How to start your AIP project with only a selected group of users.

I am sometimes asked if AIP needs to be visible to all users, and usable by all users when customers are starting a PoC or just want to play around with the security settings in AIP. 

After all, you may not want all your users to start protecting content, especially before they have been informed and trained. Well, Microsoft has thought of this, and an easy way to select only the users you want to include in the PoC/test is the onboarding control policy, which is set with a simple PowerShell command.


Info: Since this article requires you to have the AADRM PowerShell module, I have included a short guide on how to install this at the bottom.

The onboarding policy is a great tool for a gradual deployment of Azure Information Protection. It gives us the ability to specify who should be allowed to protect content. We can choose either the members of a group, or select users by whether they are licensed or not.

If you want to give AIP only to the users who are licensed, you can run the following command:

Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $True

If you would rather use a group to control which of your users get AIP, you can find the group's Object ID in the Azure portal, under Azure Active Directory – Group – Properties (see illustration below), or by running the Get-MsolGroup command.

Groups in Azure Active Directory

You can then run the following command:

Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "feb2c2a7-0798-4b72-936b-c7454a53efb1"

to specify that only the members of this group should be able to protect content.
AIP should now only be usable for the users/groups you have specified. 
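
The group-based steps above as one script, with a check that the policy actually changed. This is an added example, not code from the original post; it assumes the MSOnline module is installed alongside AADRM, and the group name `AIP-Pilot-Users` is a hypothetical placeholder.

```powershell
# Added example. 'AIP-Pilot-Users' is a hypothetical group name; use your own.
$PilotGroupName = 'AIP-Pilot-Users'

# Sign in to Azure AD (MSOnline) and to the Azure Rights Management service.
Connect-MsolService
Connect-AadrmService

# Resolve the display name to exactly one group, so a near-match or a
# duplicate name cannot end up scoping the pilot to the wrong people.
$found = @(Get-MsolGroup -SearchString $PilotGroupName |
    Where-Object { $_.DisplayName -eq $PilotGroupName })
if ($found.Count -ne 1) {
    throw "Expected exactly one group named '$PilotGroupName', found $($found.Count)."
}
$group = $found[0]

# The policy takes a security group; stop if this is a plain distribution list.
if ("$($group.GroupType)" -notin 'Security', 'MailEnabledSecurity') {
    throw "'$PilotGroupName' is of type $($group.GroupType), not a security group."
}

# Keep the previous policy so the change can be documented or reverted.
$before = Get-AadrmOnboardingControlPolicy
Write-Host "Before: UseRmsUserLicense=$($before.UseRmsUserLicense) Group=$($before.SecurityGroupObjectId)"

# Apply the group-based onboarding policy (same command as in the article).
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId $group.ObjectId

# Read the policy back and confirm it now points at the intended group.
$after = Get-AadrmOnboardingControlPolicy
if ("$($after.SecurityGroupObjectId)" -ne "$($group.ObjectId)") {
    throw "Onboarding policy was not applied: group is $($after.SecurityGroupObjectId)."
}
Write-Host "After:  UseRmsUserLicense=$($after.UseRmsUserLicense) Group=$($after.SecurityGroupObjectId)"

Disconnect-AadrmService
```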

When you no longer want to use the onboarding policy, regardless of whether you decided to use a group or licensing, run:
Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False

Installing the AADRM PowerShell module

To get the AADRM PowerShell module, start PowerShell as an admin and run the following command:

Install-Module -Name AADRM

You may receive a warning that you are installing from an untrusted repository. Press Y to continue.
If you already have AADRM PowerShell installed, but you need a newer version (the actions in this article require AADRM PowerShell or above), you can run:

Update-Module -Name AADRM

Hopefully this gets you one step closer to starting your AIP PoC.

