如何将 Azure 信息保护标签迁移到统一敏感度标签How to migrate Azure Information Protection labels to unified sensitivity labels

适用于: Azure 信息保护Office 365Applies to: Azure Information Protection, Office 365

说明: 适用于 Windows 的 Azure 信息保护客户端Instructions for: Azure Information Protection client for Windows

备注

为了提供统一、简化的客户体验,Azure 门户中的 Azure 信息保护客户端(经典) 和标签管理 将于 2021 年 3 月 31 日 弃用 。To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. 在此时间框架内,所有 Azure 信息保护客户都可以使用 Microsoft 信息保护统一标记平台转换到我们的统一标记解决方案。This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. 有关详细信息,请参阅官方弃用通知Learn more in the official deprecation notice.

将 Azure 信息保护标签迁移到统一的标签平台,以便可以将它们用作 支持统一标签的客户端和服务的敏感度标签。Migrate Azure Information Protection labels to the unified labeling platform so that you can use them as sensitivity labels by clients and services that support unified labeling.

备注

如果你的 Azure 信息保护订阅非常新,则可能无需迁移标签,因为你的租户已在统一标签平台上。If your Azure Information Protection subscription is fairly new, you might not need to migrate labels because your tenant is already on the unified labeling platform. 有关详细信息,请参阅 如何确定我的租户是否在统一标签平台上?For more information, see How can I determine if my tenant is on the unified labeling platform?

迁移标签后,你将看不到 Azure 信息保护客户端 (经典) 的任何差异,因为此客户端将继续从 Azure 门户中的 Azure 信息保护策略下载标签。After you migrate your labels, you won't see any difference with the Azure Information Protection client (classic) because this client continues to download the labels with the Azure Information Protection policy from the Azure portal. 但是,你现在可以将标签用于 Azure 信息保护的统一标签客户端和其他使用敏感度标签的客户端和服务。However, you can now use the labels with the Azure Information Protection unified labeling client and other clients and services that use sensitivity labels.

在阅读迁移标签说明之前,你可能会发现以下常见问题很有用:Before you read the instructions to migrate your labels, you might find the following frequently asked questions useful:

支持统一标签平台的管理角色Administrative roles that support the unified labeling platform

如果你在组织中使用管理员角色来委派管理,则可能需要对统一标签平台进行一些更改:If you use admin roles for delegated administration in your organization, you might need to do some changes for the unified labeling platform:

统一的标签平台不支持Azure 信息保护管理员 ) ( Azure AD 角色The Azure AD role of Azure Information Protection administrator (formerly Information Protection administrator) is not supported by the unified labeling platform. 如果在组织中使用此管理角色来管理 Azure 信息保护,请将具有此角色的用户添加到 符合性管理员符合性数据管理员安全管理员的 Azure AD 角色。If this administrative role is used in your organization to manage Azure Information Protection, add the users who have this role to the Azure AD roles of Compliance administrator, Compliance data administrator, or Security administrator. 如果需要有关此步骤的帮助,请参阅向用户授予对 Office 365 安全与合规中心的访问权限If you need help with this step, see Give users access to the Office 365 Security & Compliance Center. 另外,还可以在 Azure AD 门户、Microsoft 365 安全中心和 Microsoft 365 合规中心分配这些角色。You can also assign these roles in the Azure AD portal, the Microsoft 365 security center, and the Microsoft 365 compliance center.

或者,若要使用角色,可以在管理中心为这些用户创建新角色组,然后向该组中添加“敏感度标签管理员”**** 或“组织配置”**** 角色。Alternatively to using roles, in the admin centers, you can create a new role group for these users and add either Sensitivity Label Administrator or Organization Configuration roles to this group.

如果未使用其中一个配置向这些用户授予对管理中心的访问权限,则在迁移标签后将无法在 Azure 门户中配置 Azure 信息保护。If you do not give these users access to the admin centers by using one of these configurations, they won't be able to configure Azure Information Protection in the Azure portal after your labels are migrated.

迁移标签后,租户的全局管理员可以继续管理 Azure 门户和管理中心中的标签和策略。Global administrators for your tenant can continue to manage labels and policies in both the Azure portal and the admin centers after your labels are migrated.

在开始之前Before you begin

标签迁移具有很多优点,但不可逆。Label migration has many benefits, but is irreversible. 在迁移之前,请确保你已了解以下更改和注意事项:Before you migrate, make sure that you are aware of the following changes and considerations:

统一标签的客户端支持Client support for unified labeling

请确保你的 客户端支持统一标签 ,并且如有必要,请在不支持统一标签的客户端的 Azure 门户 (中做好管理准备,) 和管理中心 (支持统一) 标签的客户端。Make sure that you have clients that support unified labels and if necessary, be prepared for administration in both the Azure portal (for clients that don't support unified labels) and the admin centers (for client that do support unified labels).

策略配置Policy configuration

不会迁移策略,包括策略设置和谁有权访问策略(作用域内策略)以及所有高级客户端设置。Policies, including policy settings and who has access to them (scoped policies), and all advanced client settings are not migrated. 在标签迁移后配置这些设置的选项包括:Your options to configure these settings after your label migration include the following:

重要

管理中心并不支持已迁移标签中的所有设置。Not all settings from a migrated label are supported by the admin centers. 使用管理中心不支持的标签设置部分中的表,来帮助识别这些设置和建议的操作过程。Use the table in the Label settings that are not supported in the admin centers section to help you identify these settings and the recommended course of action.

保护模板Protection templates

  • 使用基于云的密钥和为标签配置的一部分模板也随标签一同迁移。Templates that use a cloud-based key and that are part of a label configuration are also migrated with the label. 不迁移其他保护模板。Other protection templates are not migrated.

  • 如果你的标签已针对预定义的模板进行了配置,请编辑这些标签,并选择“设置权限”选项,配置模板中具有的相同保护设置****。If you have labels that are configured for a predefined template, edit these labels and select the Set permissions option to configure the same protection settings that you had in your template. 具有预定义模板的标签不会阻止标签迁移,但管理中心不支持此标签配置。Labels with predefined templates will not block label migration but this label configuration is not supported in the admin centers.

    提示

    为了帮助您重新配置这些标签,您可能会发现有两个浏览器窗口是非常有用的:一个窗口,您可以在其中选择标签的 " 编辑模板 " 按钮以查看保护设置,另一个窗口用于在选择 " 设置权限" 时配置相同的设置。To help you reconfigure these labels, you might find it useful to have two browser windows: One window in which you select the Edit Template button for the label to view the protection settings, and the other window to configure the same settings when you select Set permissions.

  • 迁移了包含基于云的保护设置的标签后,保护模板的结果范围是 Azure 门户 (中定义的作用域,或者通过使用 AIPService PowerShell 模块) 和在管理中心定义的作用域。After a label with cloud-based protection settings has been migrated, the resulting scope of the protection template is the scoped that is defined in the Azure portal (or by using the AIPService PowerShell module) and the scope that is defined in the admin centers.

显示名称Display names

对于每个标签,Azure 门户仅显示可编辑的标签显示名称。For each label, the Azure portal displays only the label display name, which you can edit. 用户将在其应用中看到此标签名称。Users see this label name in their apps.

管理中心显示标签的显示名称和标签名称。The admin centers show both this display name for a label, and the label name. 标签名称是首次创建标签时指定的初始名称,后端服务使用此属性进行标识。The label name is the initial name that you specify when the label is first created and this property is used by the back-end service for identification purposes. 迁移标签时,显示名称将保持不变,并且标签名称将重命名为 Azure 门户中的标签 ID。When you migrate your labels, the display name remains the same and the label name is renamed to the label ID from the Azure portal.

冲突的显示名称Conflicting display names

在迁移之前,请确保在迁移完成后不会有冲突的显示名称。Before migrating, ensure that you would not have conflicting display names after migration is complete. 标签层次结构中同一位置的显示名称必须是唯一的。Display names in the same place in the labeling hierarchy must be unique.

例如,请考虑以下标签列表:For example, consider the following list of labels:

  • 公共Public
  • 常规General
  • 机密Confidential
    • Confidential\HRConfidential\HR
    • Confidential\FinanceConfidential\Finance
  • 机密Secret
    • Secret\HRSecret\HR
    • Secret\FinanceSecret\Finance

在此列表中," 公用"、 "常规"、" 机密" 和 " 机密 " 均为父标签,并且不能有重复的名称。In this list, Public, General, Confidential, and Secret are all parent labels, and cannot have duplicate names. 此外, Confidential\HRConfidential\Finance 位于层次结构中的同一位置,也不能有重复的名称。Additionally, Confidential\HR and Confidential\Finance are at the same place in the hierarchy, and also cannot have duplicate names.

但是,不同父级之间的子标签(例如 Confidential\HRSecret\HR )不在层次结构中的同一位置,因此可以具有相同的单个名称。However, sub-labels across different parents, such as Confidential\HR and Secret\HR are not at the same place in the hierarchy, and therefore can have the same individual names.

标签中的本地化字符串Localized strings in labels

不迁移标签的任何本地化字符串。Any localized strings for the labels are not migrated. 使用 Office 365 Security & 相容性 PowerShell 为已迁移标签定义新的本地化字符串,并为集标签定义LocaleSettings参数。Define new localized strings for the migrated labels by using Office 365 Security & Compliance PowerShell and the LocaleSettings parameter for Set-Label.

编辑管理中心中的已迁移标签Editing migrated labels in the admin centers

迁移之后,当你在 Azure 门户中编辑已迁移的标签时,相同的更改将会自动反映在管理中心。After the migration, when you edit a migrated label in the Azure portal, the same change is automatically reflected in the admin centers.

但是,当你在某个管理中心内编辑已迁移的标签时,必须返回到 "Azure 门户, Azure 信息保护-统一标签 " 窗格,然后选择 " 发布"。However, when you edit a migrated label in one of the admin centers, you must return to the Azure portal, Azure Information Protection - Unified labeling pane, and select Publish.

Azure 信息保护客户端需要执行此附加操作 (经典) 来选取标签更改。This additional action is needed for the Azure Information Protection clients (classic) to pick up the label changes.

管理中心不支持的标签设置Label settings that are not supported in the admin centers

使用下表来确定已迁移的标签的哪些配置设置不受 Office 365 安全与合规中心、Microsoft 365 安全中心或 Microsoft 合规中心的支持。Use the following table to identify which configuration settings of a migrated label are not supported by the Office 365 Security & Compliance Center, the Microsoft 365 security center, or the Microsoft compliance center. 如果你具有这些设置的标签,则迁移完成后,请先使用最终列中的管理指南,然后再将你的标签发布到一个被引用管理中心。If you have labels with these settings, when the migration is complete, use the administration guidance in the final column before you publish your labels in one of the referenced admin centers.

如果不确定如何配置标签,请在 Azure 门户中查看其设置。If you are not sure how your labels are configured, view their settings in the Azure portal. 如果需要有关此步骤的帮助,请参阅配置 Azure 信息保护策略If you need help with this step, see Configuring the Azure Information Protection policy.

Azure 信息保护客户端 (经典) 可以使用列出的所有标签设置而不会出现任何问题,因为它们会继续从 Azure 门户下载标签。Azure Information Protection clients (classic) can use all label settings listed without any problems because they continue to download the labels from the Azure portal.

标签配置Label configuration 受统一标记客户端的支持Supported by unified labeling clients 管理中心指南Guidance for the admin centers
启用或禁用状态Status of enabled or disabled

此状态不同步到管理中心This status is not synchronized to the admin centers
不适用Not applicable 等效于是否发布标签。The equivalent is whether the label is published or not.
从列表中选择的标签颜色或使用 RGB 代码指定的标签颜色Label color that you select from list or specify by using RGB code 适合Yes 标签颜色没有配置选项。No configuration option for label colors. 相反,你可以在 Azure 门户中配置标签颜色,也可以使用 PowerShellInstead, you can configure label colors in the Azure portal or use PowerShell.
使用预定义模板的基于云的保护或基于 HYOK 的保护Cloud-based protection or HYOK-based protection using a predefined template No 预定义模板没有配置选项。No configuration option for predefined templates. 我们不建议使用此配置发布标签。We do not recommend you publish a label with this configuration.
使用 Word、Excel 和 PowerPoint 的用户定义权限的基于云的保护Cloud-based protection using user-defined permissions for Word, Excel, and PowerPoint 适合Yes 管理中心现在具有用户定义的权限的配置选项。The admin centers now have a configuration option for user-defined permissions.

如果使用此配置发布标签,请查看 下表中应用标签的结果。If you publish a label with this configuration, check the results of applying the label from the following table.
使用 Outlook(不可转发)中用户定义权限的基于 HYOK 的保护HYOK-based protection using user-defined permissions for Outlook (Do Not Forward) No HYOK 没有配置选项。No configuration option for HYOK. 我们不建议使用此配置发布标签。We do not recommend you publish a label with this configuration. 否则,请在下表中查看应用此标签所带来的后果。If you do, the results of applying the label are listed in the following table.
自定义字体名称、大小和自定义字体颜色(由 RGB 代码用于视觉标记 (页眉、页脚、水印) Custom font name, size, and custom font color by RGB code for visual markings (header, footer, watermark) 适合Yes 视觉标记的配置限制为颜色和字体大小列表。Configuration for visual markings is limited to a list of colors and font sizes. 尽管无法看见管理中心中配置的值,仍可以不做任何更改发布此标签。You can publish this label without changes although you cannot see the configured values in the admin centers.

若要更改这些选项,可以使用 Azure 门户或 新的标签 Office 365 Security & 相容性中心 cmdlet。To change these options, you can use the Azure portal, or the New-Label Office 365 Security & Compliance Center cmdlet. 为了便于管理,请考虑将颜色更改为管理中心中列出的选项之一。For easier administration, consider changing the color to one of the listed options in the admin centers.

注意:安全 & 相容性中心管理中心支持预定义的字体定义列表。Note: The Security & Compliance Center admin center supports a predefined list of font definitions. 仅通过 新的标签 Office 365 Security & 相容性中心 cmdlet 支持自定义字体和颜色。Custom fonts and colors are supported only via the New-Label Office 365 Security & Compliance Center cmdlet.
视觉标记(页眉、页脚)中的变量Variables in visual markings (header, footer) 适合Yes 此标签配置仅在 AIP 客户端中受支持,而不受 Office 内置标签支持。This label configuration is supported only by the AIP clients, and not by Office built-in labeling.

如果使用的是内置标签,并在没有更改的情况下发布此标签,则变量将在客户端上显示为文本,而不是显示动态值。If you are working with built-in labeling, and publish this label without changes, variables display as text on clients rather than display the dynamic values.
每个应用的视觉标记Visual markings per app 适合Yes 此标签配置仅在 AIP 客户端中受支持,而不受 Office 内置标签支持。This label configuration is supported only by the AIP clients, and not by Office built-in labeling.

如果使用内置标签,并发布此标签而不进行任何更改,则视觉标记配置将显示为变量文本,而不是已配置为在每个应用中显示的视觉标记。If you are working with built-in labeling, and publish this label without changes, the visual marking configuration displays as variable text instead of the visual markings you've configured to display in each app.
"仅限我" 保护"Just for me" protection 适合Yes 管理中心不允许你保存现在应用的加密设置,而无需指定任何用户。The admin centers do not let you save encryption settings that you apply now, without specifying any users. 在 Azure 门户中,此配置会生成一个标签,该标签适用于 "仅限我" 的保护In the Azure portal, this configuration results in a label that applies "Just for me" protection.

作为替代方法,可以创建应用加密的标签,并指定具有任何权限的用户,然后使用 PowerShell 编辑关联的保护模板。As an alternative, create a label that applies encryption and specify a user with any permissions, and then edit the associated protection template by using PowerShell. 首先,使用AipServiceRightsDefinition cmdlet (参阅示例 3) ,然后使用RightsDefinitions参数AipServiceTemplatePropertyFirst, use the New-AipServiceRightsDefinition cmdlet (see Example 3), and then Set-AipServiceTemplateProperty with the RightsDefinitions parameter.
条件和关联设置Conditions and associated settings

包括自动和建议标签及其工具提示Includes automatic and recommended labeling, and their tooltips
不适用Not applicable 若要重新配置条件,请将自动标记用作标签设置中的独立配置。Reconfigure your conditions by using auto labeling as a separate configuration from label settings.

比较标签保护设置的行为Comparing the behavior of protection settings for a label

使用下表来确定标签的相同保护设置的行为方式不同,具体取决于 Azure 信息保护客户端是 (经典) 、Azure 信息保护统一标签客户端,还是在 (内置的 Office 应用程序(也称为 "本机办公室标签" ) 。Use the following table to identify how the same protection setting for a label behaves differently, depending on whether it's used by the Azure Information Protection client (classic), the Azure Information Protection unified labeling client, or by Office apps that have labeling built in (also known as "native Office labeling"). 标签行为的差异可能会改变您决定是否发布标签,特别是在您的组织中有混合的客户端时。The differences in label behavior might change your decision whether to publish the labels, especially when you have a mix of clients in your organization.

如果你不确定保护设置的配置方式,请在 " 保护 " 窗格的 "Azure 门户中查看其设置。If you are not sure how your protection settings are configured, view their settings in the Protection pane, in the Azure portal. 如果需要有关此步骤的帮助,请参阅配置保护设置标签If you need help with this step, see To configure a label for protection settings.

下表未列出具有相同行为的保护设置,以下情形例外:Protection settings that behave the same way are not listed in the table, with the following exceptions:

  • 使用具有内置标签的 Office 应用时,除非还安装了 Azure 信息保护统一标签客户端,否则标签在文件资源管理器中不可见。When you use Office apps with built-in labeling, labels are not visible in File Explorer unless you also install the Azure Information Protection unified labeling client.
  • 使用具有内置标签的 Office 应用时,如果之前在未使用标签的情况下实施了保护,则保留保护 [1]When you use Office apps with built-in labeling, if protection was previously applied independently from a label, that protection is preserved [1].
标签的保护设置Protection setting for a label Azure 信息保护客户端(经典)Azure Information Protection client (classic) Azure 信息保护统一标识客户端Azure Information Protection unified labeling client 具有内置标签的 Office 应用Office apps with built-in labeling
带有模板的 HYOK (AD RMS):HYOK (AD RMS) with a template: 可在 Word、Excel、PowerPoint、Outlook 和文件资源管理器中查看Visible in Word, Excel, PowerPoint, Outlook, and File Explorer

当应用此标签时:When this label is applied:

- 对文档和电子邮件应用 HYOK 保护- HYOK protection is applied to documents and emails
可在 Word、Excel、PowerPoint、Outlook 和文件资源管理器中查看Visible in Word, Excel, PowerPoint, Outlook, and File Explorer

当应用此标签时:When this label is applied:

- 不应用保护;如果之前通过标签应用了保护,则去除保护 [2]- No protection is applied and protection is removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护- If protection was previously applied independently from a label, that protection is preserved
可在 Word、Excel、PowerPoint 和 Outlook 中查看Visible in Word, Excel, PowerPoint, and Outlook

当应用此标签时:When this label is applied:

- 不应用保护;如果之前通过标签应用了保护,则去除保护 [2]- No protection is applied and protection is removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护 [1]- If protection was previously applied independently from a label, that protection is preserved [1]
HYOK (AD RMS),其中用户定义的权限适用于 Word、Excel、PowerPoint 和文件资源管理器:HYOK (AD RMS) with user-defined permissions for Word, Excel, PowerPoint, and File Explorer: 可在 Word、Excel、PowerPoint 和文件资源管理器中查看Visible in Word, Excel, PowerPoint, and File Explorer

当应用此标签时:When this label is applied:

- 对文档和电子邮件应用 HYOK 保护- HYOK protection is applied to documents and emails
可在 Word、Excel 和 PowerPoint 中查看Visible in Word, Excel, and PowerPoint

当应用此标签时:When this label is applied:

- 不应用保护;如果之前已通过标签应用保护,则删除该保护 [2]- Protection is not applied and protection is removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护- If protection was previously applied independently from a label, that protection is preserved
可在 Word、Excel 和 PowerPoint 中查看Visible in Word, Excel, and PowerPoint

当应用此标签时:When this label is applied:

- 不应用保护;如果之前已通过标签应用保护,则删除该保护 [2]- Protection is not applied and protection is removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护- If protection was previously applied independently from a label, that protection is preserved
HYOK (AD RMS),其中用户定义的权限适用于 Outlook:HYOK (AD RMS) with user-defined permissions for Outlook: 可在 Outlook 中查看Visible in Outlook

当应用此标签时:When this label is applied:

- 通过 HYOK 保护向电子邮件应用“请勿转发”规则- Do Not Forward using HYOK protection is applied to emails
可在 Outlook 中查看Visible in Outlook

当应用此标签时:When this label is applied:

- 不应用保护;如果之前已通过标签应用保护,则删除该保护 [2]- Protection is not applied and removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护- If protection was previously applied independently from a label, that protection is preserved
可在 Outlook 中查看Visible in Outlook

当应用此标签时:When this label is applied:

- 不应用保护;如果之前已通过标签应用保护,则删除该保护 [2]- Protection is not applied and removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护 [1]- If protection was previously applied independently from a label, that protection is preserved [1]
脚注 1Footnote 1

在 Outlook 中,保护已保留,但有一个例外:在使用 "仅加密" 选项保护电子邮件时,将删除该保护。In Outlook, protection is preserved with one exception: When an email has been protected with the Encrypt-Only option, that protection is removed.

脚注 2Footnote 2

如果用户具有支持此操作的使用权限或角色,则去掉保护:Protection is removed if the user has a usage right or role that supports this action:

如果用户没有上述任一使用权限或角色,则不应用标签且保留原始保护。If the user doesn't have one of these usage rights or roles, the label is not applied and the original protection is preserved.

若要迁移 Azure 信息保护标签To migrate Azure Information Protection labels

使用以下说明将租户和 Azure 信息保护标签迁移到使用统一标签存储。Use the following instructions to migrate your tenant and Azure Information Protection labels to use the unified labeling store.

必须是符合性管理员、合规性数据管理员、安全管理员或全局管理员才能迁移标签。You must be a Compliance administrator, Compliance data administrator, Security administrator, or Global administrator to migrate your labels.

  1. 如果尚未这样做,请打开新的浏览器窗口,登录到 Azure 门户If you haven't already done so, open a new browser window and sign in to the Azure portal. 然后导航到“Azure 信息保护”窗格。Then navigate to the Azure Information Protection pane.

    例如,在资源、服务和文档的搜索框中:开始键入“信息”并选择“Azure 信息保护”。For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

  2. 从 " 管理 " 菜单选项中,选择 " 统一标签"。From the Manage menu option, select Unified labeling.

  3. 在 " Azure 信息保护-统一标签 " 窗格中,选择 " 激活 ",并按照联机说明进行操作。On the Azure Information Protection - Unified labeling pane, select Activate and follow the online instructions.

    如果激活选项不可用,请检查 统一标签状态:如果你看到 "已 激活",则你的租户已在使用统一标签存储,并且无需迁移标签。If the option to activate is not available, check the Unified labeling status: If you see Activated, your tenant is already using the unified labeling store and there is no need to migrate your labels.

成功迁移的标签现在可被支持统一标签的客户端和服务使用。For the labels that successfully migrated, they can now be used by clients and services that support unified labeling. 但是,必须首先将 这些标签发布 到某个管理中心: Office 365 安全 & 符合性中心、Microsoft 365 安全中心或 Microsoft 365 符合性中心。However, you must first publish these labels in one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center.

重要

如果在 Azure 门户之外编辑标签,对于 Azure 信息保护客户端 (经典) ,返回到此 Azure 信息保护-统一标签 窗格,然后选择 " 发布"。If you edit the labels outside the Azure portal, for Azure Information Protection clients (classic), return to this Azure Information Protection - Unified labeling pane, and select Publish.

复制策略Copy policies

备注

此选项处于预览阶段,可能会发生更改。This option is in preview and subject to change.

迁移标签后,可以选择用于复制策略的选项。After you have migrated your labels, you can select an option to copy policies. 如果选择此选项,策略的一次性副本及其 策略设置 和任何 高级客户端设置 将发送到管理标签的管理中心: Office 365 security & 相容中心、Microsoft 365 安全中心、Microsoft 365 合规中心。If you select this option, a one-time copy of your policies with their policy settings and any advanced client settings is sent to the admin center where you manage your labels: Office 365 Security & Compliance Center, Microsoft 365 security center, Microsoft 365 compliance center.

已成功复制策略及其设置和标签之后,会自动将其发布到分配到 Azure 门户中的策略的用户和组。Successfully copied policies with their settings and labels are then automatically published to the users and groups that were assigned to the policies in the Azure portal. 请注意,对于全局策略,这意味着所有用户。Note that for the Global policy, this means all users. 如果尚未准备好在要发布的复制策略中迁移的标签,则在复制策略后,你可以从管理员标签中心中的标签策略删除标签。If you're not ready for the migrated labels in the copied policies to be published, after the policies are copied, you can remove the labels from the label policies in your admin labeling center.

在 " Azure 信息保护-统一标签" 窗格上选择 "**复制策略 (预览") **选项之前,请注意以下事项:Before you select the Copy policies (preview) option on the Azure Information Protection - Unified labeling pane, be aware of the following:

  • 在为租户激活统一标签之前," **复制策略 (预览") ** "选项不可用。The Copy policies (Preview) option is not available until unified labeling is activated for your tenant.

  • 你无法有选择地选择要复制的策略和设置。You cannot selectively choose policies and settings to copy. 全局策略 (的所有策略和所有作用域内策略) 会自动选择复制,并会复制支持作为标签策略设置的所有设置。All policies (the Global policy and any scoped policies) are automatically selected to be copied, and all settings that are supported as label policy settings are copied. 如果已具有同名的标签策略,则会使用 Azure 门户中的策略设置来覆盖它。If you already have a label policy with the same name, it will be overwritten with the policy settings in the Azure portal.

  • 不会复制某些高级客户端设置,因为对于 Azure 信息保护统一标签客户端,这些设置支持作为 标签高级设置 ,而不是策略设置。Some advanced client settings are not copied because for the Azure Information Protection unified labeling client, these are supported as label advanced settings rather than policy settings. 可以通过 Office 365 Security & 相容性中心 PowerShell配置这些标签高级设置。You can configure these label advanced settings with Office 365 Security & Compliance Center PowerShell. 未复制的高级客户端设置:The advanced client settings that are not copied:

  • 不同于标签迁移(对标签的后续更改进行同步)," 复制策略 " 操作不会同步任何对策略或策略设置的后续更改。Unlike label migration where subsequent changes to labels are synchronized, the Copy policies action doesn't synchronize any subsequent changes to your policies or policy settings. 在 Azure 门户中进行更改后,你可以重复 "复制策略" 操作,并且将再次覆盖任何现有策略及其设置。You can repeat the copy policy action after making changes in the Azure portal, and any existing policies and their settings will be overwritten again. 或者,将 LabelPolicy 或设置标签 cmdlet 与 Office 365 Security & 相容性中心 PowerShell 中的 AdvancedSettings 参数一起使用。Or, use the Set-LabelPolicy or Set-Label cmdlets with the AdvancedSettings parameter from Office 365 Security & Compliance Center PowerShell.

  • 复制 策略 操作在复制每个策略之前验证以下各项:The Copy policies action verifies the following for each policy before it is copied:

    • 分配给策略的用户和组目前处于 Azure AD。Users and groups assigned to the policy are currently in Azure AD. 如果缺少一个或多个帐户,则不会复制此策略。If one or more account is missing, the policy is not copied. 不检查组成员身份。Group membership is not checked.

    • 全局策略包含至少一个标签。The Global policy contains at least one label. 由于管理员标签中心不支持不带标签的标签策略,因此不会复制不带标签的全局策略。Because the admin labeling centers don't support label policies without labels, a Global policy without labels is not copied.

  • 如果复制策略,然后将其从管理标签中心删除,请在使用 " 复制策略 " 操作之前至少等待两个小时,以确保有足够的时间来复制删除。If you copy policies and then delete them from your admin labeling center, wait at least two hours before you use the Copy policies action again to ensure sufficient time for the deletion to replicate.

  • 从 Azure 信息保护复制的策略不具有相同的名称,而是使用 AIP_ 的前缀来命名。Policies copied from Azure Information Protection will not have the same name, they will instead be named with a prefix of AIP_. 以后不能更改策略名称。Policy names cannot be subsequently changed.

有关为 Azure 信息保护统一标签客户端配置策略设置、高级客户端设置和标签设置的详细信息,请参阅管理员指南中 的 Azure 信息保护统一标签客户端的自定义配置For more information about configuring the policy settings, advanced client settings, and label settings for the Azure Information Protection unified labeling client, see Custom configurations for the Azure Information Protection unified labeling client from the admin guide.

支持统一标签的客户端和服务Clients and services that support unified labeling

若要确认你使用的客户端和服务是否支持统一标签,请参阅其文档,检查它们是否可以使用从某个管理中心发布的敏感度标签: Office 365 Security & 相容性中心、Microsoft 365 安全中心或 Microsoft 365 合规中心。To confirm whether the clients and services you use support unified labeling, refer to their documentation to check whether they can use sensitivity labels that are published from one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center.

当前支持统一标签的客户端包括:Clients that currently support unified labeling include:
当前支持统一标签的服务包括:Services that currently support unified labeling include:

后续步骤Next steps

有关我们的客户体验团队的其他指导和技巧,请参阅以下资源:For additional guidance and tips from our Customer Experience team, see the following resources:

若要详细了解现在可以在一个标签管理中心内配置和发布的标签,请参阅 了解敏感度标签创建和配置敏感度标签及其策略For more information about your migrated labels that can now be configured and published in one of the labeling admin centers, see Learn about sensitivity labels and Create and configure sensitivity labels and their policies.

如果尚未这样做,请安装 Azure 信息保护统一标签客户端。If you haven't already done so, install the Azure Information Protection unified labeling client. 有关发布信息、管理员指南和用户指南,请参阅适用 于 Windows 的 Azure 信息保护统一标签客户端For release information, an admin guide, and user guide, see Azure Information Protection unified labeling client for Windows.