Fixing IRM License Expiration Issues in Outlook: Prevent Re-Authentication for Older Emails

by

Introduction

Information Rights Management (IRM) is a crucial security feature that protects sensitive emails in Outlook by applying encryption and access restrictions. However, many users face an issue where older IRM-protected emails (beyond 30 days) require re-authentication when accessed in Outlook. This happens due to the default expiration of Azure Rights Management (Azure RMS) use licenses, which is set to 30 days.

In this blog, we will explore the cause of this issue and provide a step-by-step guide to increasing the IRM license validity period, ensuring seamless access to protected emails without frequent re-authentication. Below image is showing what you going to face when IRM encryption validity period is over.

Why Does This Happen?

The default behavior of Azure RMS is to issue a use license for IRM-protected content with a validity period of 30 days. Once this period expires:

  • Outlook cannot automatically renew the license, leading to authentication prompts.
  • Users need to click on ‘Read Message’, which opens the email in a browser instead of directly within Outlook.

This can be frustrating, especially for users who frequently work with encrypted emails.

Solution: Increase IRM License Validity Period

Microsoft allows organizations to extend the Azure RMS use license expiration period using PowerShell. By increasing this period, you can reduce the need for frequent re-authentication.

Step 1: Connect to Azure RMS PowerShell

Before making changes, ensure you have the necessary admin rights and run the following commands:

Import-Module AIPService  # Load the Azure Information Protection (AIP) module
Connect-AipService        # Sign in to Azure RMS

You will be prompted to sign in using your Microsoft 365 administrator credentials.

Step 2: Check the Current License Expiry Setting

To verify the current IRM license validity period, run:

Get-AipServiceMaxUseLicenseValidityTime

This command will return the number of days IRM licenses remain valid before requiring renewal. By default, this value is 30 days.

Step 3: Extend the IRM License Expiration Period

To increase the IRM license validity (e.g., to 90 days), execute the following command:

Set-AipServiceMaxUseLicenseValidityTime -Days 90

This sets the license validity to 90 days, reducing the frequency of re-authentication requests.

Step 4: Verify the Change

Confirm that the new validity period has been applied:

Get-AipServiceMaxUseLicenseValidityTime

You should now see 90 as the output.

Step 5: Restart Outlook & Refresh IRM License

Once the changes are applied, affected users should restart Outlook and refresh their IRM settings using the following steps:

  1. Close Outlook completely.
  2. Run the IRM refresh command:irmcertmgr.exe /refresh
  3. Restart Outlook and try opening older IRM emails.

Final Thoughts

By increasing the IRM license validity period, users can access older IRM-protected emails directly within Outlook without the need for frequent re-authentication. This small but effective configuration tweak significantly enhances the user experience, particularly in organizations that rely heavily on encrypted emails.

Have you faced similar IRM challenges in your organization? Let us know in the comments below!

!!! THANKS FOR READING !!!

Regards,
HARISH KUMAR

Knowledge is not a finite resource to hoard; it’s a boundless treasure that grows when shared

Leave a Comment