Azure RMS - External users - you don't have credentials that allow you to open this document. you can request updated permissions from RRS feed

  • Question

  • Dear All,

    We have implemented Azure RMS has been implemented and integrated with their existing Exchange Server 2013 with SP1. The templates when created and applied work fine for the internal users i.e. end users apply the templates on email and send it to another user who is internally part of the same organization, its working fine without any issue,

    But the issue is when the templates are applied via email and shared with an user who is outside the organization ( External user ) who is either on O365 or on-premises, the end users are not able to open the email. Even if the end user is having an Azure RMS license, the email shared outside the organization is not opening. 

    The external user is getting the below message.

    you don't have credentials that allow you to open this document. you can request updated permissions from do you want to request updated permissions? change user | yes | no

    Appreciate if anyone has faced the same issue and how to get resolve this.



    Sunday, May 10, 2015 5:29 PM

All replies

  • Templates are usually for users within your organization - unless you (or an administrator) specifically added their account to the template.  Is that the case?  If not, you will need to choose another option, such as "Viewer – View Only" (one of the options that have a round, world globe icon rather than a square, building icon) from the RMS sharing app:

    Monday, May 11, 2015 2:19 PM
  • 1.For testing Azure RMS integrate with Exchange, please type this command at exchange powershell : Test-IRMConfiguration -sender <user@domain "who already has azure RMS license">.

    2.For outside organization you mean is a different domain? please make sure they have Azure RMS.


    Fazar Susanto

    Sunday, May 24, 2015 3:15 PM
  • I didn't think we allowed you to add external users to a template.
    I just tried and there isn't a way to do this, so I'm confused to what the actual scenario is.
    Wednesday, June 10, 2015 3:50 PM
  • We keep seeing this question/confusion about adding external users to templates, so added this as a new entry to the FAQs for Azure Rights Management:

    • Can I add users from outside my company to custom templates?

    Friday, August 14, 2015 7:47 PM
  • Hi Carol,

    I am following the FAQ mentioned in your comment above but it is not working in my case.

    We added the Contact with external email address under the Office 365 Active Directory (this same directory is connected to Azure RMS) as shown below:

    But when we go to Azure Template and try to search the contact, we are not able to find. All other users are there in the directory.

    Is there any specific way to add the External Contact in RMS template (using GUI)?



    Wednesday, November 18, 2015 9:33 AM
  • Looking into this for you ... tracing back where we got this information originally, that person is no longer with the team so we'll have to investigate it.

    Friday, November 20, 2015 7:28 PM
  • J.A - I can't get this to work either :-(  I tried adding an external user email address in the Office 365 admin portal under Contacts, and also as an Exchange Online contact. After a day, they are still not appearing in the Azure AD portal to select when configuring custom templates.  I'll ask somebody else to look into this as well, in case I'm missing something.

    In the meantime, I've removed this GUI option from the documentation. If you're using PowerShell to add external uses to an existing template, I think it's actually easier/safer to do this by exporting the template to a .CSV file and editing that, and importing the modified template rather than by specifying a rights definition object for these external users. Reason being, you'll have to specify rights definition objects for the existing users and rights, as well as the new (external) users.

    Can you try this & report back?   

    Sunday, November 22, 2015 6:49 PM
  • Hi Carol,

    Sure. I can try that. Can you please guide me how to export the template to CSV.



    Sunday, November 22, 2015 6:55 PM
  • Hi.

    Okay I got it. so you updated the FAQ documentation at

    Thank you for this update. I will try this and update here.



    Sunday, November 22, 2015 7:46 PM
  • Hi, J.A - wondering how you're getting on with this.  Now I've tried to do this myself, I know exporting a template creates an XML file, not CSV.  And it's not that easy to edit!  So a better way is to use Example 3 we just added to Set-AadrmTemplateProperty ( - like this:

    PS C:\> $templateid = "7b1db17a-cb1a-41cf-bad7-b452f9d384c1"
    PS C:\> [array]$r = New-AadrmRightsDefinition -EmailAddress -Rights "DOCEDIT", "EXTRACT"
    PS C:\> $r += New-AadrmRightsDefinition -EmailAddress -Rights "VIEW"
    PS C:\> $CurrentRightsDefinitions = [array]((get-aadrmtemplate -templateid $templateid).RightsDefinitions)
    PS C:\> $ResultingRightsDefinitions = $CurrentRightsDefinitions + $r
    PS C:\> Set-AadrmTemplateProperty -TemplateId $templateid -RightsDefinition $ResultingRightsDefinitions

    When I did this, I could see the external email address ( in the template when I looked at it in the Azure portal.

    Wednesday, December 2, 2015 5:50 AM
  • The external user could be added into the template,but the external user still cannot open the protected document.
    • Edited by lptian Wednesday, December 9, 2015 8:21 AM
    Wednesday, December 9, 2015 8:06 AM
  • The actual scenario is
    The local program which run by a domain user read permissions from file protected by policy of Windows azure right management service.

    Wednesday, December 9, 2015 8:24 AM
  • Thanks a lot Carol. Will try this method and update here.

    seems easy now :)


    Thursday, December 10, 2015 10:51 AM
  • Iptian, Azure RMS always uses Azure Active Directory to authenticate users - did you confirm whether this domain user has an account in Azure AD that uses the same email address that you specified in the template? When we tested his, it worked so if it's not working for you, please open a support case.

    If the user's organization doesn't have Azure AD, the user can sign up for RMS for individuals, which automatically creates an unmanaged Azure tenant for that organization so the user can be authenticated. This is the same flow as when you send a protected attachment in email ("Share Protected") with the RMS sharing application, and the recipient sees signing in instructions within the email message. You might want to try this method first, before opening a support case - to make sure the user email address can be authenticated in Azure.

    Thursday, December 10, 2015 5:33 PM
  • Thanks the reply.

    When I sign up for a work account,the following error message show up

    Looks like your Administrator has not specified where you are located. Please contact your Administrator to set your location in the Azure Active Directory or Office 365 management portal and retry sign up.

    I have another question:

    I am using  Microsoft Rights Management sharing app for Windows and Azure AD RMS

    to protect file,and using  AD RMS SDK 2.1 Interop Library to unprotect file.

    The program which run by a domain user read permissions from file protected by policy of Windows azure right management service.

    byte[] licenseByte = SafeFileApiNativeMethods.IpcfGetSerializedLicenseFromFile("C:\\test.docx");
    SafeIpcPromptContext ipcPromptContext = CreateIpcPromptContext(suppressUI, offline, hasUserConsent, credential);
    SafeInformationProtectionKeyHandle keyHandle= SafeNativeMethods.IpcGetKey(licenseByte , false, false, false,ipcPromptContext );

    I have specified the credential.

    SymmetricKeyCredential credential = new SymmetricKeyCredential();
    credential.Base64Key = "o9Z7cO6IP+xpGUb06u********************";
    credential.AppPrincipalId = "12ee0d8e-9777-4f39-b265-5***********";
    credential.BposTenantId = "5941bcdb-00b2-418b-91ae-95***********";

    domain user: rms\user1      online service

    Online service account( is also super user.

    when the third row is executed,a excepiton is thrown

    Microsoft.InformationProtectionAndControl.InformationProtectionException: You have not been granted the rights necessary to complete the specified operation. Contact the content owner for additional rights. HRESULT: 0x80040211

    How to resolve it?


    Monday, December 14, 2015 9:07 AM