IRM – Information Rights Management for SharePoint 2013

Overview of IRM

With the Introduction of new Office 2013 there have been new additions to Information Rights Management (IRM) in SharePoint 2013.Firstly, What is Information Rights Management (IRM) – It is a file-level technology from Microsoft where it uses permissions and authorization to help prevent sensitive information from being printed, forwarded, or copied by unauthorized people. SharePoint supports use of IRM on documents that are stored in document libraries. By using IRM, you can control which actions users can take on documents when they open them from libraries in SharePoint. This differs from IRM applied to documents stored on client computers, where the owner of a document can choose which rights to assign to each user of the document.

  1. The permissions are enforced by using authentication, typically by using Active Directory directory service (AD DS). A Microsoft account can be used to authenticate and grant permission if Active Directory is not implemented.
  2. Before you apply IRM to a list or library it must first be enabled in Central Administration for your site. It can be configured on a subscription level (new in Office 2013) for cloud-Office 365 services.
  3. To enable IRM on Libraries admins Must have at least Design Permissions on that library.
  4. A Server administrator must install Protectors on all front-end Web servers for every file type that they Want to protect using IRM. A protector is a program that controls the encryption and decryption of rights-managed files of a specific file format.

Here is the List of New and Old Features in Information Rights Management (IRM) –

  • IRM on Library Files and List attachments – If the IRM is enabled for a library, it applies to all of the files in that library. In the list however, it applies only to files that are attached to list items, not the actual list items.
  • Easier to use IRM Settings – Settings UI for a document library has been made easier to use (New).
  • New UI settings– Admins can now set the following
    • Set access rights, including rights to print, run scripts to enable screen readers, or enable writing on a copy of the document (new to Office 2013)
    • Set expiration date (the date after which the document cannot be used
    • Control whether documents that do not support IRM protection can be included in the library
    • Control whether Office Web Apps can render the documents in the library (new in Office 2013)


  • Office Web Apps can render Protected documents – This means that if an authenticated user does not have a compatible Office client, they can still view the documents using Office Web Apps. Note that in the case of Web Apps, the document is presented in read-only mode.
  • Prevent Opening documents – Admins can Prevent Opening documents in the browser for a Document Library by simply selecting a check box on the Information Right Management setting page.
  • Protect Documents for a group – An admin can choose an Active Directory group and use it to stamp the usage license for the file. Then, documents that are downloaded can be used by all the members of the group, and the user who downloaded the copy can transfer the copy to any member of the group directly.
  • IRM supports PDF files – Since PDF documents are integrated better into SharePoint 2013, PDF readers can register a control to allow simple opening of PDF files, and PDF documents can be protected with Microsoft IRM services.
  • IRM by Tenant – IRM Integration can now be configured to be tenant aware, thus providing the ability for each tenant to have different IRM settings.
How to: Register an IRM Protector?

After you compile your custom Information Rights Management (IRM) protector, you must register that protector with Microsoft SharePoint Foundation 2010 to make it available for document libraries.

Each IRM protector is registered at the farm level, and made available to every document library in the server farm. Each IRM protector must be registered and deployed on every front-end Web server, and must be added to every registry subtree of each front-end Web server.

To register an IRM protector with SharePoint Foundation

  1. Register the protector as a COM object.

    The threading model for this object should be set to both. Registering the protector as a COM object enables SharePoint Foundation 2010 to reference the protector’s functions.

  2. Create the following registry key:

    HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\<protector name>

  3. Set the following registry subkeys in the HKLM\ SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0\IrmProtectors key:
    • Name: ClassID of the protector. Must be the ClassID used to register the protector as a COM object.
    • Value: Name of the protector.
    • Type: String

    In addition, we highly recommended that a protector stores certain metadata about itself in the registry. Specifically, we recommended, but do not require, that a protector set and consume the following registry subkeys, which are set in the HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\<protector name> key:

    • Name: Extensions
    • Value: Comma-separated list of file extensions that this protector converts.
    • Type: String
    • Name: Product
    • Value: Name of the protector.
    • Type: String
    • Name: Version
    • Value: Version number of the protector.
    • Type: String

The following example is a .wxs file that demonstrates how to associate file formats with an IRM protector. The example registers an IRM protector as a COM object, and sets the correct registry keys.

<?xml version="1.0" encoding="UTF-8"?>
<Wix xmlns="">
    <DirectoryRef Id="STSBin">
      <Component Id="Contoso_IrmProtector" DiskId="1">
        <File Id="CONIRMP.DLL_0001">
          <TypeLib Id="C0321D28-5B26-4CE5-855C-7863852283C6" 
            Advertise="no" Language="0" MajorVersion="1">
            <Class Id="4F9976DC-47C3-4518-B2A2-A258B379F970" 
              Description="IrmProtector Class" ThreadingModel="both" 
              Context="InprocServer InprocServer32">
              <ProgId Id="IrmProtector.Protector.1">
                <ProgId Id="IrmProtector.Protector" />

<Registry Id="IrmProtector.1" Root="HKLM" Key="SOFTWARE\Microsoft\Shared Tools\Web Server 
Extensions\12.0\IrmProtectors" Name="{4F9976DC-47C3-4518-B2A2-A258B379F970}" 
Value="Contoso.Irm.Protector" Type="string" />

<Registry Id="IrmProtector.2" Root="HKLM" Key="SOFTWARE\Microsoft\Shared Tools\Web Server 
Extensions\IrmProtector" Action="createKeyAndRemoveKeyOnUninstall" />

<Registry Id="IrmProtector.3" Root="HKLM" Key="SOFTWARE\Microsoft\Shared Tools\Web Server 
Extensions\IrmProtector" Name="Extensions" Value="XYZ,PDQ,FOO"  Type="string" />

<Registry Id="MsoProtector.4" Root="HKLM" Key="SOFTWARE\Microsoft\Shared Tools\Web Server 
Extensions\IrmProtector" Name="Product" Value="MsoProtector" Type="string" />

<Registry Id="IrmProtector.5" Root="HKLM" Key="SOFTWARE\Microsoft\Shared Tools\Web Server 
Extensions\IrmProtector" Name="Version" Value="1" Type="string" />







One thought on “IRM – Information Rights Management for SharePoint 2013

  1. I must say you have hi quality articles here. Your content should go viral.
    You need initial boost only. How to get massive traffic?
    Search for: Murgrabia’s tools go viral

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s