Add users to the super user feature in Information Protection

Azure Information Protection has a feature known as “super user”. It enables an account (or the members of a group) to fully manage protected documents, including removing encryption, regardless of the permissions configured on any individual label.
This feature is mainly used by auditing teams for reviews and by admins when setting up the AIP Scanner service account.
Super users can only be configured via PowerShell. While you can assign multiple individual users to this feature, only one group at a time can be configured.
The members of this feature should be monitored regularly, as this is a critical role. To audit members of the feature, refer to the following resources:

Microsoft Entra ID allows granting users just-in-time membership in groups with Privileged Identity Management (PIM). This is particularly useful, as you may want to only assign temporary membership to the eligible group members assigned to the super user feature. Please note that you’ll need Entra ID Plan 2 to use PIM.

Requirements

  • You have to use a Global Administrator account to add users to this feature
  • To use PIM for Groups you’ll need Entra ID Plan 2


Enable the feature and add a single user

Enabling the feature for a single user can be more convenient in urgent situations. Otherwise, use the group steps below.

# Install the Azure Information Protection module.
Install-Module AIPService
# Import the module
Import-Module AIPService
# Connect to Azure Information Protection.
Connect-AipService
# Enable the Azure Information Protection super user feature since it's disabled by default.
Enable-AipServiceSuperUserFeature
# Check the activation status of the AIP super user feature
Get-AipServiceSuperUserFeature
# Add a user as a super user
Add-AipServiceSuperUser -EmailAddress "superuser@azvise.com"
# List the current super users
Get-AipServiceSuperUser

Enable the feature and add a group

If you enable PIM for this group, you can better audit who enabled their permissions and improve your general posture.
Running Set-AipServiceSuperUserGroup overwrites the group previously assigned to the feature. If you already use the super user feature, check the current group with Get-AipServiceSuperUserGroup before replacing the existing configuration.

# Install the Azure Information Protection module.
Install-Module AIPService
# Import the module
Import-Module AIPService
# Connect to Azure Information Protection.
Connect-AipService
# Enable the Azure Information Protection super user feature since it's disabled by default.
Enable-AipServiceSuperUserFeature
# Check the activation status of the AIP super user feature
Get-AipServiceSuperUserFeature
# Add a group as a super user
Set-AipServiceSuperUserGroup -GroupEmailAddress "SUGroup@azvise.com"
# List the current super users group
Get-AipServiceSuperUserGroup
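Because membership of this feature should be reviewed regularly and the group cmdlet silently replaces the previous group, the following script (an added example, not code from the original post) audits the current super user configuration against an approved list and wraps the group change so it refuses to overwrite a different existing group without -Force. It assumes Connect-AipService has already succeeded, that Get-AipServiceSuperUser returns the configured addresses and Get-AipServiceSuperUserGroup returns the single group address (or nothing); the approved values are the placeholders from this post.

```powershell
# Added example (not from the original post). Assumes an active Connect-AipService session.
# Approved values are placeholders taken from this post; replace them with your own.
$ApprovedUsers = @('superuser@azvise.com')
$ApprovedGroup = 'SUGroup@azvise.com'

function Get-AipSuperUserDrift {
    param(
        [string[]]$ApprovedUsers,
        [string]$ApprovedGroup
    )
    # Assumed output shapes: a list of addresses for users, one address (or nothing) for the group.
    $feature  = Get-AipServiceSuperUserFeature
    $users    = @(Get-AipServiceSuperUser | ForEach-Object { "$_".ToLowerInvariant() })
    $group    = "$(Get-AipServiceSuperUserGroup)".ToLowerInvariant()
    $approved = @($ApprovedUsers | ForEach-Object { $_.ToLowerInvariant() })

    [pscustomobject]@{
        FeatureStatus   = $feature
        UnexpectedUsers = @($users | Where-Object { $_ -notin $approved })     # present but not approved
        MissingUsers    = @($approved | Where-Object { $_ -notin $users })     # approved but not present
        CurrentGroup    = $group
        GroupMismatch   = ($group -ne $ApprovedGroup.ToLowerInvariant())
    }
}

function Set-AipSuperUserGroupSafely {
    # Set-AipServiceSuperUserGroup replaces the existing group, so refuse to run when a
    # different group is already configured unless -Force is given.
    param(
        [Parameter(Mandatory)][string]$GroupEmailAddress,
        [switch]$Force
    )
    $current = "$(Get-AipServiceSuperUserGroup)"
    if ($current -and ($current -ne $GroupEmailAddress) -and -not $Force) {
        throw "Super user group is already '$current'; re-run with -Force to replace it with '$GroupEmailAddress'."
    }
    Set-AipServiceSuperUserGroup -GroupEmailAddress $GroupEmailAddress
}

# Run the audit and flag any deviation from the approved configuration.
$drift = Get-AipSuperUserDrift -ApprovedUsers $ApprovedUsers -ApprovedGroup $ApprovedGroup
$drift | Format-List
if ($drift.UnexpectedUsers.Count -gt 0 -or $drift.GroupMismatch) {
    Write-Warning 'Super user configuration differs from the approved list; review it before making changes.'
}
```

Schedule the audit part and log its output (for example to a SIEM) so additions to this role are caught between manual reviews.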

Remove users from the feature and deactivate it

If you wish to turn off the feature, note that any users and groups you have not removed will still be listed as members even while the feature is disabled. When you enable the feature again, they regain their super user permissions. To clean up, follow these steps:

# List the current super users
Get-AipServiceSuperUser
# List the current super users group
Get-AipServiceSuperUserGroup
# Clear the super user group
Clear-AipServiceSuperUserGroup
# Remove users from the feature
Remove-AipServiceSuperUser -EmailAddress "superuser@azvise.com"
# Disable the feature
Disable-AipServiceSuperUserFeature
# Check the activation status of the AIP super user feature
Get-AipServiceSuperUserFeature