How to configure the Azure Information Protection policy for specific users by using scoped policies

Applies to: Azure Information Protection

Instructions for: Azure Information Protection client for Windows

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

When the Azure Information Protection policy downloads to computers that have the Azure Information Protection client installed, all users get the settings and labels from the default policy, or from the changes that you configured for the global policy. If you want to supplement this configuration for specific users, by giving them different settings and labels, you must create a scoped policy that's configured for those users.

How scoped policies work

For applications that support the Azure Information Protection client, all users receive the global policy, which contains the Information Protection bar title and tooltip, global settings, and global labels. If you have configured scoped policies for specific users, those users also receive the additional settings and labels from those scoped policies.

Note that in addition to the Office desktop applications that support the Azure Information Protection client, labels are also supported by PowerShell and by the Azure Information Protection scanner. This means that you can create and configure scoped policies for the accounts that run PowerShell commands or the scanner.

Scoped policies, just like labels, are ordered in the Azure portal. If a user is in the scope of multiple policies, an effective policy is computed for that user before it is downloaded. Settings are applied in policy order, so for any given setting the last policy that specifies it wins. The labels that the user sees are the labels from the global policy plus any additional labels from the scoped policies that the user belongs to.

The exception is when a user from your tenant opens a labeled document or email and that user is not in the label's scope. In this scenario, the user sees the name of the label that was applied, but the label isn't displayed as available to select.

Because a scoped policy always inherits the labels and settings from the global policy, the labels from the global policy are displayed when you create or edit a scoped policy. However, you cannot edit the labels from the global policy when you edit a scoped policy. You can, however, add sublabels to these inherited labels.

For example, if you have a label named Confidential in the global policy, all users see this label. You cannot remove or reorder it with a scoped policy. But you might want to create a scoped policy for the Marketing department that adds a new sublabel to Confidential, so that these users see Confidential \ Promotions. You might also create another scoped policy for the Sales department that adds a different sublabel to Confidential, so that those users see Confidential \ Partners. Each sublabel can then be configured with different settings, and each sublabel is visible only to the users in the respective department.
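The merge rules described in this section (global policy first, scoped policies in portal order, last setting wins, global labels never removed, sublabels added under inherited labels) are easy to get wrong when a user sits in several scopes. The following is an added illustration of that computation, not code from the page or from Microsoft's client; the policy names, group names, user identities and the `default_label` setting are constructed for the example, and the 200-entry scope limit is the one stated in the note below.

```python
"""Model of how a user's effective Azure Information Protection policy is built:
the global policy is applied first, then every scoped policy that includes the
user, in portal order, with the last value of a setting winning.
All names, identities and settings here are constructed for illustration."""
from dataclasses import dataclass, field

MAX_SCOPE_ENTRIES = 200  # users or groups selectable per scoped policy


@dataclass
class Policy:
    name: str
    scope: frozenset = frozenset()                  # users/groups; empty = global
    settings: dict = field(default_factory=dict)    # setting name -> value
    labels: list = field(default_factory=list)      # top-level labels this policy adds
    sublabels: dict = field(default_factory=dict)   # parent label -> sublabels it adds


def validate_scope(scope):
    """Enforce the portal limit of 200 users or groups per scoped policy."""
    if len(scope) > MAX_SCOPE_ENTRIES:
        raise ValueError(
            f"{len(scope)} entries selected; add the users to a group and "
            f"scope the policy to that group instead")
    return True


def effective_policy(global_policy, scoped_policies, user, groups=frozenset()):
    """Merge the global policy with the scoped policies that apply to `user`.

    `scoped_policies` must be in portal order (top to bottom)."""
    identities = {user} | set(groups)
    settings = dict(global_policy.settings)
    # Global labels come first; a scoped policy can neither remove nor reorder them.
    labels = {name: list(global_policy.sublabels.get(name, []))
              for name in global_policy.labels}
    applied = [global_policy.name]
    for policy in scoped_policies:
        validate_scope(policy.scope)
        if identities.isdisjoint(policy.scope):
            continue                        # user is outside this policy's scope
        applied.append(policy.name)
        settings.update(policy.settings)    # later policy overrides earlier values
        for name in policy.labels:
            labels.setdefault(name, [])     # new top-level label, appended at the end
        for parent, subs in policy.sublabels.items():
            if parent not in labels:
                raise KeyError(
                    f"{policy.name}: sublabel parent {parent!r} is not an "
                    f"effective label for this user")
            for sub in subs:
                if sub not in labels[parent]:
                    labels[parent].append(sub)
    return {"applied": applied, "settings": settings, "labels": labels}


def visible_label_names(result):
    """Flatten the label tree into the names shown in the Information Protection bar."""
    names = []
    for parent, subs in result["labels"].items():
        names.append(parent)
        names.extend(f"{parent} \\ {sub}" for sub in subs)
    return names


# Constructed sample policies mirroring the Marketing / Sales example above.
GLOBAL = Policy("Global", settings={"default_label": None},
                labels=["General", "Confidential"])
MARKETING = Policy("Marketing", scope=frozenset({"Marketing"}),
                   settings={"default_label": "Confidential \\ Promotions"},
                   sublabels={"Confidential": ["Promotions"]})
SALES = Policy("Sales", scope=frozenset({"Sales"}),
               settings={"default_label": "Confidential \\ Partners"},
               sublabels={"Confidential": ["Partners"]})

if __name__ == "__main__":
    # A user in both departments: both sublabels are visible, and the default
    # label comes from whichever scoped policy is lower in the portal order.
    both = effective_policy(GLOBAL, [MARKETING, SALES],
                            "alice@contoso.example", {"Marketing", "Sales"})
    print(both["applied"], both["settings"]["default_label"])
    print(visible_label_names(both))
```

Swapping the order of `MARKETING` and `SALES` in the list changes only the setting that both policies specify (`default_label`); the label set is the same either way, which is exactly why step 6 of the procedure below tells you to check the order whenever one user is selected for several scoped policies.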

Configure a scoped policy

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs: start typing Information and select Azure Information Protection.

  2. From the Classifications > Policies menu option: on the Azure Information Protection - Policies pane, select Add a new policy. You then see the Policy pane, which displays your existing global policy and where you can now configure your new, scoped policy.

  3. Specify a policy name and description; these are seen only by administrators in the Azure portal. The name must be unique within your tenant. Then select Specify which users/groups get this policy, and in the subsequent panes, search for and select the users and groups for this policy. The labels and settings that you configure in this scoped policy are applied to these users only.

    For performance reasons, group membership for scoped policies is cached.

    Note

    Select up to 200 users or groups. If more than 200 users need to get the scoped policy, create a new group, add the relevant users to the group, and then set the policy scope to the new group.

  4. Now add new labels or configure the scoped policy settings. The global policy is always applied first, so you can supplement the global policy with new labels and you can override the global settings. For example, the global policy might have no default label specified, while you configure a different default label in each scoped policy for specific departments.

    If you need help with configuring the labels or settings, use the links in the Configuring your organization's policy section.

  5. Just as when you edit the global policy, when you make any changes on an Azure Information Protection pane, click Save to save the changes, or click Discard to revert to the last saved settings.

  6. When you have finished making the changes that you want for this scoped policy, on the initial Azure Information Protection - Policies pane, make sure that this scoped policy is in the order in which you want it applied. This is important when you have selected the same user for multiple scoped policies. To change the order, select the context menu (...) and select Move up or Move down.

The Azure Information Protection client checks for any changes whenever a supported Office application starts or File Explorer is opened. The client downloads any changes to the global policy, or to the scoped policies that apply to that user.

Next steps

For an example of how to customize the default policy and see the resulting behavior in an Office application, try the Edit the policy and create a new label tutorial.