Add an RMS account for SharePoint Online and OneDrive for Business to allow Cloud App Security to scan RMS-protected files for these services. Cloud App Security uses the RMS account to communicate with Azure RMS to get permission to access RMS-protected files and run advanced threat protection and data loss prevention scanning on them.
To configure Cloud App Security to scan RMS-protected files, see Configuring General Settings.
Before you begin adding an RMS account, make sure that:
You have provisioned a SharePoint Online Delegate Account for SharePoint Online or OneDrive for Business.
You have logged on to the Cloud App Security management console as an administrator assigned to the default Global administrator role. For details about Cloud App Security role-based access control, see Administrator and Role.
You have the Office 365 Global Administrator credentials for SharePoint Online and OneDrive for Business.
The SharePoint Online or OneDrive for Business service uses Azure RMS and has it enabled.
Hover over the ring icon in the upper-right corner of the management console and click the corresponding link on the Notifications screen that appears.
Go to Administration > Service Account, click Add, and then click Rights Management Services.
You can create only one RMS account. If an RMS account already exists, Rights Management Services is dimmed and unavailable.
If no SharePoint Delegate Account exists, Rights Management Services is dimmed and unavailable.
The Add RMS Account screen appears.
If the SharePoint Online Delegate Account has already been promoted to Global Administrator privileges, Cloud App Security detects this and displays a message on the screen.
The RMS account is successfully created and listed on the Service Account screen.
To enable Cloud App Security to scan RMS-protected files and keep detailed logs, turn on Enable RMS Protected File Scanning in the corresponding Advanced Threat Protection policies. For details, see Configuring General Settings.