What happens when I send a document to the wrong person or no longer want them to see the content?

Most of the time, the answer to this question is to plan and prepare better. Setting a content expiration (“self-destructing” document) is a reasonable approach to ensure recipients are either frequently referring back to the source of record for updates (e.g., for a document repository), or do not retain access to content longer than needed (e.g., for a bid or proposal).

Enabling a short use license expiration will ensure that the user’s credentials are revalidated on a frequent basis, requiring an online connection to RMS servers. For example, if a user is terminated, his AD credential will likely be automatically disabled by the Identity and Access Management system, thus removing his ‘key’ to opening RMS-protected content. For very sensitive content, there are few use cases where offline access should be extended beyond a week, especially in the days of internet connectivity everywhere.

When paired with assiduously managed SharePoint Permissions, short content and use license expirations cover almost all cases where sensitive content falls into the wrong hands.

However, if these controls were not put in place and you still need to revoke access to an RMS-protected document, here are your options:

Revocation Level AD RMS Azure RMS Implementer
User ✔︎ ✔︎ AD Admin
RMS ✔︎ ✔︎ RMS Admin
Document Document Owner*

* Requires Enterprise Mobility Suite (EMS) license not included with standard Office 365MT E3 tier
** RMS policy templates and template revocation lists are an option not covered in depth here because they are clunky, error prone, and may not be supported depending on the version of AD RMS. Also, using many policy templates can lead to operational difficulties – a topic for another day.

Document-level revocation in the traditional IRM/eDRM sense is only available in the cloud-hosted Azure RMS, where it can be done by the document owner. As noted above, additional licensing is required. This option has a beautiful UX and works as expected.

For on-premise AD RMS, AD administrators could revoke the user’s credentials entirely, rendering his RMS-protected documents unusable by dint of terminating the ‘key’, his AD credential. Or the RMS administrator could revoke the user’s access to RMS which will have a similar effect but will not impact the user’s ability to access other AD domain resources. Unfortunately, both of these are ‘nuke from orbit’ style approaches and may not make sense in many revocation use cases.

The Azure RMS Document Tracking and Revocation feature in EMS delivers the best end user experience, but it is possible to achieve coarser-grained results in AD RMS.