Restrict access to documents with Information Rights Management in Word

Using IRM in Microsoft 365, you can rights manage XML Paper Specification (.xps) files and the following Word file types:

• Documents    .doc, .docx

• Macro-enabled document    .docm

• Template    .dot, .dotx

• Macro-enabled template    .dotm

Configure your computer to use IRM

To use IRM in Microsoft 365, the minimum required software is Windows Rights Management Services (RMS) Client Service Pack 1 (SP1). The RMS administrator can configure company-specific IRM policies that define who can access information and what level of editing is permitted for an e-mail message.

For example, a company administrator might define a rights template called "Company Confidential," which specifies that an e-mail message that uses that policy can be opened only by users inside the company domain.

Download permissions

The first time you try to open a document with restricted permission, you must connect to a licensing server to verify your credentials and download a use license. The use license defines the level of access that you have to a file. This process is required for each file that has restricted permission.

Downloading permissions requires that Microsoft 365 send your credentials, which includes your e-mail address, and information about your permission rights to the licensing server. Information contained in the document is not sent to the licensing server.

Restrict permission to content in files

IRM lets you apply restrictions on a per-user, per-file, or per-group basis (group-based permissions require Active Directory).

For example, in a document Ranjit creates, he might give Adele permission to read but not change it. and give Alex permission to edit the document. Ranjit might also decide to apply a five-day limit to both Adele and Alex's access to the document. 

1. Save the document.

2. Select the File tab.

3. Select Info, choose Protect Document, point to Restrict Permission by People, and then select Restricted Access.

4. In the Permissions dialog box, select Restrict permission to this document, and then assign the access levels that you want for each user.

   Note: Your choices might be limited if an administrator has set custom permission policies that individuals can't change.

Permission levels

• Read     Users with Read permission can read a document, but they don't have permission to edit, print, or copy it.

• Change     Users with Change permission can read, edit, and save changes to a document, but they don't have permission to print it.

• Full Control     Users with Full Control permission have full authoring permissions and can do anything with the document that an author can do, including set expiration dates for content, prevent printing, and give permissions to users.

After permission for a document has expired for authorized users, the document can be opened only by the author or by users with Full Control permission to the document. Authors always have Full Control permission.

1. To give someone Full Control permission, in the Permissions dialog box, select More Options, and then in the Access Level column, select the arrow, and then select Full Control in the Access Level list.

   

2. After you assign permission levels, select OK.

   The Message Bar appears, which indicates that the document is rights-managed. If you must make any access permission changes to the document, select Change Permission.

   

   If a document that has restricted permission is forwarded to an unauthorized person, a message appears with the author's e-mail address or Web site address so that the unauthorized person can request permission for the document.

   

   If the author chooses not to include an e-mail address, unauthorized users just get a message letting them know they can't access the file.

Set an expiration date for a file

1. Open the file.

2. Go to File.

3. On the Info tab, select Protect Document, point to Restrict Permission by People, and then select Restricted Access.

4. In the Permissions dialog box, select the Restrict permission to this document check box, and then select More Options.

5. Under Additional permissions for users, select the This document expires on check box, and then enter a date.

6. Select OK twice.

Use a different Windows user account to rights-manage files

1. Open the document, worksheet, or presentation.

2. Select the File tab.

3. On the Info tab, select Protect Document, point to Restrict Permission by People, and then select Manage Credentials.

4. Do one of the following:

   • In the Select User dialog box, select the e-mail address for the account that you want to use, and then select OK.

   • In the Select User dialog box, select Add, type your credentials for the new account, and then select OK twice.

     

View content with restricted permission

To view rights-managed content that you have permissions to by using Microsoft 365, just open the document.

If you want to view the permissions you have, either select View Permission in the Message Bar or choose This document contains a permissions policy  .

IRM in Office for Mac provides three permission levels.

• Read   Read

• Change   Read, edit, copy, save changes

• Full Control   Read, edit, copy, save changes, print, set expiration dates for content, grant permissions to users, access content programmatically

Do any of the following:

Set permission levels manually

1. On the Review tab, under Protection, select Permissions, and then select Restricted Access.

   

2. If this is the first time that you are accessing the licensing server, enter your user name and password for the licensing server, and then select the Save password in Mac OS keychain check box.

   Note: If you do not select Save password in Mac OS keychain, you might have to enter your user name and password multiple times.

3. In the Read, Change, or Full Control boxes, enter the e-mail address or name of the person or group of people that you want to assign an access level to.

4. If you want to search the address book for the e-mail address or name, select .

5. If you want to assign an access level to all people in your address book, select Add Everyone   .

6. After you assign permission levels, select OK.

   The Message Bar appears and displays a message that the document is rights-managed.

Use a template to restrict permission

An administrator can configure company-specific IRM policies that define who can access information permissions levels for people. These aspects of rights management are defined by using Active Directory Rights Management Services (AD RMS) server templates. For example, a company administrator might define a rights template called "Company Confidential," which specifies that documents that use that policy can be opened only by users inside the company domain.

• On the Review tab, under Protection, select Permissions, and then select the rights template that you want.

  

Change or remove permission levels that you have set

If you applied a template to restrict permission, you can't change or remove permission levels; these steps only work if you have set permission levels manually.

1. On the Message Bar, select Change Permissions.

2. In the Read, Change, and Full Control box, enter a new e-mail address or name of the person or group of people that you want to assign an access level to.

3. To remove a person or group of people from an access level, select the e-mail address, and then press DELETE .

4. To remove Everyone from a permission level, select Add Everyone  .

Set an expiration date for a restricted file

Authors can use the Set Permissions dialog box to set expiration dates for content.

1. On the Review tab, under Protection, select Permissions, and then select Restricted Access.

   

2. Select More Options, and then select This document expires on, and then enter the date.

   After permission for a document has expired for authorized people, the document can be opened only by the author or by people with Full Control permission.

Allow people with Change or Read permission to print content

By default, people with Change and Read permission cannot print.

1. On the Review tab, under Protection, select Permissions, and then select Restricted Access.

   

2. Select More Options, and then select Allow people with Change or Read permission to print content.

Allow people with Read permission to copy content

By default, people with Read permission cannot copy content.

1. On the Review tab, under Protection, select Permissions, and then select Restricted Access.

   

2. Select More Options, and then select Allow people with Read permission to copy content.

Allow scripts to run in a restricted file

Authors can change settings to allow Visual Basic macros to run when a document is opened and to allow AppleScript scripts to access information in the restricted document.

1. On the Review tab, under Protection, select Permissions, and then select Restricted Access.

   

2. Select More Options, and then select Access content programmatically.

Require a connection to verify permissions

By default, people have to authenticate by connecting to the AD RMS server the first time that they open a restricted document. However, you can change this to require them to authenticate every time that they open a restricted document.

1. On the Review tab, under Protection, select Permissions, and then select Restricted Access.

   

2. select More Options, and then select Require a connection to verify permissions .

Remove restrictions

1. On the Review tab, under Protection, select Permissions, and then select No Restrictions.

   

2. In the dialog box, select Remove Restrictions.

Related Topics

Restrict permission to content in a file

Add credentials to open a rights-managed file or message
File formats that work with IRM

In the iOS versions of Microsoft 365, any IRM-protected files that you receive will open if you are signed in with an account that has permissions to the file. When you open an IRM-protected file you will see an information bar at the top that offers to let you view the permissions that have been assigned to this file.

If you're a Microsoft 365 Subscriber with Azure Rights Management and your IT-department has defined some IRM templates for you to use, you can assign those templates to files in Office on iOS.

To protect a file tap the edit button in your app, go to the Review tab and tap the Restrict Permissions button. You'll see a list of available IRM policies; select the one you want and tap Done to apply.

In the Android versions of Microsoft 365, any IRM-protected files that you receive will open if you are signed in with an account that has permissions to the file. When you open an IRM-protected file you will see an information bar at the top that offers to let you view the permissions that have been assigned to this file.

Information Rights Management (IRM) helps do the following:

• Prevent an authorized recipient of restricted content from forwarding, copying, changing, printing, faxing, or pasting the content for unauthorized use

• Restrict content wherever it is sent

• Provide file expiration so that content in documents can no longer be viewed after a specified time

• Enforce corporate policies that govern the use and dissemination of content within the company

IRM can't prevent restricted content from being:

• Erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain kinds of spyware

• Lost or corrupted because of the actions of computer viruses

• Hand-copied or retyped from a display on a recipient's screen

• Digitally photographed (when displayed on a screen) by a recipient

• Copied by using third-party screen-capture programs