Using a MIP or RMS Account

When your Office 365 services leverage Microsoft Information Protection (MIP) or Azure Rights Management (Azure RMS) to protect sensitive information, the files or email messages in the services may become encrypted and not accessible to Cloud App Security.

To extend protection to MIP or RMS encrypted content, grant Cloud App Security required permissions by using either of the following service accounts.

Account	Available Protection
MIP account	For Exchange Online email messages: decrypt messages for scanning For files in SharePoint Online, OneDrive, and Microsoft Teams (Teams): decrypt files for scanning and apply sensitivity labels. The protection is available for the following file types: Microsoft Word: docm, docx, dotm, and dotx Microsoft Excel: xlam, xlsm, xlsx, and xltx Microsoft PowerPoint: potm, potx, ppsx, ppsm, pptm, and pptx PDF: pdf Text: txt
RMS account	Decrypt files in SharePoint Online, OneDrive, and Microsoft Teams (Teams) for scanning

Account

Available Protection

MIP account

For Exchange Online email messages: decrypt messages for scanning
For files in SharePoint Online, OneDrive, and Microsoft Teams (Teams): decrypt files for scanning and apply sensitivity labels.

The protection is available for the following file types:
- Microsoft Word: docm, docx, dotm, and dotx
- Microsoft Excel: xlam, xlsm, xlsx, and xltx
- Microsoft PowerPoint: potm, potx, ppsx, ppsm, pptm, and pptx
- PDF: pdf
- Text: txt

RMS account

Decrypt files in SharePoint Online, OneDrive, and Microsoft Teams (Teams) for scanning

Cloud App Security recommends you create a MIP account for enhanced protection. Provisioning an RMS account is no longer available.

If you have already provisioned an RMS account, Trend Micro recommends you migrate to a MIP account.
If you have provisioned both the RMS and MIP accounts, Cloud App Security uses only the MIP account and you can remove the RMS account.