The ADRMS service provides Information Rights Management (IRM) protection to Exchange Server, SharePoint servers and file servers. With ADRMS, we can configure protection templates such as Do Not Reply All, View Only, etc. and make them available to end users, who apply them to emails or documents to protect confidential content.

We need to deploy the ADRMS service in the on-premises environment with the required templates and publish those templates for end users to consume. I have the ADRMS infrastructure in my lab and Exchange Server 2019 installed.

Exchange Server will have the below IRM configuration by default.

Users will be prompted to connect to the Rights Management servers to get the IRM templates published by an administrator.

Configuring Exchange Server 2019 to use ADRMS

Setting up Exchange Server to use IRM is simple: set the InternalLicensingEnabled parameter of the Set-IRMConfiguration command to True. Below shows the settings change.

Exchange will do an SCP (service connection point) lookup and complete the IRM configuration.

The user is now able to access the IRM templates after the ADRMS service deployment and the IRM configuration in Exchange.
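The change described above, with a before/after check and an end-to-end test, as it would be run in the on-premises Exchange Management Shell. This is an added example, not taken from the original post; the sender address is a constructed placeholder.

```powershell
# Added example: run in the on-premises Exchange Management Shell.
# The sender address is a constructed placeholder; use a real mailbox.
$senderAddress = 'user1@example.com'

# 1. Record the current state before changing anything.
$before = Get-IRMConfiguration
"InternalLicensingEnabled before the change: $($before.InternalLicensingEnabled)"

# 2. Enable licensing against the internal AD RMS cluster if it is still off.
if (-not $before.InternalLicensingEnabled) {
    Set-IRMConfiguration -InternalLicensingEnabled $true
}

# 3. Confirm the setting and the AD RMS URLs Exchange picked up from the SCP.
Get-IRMConfiguration |
    Format-List InternalLicensingEnabled, ServiceLocation, PublishingLocation, LicensingLocation

# 4. List the templates Exchange can now see; these are what users get in OWA.
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# 5. Run the built-in end-to-end test and flag anything other than an overall PASS.
$test = Test-IRMConfiguration -Sender $senderAddress
$test.Results
if ("$($test.Results)" -notmatch 'OVERALL RESULT:\s*PASS') {
    Write-Warning 'Test-IRMConfiguration did not report an overall PASS; review the failed step above.'
}
```

An empty ServiceLocation or an empty template list after step 2 points at the SCP lookup or at Exchange's access to the AD RMS cluster rather than at the client.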

IRM Template from OWA

I plan to showcase a demo of the IRM configuration change from ADRMS to Azure RMS for Exchange Server 2019. I will post it later.

If you are migrating from AD RMS to Azure RMS, or are fully on Azure RMS, you may run into issues when protecting content or when trying to open protected content. Here we will see the troubleshooting steps for Azure RMS.

Note 1: Identify the User.

During the AD RMS to Azure RMS migration, a few users will already be migrated to Azure RMS while others may still point to AD RMS for IRM functionality. If a user complains that they cannot protect or consume content, first identify whether the user is an AD RMS user or an Azure RMS user. That tells you which logs (Azure RMS or AD RMS) you have to look at.

Note 2: Basic things to validate

  1. The user should be able to reach the respective service. An AD RMS user should have access to the AD RMS server, and an Azure RMS user should have internet access to reach the Azure RMS service hosted in the cloud.
  2. If the user is an Azure RMS user, ensure the required registry settings are properly set using the Azure RMS analyzer.
  3. Office should be updated with recent updates.
  4. The Azure Information Protection client should be the latest Generally Available one.
  5. Ensure the below sites are added as trusted sites in IE.
     • https://*.azurerms.com
     • https://ecn.dev.virtualearth.net
     • https://*.microsoftonline.com
     • https://*.microsoftonline-p.com
  6. If the user is using Office 2013, ensure Office is ADAL compliant.
  7. If the user is using Office 2010, ensure the Microsoft Online Services Sign in Assistant is installed.

Note 3: Validate the IRM Configuration

Use the Test-IRMConfiguration command after connecting to Exchange Online PowerShell, or in the on-premises Exchange Management Shell. The overall result should show as PASS, like below.

Test-IRMConfiguration -Sender User1@superhybridcloud.com -Recipient User2@superhybrid.com

Note 4: User is not able to protect content

If the user is not able to protect content, there are only 2 possible reasons:

  1. The user's machine is not properly initialized to use the service, in other words not bootstrapped. Or
  2. The user is not part of the onboarding control policy or is not enabled with an Azure RMS license to protect content.

Note 5: User is not able to open protected content

If the user is unable to consume protected content, check the below things.

  1. Check whether the user is able to protect a document; if not, check the things mentioned in Note 3.
  2. Ensure the user opening the protected content has permission on the template that was used to protect the content.

Note 6: Use RMS Analyzer to check the prerequisites.

For issues related to Azure RMS, you can use RMS Analyzer to validate the prerequisites. RMS Analyzer prompts you to choose a role before starting the prerequisites check, like below.

If it shows Microsoft Online Sign on Assistant not installed or the SCP not registered like below, you can ignore those steps.

You can continue to check the settings, which will show the things that are configured as part of bootstrapping.

If for any reason you are not able to identify the issue, you can reset the settings using RMS Analyzer and then reconfigure the device with the Azure RMS settings.

Note 7: Collect the Logs

If you have validated all the settings mentioned above and still have an issue, you can use the logging option in the RMS Analyzer utility and share the logs with Microsoft support to analyse the issue.

Note 8: AADRM User Log

It is always good to look at the Aadrmuser log, which shows at which stage the user is not able to protect or consume protected content.

You can connect to Azure RMS PowerShell and run the below command to get the logs. You can read the logs on your own. A few things can be analysed only by Microsoft support; you can share the logs with them.

Get-AadrmUserLog -ForDate 1/22/2018 -Path c:\temp
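A triage pass that ties Note 4 and Note 8 together: check the service state and onboarding control policy, download the day's log, and pull out the affected user's rows that did not succeed. This is an added example, not from the original post; the user address and log folder are constructed placeholders, and it assumes each log row carries the user's address and a result value in which Success marks a successful request.

```powershell
# Added example. Requires Windows PowerShell for Azure Rights Management (AADRM module).
$user    = 'user1@example.com'      # constructed placeholder for the affected user
$logDate = [datetime]'1/22/2018'    # same date as the command above
$logPath = 'C:\temp\rmslogs'        # hypothetical dedicated folder, so only RMS logs are scanned

New-Item -ItemType Directory -Path $logPath -Force | Out-Null
Connect-AadrmService                # prompts for tenant admin credentials

try {
    # Note 4: is the service activated, and is onboarding limited to a group or to licensed users?
    "Azure RMS service state: $(Get-Aadrm)"
    Get-AadrmOnboardingControlPolicy | Format-List

    # Note 8: download the usage log for the day the user reported the problem.
    Get-AadrmUserLog -ForDate $logDate -Path $logPath
}
finally {
    Disconnect-AadrmService
}

# Keep only the rows that mention the user and do not report Success (assumption, see lead-in).
$rows = Get-ChildItem -Path $logPath -File |
    Select-String -SimpleMatch -Pattern $user |
    Where-Object { $_.Line -notmatch '\bSuccess\b' }

if ($rows) {
    $rows | ForEach-Object { '{0}: {1}' -f $_.Filename, $_.Line }
}
else {
    "No non-success rows found for $user on $($logDate.ToString('yyyy-MM-dd'))."
}
```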

Hope this post is useful for troubleshooting the Azure RMS related issues.

Once you activate the Azure Information Protection service on your Office 365 tenant, you can manage the Azure RMS service by connecting through PowerShell. Below shows how to connect to the Azure RMS service using PowerShell.

As a prerequisite, you need to install the Azure Rights Management Administration Tool, which can be downloaded from here.

Note: To install Windows PowerShell for Azure Rights Management, you need Windows PowerShell 2.0 or above and .NET Framework 4.5.

Once Windows PowerShell for Azure Rights Management is installed, you can connect to the Azure RMS service using the below command.

Connect-AadrmService

After entering the credentials, you will be connected to the Azure Rights Management service and can now manage Azure RMS.