Sergiy Serdyuk - Fotolia
While Microsoft enables information rights management by default in Exchange 2016, using this feature requires administrative intervention before users can use Outlook IRM to protect email.
Exchange information rights management (IRM) enables users to control access to documents and email. Users can manually apply IRM to messages with Active Directory Rights Management Services (AD RMS) templates in the Outlook client or with Outlook on the web. After an administrator enables IRM in Outlook for the web, users can select an IRM template in the email creation dialog to protect outgoing messages and attachments or receive incoming content that is already protected by IRM.
IRM works with ActiveSync to enable users to create, view, forward and reply to IRM-protected messages across ActiveSync devices. Any ActiveSync device with IRM enabled -- even non-Windows devices -- can use IRM without the need to configure AD RMS permissions or connect to an IRM-enabled computer.
Outlook IRM features depend on the user
Although users can manually protect individual messages with Outlook IRM functionality, administrators can set up IRM automatically using protection rules. Administrators deploy these rules to Outlook clients to apply them automatically and meet business governance and compliance needs each time a user creates a new message. Users who forget to use Outlook IRM to protect important messages and attachments remain protected by these automatic rules.
To protect every message and attachment in an Exchange mailbox server automatically, administrators can create transport rules, also called mail flow rules, that will search messages for specified conditions and apply IRM accordingly. For example, if a user applies a do not forward IRM template to messages, only the intended recipient can read the message. IRM prevents the recipient from forwarding, copying or printing the content.
Exchange detects pre-existing IRM protection in messages and will not apply further protection rules if an Outlook user chooses to add protection to a message.
Be aware of IRM shortcomings
Using IRM does not guarantee absolute protection. Legitimate recipients can use screen capture tools to save content.
Certain designated internal staff can decrypt and access message content. Organizations rely on internal auditors or investigators who need to search IRM-protected content to adhere to regulatory compliance needs, litigation requirements, regulatory audits or internal investigations.
Administrators can use transport agents for investigative decryption on Exchange servers, copy content to journaling reports and use In-Place eDiscovery searches to check for legal discovery evidence. However, these capabilities require the addition of a federation mailbox to the Super Users group on the AD RMS server.
Dig Deeper on Microsoft messaging and collaboration services
Related Q&A from Stephen J. Bigelow
Microsoft Hyper-V on Windows comes with advanced protection schemes, including several virtualization-based security features the company introduced ... Continue Reading
The BitLocker encryption technology continues to evolve from its roots as a Windows Vista feature to protect resources both in the local data center ... Continue Reading
Some enterprises avoid the public cloud due to its multi-tenant nature and data security concerns. Learn what data separation is and how it can keep ... Continue Reading