Azure RMS and Azure Information Protection offer excellent tools to protect information in your organization. Using them it is easy for end users to encrypt sensitive information so that no matter where that information may go, it will still be secure. The Digital Rights Management (DRM) is embedded in the document itself and before someone can open it, they have to authenticate with your Azure AD.
So, what happens when an employee leaves the organization and they have a bunch of encrypted files left behind, or an Admin needs to remove the encryption from files?
This is where Azure RMS Super Users come into play. You can download the PDF that describes them https://gallery.technet.microsoft.com/Azure-RMS-Super-Users-e6ce395c
This is all done via PowerShell and if automatically configured for users when they are working in the Security and Compliance Center if you assign the Decrypt RMS role to the user. The cmdlet you use is:
Enable-aadrmSuperuserFeature Add-aadrmSuperUser -EmailAddress “[email protected]”
To remove Azure RMS encryption you can then use the Unprotect-RMSFile cmdlet and if you need to encrypt files you can use the Protect-RMSFile
These can be used on a single file, or on a folder for bulk updates.
Hope this helps Admins that are looking to programmatically remove Azure RMS encryption via PowerShell!