How to configure the policy settings for Azure Information Protection

Applies to: Azure Information Protection

Instructions for: Azure Information Protection client for Windows

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Note

These instructions apply to the Azure Information Protection client (classic) and not the Azure Information Protection unified labeling client. Not sure of the difference between these clients? See this FAQ.

If you are looking for information to configure policy settings for the unified labeling client, see the Microsoft 365 Compliance documentation. For example, Learn about sensitivity labels.

In addition to the Information Protection bar title and tooltip, there are some settings in the Azure Information Protection policy that you can configure independently from the labels:

[Image: Azure Information Protection policy global settings]

Note that your policy settings might have different default values, depending on when you purchased your subscription for Azure Information Protection. Some settings might also be set by a custom client setting.

To configure the policy settings

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

  2. From the Classifications > Policies menu option: On the Azure Information Protection - Policies pane, select Global if the settings that you want to configure will apply to all users.

    If the settings that you want to configure are in a scoped policy so that they apply to selected users only, select your scoped policy instead.

  3. On the Policy pane, configure the settings:

    • Select the default label: When you set this option, select the label to assign to documents and emails that do not have a label. You cannot set a label as the default if it has sublabels.

      This setting applies to Office apps and the scanner. It does not apply to File Explorer or PowerShell.

    • Send audit data to Azure Information Protection analytics: Before you create an Azure Log Analytics workspace for Azure Information analytics, the values for this setting display Off and Not configured. When you create the workspace, the values change to Off and On.

      When the setting is On, clients that support central reporting send data to the Azure Information Protection service. This information includes what labels are applied and when a user selects a label with a lower classification, or removes a label. For more information about what information is sent and stored, see the Information collected and sent to Microsoft section in the central reporting documentation. Set this policy setting to Off to prevent this data from being sent.

    • All documents and emails must have a label: When you set this option to On, all saved documents and sent emails must have a label applied. The labeling might be manually assigned by a user, automatically as a result of a condition, or be assigned by default (by setting the Select the default label option).

      If a label is not assigned when users save a document or send an email, they are prompted to select a label. For example:

      [Image: Azure Information Protection prompt if labeling is enforced]

      This option does not apply when you remove a label by using the Set-AIPFileLabel PowerShell cmdlet with the RemoveLabel parameter.

    • Users must provide justification to set a lower classification label, remove a label, or remove protection: When you set this option to On and a user does any of these actions (for example, change the Public label to Personal), the user is prompted to provide an explanation for this action. For example, the user might explain that the document no longer contains sensitive information. The action and its justification reason are logged in their local Windows event log: Applications and Services Logs > Azure Information Protection.

      [Image: Azure Information Protection prompt if new classification is lower]

      This option is not applicable for lowering the classification of sublabels under the same parent label.

    • For email messages with attachments, apply a label that matches the highest classification of those attachments: When you set this option to Recommended, users are prompted to apply a label to their email message. The label is dynamically chosen, based on the classification labels that are applied to the attachments, and the highest classification label is selected. The attachment must be a physical file, and cannot be a link to a file (for example, a link to a file on Microsoft SharePoint or OneDrive). Users can accept the recommendation or dismiss it. When you set this option to Automatic, the label is automatically applied but users can remove the label or select a different label before sending the email.

      To take the ordering of sublabels into consideration when you use this policy setting, you must configure an advanced client setting.

      When the attachment with the highest classification label is configured for protection with the preview setting of user-defined permissions:

      • When the label's user-defined permissions include Outlook (Do Not Forward), that label is applied and Do Not Forward protection is applied to the email.

      • When the label's user-defined permissions are just for Word, Excel, PowerPoint, and File Explorer, that label is not applied to the email, and neither is protection.

    • Display the Information Protection bar in Office apps: When this setting is off, users cannot select labels from a bar in Word, Excel, PowerPoint, and Outlook. Instead, users must select labels from the Protect button on the ribbon. When this setting is on, users can select labels from either the bar or the button.

      When this setting is on, it can be used in conjunction with an advanced client setting so that users can permanently hide the Azure Information Protection bar if they choose not to show the bar. They can do this by clearing the Show Bar option from the Protect button.

    • Add the Do Not Forward button to the Outlook ribbon: When this setting is on, users can select this button from the Protection group on the Outlook ribbon in addition to selecting the Do Not Forward option from Outlook menus. To help ensure that users classify their emails as well as protect them, you might prefer not to add this button but instead configure a label for protection and a user-defined permission for Outlook. This protection setting is functionally the same as selecting the Do Not Forward button, but when this functionality is included with a label, emails are classified as well as protected.

      This policy setting can also be configured with an advanced client setting as a client customization.

    • Make the custom permissions option available to users: When this setting is on, users see options to set their own protection settings that can override any protection settings that you might have included with a label configuration. Users can also see an option to remove protection. When this setting is off, users do not see these options.

      Note that this policy setting has no effect on custom permissions that users can configure from Office menu options. However, it can also be configured with an advanced client setting as a client customization.

      The custom permissions options are located in the following places:

      • In Office applications: From the ribbon, Home tab > Protection group > Protect > Custom Permissions

      • From File Explorer: Right-click > Classify and protect > Custom permissions

    • Provide a custom URL for the Azure Information Protection client "Tell me more" web page: Users see this link in the Microsoft Azure Information Protection dialog box, Help and Feedback section, when they select Protect > Help and feedback from the Home tab in their Office applications. By default, this link goes to the Azure Information Protection website. You can enter an HTTP or HTTPS (recommended) URL if you want this link to go to an alternative web page. No check is made to verify that the custom URL entered is accessible or displays correctly on all devices.

      As an example, for your help desk, you might enter the Microsoft documentation page that includes information about installing and using the client: https://docs.microsoft.com/information-protection/rms-client/info-protect-client. Or release version information: https://docs.microsoft.com/information-protection/rms-client/client-version-release-history. Alternatively, you might publish your own webpage that includes information for users to contact your help desk, or a video that steps users through how to use the labels that you have configured.

  4. To save your changes and make them available to users, click Save.

When you click Save, your changes are automatically available to users and services. There's no longer a separate publish option.
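
The default-label setting above does not apply to File Explorer or PowerShell, and the mandatory-label setting does not apply when a label is removed with Set-AIPFileLabel -RemoveLabel, so files can remain unlabeled with both settings on. The following check is an added example, not part of the original page: it uses the client's Get-AIPFileStatus cmdlet to report unlabeled files and files that are protected but carry no classification. The function name `Get-AipLabelCoverage`, the share path and the report file name are hypothetical.

```powershell
# Added example (not from the original page). Assumes the AzureInformationProtection
# PowerShell module that is installed with the client.
function Get-AipLabelCoverage {
    param(
        [Parameter(Mandatory)]
        [string]$Path    # folder or UNC share to audit
    )

    Import-Module AzureInformationProtection -ErrorAction Stop

    # Get-AIPFileStatus accepts a folder and returns one status object per file
    # in that folder and its subfolders. Files it cannot evaluate are collected
    # in $scanErrors instead of stopping the sweep.
    $status = @(Get-AIPFileStatus -Path $Path -ErrorAction SilentlyContinue -ErrorVariable scanErrors)
    foreach ($e in $scanErrors) { Write-Warning "Not evaluated: $e" }

    # Files with no label at all: the default-label and mandatory-label
    # settings did not reach them.
    $unlabeled = @($status | Where-Object { -not $_.IsLabeled })

    # Protected but unclassified: protection set through custom permissions
    # rather than through a label that also classifies the file.
    $protectedOnly = @($unlabeled | Where-Object { $_.IsRMSProtected })

    [pscustomobject]@{
        FilesChecked          = $status.Count
        Unlabeled             = $unlabeled.Count
        ProtectedButUnlabeled = $protectedOnly.Count
        ByLabel               = $status | Where-Object { $_.IsLabeled } |
                                    Group-Object MainLabelName, SubLabelName -NoElement |
                                    Sort-Object Count -Descending
        UnlabeledFiles        = $unlabeled | Select-Object FileName, IsRMSProtected
    }
}

# Hypothetical share; replace with the location to audit.
$report = Get-AipLabelCoverage -Path '\\fileserver\projects'
$report | Format-List FilesChecked, Unlabeled, ProtectedButUnlabeled
$report.ByLabel | Format-Table Name, Count -AutoSize
$report.UnlabeledFiles |
    Export-Csv -Path (Join-Path $env:TEMP 'aip-unlabeled.csv') -NoTypeInformation
```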

Next steps

To see how some of these policy settings can work together, try the Configure Azure Information Protection policy settings that work together tutorial.

For more information about configuring your Azure Information Protection policy, use the links in the Configuring your organization's policy section.