Prepare the environment for Azure Rights Management when you have AD RMS

Important

Guidance if you are using Active Directory Rights Management Services (AD RMS)

If the Azure Rights Management service is activated and you are also using AD RMS, this combination isn't compatible. Without additional steps, some computers might automatically start using the Azure Rights Management service and also connect to your AD RMS cluster. This scenario isn't supported and has unreliable results, so it's important that you take additional steps.

To check whether you have deployed AD RMS:

  1. Although optional, most AD RMS deployments publish the service connection point (SCP) to Active Directory so that domain computers can discover the AD RMS cluster.

    Use ADSI Edit to see whether you have an SCP published in Active Directory: CN=Configuration [server name], CN=Services, CN=RightsManagementServices, CN=SCP

  2. If you are not using an SCP, Windows computers that connect to an AD RMS cluster must be configured for client-side service discovery or licensing redirection by using the Windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation

    For more information about these registry configurations, see Enabling client-side service discovery by using the Windows registry and Redirecting licensing server traffic.
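The two checks above can be scripted so that they run the same way on every computer. The following is an added example, not code from the original page: the function name `Get-AdRmsEvidence` is hypothetical, and it assumes a domain-joined Windows computer and that the SCP stores its cluster URL in the standard `serviceBindingInformation` attribute of a service connection point object.

```powershell
# Added example: collect evidence of an AD RMS deployment (SCP in AD, MSIPC registry settings).
function Get-AdRmsEvidence {
    $evidence = @()

    # 1. Service connection point under CN=Services in the configuration partition.
    try {
        $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
        if (-not $configNc) { throw 'No configuration naming context (computer not domain-joined?)' }
        $scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
        if ([System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
            $scp = [ADSI]$scpPath
            $evidence += [pscustomobject]@{
                Source   = 'SCP'
                Location = $scpPath
                Value    = ($scp.serviceBindingInformation -join ', ')
            }
        }
    } catch {
        Write-Warning "Could not query Active Directory: $($_.Exception.Message)"
    }

    # 2. Client-side service discovery or licensing redirection (64-bit and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        # Walk the key and all of its subkeys; report every value that is set.
        $nodes = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse)
        foreach ($node in $nodes) {
            foreach ($name in $node.GetValueNames()) {
                $evidence += [pscustomobject]@{
                    Source   = 'Registry'
                    Location = $node.Name
                    Value    = "$name=$($node.GetValue($name))"
                }
            }
        }
    }
    $evidence
}

$found = Get-AdRmsEvidence
if ($found) { $found | Format-Table -AutoSize -Wrap }
else        { 'No SCP and no MSIPC ServiceLocation values found on this computer.' }
```

An empty result on one computer does not rule out AD RMS: the registry settings are per computer, so run the check on a representative sample of clients.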

If AD RMS is deployed for your organization, consider whether you can migrate to Azure Information Protection. Azure Information Protection has many advantages over AD RMS, for example, better support for mobile devices and integration with Microsoft 365 services as well as with Exchange Server and SharePoint Server. For more information, see Comparing Azure Information Protection and AD RMS.

When you migrate to Azure Information Protection, you won't lose access to previously protected content and you don't have to un-protect or re-protect your content. Documents and emails that were protected by AD RMS can still be opened even after you have de-provisioned AD RMS.

Whether you decide to migrate to Azure Information Protection or you decide to accept the limitations in using your current AD RMS deployment, you must first ensure that the Azure Rights Management service is deactivated. For instructions, follow the steps for the scenario that applies to you:

Your subscription was purchased during or after February 2018

Starting towards the end of February 2018, new subscriptions that include Azure Information Protection activate the Azure Rights Management service by default. If this service is automatically activated for you and you are also using Active Directory Rights Management Services (AD RMS), this combination isn't compatible, so it's important that you deactivate the Azure Rights Management service as soon as possible.

Step 1: Deactivate Azure Rights Management

Use one of the following procedures to deactivate Azure Rights Management.

Tip

You can also use the Windows PowerShell cmdlet, Disable-AipService, to deactivate the Azure Rights Management service.

To deactivate Rights Management from the Microsoft 365 admin center

  1. Go to the Rights Management page for Microsoft 365 administrators.

    If you are prompted to sign in, use an account that is a global administrator for Microsoft 365.

  2. On the rights management page, click deactivate.

  3. When you see the prompt Do you want to deactivate Rights Management? click deactivate.

You should now see Rights Management is not activated and the option to activate.

To deactivate Rights Management from the Azure portal

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

    If you haven't accessed the Azure Information Protection pane before, see the one-time additional steps to add this pane to the portal.

  2. Select Protection activation from the menu options.

  3. On the Azure Information Protection - Protection activation pane, select Deactivate. Select Yes to confirm your choice.

The information bar displays Deactivation finished successfully and Deactivate is now replaced with Activate.

Your subscription was purchased before or during February 2018 and you have Exchange Online

Microsoft is starting to activate the Azure Rights Management service for subscriptions that include Azure Rights Management or Azure Information Protection, and the tenants are using Exchange Online. For these tenants, automatic activation is starting to roll out August 1, 2018.

If the service is automatically activated for you and you are also using AD RMS, this combination isn't compatible, so it's important that your tenant is opted out from the automatic service update.

Step 1: Opt out from the automatic service update

Use the following Set-IRMConfiguration Exchange Online PowerShell command:

    Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
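To confirm that the tenant is in the state this page requires while AD RMS is in use, both settings can be read back after the change. This is an added example, not code from the original page: the function name `Test-RmsTenantState` and its `-Remediate` switch are hypothetical, and it assumes the AIPService and ExchangeOnlineManagement modules are installed and that you sign in with an administrator account.

```powershell
# Added example: report (and optionally correct) the Azure RMS tenant state.
function Test-RmsTenantState {
    param([switch]$Remediate)   # without this switch the function only reports

    # Azure Rights Management service: must be deactivated while AD RMS is in use.
    Connect-AipService | Out-Null
    try {
        $state = [string](Get-AipService)        # 'Enabled' or 'Disabled'
        if ($state -eq 'Enabled' -and $Remediate) {
            Disable-AipService | Out-Null
            $state = [string](Get-AipService)    # read back to confirm
        }
    } finally {
        Disconnect-AipService | Out-Null
    }

    # Exchange Online: the tenant must be opted out of the automatic service update.
    Connect-ExchangeOnline -ShowBanner:$false
    try {
        $auto = (Get-IRMConfiguration).AutomaticServiceUpdateEnabled
        if ($auto -and $Remediate) {
            Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
            $auto = (Get-IRMConfiguration).AutomaticServiceUpdateEnabled
        }
    } finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }

    [pscustomobject]@{
        AzureRmsState                 = $state
        AutomaticServiceUpdateEnabled = $auto
        SafeWithAdRms                 = ($state -eq 'Disabled' -and -not $auto)
    }
}

# Report only; add -Remediate to deactivate the service and opt out.
Test-RmsTenantState | Format-List
```

Tenants without Exchange Online can skip the second half of the function; the Azure Rights Management state alone is what matters for them.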

More information

You see an option to activate protection when you configure Azure Information Protection

The Azure Information Protection - Protection activation pane has an option to activate the Azure Rights Management service.

If you are also using AD RMS, do not select the Activate option. When the Azure Rights Management service isn't activated, you can still use Azure Information Protection for labels that apply classification only. A special default policy is created for you that does not include data protection and those configuration options remain unavailable until the Azure Rights Management service is activated.

Step 1: Configure your Azure Information Protection policy for classification and labeling - without protection

From the Azure Information Protection - Labels pane, view and configure the labels that do not include options for data protection. For more information about how to configure the labels and policy settings, see Configuring Azure Information Protection policy.

Step 2: Configure labels for protection

After you have activated the Azure Rights Management service as part of the migration process, you can configure labels for data protection. However, if you migrate users in batches, make sure that labels that apply protection are scoped to migrated users only.