February 3, 2020

Configuring super-user role in Azure Information Protection

Rights management solutions revolves around protection for encrypting and decrypting the content. Each document which is being protected will be issued with a unique content key (private key) and each Organization will be issued with a tenant key(public key) and authorization of the appropriate recipients happens with these keys.  There will be certain scenarios where authorized account(s) have to be given privileges to decrypt any content  for below said reasons

  1. Owner of the protected content leaves the organization
  2. Integration with other Data Protection technologies like DLP ( content analysis ) and Exchange ( Email searches ) to decrypt any protected content
  3. Bulk decryption as a part of Legal and compliance reasons
  4. Decrypting the content during Exit plan

Considering these scenarios, Azure Information Protection (AIP) gives an option to configure an account, superuser, which will have complete access to any protected content.

Steps to configure Super user role in AIP:

Create a user account and add to Global admin group


Create a sample spreadsheet and restrict access only to the owner

Spreadsheet protected rights

Send the spreadsheet to super user

Sending email to superuser

As the super user role is not configured in AIP, the spreadsheet is restricted to view and open

Not able to open the file attachment

Configure Super user role 

Connect to AIP Service using below commandlet.  This will take to organization sign in page for authentication. AIP powershell module can be installed with the below command

Install-module AIPservice

Import-module AIPservice



Configure super user role

Add-aipservicesuperuser -Emailaddress “Email address of the super user account”

Powershell to configure Super user role in AIP

Enable Super user role by executing Enable-AIPServicesuperuserrolefeature

Check if the super user role is enabled



Now, check the access to the restricted spreadsheet which was shared earlier. As we can see, super user account is now able to open the spreadsheet which is restricted only to the owner.

Super user able to open the restricted spreadsheet
super user pening the spreadsheet

Additional permissions mapped to super user:

These additional permissions will give the options to remove/change permissions to the restricted documents, thus unlocking them for further use and sharing

Additional permissions to super user

Auditing Super User Activity


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s