How to read file content for a IRM Protected PDF?

1. Use the Microsoft Graph API to get the files
Access SharePoint files through the Microsoft Graph API and ensure that the request carries a valid access token:
csharp
var graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
var stream = await graphClient.Sites[“{site-id}”].Drives[“{drive-id}”].Items[“{item-id}”].Content
    .Request()
    .GetAsync();
Note: The application needs to be registered with Azure AD and granted the Files.Read.All permission.

2. Configure Azure AD application permissions
In the Azure portal, add API permissions for the application:
Microsoft Graph → Files.Read.All or Sites.Read.All
Office 365 SharePoint Online → AllSites.Read
The administrator needs to agree to these permissions.
3. Decrypting using the Azure Information Protection (RMS) SDK
Install the Microsoft.InformationProtection.File SDK to decrypt files through the service body:
csharp
var session = ProtectionProvider.CreateProtectionSession(new ProtectionSettings());
session.RegisterKeyAsync(protectionPolicy); // load the IRM policy
var decryptedStream = session.Decrypt(encryptedStream);
The service subject certificate needs to be configured and associated with the IRM policy.
4. Ensure the IRM policy allows service account access
In Microsoft 365 Compliance Center, add the service account as an authorized user when configuring IRM policy.
Set permissions such as View, Edit, etc.
5. Use SharePoint PnP libraries to process documents
Access the files through the PnP library with an elevated privilege account:
csharp
using (var context = new ClientContext(siteUrl))
{
    context.Credentials = new SharePointOnlineCredentials(username, securePassword); var file = context.Web.
    var file = context.Web.GetFileByServerRelativeUrl(filePath);
    context.Load(file); var stream = file.
    var stream = file.OpenBinaryStream(); // Process the decrypted stream.
    // Process the decrypted stream
}
Make sure the account has decryption permissions in the IRM policy.