I was working with a client today on Office 365 Azure Rights Management, and I set up Office for Mac 2016 to use my account on their Office 365 domain. It worked great…until I wanted to test it on a different domain. Unlike Office 2016 for Windows, Office 2016 stores the credentials in the keychain and doesn’t provide any way to switch IRM accounts in the GUI. Therefore, when you try to open an IRM-protected document from a different domain, you get access denied. Unfortunately, I’m not 100% sure which keys need to be deleted yet, but I can say that deleting the following keys did solve my issue:

  • handoff-own-encryption-key
  • MSProtection.framework.service
  • MSOpenTech.ADAL.1|followed by a large string of random characters
  • [GUID] that was tied to https:..msoCredentialSchemeADAL

*One thing to note: there is a good chance this will also remove the password for your account for all your other Office apps (Outlook, OneNote, etc.). It won’t hurt anything; it will just require you to re-enter any passwords when you first open the application after removing these items from the keychain.
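To review which keychain items match the names above before deleting anything, the following added example (not part of the original post) filters the text output of `security dump-keychain`, which prints item metadata only, and lists the labels of matching records. It assumes the names appear in an item's label or another attribute; the sample records are constructed.

```shell
#!/bin/sh
# Added example: read-only review of the keychain items named in the post.
# Input is the text printed by `security dump-keychain` (metadata, no secrets).

# Patterns built from the item names listed in the post.
IRM_PATTERNS='handoff-own-encryption-key|MSProtection[.]framework[.]service|MSOpenTech[.]ADAL[.]1[|]|msoCredentialSchemeADAL'

# Print the label of every record that has an attribute matching a pattern.
office_irm_candidates() {
    awk -v pat="$IRM_PATTERNS" '
        function emit() {
            if (hit) print (label != "" ? label : "<no label>")
            label = ""; hit = 0
        }
        /^keychain: / { emit(); next }       # each record starts with this line
        /0x00000007 <blob>="/ {               # attribute 7 holds the item label
            label = $0
            sub(/^[^=]*="/, "", label)        # drop everything up to the value
            sub(/"[^"]*$/, "", label)         # drop the closing quote
        }
        /<blob>=/ && $0 ~ pat { hit = 1 }     # any attribute may carry the name
        END { emit() }
    '
}

# Constructed sample in dump-keychain layout; every value here is made up.
sample_dump() {
    cat <<'EOF'
keychain: "/Users/demo/Library/Keychains/login.keychain-db"
class: "genp"
    0x00000007 <blob>="MSProtection.framework.service"
    "acct"<blob>="user@old-tenant.example"
keychain: "/Users/demo/Library/Keychains/login.keychain-db"
class: "genp"
    0x00000007 <blob>="MSOpenTech.ADAL.1|CONSTRUCTED0000"
keychain: "/Users/demo/Library/Keychains/login.keychain-db"
class: "genp"
    0x00000007 <blob>="Wi-Fi Home"
    "svce"<blob>="AirPort"
keychain: "/Users/demo/Library/Keychains/login.keychain-db"
class: "genp"
    0x00000007 <blob>="00000000-0000-0000-0000-000000000000"
    "svce"<blob>="msoCredentialSchemeADAL"
EOF
}

sample_dump | office_irm_candidates
# On a Mac: security dump-keychain | office_irm_candidates
```
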

When I reopened my Office application and clicked on File -> Restrict Permissions, it still showed the old tenant IRM rules. However, when I selected one of them, it prompted me to enter new credentials. The old tenant username was still listed, but I changed it to the new account, logged in, and the rule templates in Restrict Permissions were updated to my new tenant. I was also able to open documents from the new tenant again.

So, while it doesn’t appear that it erases all the old settings completely, it does remove enough of the stored credentials to allow you to change them to a new set of credentials. Hopefully in a future release Microsoft will provide a more user-friendly way to update Office 365 IRM credentials, or the ability to set a default but prompt for different credentials if you try to access content protected by IRM in a domain other than your default.