How to configure a label for Rights Management protection

Applies to: Azure Information Protection

Instructions for: Azure Information Protection client for Windows

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Note

These instructions apply to the Azure Information Protection client (classic) and not the Azure Information Protection unified labeling client. Not sure of the difference between these clients? See this FAQ.

If you are looking for information to configure a sensitivity label to apply Rights Management protection, see the Microsoft 365 Compliance documentation. For example, Restrict access to content by using encryption in sensitivity labels.

You can protect your most sensitive documents and emails by using a Rights Management service. This service uses encryption, identity, and authorization policies to help prevent data loss. The protection is applied with a label that is configured to use Rights Management protection for documents and emails, and users can also select the Do not forward button in Outlook.

When your label is configured with the protection setting of Azure (cloud key), this action creates and configures, under the covers, a protection template that can then be accessed by services and applications that integrate with Rights Management templates. For example, Exchange Online and mail flow rules, and Outlook on the web.

How the protection works

When a document or email is protected by a Rights Management service, it is encrypted at rest and in transit. It can then be decrypted only by authorized users. This encryption stays with the document or email, even if it is renamed. In addition, you can configure usage rights and restrictions, such as the following examples:

  • Only users within your organization can open the company-confidential document or email.

  • Only users in the marketing department can edit and print the promotion announcement document or email, while all other users in your organization can only read this document or email.

  • Users cannot forward an email or copy information from it that contains news about an internal reorganization.

  • The current price list that is sent to business partners cannot be opened after a specified date.

For more information about the Azure Rights Management protection and how it works, see What is Azure Rights Management?

Important

To configure a label to apply this protection, the Azure Rights Management service must be activated for your organization. For more information, see Activating the protection service from Azure Information Protection.

When the label applies protection, a protected document is not suitable to be saved on SharePoint or OneDrive. These locations do not support the following features for protected files: co-authoring, Office for the web, search, document preview, thumbnail, eDiscovery, and data loss prevention (DLP).

Tip

When you migrate your labels to unified sensitivity labels and publish them from one of the labeling admin centers, such as the Microsoft 365 compliance center, labels that apply protection are then supported for these locations. For more information, see Enable sensitivity labels for Office files in SharePoint and OneDrive.

Exchange does not have to be configured for Azure Information Protection before users can apply labels in Outlook to protect their emails. However, until Exchange is configured for Azure Information Protection, you do not get the full functionality of using Azure Rights Management protection with Exchange. For example, users cannot view protected emails on mobile phones or with Outlook on the web, protected emails cannot be indexed for search, and you cannot configure Exchange Online DLP for Rights Management protection. To ensure that Exchange can support these additional scenarios, see the following resources:

To configure a label for protection settings

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs: start typing Information and select Azure Information Protection.

  2. From the Classifications > Labels menu option: on the Azure Information Protection - Labels pane, select the label you want to change.

  3. On the Label pane, locate Set permissions for documents and emails containing this label, and select one of the following options:

    • Not configured: Select this option if the label is currently configured to apply protection and you no longer want the selected label to apply protection. Then go to step 11.

      The previously configured protection settings are retained as an archived protection template, and will be displayed again if you change the option back to Protect. You do not see this template in the Azure portal, but if necessary, you can still manage the template by using PowerShell. This behavior means that content remains accessible if it has this label with the previously applied protection settings.

      When a label with this Not configured protection setting is applied:

      • If the content was previously protected without using a label, that protection is preserved.

      • If the content was previously protected with a label, that protection is removed if the user applying the label has permissions to remove Rights Management protection. This requirement means that the user must have the Export or Full Control usage right. Or, be the Rights Management owner (which automatically grants the Full Control usage right), or a super user for Azure Rights Management.

        If the user doesn't have permissions to remove protection, the label cannot be applied and the following message is displayed: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator.

    • Protect: Select this option to apply protection, and then go to step 4.

    • Remove Protection: Select this option to remove protection if a document or email is protected. Then go to step 11.

      If the protection was applied with a label or protection template, the protection settings are retained as an archived protection template, and will be displayed again if you change the option back to Protect. You do not see this template in the Azure portal, but if necessary, you can still manage the template by using PowerShell. This behavior means that content remains accessible if it has this label with the previously applied protection settings.

      Note that for a user to successfully apply a label that has this option, that user must have permissions to remove Rights Management protection. This requirement means that the user must have the Export or Full Control usage right. Or, be the Rights Management owner (which automatically grants the Full Control usage right), or a super user for Azure Rights Management.

      If the user applying the label with this setting does not have permissions to remove Rights Management protection, the label cannot be applied and the following message is displayed: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator.

  4. If you selected Protect, the Protection pane automatically opens if one of the other options was previously selected. If this new pane does not automatically open, select Protection:

    [Screenshot: Configuring protection for an Azure Information Protection label]

  5. On the Protection pane, select Azure (cloud key) or HYOK (AD RMS).

    In most cases, select Azure (cloud key) for your permission settings. Do not select HYOK (AD RMS) unless you have read and understood the prerequisites and restrictions that accompany this "hold your own key" (HYOK) configuration. For more information, see Hold your own key (HYOK) requirements and restrictions for AD RMS protection. To continue the configuration for HYOK (AD RMS), go to step 9.

  6. Select one of the following options:

    • Set permissions: To define new protection settings in this portal.

    • Set user-defined permissions (Preview): To let users specify who should be granted permissions and what those permissions are. You can then refine this option and choose Outlook only, or Word, Excel, PowerPoint, and File Explorer. This option is not supported, and does not work, when a label is configured for automatic classification.

      If you choose the option for Outlook: The label is displayed in Outlook and the resulting behavior when users apply the label is the same as the Do Not Forward option.

      If you choose the option for Word, Excel, PowerPoint, and File Explorer: When this option is set, the label is displayed in these applications. The resulting behavior when users apply the label is to display the dialog box for users to select custom permissions. In this dialog box, users choose one of the predefined permissions levels, browse to or specify the users or groups, and optionally, set an expiry date. Make sure that users have instructions and guidance on how to supply these values.

    • Select a predefined template: To use one of the default templates or a custom template that you've configured. Note that this option does not display for new labels, or if you are editing a label that previously used the Set permissions option.

      To select a predefined template, the template must be published (not archived) and must not be linked already to another label. When you select this option, you can use an Edit Template button to convert the template into a label.

      If you are used to creating and editing custom templates, you might find it useful to reference Tasks that you used to do with the Azure classic portal.

  7. If you selected Set permissions for Azure (cloud key), this option lets you select users and usage rights.

    If you don't select any users and select OK on this pane, followed by Save on the Label pane: The label is configured to apply protection such that only the person who applies the label can open the document or email, with no restrictions. This configuration is sometimes referred to as "Just for me" and might be the required outcome, so that a user can save a file to any location and be assured that only they can open it. If this outcome matches your requirement and others are not required to collaborate on the protected content, do not select Add permissions. After saving the label, the next time you open this Protection pane, you see IPC_USER_ID_OWNER displayed for Users, and Co-Owner displayed for Permissions to reflect this configuration.

    To specify the users you want to be able to open protected documents and emails, select Add permissions. Then on the Add permissions pane, select the first set of users and groups who will have rights to use the content that will be protected by the selected label:

    • Choose Select from the list, where you can then add all users from your organization by selecting Add <organization name> - All members. This setting excludes guest accounts. Or, you can select Add any authenticated users, or browse the directory.

      When you choose all members or browse the directory, the users or groups must have an email address. In a production environment, users and groups nearly always have an email address, but in a simple testing environment, you might need to add email addresses to user accounts or groups.

      More information about Add any authenticated users

      This setting doesn't restrict who can access the content that the label protects, while still encrypting the content and providing you with options to restrict how the content can be used (permissions) and accessed (expiry and offline access). However, the application opening the protected content must be able to support the authentication being used. For this reason, federated social providers such as Google, and one-time passcode authentication, should be used for email only, and only when you use Exchange Online and the new capabilities from Office 365 Message Encryption. Microsoft accounts can be used with the Azure Information Protection viewer and Office 365 apps (Click-to-Run).

      Some typical scenarios for the any authenticated users setting:

      • You don't mind who views the content, but you want to restrict how it is used. For example, you do not want the content to be edited, copied, or printed.
      • You don't need to restrict who accesses the content, but you want to be able to track who opens it and potentially, revoke it.
      • You have a requirement that the content must be encrypted at rest and in transit, but it doesn't require access controls.
    • Choose Enter details to manually specify email addresses for individual users or groups (internal or external). Or, use this option to specify all users in another organization by entering any domain name from that organization. You can also use this option for social providers, by entering their domain name such as gmail.com, hotmail.com, or outlook.com.

      Note

      If an email address changes after you select the user or group, see the Considerations if email addresses change section from the planning documentation.

      As a best practice, use groups rather than users. This strategy keeps your configuration simpler and makes it less likely that you have to update your label configuration later and then reprotect content. However, if you make changes to the group, keep in mind that for performance reasons, Azure Rights Management caches the group membership.

    When you have specified the first set of users and groups, select the permissions to grant these users and groups. For more information about the permissions that you can select, see Configuring usage rights for Azure Information Protection. However, applications that support this protection might vary in how they implement these permissions. Consult their documentation and do your own testing with the applications that users use to check the behavior before you deploy the template for users.

    If required, you can now add a second set of users and groups with usage rights. Repeat until you have specified all the users and groups with their respective permissions.

    Tip

    Consider adding the Save As, Export (EXPORT) custom permission and grant this permission to data recovery administrators or personnel in other roles that have responsibilities for information recovery. If needed, these users can then remove protection from files and emails that will be protected by using this label or template. This ability to remove protection at the permission level for a document or email provides more fine-grained control than the super user feature.

    For all the users and groups that you specified, on the Protection pane, now check whether you want to make any changes to the following settings. Note that these settings, as with the permissions, do not apply to the Rights Management issuer or Rights Management owner, or any super user that you have assigned.

    Information about the protection settings

    Setting: File Content Expiration

    More information: Define a date or number of days for when documents that are protected by these settings should not open for the selected users. For emails, expiration isn't always enforced because of caching mechanisms used by some email clients.

    You can specify a date or specify a number of days starting from the time that the protection is applied to the content.

    When you specify a date, it is effective at midnight, in your current time zone.

    Recommended setting: Content never expires unless the content has a specific time-bound requirement.

    Setting: Allow offline access

    More information: Use this setting to balance any security requirements that you have (including access after revocation) with the ability for the selected users to open protected content when they don't have an internet connection.

    If you specify that content is not available without an internet connection, or that content is only available for a specified number of days, then when that threshold is reached, these users must be reauthenticated and their access is logged. When this happens, if their credentials are not cached, the users are prompted to sign in before they can open the document or email.

    In addition to reauthentication, the policy and the user group membership are reevaluated. This means that users could experience different access results for the same document or email if there are changes in the policy or group membership from when they last accessed the content. That could include no access if the document has been revoked.

    Recommended setting: Depending on how sensitive the content is:

    - Number of days the content is available without an internet connection = 7 for sensitive business data that could cause damage to the business if shared with unauthorized people. This recommendation offers a balanced compromise between flexibility and security. Examples include contracts, security reports, forecast summaries, and sales account data.

    - Never for very sensitive business data that would cause damage to the business if it was shared with unauthorized people. This recommendation prioritizes security over flexibility, and ensures that if the document is revoked, all authorized users immediately cannot open the document. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.

    When you have finished configuring the permissions and settings, click OK.

    This grouping of settings creates a custom template for the Azure Rights Management service. These templates can be used with applications and services that integrate with Azure Rights Management. For information about how computers and services download and refresh these templates, see Refreshing templates for users and services.

  8. If you selected Select a predefined template for Azure (cloud key), click the drop-down box and select the template that you want to use to protect documents and emails with this label. You do not see archived templates or templates that are already selected for another label.

    If you select a departmental template, or if you have configured onboarding controls:

    • Users who are outside the configured scope of the template, or who are excluded from applying Azure Rights Management protection, still see the label but cannot apply it. If they select the label, they see the following message: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator.

      Note that all published templates are always shown, even if you are configuring a scoped policy. For example, you are configuring a scoped policy for the Marketing group. The templates that you can select are not restricted to templates that are scoped to the Marketing group, and it's possible to select a departmental template that your selected users cannot use. For ease of configuration and to minimize troubleshooting, consider naming the departmental template to match the label in your scoped policy.

  9. If you selected HYOK (AD RMS), select either Set AD RMS templates details or Set user defined permissions (Preview). Then specify the licensing URL of your AD RMS cluster.

    For instructions to specify a template GUID and your licensing URL, see Locating the information to specify AD RMS protection with an Azure Information Protection label.

    The user-defined permissions option lets users specify who should be granted permissions and what those permissions are. You can then refine this option and choose Outlook only (the default), or Word, Excel, PowerPoint, and File Explorer. This option is not supported, and does not work, when a label is configured for automatic classification.

    If you choose the option for Outlook: The label is displayed in Outlook and the resulting behavior when users apply the label is the same as the Do Not Forward option.

    If you choose the option for Word, Excel, PowerPoint, and File Explorer: When this option is set, the label is displayed in these applications. The resulting behavior when users apply the label is to display the dialog box for users to select custom permissions. In this dialog box, users choose one of the predefined permissions levels, browse to or specify the users or groups, and optionally, set an expiry date. Make sure that users have instructions and guidance on how to supply these values.

  10. Click OK to close the Protection pane, and see your choice of User defined or your chosen template displayed for the Protection option in the Label pane.

  11. On the Label pane, click Save.

  12. On the Azure Information Protection pane, use the PROTECTION column to confirm that your label now displays the protection setting that you want:

    • A check mark if you have configured protection.

    • An x mark to denote cancellation if you have configured a label to remove protection.

    • A blank field when protection is not set.

When you clicked Save, your changes are automatically available to users and services. There's no longer a separate publish option.
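The portal hides archived templates and shows each label's settings one pane at a time, so a periodic check of every template (including the archived ones the procedure above says can only be managed with PowerShell) is easier from the AIPService module. The script below is an added example, not code from the original page or from Microsoft; it assumes the AIPService module is installed, that you hold the Azure Information Protection administrator role, and that template objects returned by Get-AipServiceTemplate expose the TemplateId, Status, LicenseValidityDuration, ContentExpirationOption and RightsDefinitions properties. It flags templates whose offline-access or expiration settings are looser than the page's recommendations for very sensitive content.

```powershell
# Added example (not from the original page or the AIPService module documentation).
# Assumptions: AIPService module installed; AIP administrator role; template property
# names as documented for Get-AipServiceTemplate. The mapping of the "Allow offline
# access" portal choice onto LicenseValidityDuration (0 = Never, -1 = Always, N = days)
# is an assumption taken from the Set-AipServiceTemplateProperty parameter description.
Connect-AipService

# Every label set to Protect with Azure (cloud key) is backed by one of these templates.
# Archived templates (labels switched to Not configured / Remove Protection) are not
# shown in the portal but are still returned here, so the audit covers them too.
$templates = Get-AipServiceTemplate

$report = foreach ($t in $templates) {
    $offlineDays = [int]$t.LicenseValidityDuration
    $offline = switch ($offlineDays) {
        0       { 'Never' }
        -1      { 'Always' }
        default { "$offlineDays day(s)" }
    }

    # Identities granted rights; domains (for example fabrikam.com) and the
    # "any authenticated user" identity widen the audience the most.
    $identities = @($t.RightsDefinitions | ForEach-Object { $_.Identity })

    # Findings, in the page's own terms: 7 days for sensitive data, Never for very
    # sensitive data; anything looser than 7 days is worth a second look.
    $findings = @()
    if ($offlineDays -eq -1 -or $offlineDays -gt 7) {
        $findings += "offline access '$offline' allows use after revocation for longer than the 7-day guidance"
    }
    if ($identities -match '^[^@]+$' ) {
        $findings += 'grants rights to a whole domain or to any authenticated user; confirm this is intended'
    }

    [pscustomobject]@{
        TemplateId = $t.TemplateId
        Status     = $t.Status            # Published or Archived
        Offline    = $offline
        Expiration = $t.ContentExpirationOption
        Grantees   = ($identities -join ', ')
        Findings   = ($findings -join '; ')
    }
}

# Review everything, then the subset that needs attention.
$report | Format-Table -AutoSize
$needsReview = $report | Where-Object { $_.Findings }

# To tighten a template after review (for example a label for very sensitive data that
# should require an internet connection every time it is opened), set offline access to
# Never with the documented -LicenseValidityDuration parameter:
#   Set-AipServiceTemplateProperty -TemplateId <template-guid> -LicenseValidityDuration 0
$needsReview
```

Changes made with Set-AipServiceTemplateProperty reach the label the same way as a portal edit, because the label and the template are the same object; clients pick them up on their next template refresh.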

Example configurations

The All Employees and Recipients Only sublabels from the Confidential and Highly Confidential labels from the default policy provide examples of how you can configure labels that apply protection. You can also use the following examples to help you configure protection for different scenarios.

For each example that follows, on your <label name> pane, select Protect. If the Protection pane doesn't automatically open, select Protection to open this pane that lets you select your protection configuration options:

[Screenshot: Configuring an Azure Information Protection label for protection]

Example 1: Label that applies Do Not Forward to send a protected email to a Gmail account

This label is available only in Outlook and is suitable when Exchange Online is configured for the new capabilities in Office 365 Message Encryption. Instruct users to select this label when they need to send a protected email to people using a Gmail account (or any other email account outside your organization).

Your users type the Gmail email address in the To box. Then, they select the label and the Do Not Forward option is automatically added to the email. The result is that recipients cannot forward the email, print it, copy from it, or save the email outside their mailbox by using the Save As option.

  1. On the Protection pane, make sure that Azure (cloud key) is selected.

  2. Select Set user-defined permissions (Preview).

  3. Make sure that the following option is selected: In Outlook apply Do Not Forward.

  4. If selected, clear the following option: In Word, Excel, PowerPoint and File Explorer prompt user for custom permissions.

  5. Click OK on the Protection pane, and then click Save on the Label pane.

Example 2: Label that restricts read-only permission to all users in another organization, and that supports immediate revocation

This label is suitable for sharing (read-only) very sensitive documents that always require an internet connection to view. If revoked, users will not be able to view the document the next time they try to open it.

This label is not suitable for emails.

  1. On the Protection pane, make sure that Azure (cloud key) is selected.

  2. Make sure that the Set permissions option is selected, and then select Add permissions.

  3. On the Add permissions pane, select Enter details.

  4. Enter the name of a domain from the other organization, for example, fabrikam.com. Then select Add.

  5. From Choose permissions from preset, select Viewer, and then select OK.

  6. Back on the Protection pane, for the Allow offline access setting, select Never.

  7. Click OK on the Protection pane, and then click Save on the Label pane.

Example 3: Add external users to an existing label that protects content

The new users that you add will be able to open documents and emails that have already been protected with this label. The permissions that you grant these users can be different from the permissions that the existing users have.

  1. On the Protection pane, make sure Azure (cloud key) is selected.

  2. Ensure that Set permissions is selected, and then select Add permissions.

  3. On the Add permissions pane, select Enter details.

  4. Enter the email address of the first user (or group) to add, and then select Add.

  5. Select the permissions for this user (or group).

  6. Repeat steps 4 and 5 for each user (or group) that you want to add to this label. Then click OK.

  7. Click OK on the Protection pane, and then click Save on the Label pane.

Example 4: Label for protected email that supports less restrictive permissions than Do Not Forward

This label cannot be restricted to Outlook but does provide less restrictive controls than using Do Not Forward. For example, you want the recipients to be able to copy from the email or an attachment, or save and edit an attachment.

If you specify external users who do not have an account in Azure AD:

  • The label is suitable for email when Exchange Online is using the new capabilities in Office 365 Message Encryption.

  • For Office attachments that are automatically protected, these documents are available to view in a browser. To edit these documents, download and edit them with Office 365 apps (Click-to-Run), and a Microsoft account that uses the same email address. More information

Note

Exchange Online is rolling out a new option, Encrypt-Only. This option is not available for label configuration. However, when you know who the recipients will be, you can use this example to configure a label with the same set of usage rights.

When your users specify the email addresses in the To box, the addresses must be for the same users that you specify for this label configuration. Because users can belong to groups and have more than one email address, the email address that they specify does not have to match the email address that you specify for the permissions. However, specifying the same email address is the easiest way to ensure that the recipient will be successfully authorized. For more information about how users are authorized for permissions, see Preparing users and groups for Azure Information Protection.

  1. On the Protection pane, make sure that Azure (cloud key) is selected.

  2. Make sure Set permissions is selected, and select Add permissions.

  3. On the Add permissions pane: To grant permissions to users in your organization, select Add <organization name> - All members to select all users in your tenant. This setting excludes guest accounts. Or, select Browse directory to select a specific group. To grant permissions to external users, or if you prefer to type the email address, select Enter details and type the email address of the user, or Azure AD group, or a domain name.

    Repeat this step to specify additional users who should have the same permissions.

  4. For Choose permissions from preset, select Co-Owner, Co-Author, Reviewer, or Custom to select the permissions that you want to grant.

    Note: Do not select Viewer for emails, and if you do select Custom, make sure that you include Edit and Save.

    To select the same permissions that match the new Encrypt-Only option from Exchange Online, select Custom. Then select all permissions except Save As, Export (EXPORT) and Full Control (OWNER).

  5. To specify additional users who should have different permissions, repeat steps 3 and 4.

  6. Click OK on the Add permissions pane.

  7. Click OK on the Protection pane, and then click Save on the Label pane.

Example 5: Label that encrypts content but doesn't restrict who can access it

This configuration has the advantage that you don't need to specify users, groups, or domains to protect an email or document. The content will still be encrypted and you can still specify usage rights, an expiry date, and offline access. Use this configuration only when you do not need to restrict who can open the protected document or email. More information about this setting

  1. On the Protection pane, make sure Azure (cloud key) is selected.

  2. Make sure Set permissions is selected, and then select Add permissions.

  3. On the Add permissions pane, on the Select from the list tab, select Add any authenticated users.

  4. Select the permissions you want, and click OK.

  5. Back on the Protection pane, configure settings for File Content Expiration and Allow offline access, if needed, and then click OK.

  6. On the Label pane, select Save.

Example 6: Label that applies "Just for me" protection

This configuration offers the opposite of secure collaboration for documents: With the exception of a super user, only the person who applies the label can open the protected content, without any restrictions. This configuration is often referred to as "Just for me" protection and is suitable when a user wants to save a file to any location and be assured that only they can open it.

The label configuration is deceptively simple:

  1. On the Protection pane, make sure Azure (cloud key) is selected.

  2. Select OK without selecting any users, or configuring any settings on this pane.

    Although you can configure settings for File Content Expiration and Allow offline access, when you do not specify users and their permissions, these access settings are not applicable. That's because the person who applies the protection is the Rights Management issuer for the content, and this role is exempt from these access restrictions.

  3. On the Label pane, select Save.
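After saving any of the protection-enabled labels above (Examples 2, 5 and 6 in particular), a practitioner typically wants to confirm that files labeled with it really end up Rights Management-protected, and who is recorded as the owner. The following is an added example, not from the original page or the product documentation; it assumes the classic Azure Information Protection client's AzureInformationProtection PowerShell module is installed and the caller is signed in, and the label GUID and folder path are placeholders you replace with your own.

```powershell
# Added example (not part of the original page). Assumes the classic AIP client
# for Windows with its AzureInformationProtection PowerShell module.
Import-Module AzureInformationProtection

# Placeholder values: copy the label's ID from its blade in the Azure portal,
# and point $folder at a constructed test folder of Office documents.
$labelId = '00000000-0000-0000-0000-000000000000'
$folder  = 'C:\LabelTest\Sensitive'

$officeFiles = Get-ChildItem -Path $folder -Include *.docx, *.xlsx, *.pptx -Recurse -File

# Apply the label to every Office document in the folder. A label configured
# with Azure (cloud key) protection applies the corresponding template.
$officeFiles | Set-AIPFileLabel -LabelId $labelId

# Audit the outcome. For a protection-enabled label, each file should report
# IsRMSProtected = True, the template backing the label, and an RMSOwner
# (for a "Just for me" label, the owner is the account that applied it).
$report = $officeFiles |
    Get-AIPFileStatus |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected,
                  RMSTemplateName, RMSOwner

$report | Format-Table -AutoSize

# Flag files that took the label but were not protected, for example a label
# whose Protection pane was left on "Not configured".
$unprotected = $report | Where-Object { $_.IsLabeled -and -not $_.IsRMSProtected }
if ($unprotected) {
    Write-Warning ("{0} labeled file(s) are not RMS-protected:" -f @($unprotected).Count)
    $unprotected | ForEach-Object { Write-Warning "  $($_.FileName)" }
}
```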

Next steps

For more information about configuring your Azure Information Protection policy, use the links in the Configuring your organization's policy section.

Exchange mail flow rules can also apply protection, based on your labels. For more information and examples, see Configuring Exchange Online mail flow rules for Azure Information Protection labels.