Super users can read and inspect data that's protected by Azure RMS in case of an emergency or the need for recovery. However, the super users feature is not enabled by default. You can enable it and assign super users by utilizing PowerShell:
- Enable the super user feature:
Enable-AadrmSuperUserFeature
- Assign a super user (this could be an individual or a service account):
Add-AadrmSuperUser -EmailAddress "[email protected]"
Alternatively, you can use the following command:
Add-AadrmSuperUser -ServicePrincipalId "1A234567-89B0-1234-5678-9C012345D67"
Alternatively, set a group as super users:
Set-AadrmSuperUserGroup -GroupEmailAddress "[email protected]"
- You can have the feature enabled when it's needed and then use the following cmdlet to disable it when it's not needed:
Disable-AadrmSuperUserFeature...