Image: binary code going into a black hole

Synchronising IRM-protected SharePoint Online libraries

With the move to cloud services, information protection and the lifecycle of sensitive information are important topics to consider. As organisations adopt Office 365, sensitive information will be stored in services such as SharePoint Online. Part of the lifecycle of sensitive information in Office 365 is protecting it according to policy, for example by:

• Applying encryption via Azure Rights Management Services (Azure RMS) and Information Rights Management (IRM)
• Applying retention policies via Office 365 labels
• Blocking sharing via Data Loss Prevention (DLP)

Organisations need an effective way to allow the appropriate users to continue to work with sensitive information. The Office 365 security and compliance feature set is continually evolving, and on Friday 19th January 2018, Microsoft announced an update to the OneDrive sync client (version 17.3.7294.0108) that allows it to synchronise the contents of an IRM-protected SharePoint Online library.

What is IRM anyway?

This is a great question, not least because Microsoft’s terminology around Azure Information Protection, Azure Rights Management and Information Rights Management can seem confusing at first. To define these terms:
• Azure Information Protection (AIP). This is Microsoft’s cloud-based service that provides labelling, classification and protection services for emails and documents
• Azure Rights Management Services (Azure RMS). Azure RMS is the protection technology used by AIP to apply protection to emails and documents
• Information Rights Management (IRM). IRM is the name used for Azure RMS protection when it is applied through SharePoint Online, Exchange Online and Office applications such as Microsoft Word

How does IRM work within SharePoint Online?

For an organisation to make use of IRM protection in SharePoint Online, two prerequisites must be in place: the Azure Rights Management service (the protection component of AIP) must be activated for the Office 365 tenancy, and IRM must be enabled for the SharePoint Online service in the SharePoint admin centre. Once these steps have been completed, an administrator can configure IRM settings on individual SharePoint Online libraries and lists. The IRM configuration screen for a document library is shown below.

Image: IRM Setting Screen
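The two prerequisites and the per-library settings described above can be audited from PowerShell rather than by clicking through the admin centre. The script below is an added example, not code from the original post or from Microsoft. It assumes the 2018-era AADRM module (since renamed to AIPService, where the equivalent cmdlets are Connect-AipService and Get-AipService) and the SharePoint Online Client Components SDK (CSOM) installed at its default path; the site URL and account name are placeholders.

```powershell
# Added example (not from the original post): audit the IRM prerequisites and
# per-library IRM settings for one SharePoint Online site.
# Assumptions: AADRM module and SharePoint Online CSOM SDK installed; the site URL
# and account below are placeholders to be replaced.
param(
    [string]$SiteUrl  = "https://contoso.sharepoint.com/sites/Finance",   # placeholder
    [string]$UserName = "admin@contoso.onmicrosoft.com"                   # placeholder
)

# 1. Tenant level: is the Azure Rights Management service activated?
#    (Renamed module: Connect-AipService / Get-AipService.)
Connect-AadrmService
$rmsState = Get-Aadrm      # returns "Enabled" or "Disabled"
Write-Host "Azure RMS activation state: $rmsState"
if ($rmsState -ne "Enabled") {
    Write-Warning "Azure RMS is not activated; IRM cannot be used in SharePoint Online until it is."
}

# 2. Library level: which lists and libraries in the site have IRM switched on,
#    and with which settings? Uses CSOM from the SharePoint Online Client SDK.
$sdkPath = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI"  # default SDK path (assumption)
Add-Type -Path (Join-Path $sdkPath "Microsoft.SharePoint.Client.dll")
Add-Type -Path (Join-Path $sdkPath "Microsoft.SharePoint.Client.Runtime.dll")

$cred = Get-Credential -UserName $UserName -Message "SharePoint Online credentials"
$ctx  = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

$lists = $ctx.Web.Lists
$ctx.Load($lists)
$ctx.ExecuteQuery()

foreach ($list in $lists) {
    # IrmEnabled is the library-level "Restrict permissions on this library on download" switch
    if (-not $list.IrmEnabled) { continue }

    $ctx.Load($list.InformationRightsManagementSettings)
    $ctx.ExecuteQuery()
    $irm = $list.InformationRightsManagementSettings

    [pscustomobject]@{
        Library          = $list.Title
        PolicyTitle      = $irm.PolicyTitle
        AllowPrint       = $irm.AllowPrint
        AllowWriteCopy   = $irm.AllowWriteCopy
        BrowserViewOff   = $irm.DisableDocumentBrowserView
        # IrmReject = "Do not allow users to upload documents that do not support IRM"
        BlockUnsupported = $list.IrmReject
        # IrmExpire = "Stop restricting access to the library on <date>"
        LibraryExpiry    = $list.IrmExpire
        ExpireDays       = $(if ($irm.EnableDocumentAccessExpire) { $irm.DocumentAccessExpireDays } else { "n/a" })
    }
}
```

Run it against a site before users report sync problems: any library listed in the output is one the older sync client will refuse to synchronise, and the `BlockUnsupported` column shows whether uploads of non-IRM-capable file types are being rejected as well.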

IRM in SharePoint Online applies protection to documents when they are downloaded. In other words, the content is stored without IRM protection in SharePoint Online (it remains subject to the service's own storage encryption and to the library's permissions, but it is not RMS-encrypted at rest). Why is this? If an already-protected file is uploaded to SharePoint Online, the service cannot read its content, so key functionality such as co-authoring, indexing, search and document previews is no longer possible. To preserve this functionality, protection is applied when content leaves the library via download, not when it is created or uploaded. A practical consequence is that the library's permissions and sharing settings, not IRM, are what govern access to the content while it sits in SharePoint Online.

The historical IRM challenge with the OneDrive sync client

As shown below, the Sync button in SharePoint Online is used to synchronise the contents of a document library to the local computer via the OneDrive sync client.

Image: IRM Sync Screen

Upon selecting the Sync button, the OneDrive window shown below is presented. It lets the user choose which files and folders from the SharePoint Online document library are to be synchronised to the local computer. This is the behaviour users expect, but it assumes that the document library does not have IRM protection applied: before the recent announcement from Microsoft, the OneDrive sync client was unable to synchronise the contents of IRM-protected libraries.

Image: Sync message

Let’s do a test where an IRM-protected library in a separate Office 365 tenancy is added to an older version of the OneDrive sync client (version 17.3.7131.1115 to be precise). When an attempt is made to synchronise this document library for the first time, the following error message is presented:

Image: IRM OneDrive Error screen

This is not a particularly helpful error message. A quick search of the Internet reveals many different causes of, and solutions for, this error.

How about the scenario where a document library is already being synchronised, and the SharePoint Online administrator subsequently enables IRM protection on that document library? In this scenario, the OneDrive client presents the error message shown below:

Image: IRM OneDrive Error screen 2

At first glance, this appears to be a much more helpful error message: step 4 identifies IRM as the cause. However, the message refers to synchronising the user's personal OneDrive library, whereas IRM protection was applied to a SharePoint Online site document library, not to the personal OneDrive. In short, neither message gives the end user a good experience.

Updated sync client addresses the issue

The latest OneDrive sync client from Microsoft now allows IRM-protected SharePoint libraries to be synchronised to the local computer. Continuing the previous test, the sync of the IRM-protected document library started working as soon as the OneDrive client updated itself to version 17.3.7294.0108, as per the Microsoft announcement.

In its blog post, Microsoft states that the updated OneDrive sync client will reach all users by the end of January. According to the OneDrive sync client release notes, version 17.3.7294.0108 is now in the Production ring.
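Because the fix arrives through the sync client's own update mechanism rather than a tenant-side setting, the useful check on a user's machine is simply whether the installed client has reached the version named in the announcement. The script below is an added example, not code from the original post or from Microsoft. It reads the version from the per-user registry key the sync client maintains, falling back to the file version of the per-user OneDrive.exe install; both locations are assumptions about a standard Windows per-user installation.

```powershell
# Added example (not from the original post): check whether the installed OneDrive
# sync client is at or above the version Microsoft's announcement names as adding
# support for IRM-protected SharePoint libraries.
# Assumptions: per-user install on Windows; version recorded under
# HKCU:\Software\Microsoft\OneDrive and in %LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe.

$RequiredVersion = [version]"17.3.7294.0108"   # from the announcement quoted above

function Get-OneDriveSyncClientVersion {
    # Preferred source: the Version value the client writes to its per-user registry key
    $reg = Get-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive" -Name Version -ErrorAction SilentlyContinue
    if ($reg -and $reg.Version) { return [version]$reg.Version }

    # Fallback: file version of the per-user OneDrive.exe
    $exe = Join-Path $env:LOCALAPPDATA "Microsoft\OneDrive\OneDrive.exe"
    if (Test-Path $exe) { return [version](Get-Item $exe).VersionInfo.FileVersion }

    return $null
}

$installed = Get-OneDriveSyncClientVersion
if (-not $installed) {
    Write-Warning "No OneDrive sync client found for the current user."
}
elseif ($installed -ge $RequiredVersion) {
    Write-Host "OneDrive $installed is installed: IRM-protected library sync is supported."
}
else {
    Write-Warning "OneDrive $installed is installed: update to $RequiredVersion or later to sync IRM-protected libraries."
}
```

Comparing `[version]` objects rather than strings matters here: a string comparison would rank "17.3.7131.1115" above "17.3.7294.0108" purely on the leading digits of the fourth component, while the typed comparison treats each dotted component numerically.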

How Can Silversands Help?

Understanding Microsoft’s information protection solutions together with their benefits, applicability and requirements can be a daunting experience. We have extensive experience with Office 365, Azure Active Directory and information protection solutions, and can assist you in making sense of the options available to you. Use the attached form and someone will be in contact with you very soon.

Also take a look at our latest events which include a dedicated Security and Compliance session plus a dedicated SharePoint session. And don’t forget to follow us on Twitter and LinkedIn to keep up with our regular blogs and commentary.

