Configuring Exchange Online mail flow rules for Azure Information Protection labels

Applies to: Azure Information Protection, Office 365

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Use the following information to help you configure mail flow rules in Exchange Online to use Azure Information Protection labels, and to apply additional protection for specific scenarios. For example:

  • Your default label is General, which does not apply protection. For emails with this label that are sent externally, apply the additional Do Not Forward protection action.

  • If an attachment with a Confidential \ Partners label is emailed to people outside the organization and the email is not protected, apply the additional Encrypt-Only protection action.

Mail flow rules that apply protection as an action are ignored if the email is already protected. For example, an email message that has been protected by Do Not Forward cannot be changed by an Exchange mail flow rule to use the Encrypt-Only option.

You can extend these examples as well as modify them. For example, add more conditions. For more information about configuring mail flow rules, see Mail flow rules (transport rules) in Exchange Online from the Exchange Online documentation.

For more information about configuring mail flow rules to encrypt email messages, see Define mail flow rules to encrypt email messages in Office 365 from the Office documentation.

Prerequisite: Know your label GUID

Because an Azure Information Protection label is stored in metadata, mail flow rules in Exchange Online can read this information for messages and Office document attachments. Mail flow rules do not support inspecting the metadata for PDF documents.

Before you configure mail flow rules to identify messages and documents that are labeled, make sure that you know the GUID of the Azure Information Protection label that you want to use.

For more information about the metadata stored by a label and how to identify label GUIDs, see Label information stored in emails and documents.

Example configurations

For the following examples, create a new mail flow rule by using the following steps:

  1. In a web browser, using a work or school account that has been granted global administrator permissions, sign in to Office 365.

  2. Choose the Admin tile.

  3. In the Microsoft 365 admin center, choose Admin centers > Exchange.

  4. In the Exchange admin center: mail flow > rules > + > Create a new rule.

Tip

If you have problems with the user interface when you configure your rules, try a different browser, such as Internet Explorer.

The examples have a single condition that applies protection when an email is sent outside the organization. For more information about other conditions that you can select, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.

Example 1: Rule that applies the Do Not Forward option to emails that are labeled General when they are sent outside the organization

In this example, the General label has a GUID of 0e421e6d-ea17-4fdb-8f01-93a3e71333b8. Substitute your own label or sublabel GUID that you want to use with this rule.

In the Azure Information Protection policy, this label has been configured as the default label to classify emails as General and the label does not apply protection.

  1. In Name, type a name for the rule, such as Apply Do Not Forward for General emails sent externally.

  2. For Apply this rule if: Select The recipient is located, select Outside the organization, and then select OK.

  3. Select More options, and then select add condition.

  4. For and: Select A message header, and then select includes any of these words:

    a. Select Enter text, and enter msip_labels.

    b. Select Enter words, and enter MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Enabled=True

    c. Select +, and then select OK.

  5. For Do the following: Select Modify the message security > Apply Office 365 Message Encryption and rights protection > Do Not Forward, and then select OK.

    Your rule configuration should now look similar to the following:

    [Image: Exchange Online mail flow rule configured for an Azure Information Protection label - example 1]

  6. Select Save.

For more information about the Do Not Forward option, see Do Not Forward option for emails.
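To confirm the label GUID from a saved message and check whether that message meets both conditions of the Example 1 rule before you enable it, you can parse the msip_labels header offline. This is an added example, not part of the original documentation; the sample message, the contoso.example and partner.example domains, the _Name pair and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample. Only the msip_labels header name and the
# MSIP_Label_<GUID>_Enabled=True pair come from the page; the _Name pair
# is an assumption about the rest of the header.
SAMPLE_EML = """\
From: alice@contoso.example
To: bob@contoso.example, carol@partner.example
Subject: Q3 figures
msip_labels: MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Enabled=True;
 MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Name=General

Body text.
"""
SAMPLE = message_from_string(SAMPLE_EML)

# One "MSIP_Label_<GUID>_<key>=<value>" pair; pairs are ';'-separated.
PAIR = re.compile(r"MSIP_Label_([0-9a-fA-F-]{36})_(\w+)=([^;]*)")

def parse_labels(msg):
    """Return {guid: {key: value}} collected from every msip_labels header."""
    labels = {}
    for raw in msg.get_all("msip_labels", []):
        for guid, key, value in PAIR.findall(raw):
            labels.setdefault(guid.lower(), {})[key] = value.strip()
    return labels

def enabled_guids(msg):
    """GUIDs whose _Enabled pair is True, i.e. what the rule's words match."""
    return sorted(g for g, kv in parse_labels(msg).items()
                  if kv.get("Enabled", "").lower() == "true")

def external_recipients(msg, accepted_domains):
    """To/Cc addresses outside the given domains. Exchange evaluates the
    real recipient list; reading To/Cc is an offline approximation."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a for _, a in addrs
            if a.rsplit("@", 1)[-1].lower() not in accepted_domains]

def example1_matches(msg, label_guid, accepted_domains):
    """True when both conditions hold: an external recipient AND the label
    GUID marked Enabled=True in msip_labels."""
    return (bool(external_recipients(msg, accepted_domains))
            and label_guid.lower() in enabled_guids(msg))
```
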

Example 2: Rule that applies the Encrypt-Only option to emails when they have attachments that are labeled Confidential \ Partners and these emails are sent outside the organization

In this example, the Confidential \ Partners sublabel has a GUID of 0e421e6d-ea17-4fdb-8f01-93a3e71333b8. Substitute your own label or sublabel GUID that you want to use with this rule.

This label is used to classify and protect documents that you use for partner collaboration.

  1. In Name, type a name for the rule, such as Apply Encrypt to emails sent externally if protected attachments.

  2. For Apply this rule if: Select The recipient is located, select Outside the organization, and then select OK.

  3. Select More options, and then select add condition.

  4. For and: Select Any attachment, and then select has these properties, including any of these words:

    a. Select + > Specify a custom attachment property.

    b. For Property, enter MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Enabled.

    c. For Value, enter True

    d. Select Save, and then select OK.

  5. For Do the following: Select Modify the message security > Apply Office 365 Message Encryption and rights protection > Encrypt, and then select OK.

    Your rule configuration should now look similar to the following:

    [Image: Exchange Online mail flow rule configured for an Azure Information Protection label - example 2]

  6. Select Save.

For more information about the Encrypt option, see Encrypt-Only option for emails.

Next steps

For information about creating and configuring the labels to use with Exchange Online mail flow rules, see Configuring Azure Information Protection policy.

In addition, to help classify email messages that contain attachments, consider using the following Azure Information Protection policy setting: For email messages with attachments, apply a label that matches the highest classification of those attachments.