Activating the protection service from Azure Information Protection

Applies to: Azure Information Protection, Office 365

Note

This configuration information is for administrators who are responsible for a service that applies to all users in an organization. If you are looking for user help and information to use the Rights Management functionality for a specific application or how to open a file or email that is rights-protected, use the help and guidance that accompanies your application.

For example, for Office applications, click the Help icon and enter search terms such as Rights Management or IRM. For the Azure Information Protection client for Windows, see the Azure Information Protection client user guide.

For technical support and other questions about the service, see the Support options and community resources information.

When the protection service for Azure Information Protection is activated for your organization, administrators and users can start to protect important data by using applications and services that support this information protection solution. Administrators can also manage and monitor protected documents and emails that your organization owns.

Do you need to activate the protection service, Azure Rights Management?

When you have a service plan that includes Azure Rights Management, you might not have to activate the service:

  • If your subscription that includes Azure Rights Management or Azure Information Protection was obtained towards the end of February 2018 or later: The service is automatically activated for you. You do not have to activate the service unless you or another global administrator for your organization deactivated Azure Rights Management.

  • If your subscription that includes Azure Rights Management or Azure Information Protection was obtained before or during February 2018: Microsoft is starting to activate the Azure Rights Management service for these subscriptions if your tenant is using Exchange Online. For these subscriptions, automatic activation is starting to roll out August 1, 2018 when the service will be activated for you unless you see AutomaticServiceUpdateEnabled is set to false when you run Get-IRMConfiguration.

If neither of the preceding scenarios applies to you, you must manually activate the protection service.

When the service is activated, all users in your organization can apply information protection to their documents and emails, and all users can open (consume) documents and emails that have been protected by the Azure Rights Management service. However, if you prefer, you can restrict who can apply information protection, by using onboarding controls for a phased deployment. For more information, see the Configuring onboarding controls for a phased deployment section in this article.

How to activate or confirm the status of the protection service

Important

Do not activate the protection service if you have Active Directory Rights Management Services (AD RMS) deployed for your organization. More information

To use this data protection solution, your organization must have a service plan that includes the Azure Rights Management service from Azure Information Protection. Without this, the protection service cannot be activated. You must have one of the following:

When the protection service is activated, all users in your organization can apply information protection to their documents and emails, and all users can open (consume) documents and emails that have been protected by this service. However, if you prefer, you can restrict who can apply information protection, by using onboarding controls for a phased deployment. For more information, see the Configuring onboarding controls for a phased deployment section in this article.

Choosing your activation method

For instructions on how to activate the protection service from your management portal, select whether to use the Microsoft 365 admin center or the Azure portal:

Alternatively, you can use the following PowerShell commands:

  1. Install the AIPService module, to configure and manage the protection service. For instructions, see Installing the AIPService PowerShell module.

  2. From a PowerShell session, run Connect-AipService, and when prompted, provide the Global Administrator account details for your Azure Information Protection tenant.

  3. Run Get-AipService to confirm whether the protection service is activated. A status of Enabled confirms activation; Disabled indicates that the service is deactivated.

  4. To activate the service, run Enable-AipService.
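
The four steps above, combined into one idempotent check, as an added example that is not part of the original article. The function name Confirm-ProtectionServiceActive is hypothetical; the AIPService cmdlets are the ones named in the steps, plus Disconnect-AipService from the same module.

```powershell
# Added example, not part of the original article.
# Confirm-ProtectionServiceActive is a hypothetical helper name.
function Confirm-ProtectionServiceActive {
    # ConfirmImpact 'High' forces a prompt before activation, which leaves room
    # to stop if AD RMS is deployed for the organization.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    # Step 1: the AIPService module must be installed before its cmdlets exist.
    if (-not (Get-Module -ListAvailable -Name AIPService)) {
        throw 'AIPService module not found. Install it, then run this again.'
    }
    Import-Module AIPService -ErrorAction Stop

    # Step 2: sign in; prompts for the Global Administrator account.
    Connect-AipService | Out-Null
    try {
        # Step 3: read the current status (Enabled or Disabled).
        $before = [string](Get-AipService)

        # Step 4: activate only when the service is not already enabled.
        if ($before -ne 'Enabled' -and
            $PSCmdlet.ShouldProcess('Azure Rights Management service', 'Enable-AipService')) {
            Enable-AipService | Out-Null
        }

        # Read the status again so the result reflects what the service reports.
        $after = [string](Get-AipService)
        [pscustomobject]@{
            StatusBefore = $before
            StatusAfter  = $after
            Changed      = ($before -ne $after)
        }
    }
    finally {
        # Close the session even if a step above fails.
        Disconnect-AipService | Out-Null
    }
}

# Dry run: reports the current status without activating anything.
Confirm-ProtectionServiceActive -WhatIf
```

Run it without -WhatIf to be prompted before Enable-AipService is called.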

Configuring onboarding controls for a phased deployment

If you don’t want all users to be able to protect documents and emails immediately by using Azure Information Protection, you can configure user onboarding controls by using the Set-AipServiceOnboardingControlPolicy PowerShell command. You can run this command before or after you activate the Azure Rights Management service.

For example, if you initially want only administrators in the “IT department” group (that has an object ID of fbb99ded-32a0-45f1-b038-38b519009503) to be able to protect content for testing purposes, use the following command:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "fbb99ded-32a0-45f1-b038-38b519009503"

Note that for this configuration option, you must specify a group; you cannot specify individual users. To obtain the object ID for the group, you can use Azure AD PowerShell; for example, for version 1.0 of the module, use the Get-MsolGroup command. Or, you can copy the Object ID value of the group from the Azure portal.

Alternatively, if you want to ensure that only users who are correctly licensed to use Azure Information Protection can protect content:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $True

When you no longer need to use onboarding controls, whether you used the group or licensing option, run:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False

For more information about this cmdlet and additional examples, see the Set-AipServiceOnboardingControlPolicy help.

When you use these onboarding controls, all users in the organization can always consume protected content that has been protected by your subset of users, but they won’t be able to apply information protection themselves from client applications. For example, they won’t see in their Office apps the default protection templates that are automatically published when the protection service is activated, or custom templates that you might configure. Server-side applications, such as Exchange, can implement their own per-user controls to achieve the same result. For example, to prevent users from protecting emails in Outlook on the web, use Set-OwaMailboxPolicy to set the IRMEnabled parameter to $false.
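
One way to apply the group-based onboarding control and confirm that it took effect, as an added example that is not part of the original article. The function name Set-PilotOnboardingGroup is hypothetical, the session is assumed to be connected with Connect-AipService already, and the property names read back from Get-AipServiceOnboardingControlPolicy are assumed to match the Set- parameters.

```powershell
# Added example, not part of the original article.
# Assumes Connect-AipService has already been run in this session.
# Set-PilotOnboardingGroup is a hypothetical helper name.
function Set-PilotOnboardingGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Object ID of the pilot security group. The [guid] type rejects
        # display names and malformed IDs; groups only, not individual users.
        [Parameter(Mandatory)]
        [guid]$SecurityGroupObjectId
    )

    # Record the existing policy so the change can be reviewed or reverted.
    $previous = Get-AipServiceOnboardingControlPolicy

    if ($PSCmdlet.ShouldProcess("group $SecurityGroupObjectId",
            'Restrict who can apply protection')) {
        Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False `
            -SecurityGroupObjectId $SecurityGroupObjectId
    }

    # Read the policy back instead of trusting that the call succeeded.
    $current = Get-AipServiceOnboardingControlPolicy

    # Assumption: the returned object exposes SecurityGroupObjectId and
    # UseRmsUserLicense under the same names as the Set- parameters.
    $applied = ([string]$current.SecurityGroupObjectId -eq
                $SecurityGroupObjectId.ToString()) -and
               (-not $current.UseRmsUserLicense)

    [pscustomobject]@{
        Previous = $previous
        Current  = $current
        Applied  = $applied
    }
}

# Dry run with the group object ID used in the article's example:
Set-PilotOnboardingGroup -SecurityGroupObjectId 'fbb99ded-32a0-45f1-b038-38b519009503' -WhatIf
```

With -WhatIf the policy is left unchanged, so Applied reflects the policy that is already in place.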

Next steps

When the protection service is activated for your organization, use the Azure Information Protection deployment roadmap to check whether there are other configuration steps that you might need to do before you roll out Azure Information Protection to users and administrators.

For example, you might want to use templates to make it easier for users to apply protection to files, connect your on-premises servers to use the protection service by installing the Rights Management connector, and deploy the Azure Information Protection client that supports protecting all file types on all devices.

Office services, such as Exchange Online and Microsoft SharePoint, require additional configuration before you can use their Information Rights Management (IRM) features. For information about how your applications work with the protection service, Azure Rights Management, see How applications support the Azure Rights Management service.