When you apply Information Rights Management to a Word document, the permissions should travel with the file. But some users find that permissions disappear or reset when the file is saved to a specific folder or network location. This happens because IRM permissions are tied to the file’s location in the file system, and certain save paths break the permission link. This article explains why IRM fails on certain paths and how to keep permissions intact.
Key Takeaways: IRM Permission Loss on Save Paths
- File > Info > Protect Document > Restrict Access: The main IRM settings are applied here, but the permission token is stored in a local cache tied to the file path.
- Windows temporary folders and redirected folders: Saving to paths like %Temp% or network redirected folders can cause the permission token to be discarded on the next open.
- File > Save As > Browse > Tools > General Options > Password to modify: IRM permissions are separate from file-level passwords, but both can be lost when the file is moved to a path not recognized by the Rights Management Service.
Why IRM Permissions Depend on the Save Path
Information Rights Management in Word uses a permission token that is issued by the Azure Rights Management Service or an on-premises AD RMS server. This token is stored in a local cache on the user’s machine. The cache entry is keyed to the full file path of the document. When you open a protected document, Word checks the cache for a matching token using the file’s path. If the path changes or the cache entry is missing, Word requests a new token from the server.
The problem arises when the file is saved to a path that the Rights Management Service does not recognize as a valid location for that user. For example, saving to a network share that is mapped differently on different machines or saving to a temporary folder that is cleaned periodically can cause the token to be invalidated. The service sees a new path and treats the file as though it has no permissions, forcing the user to reapply them.
How the Permission Token Cache Works
The token cache is stored in the user’s AppData folder under Microsoft\DRM. Each entry contains the file path, the user’s identity, and the permission rights. When you save a file to a new path, Word creates a new cache entry for that path. But if the path is not a standard local drive or a trusted network location, the cache entry may not be created correctly. The next time the file is opened, Word cannot find a matching cache entry and prompts the user to authenticate again. At that point, the original permissions may be lost if the server requires the permissions to be reissued.
Steps to Prevent IRM Permission Loss on Specific Save Paths
Follow these steps to ensure IRM permissions are preserved regardless of the save path.
- Save the file to a local drive first
Before applying IRM, save the document to a local drive such as C:\Users\YourName\Documents. This establishes a baseline path that the Rights Management Service recognizes. Once permissions are applied, you can move or copy the file to another location.
- Apply IRM permissions while the file is on the local drive
Go to File > Info > Protect Document > Restrict Access. Choose the appropriate permission level. Word creates the token cache entry for the local path. Do not close the document yet.
- Use Save As to copy the file to the target path
Press F12 to open the Save As dialog. Navigate to the desired folder, such as a network share or a USB drive. Click Save. Word creates a second cache entry for the new path, copying the token from the original entry. The permissions remain intact.
- Clear the local DRM cache if permissions are lost
If permissions are still lost after moving the file, close Word. Open File Explorer and navigate to %LocalAppData%\Microsoft\DRM. Delete all files in this folder. Reopen the document. Word requests a new token from the server. You must have a valid IRM account to reapply permissions.
- Configure trusted network locations in Group Policy
For enterprise environments, administrators can define trusted network paths in Group Policy. Open the Group Policy Management Console. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Rights Management Services. Enable the policy “Specify the location of the Rights Management account certificate”. Add the network paths that should be trusted. This prevents the token cache from being invalidated on those paths.
If IRM Permissions Still Fail on Certain Paths
IRM permissions are lost when saving to a OneDrive or SharePoint folder
OneDrive and SharePoint use their own permission systems that can conflict with IRM. When a document is saved to a OneDrive folder that is synced to the local machine, the file path may change due to the sync process. To avoid this, apply IRM permissions after the file has been saved to the synced folder. Do not move the file after applying permissions. If the issue persists, use SharePoint’s built-in Information Protection policies instead of Word’s IRM.
IRM permissions are lost when saving to a USB drive or external drive
External drives are often assigned different drive letters on different machines. The token cache is keyed to the exact path, including the drive letter. When the drive letter changes, the cache entry does not match. The only reliable workaround is to save the file to a local drive, apply IRM, and then copy the file to the external drive. The user must open the file from the external drive on the same machine where permissions were applied. On a different machine, the permissions will not be recognized.
IRM permissions are lost when saving to a network share with a mapped drive
Mapped network drives use a letter like Z: but the actual path is \\Server\Share. If the mapping is not consistent across machines, the token cache entries will not match. Use the UNC path (\\Server\Share) when saving the file instead of the mapped drive letter. To do this, type the UNC path directly into the Save As address bar. This ensures the path is consistent across different machines in the same domain.
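The path categories discussed above (temporary folder, removable drive, mapped drive, UNC) can be checked before saving. The following PowerShell is an added example, not part of the original article; the function name Get-IrmSavePathAdvice, its category labels, and the sample paths are hypothetical, and it only classifies the path and resolves a mapped letter to its UNC form.

```powershell
# Added example. Get-IrmSavePathAdvice and its category labels are hypothetical names.
function Get-IrmSavePathAdvice {
    param([Parameter(Mandatory)][string]$Path)   # pass an absolute path

    $full = [System.IO.Path]::GetFullPath($Path)
    $category = 'Unknown'; $suggested = $null

    $temp = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\') + '\'

    if ($full.StartsWith('\\')) {
        # Already a UNC path: the same string on every machine in the domain.
        $category = 'Unc'; $suggested = $full
    }
    elseif ($full.StartsWith($temp, [System.StringComparison]::OrdinalIgnoreCase)) {
        # Temporary folders are cleaned periodically.
        $category = 'Temp'
    }
    else {
        $root = [System.IO.Path]::GetPathRoot($full)          # e.g. 'Z:\'
        $id   = $root.TrimEnd('\')                            # e.g. 'Z:'
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$id'"
        # Win32_LogicalDisk.DriveType: 2 = removable, 3 = local fixed disk, 4 = network drive.
        if ($disk -and $disk.DriveType -eq 4) {
            # ProviderName holds the \\Server\Share behind the mapped letter.
            $category  = 'MappedDrive'
            $suggested = $disk.ProviderName.TrimEnd('\') + '\' + $full.Substring($root.Length)
        }
        elseif ($disk -and $disk.DriveType -eq 2) {
            # Drive letter can differ on another machine. Some USB hard disks
            # report as type 3 and will show up as 'Local' here.
            $category = 'Removable'
        }
        elseif ($disk -and $disk.DriveType -eq 3) {
            $category = 'Local'; $suggested = $full
        }
    }

    [pscustomobject]@{ Path = $full; Category = $category; SuggestedPath = $suggested }
}

# Constructed sample paths; replace with real save targets.
'Z:\Contracts\nda.docx', "$env:TEMP\draft.docx", '\\Server\Share\nda.docx' |
    ForEach-Object { Get-IrmSavePathAdvice -Path $_ }
```

For a mapped drive, SuggestedPath is the string to type into the Save As address bar; a null SuggestedPath means the article's advice is to save to a local drive first.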
Word IRM vs SharePoint Information Protection: Token Storage Differences
| Item | Word IRM | SharePoint Information Protection |
|---|---|---|
| Token storage | Local DRM cache keyed to file path | Server-side metadata tied to the document library |
| Dependency on save path | High — token invalidated if path changes | Low — permissions follow the file in SharePoint |
| Works offline | Yes, after initial token download | No, requires server connection to verify |
| Supports external drives | Unreliable due to drive letter changes | Not applicable — files stay in SharePoint |
| Enterprise policy control | Group Policy for trusted paths | Centralized sensitivity labels |
Word IRM is designed for local file protection, but its token cache makes it sensitive to save path changes. SharePoint Information Protection uses server-side labels that do not depend on the file path. For files that need to be moved across multiple locations, consider using SharePoint or OneDrive with sensitivity labels instead of Word IRM. If you must use Word IRM, always save the file to a consistent local path first, then copy it to the target location. This preserves the token cache entry and prevents permission loss.