How to configure conditions for automatic and recommended classification for Azure Information Protection

Applies to: Azure Information Protection

Instructions for: Azure Information Protection client for Windows


To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.


These instructions apply to the Azure Information Protection client (classic) and not the Azure Information Protection unified labeling client. Not sure of the difference between these clients? See this FAQ.

If you are looking for information to configure automatic and recommended classification for the unified labeling client, see the Microsoft 365 Compliance documentation. For example, Apply a sensitivity label to content automatically.

When you configure conditions for a label, you can automatically assign a label to a document or email. Or, you can prompt users to select the label that you recommend.

When you configure these conditions, you can use predefined patterns, such as Credit Card Number or USA Social Security Number (SSN). Or, you can define a custom string or pattern as a condition for automatic classification. These conditions apply to the body text in documents and emails, and to headers and footers. For more information about the conditions, see step 5 in the following procedure.

For the best user experience and to ensure business continuity, we recommend that you start with user recommended classification, rather than automatic classification. This configuration lets your users accept the classification and any associated protection, or override these suggestions if they are not suitable for their document or email message.

An example prompt for when you configure a condition to apply a label as a recommended action, with a custom policy tip:

Azure Information Protection detection and recommendation

In this example, the user can click Change now to apply the recommended label, or override the recommendation by selecting Dismiss. If the user chooses to dismiss the recommendation and the condition still applies when the document is next opened, the label recommendation is displayed again.

If you configure automatic classification rather than recommended, the label is automatically applied and the user still sees a notification in Word, Excel, and PowerPoint. However, the Change now and Dismiss buttons are replaced with OK. In Outlook, there is no notification for automatic classification and the label is applied at the time the email is sent.


Do not configure a label for automatic classification and a user-defined permission. The user-defined permissions option is a protection setting that lets users specify who should be granted permissions.

When a label is configured for automatic classification and user-defined permissions, the content is checked for the conditions and the user-defined permission setting is not applied. You can use recommended classification and user-defined permissions.

  • Automatic classification applies to Word, Excel, and PowerPoint when you save documents, and applies to Outlook when you send emails.

    You cannot use automatic classification for documents and emails that were previously manually labeled, or previously automatically labeled with a higher classification.

  • Recommended classification applies to Word, Excel, and PowerPoint when you save documents. You cannot use recommended classification for Outlook unless you configure an advanced client setting that is currently in preview.

    You cannot use recommended classification for documents that were previously labeled with a higher classification.

You can change this behavior so that the Azure Information Protection client periodically checks documents for the condition rules that you specify. For example, this would be appropriate if you're using AutoSave with Office apps that are automatically saved in Microsoft SharePoint, OneDrive for work or school, or OneDrive for home. To support this scenario, you can configure an advanced client setting that is currently in preview. The setting turns on classification to run continuously in the background.

How multiple conditions are evaluated when they apply to more than one label

  1. The labels are ordered for evaluation, according to the position that you specify in the policy: The label positioned first has the lowest position (least sensitive) and the label positioned last has the highest position (most sensitive).

  2. The most sensitive label is applied.

  3. The last sublabel is applied.

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

  2. From the Classifications > Labels menu option: On the Azure Information Protection - Labels pane, select the label to configure.

  3. On the Label pane, in the Configure conditions for automatically applying this label section, click Add a new condition.

  4. On the Condition pane, select Information Types if you want to use a predefined condition, or Custom if you want to specify your own:

    • For Information Types: Select from the list of available conditions, and then select the minimum number of occurrences and whether the occurrence should have a unique value to be included in the occurrence count.

      The information types use the Office 365 data loss prevention (DLP) sensitive information types and pattern detection. You can choose from many common sensitive information types, some of which are specific for different regions. For more information, see What the sensitive information types look for from the Office 365 documentation.

      The list of information types that you can select from the Azure portal is periodically updated to include any new Office DLP additions. However, the list excludes any custom sensitive information types that you have defined and uploaded as a rule package to the Office 365 Security & Compliance Center.


      Some of the information types require a minimum version of the client. More information

      When Azure Information Protection evaluates the information types that you select, it does not use the Office DLP confidence level setting but matches according to the lowest confidence.

    • For Custom: Specify a name and phrase to match, which must exclude quotation marks and special characters. Then specify whether to match as a regular expression, use case sensitivity, and the minimum number of occurrences and whether the occurrence should have a unique value to be included in the occurrence count.

      The regular expressions use the Office 365 regex patterns. To help you specify regular expressions for your custom conditions, see the following specific version of Perl Regular Expression Syntax from Boost.

  5. Decide whether you need to change the Minimum number of occurrences and the Count occurrence with unique value only, and then select Save.

    Example of the occurrences options: You select the information type for the social security number, set the minimum number of occurrences as 2, and a document has the same social security number listed twice: If you set the Count occurrences with unique value only to On, the condition is not met. If you set this option to Off, the condition is met.

  6. Back on the Label pane, configure the following, and then click Save:

    • Choose automatic or recommended classification: For Select how this label is applied: automatically or recommended to user, select Automatic or Recommended.

    • Specify the text for the user prompt or policy tip: Keep the default text or specify your own string.

When you click Save, your changes are automatically available to users and services. There's no longer a separate publish option.
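The occurrence options from step 5 and the evaluation order described under "How multiple conditions are evaluated" can be modelled in a few lines. This is an added example, not code from this page or from the Azure Information Protection client; the `Condition`, `Label` and `pick_label` names, the SSN-like pattern, the sample policy and the sample document are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed, simplified SSN-like pattern for illustration only; it is not the
# Office 365 DLP definition, and Python's re is not the Boost Perl syntax.
SSN = r"\b\d{3}-\d{2}-\d{4}\b"

@dataclass
class Condition:
    pattern: str
    min_occurrences: int = 1
    unique_only: bool = False   # models "Count occurrences with unique value only"

    def is_met(self, text: str) -> bool:
        hits = re.findall(self.pattern, text)
        # With unique_only on, repeated values count once.
        count = len(set(hits)) if self.unique_only else len(hits)
        return count >= self.min_occurrences

@dataclass
class Label:
    name: str
    position: int               # order in the policy: higher = more sensitive
    condition: Condition

def pick_label(labels, text):
    """Name of the matching label with the highest position, or None."""
    matched = [lb for lb in labels if lb.condition.is_met(text)]
    return max(matched, key=lambda lb: lb.position).name if matched else None

# Constructed sample document: the same number appears twice.
SAMPLE_DOC = "Internal payroll note. SSN 123-45-6789 (primary), repeated: 123-45-6789."

# Hypothetical policy; sublabels are modelled as entries in the same ordering.
LABELS = [
    Label("General", 0, Condition(r"(?i)\binternal\b")),
    Label("Confidential", 1, Condition(SSN, min_occurrences=2)),
    Label("Highly Confidential", 2, Condition(SSN, min_occurrences=2, unique_only=True)),
]

if __name__ == "__main__":
    print(pick_label(LABELS, SAMPLE_DOC))
```

Running it against the sample document selects the middle label: the duplicate number satisfies the non-unique count of 2 but not the unique count, so the most sensitive label does not match.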

Sensitive information types that require a minimum version of the client

The following sensitive information types require a minimum version of 1.48.204.0 of the Azure Information Protection client:

  • Azure Service Bus Connection String
  • Azure IoT Connection String
  • Azure Storage Account
  • Azure IAAS Database Connection String and Azure SQL Connection String
  • Azure Redis Cache Connection String
  • Azure SAS
  • SQL Server Connection String
  • Azure DocumentDB Auth Key
  • Azure Publish Setting Password
  • Azure Storage Account Key (Generic)

For more information about these sensitive information types, see the following blog post: Azure Information Protection helps you to be more secure by automatically discovering credentials.

Additionally, beginning with version 1.48.204.0 of the Azure Information Protection client, the following sensitive information types are not supported and no longer display in the Azure portal. If you have labels that use these sensitive information types, we recommend that you remove them because we cannot ensure correct detection for them and any references to them in the scanner reports should be ignored:

  • EU Phone Number
  • EU GPS Coordinates

Next steps

Consider deploying the Azure Information Protection scanner, which can use your automatic classification rules to discover, classify, and protect files on network shares and on-premises file stores.

For more information about configuring your Azure Information Protection policy, use the links in the Configuring your organization's policy section.