Comparing Azure Information Protection and AD RMS

Applies to: Active Directory Rights Management Services, Azure Information Protection, Office 365

If you know or have previously deployed Active Directory Rights Management Services (AD RMS), you might be wondering how Azure Information Protection compares with it, in functionality and in requirements, as an information protection solution.

Some of the main differences for Azure Information Protection:

  • No server infrastructure required: Azure Information Protection doesn't require the additional servers and PKI certificates that AD RMS needs, because Microsoft Azure takes care of those for you. That makes this cloud solution quicker to deploy and easier to maintain.

  • Cloud-based authentication: Azure Information Protection uses Azure AD for authentication, for both internal users and users from other organizations. That means your users can be authenticated even when they are not connected to your internal network, and it is easier to share protected content with users from other organizations. Many organizations already have user accounts in Azure AD because they run Azure services or have Office 365. If not, RMS for individuals lets users create a free account, or a Microsoft account can be used with applications that support that form of authentication for Azure Information Protection. In comparison, to share AD RMS-protected content with another organization, you must configure an explicit trust with each organization.

  • Built-in support for mobile devices: No deployment changes are needed for Azure Information Protection to support mobile devices and Mac computers. To support these devices with AD RMS, you must install the mobile device extension, configure AD FS for federation, and create additional records in your public DNS service.

  • Default templates: Azure Information Protection automatically creates default templates that restrict access to the content to your own organization. These templates make it easy to start protecting sensitive data immediately. There are no default templates for AD RMS.

  • Departmental templates: Also known as scoped templates. Azure Information Protection supports departmental templates for the additional templates that you create. This configuration lets you specify which subset of users sees a given template in their client applications. Limiting the number of templates that users see makes it easier for them to select the correct policy that you define for different groups of users. AD RMS doesn't support departmental templates.

  • Document tracking and revocation: Azure Information Protection supports these features with the Azure Information Protection client (classic), whereas AD RMS does not.

  • Classification and labeling: Azure Information Protection supports labels that apply classification and, optionally, protection. These capabilities are provided by the Azure Information Protection client (classic) and the Azure Information Protection unified labeling client. Using these clients, classification and labeling can be integrated with Office applications, File Explorer, PowerShell, and a scanner for on-premises data stores. AD RMS does not support these classification and labeling capabilities.

In addition, because Azure Information Protection is a cloud service, it can deliver new features and fixes more quickly than an on-premises server-based solution. There are no new features planned for AD RMS in Windows Server.

For other differences, use the following table for a side-by-side comparison. If you have security-specific comparison questions, see the Cryptographic controls for signing and encryption section in this article.

| Azure Information Protection | AD RMS |
| --- | --- |
| Supports information rights management (IRM) capabilities in both Microsoft Online services and on-premises Microsoft server products. | Supports information rights management (IRM) capabilities for on-premises Microsoft server products, and Exchange Online. |
| Automatically enables secure collaboration on documents with any organization that also uses Azure AD for authentication. | Secure collaboration on documents outside the organization requires authentication trusts to be explicitly defined in a direct point-to-point relationship between the two organizations. You must configure either trusted user domains (TUDs) or federated trusts that you create by using Active Directory Federation Services (AD FS). |
| Can send a protected email (optionally, with Office document attachments that are automatically protected) to users when no authentication trust relationship exists. This is made possible by federation with social identity providers, or by a one-time passcode with viewing in a web browser. | Does not support sending protected email when no authentication trust relationship exists. |
| Supports the Azure Information Protection client (classic) and the Azure Information Protection unified labeling client for both protection and consumption activities. | Supports the Azure Information Protection client (classic) for protection and consumption activities. Supports the Azure Information Protection unified labeling client for consumption only, and you must install the Active Directory Rights Management Services Mobile Device Extension. |
| Supports multi-factor authentication (MFA) for computers and mobile devices. For more information, see Multi-factor authentication (MFA) and Azure Information Protection. | Supports smart card authentication if IIS is configured to request certificates. |
| Supports Cryptographic Mode 2 by default, which provides the recommended level of security for key lengths and encryption algorithms. | Supports Cryptographic Mode 1 by default and requires additional configuration to support Cryptographic Mode 2 for the recommended level of security. For more information, see AD RMS Cryptographic Modes. |
| Requires an Azure Information Protection license, or an Azure Rights Management license with Office 365, to protect content. No license is required to consume content that has been protected by Azure Information Protection (this includes users from another organization). For more information about licensing, including the differences between a P1 and P2 license, see the feature list on the Azure Information Protection site. | Requires an RMS license both to protect content and to consume content that has been protected by AD RMS. For general licensing information, see Client Access Licenses and Management Licenses, but contact your Microsoft partner or Microsoft representative for specific information. |

Cryptographic controls for signing and encryption

By default, Azure Information Protection uses RSA 2048 for all public key cryptography and SHA-256 for signing operations. In comparison, AD RMS supports RSA 1024 and RSA 2048, and SHA-1 or SHA-256 for signing operations: Cryptographic Mode 1, the AD RMS default, uses RSA 1024 and SHA-1, and Cryptographic Mode 2 uses RSA 2048 and SHA-256.

Both Azure Information Protection and AD RMS use AES 128 for symmetric encryption. The difference that matters for an existing AD RMS deployment is therefore on the asymmetric and signing side: RSA 1024 and SHA-1 are disallowed for digital signature generation under NIST SP 800-131A, so an AD RMS cluster still running Cryptographic Mode 1 should be upgraded to Mode 2 rather than left at its default.

Azure Information Protection is FIPS 140-2 compliant when your tenant key size is 2048 bits, which is the default when the Azure Rights Management service is activated.

For more information about the cryptographic controls, see Cryptographic controls used by Azure RMS: Algorithms and key lengths.
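As an added example, not Microsoft's code and not part of this page, the Python script below reads an X.509 certificate (DER or PEM) and reports the two parameters the text uses to separate Cryptographic Mode 1 from Mode 2: the RSA modulus length and the hash named in the signature algorithm. It uses only the standard library, with a minimal DER reader rather than a full X.509 parser, and the OIDs are the standard PKCS #1 identifiers for rsaEncryption, sha1WithRSAEncryption and sha256WithRSAEncryption. The RMS licensor and account certificates themselves are XrML rather than X.509, so this check applies to the X.509 certificates around a deployment (for example the cluster's TLS certificate or AD FS token-signing certificates), using the same RSA 2048 / SHA-256 floor. The sample certificates it builds when run without arguments are constructed, unsigned skeletons whose moduli merely have the requested size; they are not real keys.

```python
"""Added example (not Microsoft's code): read an X.509 certificate and compare its
RSA modulus length and signature hash with the RSA 2048 / SHA-256 floor that
Azure RMS and AD RMS Cryptographic Mode 2 use. Standard library only."""
import base64
import sys

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"                      # PKCS #1 rsaEncryption
SIGNATURE_HASH = {"1.2.840.113549.1.1.5": "SHA-1",           # sha1WithRSAEncryption
                  "1.2.840.113549.1.1.11": "SHA-256"}        # sha256WithRSAEncryption

def _read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Content of a constructed element -> list of (tag, content)."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out

def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def load_certificate(data):
    """Accept DER bytes or PEM text/bytes; return DER bytes."""
    data = data.encode() if isinstance(data, str) else data
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(l for l in data.splitlines() if b"-----" not in l))
    return data

def inspect_certificate(cert_der):
    """Return modulus bits, signature hash, and whether the Mode 2 floor is met."""
    _, cert, _ = _read_tlv(cert_der, 0)
    tbs, sig_alg = _children(cert)[:2]       # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                 # optional explicit [0] version
        fields = fields[1:]
    alg_id, key_bits = _children(fields[5][1])   # serial, sigAlg, issuer, validity, subject, SPKI
    key_oid = _decode_oid(_children(alg_id[1])[0][1])
    if key_oid != RSA_ENCRYPTION:
        raise ValueError("not an RSA key: " + key_oid)
    rsa_pub = _children(key_bits[1][1:])[0][1]   # [1:] skips the BIT STRING unused-bits byte
    bits = int.from_bytes(_children(rsa_pub)[0][1], "big").bit_length()
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    sig_hash = SIGNATURE_HASH.get(sig_oid, sig_oid)
    return {"modulus_bits": bits, "signature_hash": sig_hash,
            "meets_mode_2_floor": bits >= 2048 and sig_hash == "SHA-256"}

# --- Constructed sample input: a toy DER encoder; no real key, no real signature ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def _der_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytes([40 * p[0] + p[1]])
    for v in p[2:]:
        enc, v = [v & 0x7F], v >> 7
        while v:
            enc.append(0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(reversed(enc))
    return _der(0x06, body)

def build_sample_certificate(modulus_bits, sig_oid):
    """Unsigned certificate skeleton whose modulus merely has the requested size."""
    n = (1 << (modulus_bits - 1)) | 1        # placeholder, NOT an RSA modulus
    rsa_pub = _der(0x30, _der_int(n) + _der_int(65537))
    spki = _der(0x30, _der(0x30, _der_oid(RSA_ENCRYPTION) + b"\x05\x00")
                + _der(0x03, b"\x00" + rsa_pub))
    alg = _der(0x30, _der_oid(sig_oid) + b"\x05\x00")
    name = _der(0x30, b"")                   # empty Name placeholder
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))   # placeholder signature

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. python check_cert.py cluster-tls.cer
        print(inspect_certificate(load_certificate(open(sys.argv[1], "rb").read())))
    else:
        for bits, oid in ((1024, "1.2.840.113549.1.1.5"), (2048, "1.2.840.113549.1.1.11")):
            print(bits, inspect_certificate(build_sample_certificate(bits, oid)))
```

Run it with a certificate path to inspect a real file; without arguments it inspects the two constructed samples, one at the Mode 1 values (RSA 1024, SHA-1) and one at the Mode 2 values (RSA 2048, SHA-256). Note that the floor check requires both parameters: a 2048-bit key signed with SHA-1 still fails it, which is the case a partial upgrade tends to leave behind.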

Next steps

For more detailed requirements for using Azure Information Protection, such as device support and minimum versions, see Requirements for Azure Information Protection.

If you are looking to migrate from AD RMS to Azure Information Protection, see Migrating from AD RMS to Azure Information Protection.

Get started with the Active Directory Rights Management Services Mobile Device Extension.

You might be interested in the following FAQs: