Set-AadrmOnboardingControlPolicy
NAME Set-AadrmOnboardingControlPolicy
SYNOPSIS
Sets the user on-boarding control policy for Rights Management.
SYNTAX
Set-AadrmOnboardingControlPolicy [-Force] [-Scope {All | WindowsApp | MobileApp}] [-SecurityGroupObjectId <Guid>]
-UseRmsUserLicense <Boolean> [-Confirm] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Set-AadrmOnboardingControlPolicy cmdlet sets the policy that controls user on-boarding for Azure Rights
Management. This cmdlet supports a gradual deployment by controlling which users in your organization can protect
content by using Azure Rights Management.
You must use PowerShell to set this configuration; you cannot set it by using a management portal.
This control can be based on assigned user licenses for the service or membership in a designated security group.
You can also define whether the policy applies to just mobile devices, just Windows clients, or mobile devices and
Windows clients.
If you use the assigned license option, you can assign licenses to users by using the Office 365 admin center or
by using Azure PowerShell and the Set-MsolUserLicense
(https://docs.microsoft.com/en-us/powers ... readps-1.0) cmdlet from
the Azure AD PowerShell administration module. You can also use the Get-MsolAccountSku
(https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolaccountsku?view=azureadps-1.0) cmdlet to obtain
the different types of licenses that you can assign in your organization.
If you use the group membership option, you must specify a security group, which does not have to be mail-enabled
and can contain other groups. To specify the group, use the group GUID. For more information about the user and
group requirements and how to find the group GUID, see Preparing users and groups for Azure Information Protection
(https://docs.microsoft.com/information- ... gn/prepare).
For more information about the Azure AD PowerShell cmdlets, see Azure Active Directory PowerShell
(https://docs.microsoft.com/powershell/a ... readps-2.0).
Note: This cmdlet does not stop users from consuming protected content or prevent administrators from configuring
services for Azure Rights Management (for example, Exchange Online transport rules, SharePoint protected
libraries, Windows Server FCI). Instead, it is designed for user applications such as Office, so that users do not
see the options or templates to use Azure Rights Management protection.
PARAMETERS
-Force [<SwitchParameter>]
Indicates that this cmdlet configures the on-boarding control policy even if there is already an on-boarding
control policy for the organization.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-Scope <OnboardingControlPolicyScope>
Specifies the types of applications to which the on-boarding policy applies.
Valid values are:
- All
- WindowsApp
- MobileApp
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName, ByValue)
Accept wildcard characters? false
-SecurityGroupObjectId <Guid>
Specifies the object ID of a security group in Azure AD. If you try to specify the object ID of a distribution
group, you will see an error.
The specified group restricts which users can protect content by using Rights Management. If you also enable
license enforcement, only users that have a license assigned and are members of this specified group can
protect content by using Azure Rights Management.
You can use this parameter to implement a phased deployment of Azure Rights Management even if all users have
a license assigned to them.
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName, ByValue)
Accept wildcard characters? false
-UseRmsUserLicense <Boolean>
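Specifies whether users without a license assigned to them can use Azure Rights Management to protect content.
As the examples show, $True restricts protection to users who have a license assigned, and $False does not
require a license.
Users can always use Azure Rights Management to consume protected content regardless of this setting and their
license assignment.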
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName, ByValue)
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Example 1: Restrict Azure Rights Management to users who have a license and are members of a specified group
PS C:\> Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $True -SecurityGroupObjectId "fba99fed-32a0-44e0-b032-37b419009501" -Scope All
This command configures the Azure Rights Management service to allow only users who have a license to use Azure
Rights Management to protect content. Further, the command requires users to be members of the security group with
the specified object ID. The restriction applies to Windows clients and mobile devices.
Example 2: Restrict Azure Rights Management to users who are members of a specified group
PS C:\> Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "fba99fed-32a0-44e0-b032-37b419009501" -Scope All
This command allows only users that are members of the security group with the specified object ID to protect
content by using Azure Rights Management. The command applies to Windows clients and mobile devices.
Example 3: Restrict Azure Rights Management to users who have a license
PS C:\> Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $True -Scope All
This command allows only users who have a license assigned to protect content by using Azure Rights Management.
The command applies to Windows clients and mobile devices.
Example 4: Do not restrict Azure Rights Management for users
PS C:\> Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $False -Scope All
This command allows all users to protect content by using Azure Rights Management. The command applies to Windows
clients and mobile devices.
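Added example (not part of the original help text): a phased-rollout script that checks the group type before applying the policy, does a -WhatIf dry run, applies the change, and reads it back with Get-AadrmOnboardingControlPolicy. Assumptions: the AADRM and MSOnline modules are installed, the parameter names $PilotGroupId, $Scope and $RequireLicense are illustrative, and the object returned by Get-AadrmOnboardingControlPolicy exposes properties named after the Set cmdlet's parameters.

```powershell
# Added example. Assumes the AADRM and MSOnline modules are installed and that the
# caller supplies the object ID of their own pilot security group.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [Guid] $PilotGroupId,
    [ValidateSet('All', 'WindowsApp', 'MobileApp')] [string] $Scope = 'All',
    [bool] $RequireLicense = $true
)

Connect-MsolService
Connect-AadrmService

# -SecurityGroupObjectId rejects distribution groups, so check the group type first.
$group = Get-MsolGroup -ObjectId $PilotGroupId -ErrorAction Stop
if ($group.GroupType -eq 'DistributionList') {
    throw "Group '$($group.DisplayName)' is a distribution group; use a security group."
}

# Keep the previous policy on record so the change can be reviewed or reverted.
$before = Get-AadrmOnboardingControlPolicy
$before | Format-List

$policy = @{
    UseRmsUserLicense     = $RequireLicense
    SecurityGroupObjectId = $PilotGroupId
    Scope                 = $Scope
}

# Dry run, then apply. -Force configures the policy even if one already exists.
Set-AadrmOnboardingControlPolicy @policy -WhatIf
Set-AadrmOnboardingControlPolicy @policy -Force

# Read the policy back and fail loudly on drift.
# Assumption: the returned object exposes properties named after the parameters.
$after = Get-AadrmOnboardingControlPolicy
$mismatch = @(
    if ($after.UseRmsUserLicense -ne $RequireLicense) { 'UseRmsUserLicense' }
    if ("$($after.SecurityGroupObjectId)" -ne "$PilotGroupId") { 'SecurityGroupObjectId' }
    if ("$($after.Scope)" -ne $Scope) { 'Scope' }
)
if ($mismatch) { throw "Policy read-back differs in: $($mismatch -join ', ')" }
$after | Format-List
```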
RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?LinkId=521419
Get-AadrmOnboardingControlPolicy