Forum Discussion

Melvin_Maldonado03
Copper Contributor
Oct 22, 2025

How does the super user functionality in Azure Rights Management work?

We have recently performed labeling tests with Microsoft Purview on emails and Office documents. However, a question arises about what happens when a user encrypts a document or email and it becomes necessary to recover that information.

I understand that the super user functionality must be enabled via PowerShell to access encrypted content, but how is this functionality actually used in practice? What steps should I follow to recover encrypted documents and emails using the super user?

3 Replies

  • Ankit365
    Iron Contributor

    In Microsoft Purview Information Protection, which includes Azure Rights Management, the super user feature lets authorized administrators open and recover encrypted files and emails when the original user or permissions are no longer available. It gives the assigned account full control over all encrypted content in the organization’s tenant, so it can decrypt, open, or reapply labels and policies to protected data. This feature is often used by security or compliance officers to access files that were encrypted through sensitivity labels or Rights Management templates.

    To use it in practice, you first enable the super user feature through PowerShell. After importing the AIPService module and connecting to the tenant with Connect-AipService, you run the command Enable-AipServiceSuperUserFeature to activate it. Then, you assign specific users or a group using Add-AipServiceSuperUser or Set-AipServiceSuperUserGroup. Once that is done, those users can open encrypted Office files or Outlook messages directly because they now have full control rights under the encryption policies. If you need to recover a protected document, you simply sign in with a super user account, open the file, and either remove the encryption with the Purview Information Protection client or reapply a new label to make it readable to others.

    Administrators usually use this feature for investigations, data recovery, or legal discovery. Microsoft recommends enabling it only when necessary and limiting membership to a small number of trusted users. All super user activities are logged for auditing, so you can trace when a file was decrypted and by whom. This capability ensures that even if an employee leaves or a file becomes inaccessible due to policy changes, the organization can still recover and manage its encrypted data safely.

    Please hit like if you like the solution.
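The procedure in the reply above, written out as an added PowerShell example (this is not code from the original post). It assumes the AIPService module is installed and the session is signed in as a tenant administrator, and that the machine used for the recovery step has the AzureInformationProtection PowerShell module that ships with the Purview Information Protection client. The group address, account address and file paths are placeholders.

```powershell
# Added example, not from the original post: enable the super user feature,
# assign super users, verify the configuration, then recover protected files.
# Assumptions: AIPService module installed; connected as a tenant admin;
# AzureInformationProtection module (from the Purview Information Protection
# client) present on the recovery workstation. Names and paths are placeholders.

Import-Module AIPService
Connect-AipService               # interactive sign-in as a tenant admin

# 1. Enable the feature (it is off by default) and confirm the new state.
Enable-AipServiceSuperUserFeature
Get-AipServiceSuperUserFeature   # expected output: Enabled

# 2. Assign super users. A group is easier to review and recertify like any
#    other privileged group; individual accounts can be added as well.
Set-AipServiceSuperUserGroup -GroupEmailAddress "rms-superusers@contoso.com"
# Add-AipServiceSuperUser -EmailAddress "recovery-admin@contoso.com"

# 3. Check who currently holds super user rights before using them.
Get-AipServiceSuperUserGroup
Get-AipServiceSuperUser

# 4. Recovery, run on a workstation where a super user is signed in.
#    Unprotect-RMSFile strips Rights Management protection from a single file
#    (-File) or from every protected file under a folder (-Folder -Recurse).
#    Decrypted copies are written to -OutputFolder so the originals stay intact;
#    the log records each file processed and any failures.
$source = "C:\Recovery\Protected"
$target = "C:\Recovery\Decrypted"
Unprotect-RMSFile -Folder $source -Recurse -OutputFolder $target -LogFile "C:\Recovery\unprotect.log"
```

Run the recovery step only after Get-AipServiceSuperUser or Get-AipServiceSuperUserGroup shows the signed-in account; if the account is not listed, Unprotect-RMSFile fails for files it was not granted rights to. Writing to a separate output folder rather than using -InPlace keeps the protected originals available if the decrypted copies ever need to be discarded.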

    • Melvin_Maldonado03
      Copper Contributor

      Can a SharePoint administrator, solely by being a superuser, access another user's repository and decrypt specific files? If bulk decryption of multiple documents is required, can this be done through eDiscovery or another Microsoft tool?


  • AladinH
    Brass Contributor

    Hi Melvin_Maldonado03,

    Yes, you’re right - the super user feature in Purview allows designated accounts to decrypt any content protected by AIP/Purview labels, even if they aren’t the author or recipient.

    I would suggest the following approach:

    - Enable the feature in your Azure/Rights Management settings.

    - Assign trusted users as super users.

    - Open encrypted emails or documents - super users can access the content automatically.

    - Audit and monitor activity to ensure proper usage.

    Best practice: Only assign to trusted accounts and disable the feature if not needed.

    Microsoft references:

    https://learn.microsoft.com/en-us/purview/encryption-super-users

    https://learn.microsoft.com/en-us/powershell/module/aipservice/enable-aipservicesuperuserfeature?view=azureipps
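The "audit and monitor" and "disable when not needed" steps from the reply above, as an added PowerShell example (not code from the original reply). It assumes the AIPService module is installed and the session is connected as a tenant administrator; the date window, the account address and the output paths are placeholders, and the "SuperUser" search pattern is an assumption about how the cmdlet names appear in the exported log.

```powershell
# Added example, not from the original reply: review the super user
# configuration history and usage, then turn the feature off after use.
# Assumptions: AIPService module installed; connected as a tenant admin;
# paths, dates and the account address are placeholders; the "SuperUser"
# pattern assumes the admin log records the super user cmdlet names.

Import-Module AIPService
Connect-AipService

# Export the protection service admin log for the last 30 days. Changes to
# the super user feature and its membership are recorded here.
$adminLog = "C:\Audit\aip-admin-log.txt"
Get-AipServiceAdminLog -Path $adminLog -FromTime (Get-Date).AddDays(-30)

# Keep only the super user related entries for the reviewer.
Select-String -Path $adminLog -Pattern "SuperUser" | ForEach-Object { $_.Line }

# Download the usage logs for the same window. This is where the actual
# open/decrypt operations performed under super user rights are recorded.
$usageLogs = "C:\Audit\aip-usage-logs"
Get-AipServiceUserLog -Path $usageLogs -FromDate (Get-Date).AddDays(-30)

# When the recovery task is finished, remove the grants and disable the
# feature so the standing capability does not outlive its justification.
Remove-AipServiceSuperUser -EmailAddress "recovery-admin@contoso.com"
Clear-AipServiceSuperUserGroup
Disable-AipServiceSuperUserFeature
Get-AipServiceSuperUserFeature   # expected output: Disabled
```

Disabling the feature does not delete the group or account assignments that were cleared above; they are removed separately so that a later Enable-AipServiceSuperUserFeature does not silently restore the previous membership.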
