
Control 1.16: Information Rights Management (IRM) for Documents

Overview

Control ID: 1.16
Control Name: Information Rights Management (IRM) for Documents
Pillar: Security
Regulatory Reference: GLBA 501(b), SEC Reg S-P, FINRA 4511, SOX 404
Setup Time: 1-2 hours

Purpose

Information Rights Management (IRM) provides persistent protection for documents accessed by Copilot Studio agents, ensuring that sensitive financial documents maintain protection even when downloaded or shared outside the organization. IRM controls what users and agents can do with protected content—preventing unauthorized copying, printing, forwarding, or screen capture of sensitive financial information. In FSI environments, IRM is critical for protecting MNPI, customer PII, and confidential trading strategies.

This control addresses key FSI requirements:

  • Persistent Document Protection: Rights travel with the document
  • Access Control: Control who can view, edit, copy, or print
  • Expiration and Revocation: Time-limit access and revoke remotely
  • Audit Trail: Track who accessed protected content

Prerequisites

Primary Owner Admin Role: Purview Info Protection Admin
Supporting Roles: SharePoint Admin

Required Licenses

| License | Purpose |
|---------|---------|
| Microsoft 365 E3/E5 | Azure Information Protection |
| Microsoft 365 E5 or E5 Compliance | Advanced sensitivity labels |
| Azure Information Protection P1/P2 | IRM protection and tracking |

Required Permissions

| Permission | Scope | Purpose |
|------------|-------|---------|
| Compliance Administrator | Microsoft Purview | Create and manage sensitivity labels |
| SharePoint Administrator | SharePoint Online | Configure IRM on libraries |
| Global Administrator | Initial setup | Enable Azure RMS |
| Information Protection Admin | Microsoft Purview | Manage label policies |

Dependencies

Pre-Setup Checklist

  • [ ] Azure Rights Management Service (Azure RMS) activated
  • [ ] Sensitivity labels created with encryption
  • [ ] SharePoint modern experience enabled
  • [ ] Client applications support IRM (Office 365 ProPlus)
  • [ ] Document classification scheme defined

Governance Levels

Baseline (Level 1)

Apply IRM to sensitive documents; restrict copy, print, screenshot, forward permissions.

IRM applied to all team collaboration and enterprise managed documents; time-limited access; audit logging of document access.

Regulated/High-Risk (Level 4)

Mandatory IRM with expiration; no download without audit; continuous access revocation capability.


Setup & Configuration

Step 1: Activate Azure Rights Management Service

Portal Path: Microsoft 365 Admin Center → Settings → Org settings → Security & privacy → Azure Information Protection

  1. Navigate to Microsoft 365 Admin Center (admin.microsoft.com)
  2. Select Settings → Org settings
  3. Click the Security & privacy tab
  4. Select Azure Information Protection
  5. Activate Azure RMS:
    • If not activated, click Manage Microsoft Azure Information Protection
    • This redirects to the Azure portal
    • Navigate to Azure Information Protection → Protection activation
    • Click Activate if the status shows "Not activated"
    • Verify the activation status shows "Protection is activated"

Step 2: Create IRM-Enabled Sensitivity Labels

Portal Path: Microsoft Purview → Information protection → Labels → Create label

  1. Navigate to Microsoft Purview (compliance.microsoft.com)
  2. Select Information protection → Labels
  3. Click + Create a label
  4. Configure Label Properties:
    • Name: "Confidential - FSI Client Data"
    • Display name: "Confidential - Client Data"
    • Description for users: "Apply to documents containing client financial information"
    • Description for admins: "IRM-protected label for client PII and financial data"
  5. Click Next → Scope:
    • Enable Items (files, emails)
    • Enable Groups & sites (optional for library protection)
  6. Click Next → Encryption:
    • Select Apply encryption
    • Assign permissions now:
      • Click Assign permissions
      • Add internal users/groups with appropriate rights
      • Add agent service accounts with Viewer rights only
    • Configure Rights:

      | Permission | Personal Productivity | Team Collaboration | Enterprise Managed |
      |------------|-----------------------|--------------------|--------------------|
      | View       | ✓ | ✓ | ✓ |
      | Copy       | ✓ | ✗ | ✗ |
      | Print      | ✓ | ✗ | ✗ |
      | Edit       | ✓ | ✓ | ✗ |
      | Forward    | ✗ | ✗ | ✗ |

  7. Set Content Expiration:
    • For enterprise managed: set Content access expires to 90 days
    • Configure Allow offline access for a limited number of days (7-14)
  8. Click Next → Content marking:
    • Enable watermark for enterprise managed documents
    • Add header: "CONFIDENTIAL - [CompanyName]"
    • Add footer: "Internal Use Only"
  9. Complete label creation and publish

Step 3: Configure SharePoint Library IRM

Portal Path: SharePoint site → Library settings → Information Rights Management

  1. Navigate to the SharePoint site containing agent knowledge sources
  2. Go to the document library
  3. Click Settings (gear icon) → Library settings
  4. Under Permissions and Management, click Information Rights Management
  5. Enable IRM on the library:
    • Check Restrict permission to documents in this library on download
    • Policy title: "FSI Protected Content"
    • Policy description: "Protected by IRM - copying and printing restricted"
  6. Configure IRM Settings:
    • Allow viewers to print: uncheck for enterprise managed
    • Allow viewers to run script and screen reader: check (accessibility)
    • Allow users to upload documents that do not support IRM: uncheck
    • Stop restricting access to the library at: set an expiration date if needed
  7. Additional Options (click "Show Options"):
    • Group protection: set a reasonable group size
    • Document access rights: configure per governance level
    • Prevent opening documents in browser: enable for high-security libraries
  8. Click OK to apply the IRM settings

Step 4: Configure IRM for OneDrive

Portal Path: SharePoint Admin Center → Settings → OneDrive → Sync

  1. Navigate to SharePoint Admin Center (admin.sharepoint.com)
  2. Select Settings → OneDrive
  3. Enable IRM for OneDrive:
    • Under Sync, click IRM
    • Enable Let users sync IRM-protected files with the OneDrive sync app
  4. Configure Sync Client IRM:
    • Users can sync IRM-protected libraries
    • Files maintain protection when synced locally

Step 5: Configure Agent Access to IRM Content

Portal Path: Copilot Studio → [Agent] → Knowledge → Manage sources

  1. Open Copilot Studio (copilotstudio.microsoft.com)
  2. Select the agent that accesses protected content
  3. Navigate to Knowledge → Manage sources
  4. Verify Agent Permissions:
    • The agent service account must be included in the label permissions
    • Grant the minimum required rights (typically View only)
  5. For IRM-Protected Libraries:
    • The agent respects IRM permissions
    • The agent cannot extract content beyond the granted rights
    • Document content is decrypted for authorized access only
  6. Test Agent Access:
    • Upload an IRM-protected test document
    • Query the agent about the document content
    • Verify the agent can read but not expose protected content inappropriately

Step 6: Enable Document Tracking and Revocation

Portal Path: Azure Information Protection → Track and revoke

  1. Navigate to Azure portal → Azure Information Protection
  2. Select Track and revoke
  3. Enable Document Tracking:
    • Users can track who accessed their protected documents
    • Available in Office applications and online
  4. Configure Revocation:
    • Authorized users can revoke access to protected documents
    • Revocation is immediate for online access
    • Offline access is limited by the "Allow offline access" days setting
  5. For Compliance Teams:
    • Compliance administrators can track all protected documents
    • A super user account can access all protected content (audit access)

Step 7: Configure Label Policies

Portal Path: Microsoft Purview → Information protection → Label policies

  1. Navigate to Microsoft Purview → Information protection
  2. Select Label policies → Publish labels
  3. Create Publishing Policy:
    • Name: "FSI Agent Document Protection"
    • Labels: select the IRM-enabled labels created in Step 2
    • Users/Groups: all users who work with agent-accessed content
  4. Policy Settings:
    • Apply default label to documents: select an appropriate default
    • Require users to apply a label: enable for enterprise managed
    • Require justification for label change: enable
  5. Publish the policy
  6. Allow 24-48 hours for policy propagation

Step 8: Configure Auto-Labeling for IRM

Portal Path: Microsoft Purview → Information protection → Auto-labeling

  1. Navigate to Microsoft Purview → Information protection
  2. Select Auto-labeling → Create auto-labeling policy
  3. Configure Policy:
    • Name: "Auto-protect FSI Documents"
    • Conditions: match sensitive information types
      • SSN, credit card numbers, bank account numbers
      • Custom SITs for MNPI indicators
  4. Select IRM Label:
    • Choose the label with IRM protection
    • Configure it for automatic application
  5. Locations:
    • SharePoint sites used by agents
    • OneDrive locations
    • Exchange for email content
  6. Run the policy in simulation mode first, then enable it

PowerShell Configuration

Enable Azure RMS and Configure IRM

```powershell
# Install required modules
Install-Module -Name AIPService
Install-Module -Name PnP.PowerShell

# Connect to Azure Information Protection
Connect-AipService

# Verify Azure RMS is activated
$rmsStatus = Get-AipServiceConfiguration
Write-Host "Azure RMS Status: $($rmsStatus.FunctionalState)" -ForegroundColor Cyan

# If not activated, activate it
if ($rmsStatus.FunctionalState -ne "Enabled") {
    Enable-AipService
    Write-Host "Azure RMS has been activated" -ForegroundColor Green
}

# Configure the super user feature (for compliance access to all protected content)
Enable-AipServiceSuperUserFeature

# Add the compliance admin as a super user
Add-AipServiceSuperUser -EmailAddress "compliance-admin@domain.com"

# Get the current IRM configuration
Get-AipServiceConfiguration | Select-Object *
```

Configure SharePoint Library IRM via PowerShell

```powershell
# Connect to SharePoint Online
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/AgentKnowledgeBase" -Interactive

# Get the library
$libraryName = "Agent Documents"
$library = Get-PnPList -Identity $libraryName
Write-Host "Configuring IRM on '$($library.Title)'" -ForegroundColor Cyan

# Enable IRM on the library (the granular options below only take effect once IRM is on)
Set-PnPList -Identity $libraryName -IrmEnabled $true

# IRM settings to apply; keys are InformationRightsManagementSettings property names
$irmSettings = @{
    PolicyTitle                = "FSI Protected Content"
    PolicyDescription          = "Documents protected by IRM - copying and printing restricted"
    AllowPrint                 = $false   # "Allow viewers to print": off for enterprise managed
    AllowScript                = $true    # screen reader / accessibility support
    AllowWriteCopy             = $false
    DisableDocumentBrowserView = $true    # "Prevent opening documents in the browser"
    EnableDocumentAccessExpire = $true
    DocumentAccessExpireDays   = 90       # Zone 3 access expiration
}

# Apply the IRM settings via CSOM (Set-PnPList does not expose these granular options)
$ctx = Get-PnPContext
$list = $ctx.Web.Lists.GetByTitle($libraryName)
$ctx.Load($list.InformationRightsManagementSettings)
$ctx.ExecuteQuery()

foreach ($setting in $irmSettings.GetEnumerator()) {
    $list.InformationRightsManagementSettings.($setting.Key) = $setting.Value
}

$list.Update()
$ctx.ExecuteQuery()

Write-Host "IRM configured on library: $libraryName" -ForegroundColor Green
```

Audit IRM-Protected Document Access

```powershell
# Connect to Exchange Online for audit log search
Connect-ExchangeOnline

# Search for IRM document access events
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date

# No -RecordType filter: "FileAccessed" is a SharePoint file operation while the protection
# events are AIP records, so restricting to a single record type drops one set or the other.
# "FileAccessed" covers every SharePoint file access, so filter on ObjectId for protected libraries.
$irmEvents = @(Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -Operations "ProtectionApplied","ProtectionRemoved","FileAccessed" `
    -ResultSize 5000)

# Parse IRM access events
$accessReport = $irmEvents | ForEach-Object {
    $auditData = $_.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Timestamp = $_.CreationDate
        User = $_.UserIds
        Operation = $_.Operations
        File = $auditData.ObjectId
        Result = $auditData.ResultStatus
    }
}

# Export report
$accessReport | Export-Csv -Path "IRM_AccessReport_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Summary (@() keeps .Count valid when zero or one record is returned)
Write-Host "=== IRM Access Summary ===" -ForegroundColor Cyan
Write-Host "Total IRM events: $($irmEvents.Count)"
Write-Host "Protection applied: $(@($irmEvents | Where-Object Operations -eq 'ProtectionApplied').Count)"
Write-Host "Documents accessed: $(@($irmEvents | Where-Object Operations -eq 'FileAccessed').Count)"
```

Create Sensitivity Label with IRM (Microsoft Graph)

```powershell
# Note: requires the Microsoft.Graph PowerShell SDK; Connect-MgGraph lives in Microsoft.Graph.Authentication
Install-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "InformationProtectionPolicy.ReadWrite.All"

# Define a label with encryption (simplified example; this object is only defined, not submitted)
$labelParams = @{
    displayName = "Highly Confidential - FSI"
    description = "For MNPI and highly sensitive financial data"
    color = "#FF0000"
    sensitivity = 10
    contentFormats = @("file", "email")
    isEndpointProtectionEnabled = $true
    settings = @(
        @{
            "@odata.type" = "#microsoft.graph.encryptionSettings"
            encryptionMethod = "AESGCM256"
            contentExpiredOnDateInDaysOrNever = "90"
        }
    )
}

# Note: Full implementation requires Microsoft Graph API calls
# This is a simplified example - use the Microsoft Purview portal for production
```

Financial Sector Considerations

Regulatory Alignment

| Regulation | Requirement | IRM Implementation |
|------------|-------------|--------------------|
| GLBA 501(b) | Protect customer NPI | IRM prevents unauthorized copying/sharing |
| SEC Reg S-P | Privacy of consumer financial info | Watermarks and access restrictions |
| FINRA 4511 | Books and records retention | IRM audit trail for access history |
| SOX 404 | Internal controls | Prevent unauthorized document distribution |
| SEC Reg S-ID | Red flags for identity theft | Protect customer identity documents |

Zone-Specific Configuration

| Configuration | Zone 1 (Personal Productivity) | Zone 2 (Team Collaboration) | Zone 3 (Enterprise Managed) |
|---------------|--------------------------------|-----------------------------|-----------------------------|
| IRM on Libraries | Optional | Required | Mandatory |
| Print Protection | Allowed | Blocked | Blocked |
| Copy Protection | Allowed | Blocked | Blocked |
| Watermarking | Disabled | Header/Footer | Full watermark |
| Access Expiration | None | 180 days | 90 days |
| Offline Access | 30 days | 14 days | 7 days |
| Screen Capture Block | Disabled | Enabled | Enabled |
| Revocation Capability | Manual | Admin + User | Automated alerts |

FSI Use Case Example

Scenario: Research Analyst Report Protection

Requirements:

  • Equity research reports contain MNPI
  • SEC regulations require access controls
  • Reports shared with select institutional clients

IRM Implementation:

  1. Sensitivity Label: "Highly Confidential - Research"
  2. Permissions:
    • Research team: View, Edit
    • Sales desk: View only
    • Institutional clients: View only (via external sharing)
    • No copy, print, or forward
  3. Expiration: access expires 90 days after publication
  4. Watermarking: dynamic watermark with the viewer's email
  5. Agent Access: Copilot agents have View-only access for Q&A

Regulatory Benefit:

  • Demonstrates MNPI access controls to SEC/FINRA
  • Audit trail for who accessed research
  • Revocation capability for compliance issues
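The research-report use case above, together with the Step 2 rights matrix, expressed as a label built with Security & Compliance PowerShell's New-Label; this is an added example, not code from the guide, it uses the Security & Compliance cmdlets rather than Microsoft Graph, and the tenant domain, group addresses, agent account and label name are placeholders.

```powershell
# Added example, not part of the original guide. Builds the "Highly Confidential - Research"
# label from the FSI use case with Security & Compliance PowerShell (ExchangeOnlineManagement
# module), the supported cmdlet path for labels with encryption. All addresses are placeholders.
Connect-IPPSSession

$tenantDomain = 'contoso.example'                    # placeholder tenant domain
$agentAccount = "copilot-agent-svc@$tenantDomain"    # placeholder agent service account

# Azure RMS usage rights used by -EncryptionRightsDefinitions:
#   VIEW, VIEWRIGHTSDATA = open / see permissions    DOCEDIT, EDIT = edit and save
#   EXTRACT = copy                                    PRINT = print
#   FORWARD, REPLY, REPLYALL = mail actions           OBJMODEL = programmatic access
# "No copy, print, or forward" means EXTRACT, PRINT and FORWARD are never granted.
# $(...) before the colon matters: "$var:NAME" would parse as a drive-qualified variable.
$rightsDefinitions = @(
    "research@$($tenantDomain):VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,OBJMODEL"   # research team: view + edit
    "salesdesk@$($tenantDomain):VIEW,VIEWRIGHTSDATA"                        # sales desk: view only
    "clients-institutional@$($tenantDomain):VIEW"                           # external guests: view only
    "$($agentAccount):VIEW"   # agent: view only; confirm in Step 5 testing whether OBJMODEL is also needed
) -join ';'

$labelParams = @{
    Name                                        = 'HC-Research'
    DisplayName                                 = 'Highly Confidential - Research'
    Tooltip                                     = 'Equity research reports containing MNPI'
    ContentType                                 = 'File, Email'
    EncryptionEnabled                           = $true
    EncryptionProtectionType                    = 'Template'
    EncryptionRightsDefinitions                 = $rightsDefinitions
    EncryptionContentExpiredOnDateInDaysOrNever = '90'   # access expires 90 days after publication
    EncryptionOfflineAccessDays                 = 7      # Zone 3 offline window from the zone table
    ApplyWaterMarkingEnabled                    = $true
    # Single quotes keep ${User.PrincipalName} literal so the client expands it to the viewer's UPN
    ApplyWaterMarkingText                       = 'CONFIDENTIAL - ${User.PrincipalName}'
    ApplyContentMarkingFooterEnabled            = $true
    ApplyContentMarkingFooterText               = 'Internal Use Only'
}
New-Label @labelParams

# Publish it (Step 7): mandatory labelling and downgrade justification as policy advanced settings
New-LabelPolicy -Name 'FSI Agent Document Protection' `
    -Labels 'HC-Research' `
    -ExchangeLocation All `
    -AdvancedSettings @{ Mandatory = 'true'; RequireDowngradeJustification = 'true' }

# Read the encryption settings back for the verification checklist
Get-Label -Identity 'HC-Research' | Format-List DisplayName, Encryption*
```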

Verification & Testing

Verification Steps

  1. Azure RMS Verification:
    • [ ] Azure RMS activated in tenant
    • [ ] IRM-enabled labels published
    • [ ] Label policies applied to users
  2. Library IRM Verification:
    • [ ] IRM enabled on sensitive libraries
    • [ ] Download restrictions working
    • [ ] Print/copy blocked as configured
  3. Agent Access Testing:
    • [ ] Agent can read IRM-protected content
    • [ ] Agent respects protection restrictions
    • [ ] Agent cannot expose protected content inappropriately
  4. Audit Trail Verification:
    • [ ] Document access logged
    • [ ] Protection events captured
    • [ ] Revocation tested and working

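A script for the Library IRM verification items above that checks each library's settings against the Zone 2 and Zone 3 rows of the zone-specific configuration table; this is an added example, not code from the guide, it reuses the PnP/CSOM objects from the PowerShell section, and the site URL and library names are placeholders.

```powershell
# Added example, not part of the original guide: compares a library's IRM settings with the
# Zone 2 / Zone 3 expectations from the zone table and returns one finding per mismatch.
# Site URL and library names are placeholders.
Connect-PnPOnline -Url 'https://yourtenant.sharepoint.com/sites/AgentKnowledgeBase' -Interactive

# Expected values per zone. LicenseCacheExpireDays is the "users must verify their credentials"
# interval, the library-level knob for the offline window; AllowWriteCopy is the closest
# library-level control for "Copy Protection" (clipboard copy is governed by the label rights).
$zoneBaseline = @{
    'Zone 2' = @{ IrmEnabled = $true; AllowPrint = $false; AllowWriteCopy = $false
                  EnableDocumentAccessExpire = $true; DocumentAccessExpireDays = 180
                  EnableLicenseCacheExpire = $true; LicenseCacheExpireDays = 14 }
    'Zone 3' = @{ IrmEnabled = $true; AllowPrint = $false; AllowWriteCopy = $false
                  EnableDocumentAccessExpire = $true; DocumentAccessExpireDays = 90
                  EnableLicenseCacheExpire = $true; LicenseCacheExpireDays = 7 }
}

function Test-LibraryIrmCompliance {
    param(
        [Parameter(Mandatory)][string]$LibraryName,
        [Parameter(Mandatory)][ValidateSet('Zone 2', 'Zone 3')][string]$Zone
    )
    $expected = $zoneBaseline[$Zone]
    $ctx  = Get-PnPContext
    $list = $ctx.Web.Lists.GetByTitle($LibraryName)
    $ctx.Load($list)
    $ctx.Load($list.InformationRightsManagementSettings)
    $ctx.ExecuteQuery()
    $irm = $list.InformationRightsManagementSettings

    foreach ($setting in $expected.Keys) {
        # IrmEnabled lives on the list itself; every other value is on the IRM settings object.
        # When IRM is off the other values are inert, so the IrmEnabled finding is the root cause.
        $actual = if ($setting -eq 'IrmEnabled') { $list.IrmEnabled } else { $irm.$setting }
        if ($actual -ne $expected[$setting]) {
            [PSCustomObject]@{
                Library  = $LibraryName
                Zone     = $Zone
                Setting  = $setting
                Expected = $expected[$setting]
                Actual   = $actual
            }
        }
    }
}

# Run against the libraries the agent reads from and keep the findings with the audit evidence
$findings = @(
    Test-LibraryIrmCompliance -LibraryName 'Agent Documents' -Zone 'Zone 3'
    Test-LibraryIrmCompliance -LibraryName 'Team Research'   -Zone 'Zone 2'
)
if ($findings.Count -eq 0) { Write-Host 'All libraries match their zone baseline' -ForegroundColor Green }
else {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path "IRM_ZoneFindings_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
}
```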
Compliance Checklist

  • [ ] IRM enabled on all team collaboration and enterprise managed document libraries
  • [ ] Sensitivity labels include IRM protection
  • [ ] Auto-labeling policies active for SIT matches
  • [ ] Document tracking enabled
  • [ ] Revocation procedures documented
  • [ ] Agent service accounts have minimum IRM rights

Troubleshooting & Validation

Issue 1: Agent Cannot Access IRM-Protected Content

Symptoms: Agent returns errors or empty responses for protected documents

Resolution:

  1. Verify agent service account is in label permissions
  2. Check that service account has Azure RMS rights
  3. Confirm library IRM settings allow service accounts
  4. Test with unprotected version to isolate issue
  5. Review agent authentication method

Issue 2: IRM Not Applying to Downloaded Files

Symptoms: Files lose protection when downloaded

Resolution:

  1. Verify IRM is enabled on the library
  2. Check that file type supports IRM (Office docs, PDF)
  3. Ensure client has Azure Information Protection client
  4. Verify user isn't in exception group
  5. Check for conflicting Group Policy settings

Issue 3: Users Cannot Open IRM-Protected Documents

Symptoms: "You don't have permission" errors

Resolution:

  1. Verify user is in label permissions
  2. Check document expiration date
  3. Verify offline access hasn't expired
  4. Ensure Azure RMS is reachable
  5. Clear Azure RMS credential cache

Issue 4: IRM Watermarks Not Displaying

Symptoms: Content marking not appearing on documents

Resolution:

  1. Verify content marking enabled in label
  2. Check that document format supports watermarks
  3. Ensure client application is updated
  4. Verify label was properly applied
  5. Check for macro or add-in interference

Additional Resources


| Control ID | Control Name | Relationship |
|------------|--------------|--------------|
| 1.5 | DLP and Sensitivity Labels | Label-based protection |
| 1.15 | Encryption | Underlying encryption |
| 1.3 | SharePoint Governance | Library permissions |
| 1.14 | Data Minimization | Access restrictions |
| 4.1 | SharePoint IAG | Content discovery control |

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead (governance direction)
  • Compliance Officer (regulatory requirements)
  • Technical Implementation Team (platform setup)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification