Add an RMS account for SharePoint Online, OneDrive, and Microsoft Teams (Teams) to allow Cloud App Security to scan RMS-protected files for these services. Cloud App Security uses the RMS account to communicate with Azure RMS to get permission to access RMS-protected files and run advanced threat protection and data loss prevention scanning on them.
To configure Cloud App Security to scan RMS-protected files, see Configuring General Settings.
Before you begin adding an RMS account, make sure that:
You have provisioned a SharePoint Online, OneDrive, or Microsoft Teams (Teams) service account.
You have logged on to the Cloud App Security management console as an administrator assigned to the default Global administrator role. For details about Cloud App Security role-based access control, see Administrator and Role.
You have the Office 365 Global Administrator credentials for SharePoint Online, OneDrive, and Microsoft Teams (Teams).
The SharePoint Online or OneDrive service uses and enables Azure RMS.
Hover over the ring icon on the upper right of the management console and click the link Create an account for Azure Rights Management (Azure RMS) protected file scanning on the Notifications screen that appears.
Go to Administration > Service Account, click Add, and then click Rights Management Services.
You can create only one RMS account. If an RMS account already exists, Rights Management Services is dimmed and unavailable.
If no SharePoint Online service account exists, Rights Management Services is dimmed and unavailable.
The Add RMS Account screen appears.
If the SharePoint Online, OneDrive, or Microsoft Teams (Teams) service account is already promoted to Global Administrator privileges, Cloud App Security detects it and prompts a message on the screen.
The RMS account is successfully created and listed on the Service Account screen.
To enable Cloud App Security to scan RMS-protected files and keep detailed logs, turn on Enable RMS Protected File Scanning in the corresponding Advanced Threat Protection policies. For details, see Configuring General Settings.
Recreate an RMS account if the current account becomes invalid for some reason, for example, it reaches its expiration date.
View the status of your RMS account to confirm that it is invalid.
Click Recreate RMS Account and follow the instructions to create a new RMS account.
The new RMS account will appear in the service account list.
When the current RMS account becomes invalid, Cloud App Security also sends an email message to notify the administrator how to recreate an RMS account.