the Rights Management connector for Exchange, and it is not
required for standard services that run Exchange Online, SharePoint Online, or SharePoint Server.

How to enable Super User?

Prerequisite software

1. Download and Install the latest Microsoft Online Services Sign-In Assistant
2. Download and Install Azure Rights Management Administration Tool
3. Download and install RMS Protection Tool

Enable Super User

I have created a normal user named “Super User”.

1. On the computer where you installed the required software, open Windows PowerShell with elevated
permissions.
2. Run the following commands:

Import-Module AADRM
Connect-AadrmService -Verbose

When prompted, type the Office 365 global administrator credentials.

Enable-AadrmSuperUserFeature
Add-AadrmSuperUser -EmailAddress "Superuser@emsdemo05.onmicrosoft.com"
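
Because a super user can decrypt everything the tenant has protected, the role is best granted only for the duration of a task. The following is an added example, not part of the original page: it wraps the commands above so that the session restores whatever state it found (important when the RMS connector for Exchange relies on the feature) and saves the admin log. The log path is a hypothetical value, and the form of the Get-AadrmSuperUserFeature output is an assumption noted in the code.

```powershell
# Added example: time-boxed super user access with the AADRM module.
$Account = 'Superuser@emsdemo05.onmicrosoft.com'   # account used on this page
$LogPath = 'C:\Temp\AadrmAdminLog.log'             # hypothetical log location
$Started = Get-Date

Import-Module AADRM
Connect-AadrmService -Verbose     # prompts for global administrator credentials

# Record the state before changing anything, so the cleanup below restores it
# instead of switching off a feature another service depends on
# (for example the Rights Management connector for Exchange).
# Assumption: the cmdlet's output renders as 'Enabled' or 'Disabled'.
$WasEnabled = "$(Get-AadrmSuperUserFeature)" -eq 'Enabled'
# Text match on the listing, so it works whatever object type is returned.
$WasMember  = (Get-AadrmSuperUser | Out-String) -match [regex]::Escape($Account)

try {
    if (-not $WasEnabled) { Enable-AadrmSuperUserFeature }
    if (-not $WasMember)  { Add-AadrmSuperUser -EmailAddress $Account }

    # Pause here while the eDiscovery or recovery task is carried out
    # under the $Account identity.
    Read-Host 'Press Enter when the super user task is finished'
}
finally {
    # Remove only what this session added.
    if (-not $WasMember)  { Remove-AadrmSuperUser -EmailAddress $Account }
    if (-not $WasEnabled) { Disable-AadrmSuperUserFeature }

    # Show who still holds the role and keep the admin log for this window.
    Get-AadrmSuperUser
    Get-AadrmAdminLog -Path $LogPath -FromTime $Started -Force
    Disconnect-AadrmService
}
```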

RMS Protection Rule New Functions


The RMS Protection Tool contains PowerShell Cmdlets designed for developers and IT professionals who
want to use scripting mechanisms to bulk protect and unprotect documents.

Unprotect-RMSFile

The Unprotect-RMSFile cmdlet removes Rights Management (RMS) protection from one or more files in
a specified folder if those files were previously protected by AD RMS or Azure RMS. When you run this
cmdlet, you have the following options:

• The file is unprotected in the same folder so that the original protected file and the new
unprotected file co-exist.
• The original file remains protected and an unprotected version of the file is created in another
location.
• All the files in the specified folder are unprotected, replacing all the original, protected files.
• If you are unprotecting a container file, each child is recursively extracted, unprotected, and
repackaged. Supported container file types are .ZIP, .RAR, .7Z, .MSG, and .PST.

Note: To unprotect a .PST file, you must use Outlook and if the .PST file belongs to another user, you
must run Outlook as an RMS super user for your organization. Outlook might display popup messages
during the decryption process, so you cannot run this cmdlet unattended.

Example 1: Unprotect a single file, replacing the original file


Unprotect-RMSFile -File "C:\Test.ptxt"

Example 2: Unprotect a single file, retaining the original file


Unprotect-RMSFile -File "C:\Test.ptxt" -OutputFolder

Example 3: Unprotect a folder


Unprotect-RMSFile -Folder "C:\Protected" -OutputFolder "C:\Temp"

Example 4: Unprotect a .PST file


Unprotect-RMSFile -File "C:\Test.pst" -OutputFolder "C:\Temp"

Example 5: Unprotect a .RAR file


Unprotect-RMSFile -File "C:\Test.rar" -OutputFolder "C:\Temp"
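
For an audit or eDiscovery run, the option that leaves the originals protected is usually the one you want, together with a record of what was decrypted. The following is an added example, not part of the original page: it unprotects each file in a folder into a separate output folder, sets .PST files aside because they cannot be processed unattended, and writes a result manifest plus SHA-256 hashes of the decrypted copies. All paths are constructed sample values.

```powershell
# Added example: decrypt copies for review while the originals stay protected.
$Source   = 'C:\Protected'                     # protected originals (left untouched)
$Output   = 'C:\Temp'                          # decrypted copies; restrict access to this folder
$Manifest = 'C:\Audit\unprotect-manifest.csv'  # hypothetical path; folder must already exist

$results = foreach ($file in Get-ChildItem -Path $Source -File) {
    $row = [ordered]@{ Source = $file.FullName; Result = ''; Detail = '' }
    if ($file.Extension -eq '.pst') {
        # .PST needs Outlook and may show popups, so it is not run unattended.
        $row.Result = 'Skipped'
        $row.Detail = 'PST file: unprotect interactively with Outlook'
    }
    else {
        try {
            # -OutputFolder keeps the protected original in place.
            Unprotect-RMSFile -File $file.FullName -OutputFolder $Output -ErrorAction Stop |
                Out-Null
            $row.Result = 'Unprotected'
        }
        catch {
            # Typically the caller has no rights to the file and is not a super user.
            $row.Result = 'Failed'
            $row.Detail = $_.Exception.Message
        }
    }
    [pscustomobject]$row
}

# One row per source file, then hashes of everything now in the output folder.
$results | Export-Csv -Path $Manifest -NoTypeInformation
Get-ChildItem -Path $Output -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path ($Manifest -replace '\.csv$', '-hashes.csv') -NoTypeInformation

# Summary: count of files per outcome.
$results | Group-Object Result | Select-Object Name, Count
```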

Protect-RMSFile

The Protect-RMSFile cmdlet protects a file or all files in a specified folder by using Azure RMS or AD
RMS. If the file was previously protected, it will be protected again, to apply any changes such as those
that might be made to the template that is being used to protect the file.

All file types can be protected in the same way that the RMS sharing application can protect all files.
However, different levels of protection will be automatically applied (native or generic), depending on
the file type. You can change the level of protection by editing the registry. In addition, some files
change their file name extension after they are protected by Rights Management. For more information,
see File API configuration on MSDN.

When you run this cmdlet, you have the following options:

• The file is protected in the current location, replacing the original file that was unprotected.
• The original file remains unprotected and a protected version of the file is created in another
location.
• All files in the specified folder are protected, replacing all the original files that were
unprotected.

Example 1: Protect a single file by using a template


Protect-RMSFile -File "C:\Test.docx" -TemplateID 82bf3474-6efe-4fa1-8827-d1bd93339119 -OwnerEmail "IT@Contoso.com"

Example 2: Create a protected version of a file by using a template


Protect-RMSFile -File "C:\Test.docx" -OutputFolder "C:\Temp" -TemplateID e6ee2481-26b9-45e5-b34a-f744eacd53b0 -OwnerEmail "admin@Contoso.com"

Example 3: Protect all files in a folder by using a template


Protect-RMSFile -Folder "\\server1\Documents" -TemplateID e6ee2481-26b9-45e5-b34a-f744eacd53b0 -OwnerEmail "IT@Contoso.com"

Example 4: Protect files with a specific file name extension in a folder by using a template

# Walk the share recursively, skip folders, and protect only .docx files
foreach ($file in (Get-ChildItem -Path \\server1\Docs -Recurse -Force |
        Where-Object { !$_.PSIsContainer } |
        Where-Object { $_.Extension -eq ".docx" })) {
    Protect-RMSFile -File $file.PSPath -TemplateID "e6ee2481-26b9-45e5-b34a-f744eacd53b0" -OwnerEmail "IT@Contoso.com"
}

Example 5: Protect a single file by using an ad-hoc rights policy

The first command creates an ad-hoc rights policy that grants Edit rights to user1@contoso.com. The
second command protects a single file named Test.txt by using this ad-hoc rights policy just created, and
replaces the original unprotected file.

Note that unless your email address is user1@contoso.com, you will not be able to unprotect this file
after the command completes because you do not have any rights to it and you are not the owner. If
you need to be able to unprotect this file later, you can add your name and grant the user and yourself
either the EXTRACT or OWNER right in the ad-hoc rights policy in the first command. Or if you do not
want the user to be able to unprotect the file, add -OwnerEmail <your email address> to the end of the
second command.

$License = New-RMSProtectionLicense -UserEmail 'user1@contoso.com' -Permission EDIT


Protect-RMSFile -License $License -File "C:\Test.txt"
