分类、标签和保护的 AIP 部署路线图AIP deployment roadmap for classification, labeling, and protection

适用于: Azure 信息保护Office 365Applies to: Azure Information Protection, Office 365


为了提供统一、简化的客户体验,Azure 门户中的 Azure 信息保护客户端(经典)和标签管理将于 2021 年 3 月 31 日弃用。To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. 在此时间框架内,所有 Azure 信息保护客户都可以使用 Microsoft 信息保护统一标记平台转换到我们的统一标记解决方案。This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. 有关详细信息,请参阅官方弃用通知Learn more in the official deprecation notice.

当你要对数据进行分类、标记和保护时,请使用以下步骤作为建议来帮助你为你的组织准备、实施和管理 Azure 信息保护。Use the following steps as recommendations to help you prepare for, implement, and manage Azure Information Protection for your organization, when you want to classify, label, and protect your data.

对于任何具有支持订阅的客户,建议使用此路线图。This roadmap is recommended for any customers with a supporting subscription. 其他功能包括发现敏感信息以及标记文档和电子邮件以进行分类。Additional capabilities include both discovering sensitive information and labeling documents and emails for classification.

标签还可以应用保护,以便为用户简化此步骤。Labels can also apply protection, simplifying this step for your users.

使用经典客户端创建的 AIP 标签和使用统一标签平台的灵敏度标签都支持此路线图。This roadmap is supported for both AIP labels created with the classic client, and sensitivity labels that use the unified labeling platform.

部署过程Deployment process

执行以下步骤:Perform the following steps:

  1. 确认订阅,分配用户许可证Confirm your subscription and assign user licenses
  2. 准备租户以使用 Azure 信息保护Prepare your tenant to use Azure Information Protection
  3. 配置、部署分类和标记Configure and deploy classification and labeling
  4. 准备数据保护Prepare for data protection
  5. 为数据保护配置标签和设置、应用程序和服务Configure labels and settings, applications, and services for data protection
  6. 使用和监视数据保护解决方案Use and monitor your data protection solutions
  7. 根据需要管理租户帐户的保护服务Administer the protection service for your tenant account as needed


已在使用 Azure 信息保护提供的保护功能?Already using the protection functionality from Azure Information Protection? 可以跳过这些步骤中的许多步骤,重点关注步骤35.1You can skip many of these steps and focus on steps 3 and 5.1.

确认订阅,分配用户许可证Confirm your subscription and assign user licenses

确认你的组织具有包含所需功能和功能的订阅。Confirm that your organization has a subscription that includes the functionality and features you expect. 可以在Azure 信息保护定价页上找到这些详细信息。You can find these details on the Azure Information Protection Pricing page.

然后,将该订阅中的许可证分配给组织中的每位用户,这些用户将对文档和电子邮件进行分类、标记和保护。Then, assign licenses from this subscription to each user in your organization who will classify, label, and protect documents and emails.


不要从免费的个人 RMS 订阅手动分配用户许可证,也不要使用此许可证来管理组织的 Azure Rights Management 服务。Do not manually assign user licenses from the free RMS for individuals subscription, and do not use this license to administer the Azure Rights Management service for your organization.

这些许可证在 Microsoft 365 管理中心显示为“权限管理即席”****,当运行 Azure AD PowerShell cmdlet Get-MsolAccountSku 时显示为 RIGHTSMANAGEMENT_ADHOCThese licenses display as Rights Management Adhoc in the Microsoft 365 admin center, and RIGHTSMANAGEMENT_ADHOC when you run the Azure AD PowerShell cmdlet, Get-MsolAccountSku.

有关详细信息,请参阅个人 RMS 和 Azure 信息保护For more information, see RMS for individuals and Azure Information Protection.

准备租户以使用 Azure 信息保护Prepare your tenant to use Azure Information Protection

在开始使用 Azure 信息保护之前,请确保你的用户帐户和组位于 Office 365 或 Azure Active Directory 中,AIP 可用于对用户进行身份验证和授权。Before you begin using Azure Information Protection, make sure that you have user accounts and groups in Office 365 or Azure Active Directory that AIP can use to authenticate and authorize your users.

如有必要,请创建这些帐户和组,或者从本地目录同步这些帐户和组。If necessary, create these accounts and groups, or synchronize them from your on-premises directory.

有关详细信息,请参阅准备用户和组以便使用 Azure 信息保护For more information, see Preparing users and groups for Azure Information Protection.

配置、部署分类和标记Configure and deploy classification and labeling

确定是使用 AIP 经典还是 AIP 统一标签客户端,或者是否需要这两个客户端。Determine whether you're going to use the AIP classic or the AIP unified labeling client, or if you'll need both clients.

  1. 确定要使用的客户端。Determine which client you want to use.

    确定此时需要的客户端,以便知道在配置标签和策略设置时要使用的管理门户。Decide which client you'll need at this point so that you know which management portal to use when configuring labels and policy settings.

    有关详细信息,请参阅选择要使用的 Azure 信息保护客户端For more information, see Choose which Azure Information Protection client to use.

  2. 扫描文件(可选,但建议使用)。Scan your files (optional but recommended).

    部署并运行 AIP 扫描程序,以发现本地数据存储区上的敏感信息。Deploy and run the AIP scanner to discover the sensitive information you have on your local data stores. 扫描程序找到的信息有助于进行类别分类,提供有关所需的标签类型以及需要保护的文件的重要信息。The information that the scanner finds can help you with your classification taxonomy, provide valuable information about what labels you need, and which files need protecting.

    "扫描程序发现模式" 不需要任何标签配置或分类,因此适用于部署的这一早期阶段。The scanner discovery mode doesn't require any label configuration or taxonomy, and is therefore suitable at this early stage of your deployment. 你还可以在配置建议或自动标记之前,将此扫描程序配置与以下部署步骤并行使用。You can also use this scanner configuration in parallel with the following deployment steps, until you configure recommended or automatic labeling.

  3. 自定义默认的 AIP 策略Customize the default AIP policy.

    如果还没有分类策略,请使用默认的 Azure 信息保护策略作为确定数据所需的标签的基础。If you don't have a classification strategy yet, use the default Azure Information Protection policy as a basis for determining which labels you'll need for your data. 根据需要自定义这些标签以满足你的需求。Customize these labels as needed to meet your needs.

    例如,你可能希望通过以下详细信息重新配置标签:For example, you may want to reconfigure your labels with the following details:

    • 请确保您的标签支持您的分类决定。Make sure that your labels support your classification decisions.
    • 配置用户手动标识的策略Configure policies for manual labeling by users
    • 编写用户指南来帮助说明应在每个方案中应用的标签。Write user guidance to help explain which label should be applied in each scenario.
    • 如果默认策略是使用自动应用保护的标签创建的,则在测试设置时,你可能需要临时删除保护设置或禁用标签。If your default policy was created with labels that automatically apply protection, you may want to temporarily remove the protection settings or disable the label while you test your settings.

    有关如何配置标签和策略设置的详细信息,请参阅:For more information about how to configure the labels and policy settings, see:

  4. 部署客户端Deploy your client

    配置策略后,为用户部署 Azure 信息保护经典和/或统一标签客户端。Once you have a policy configured, deploy the Azure Information Protection classic and/or unified labeling client for your users. 提供用户培训和特定说明,以便选择标签。Provide user training and specific instructions when to select the labels.

    有关详细信息,请参阅:For more information, see:

  5. 引入更高级的配置Introduce more advanced configurations

    请等待用户对文档和电子邮件中的标签更熟悉。Wait for your users to become more comfortable with labels on their documents and emails. 准备就绪后,请引入高级配置,例如:When you're ready, introduce advanced configurations, such as:

    • 应用默认标签Applying default labels
    • 如果用户选择了具有较低分类级别的标签或删除标签,则提示用户提供理由Prompting users for justification if they chose a label with a lower classification level or remove a label
    • 所有文档和电子邮件都具有标签Mandating that all documents and emails have a label
    • 自定义页眉、页脚或水印Customizing headers, footers, or watermarks
    • 建议和自动标记Recommended and automatic labeling

    有关详细信息,请参阅:For more information, see:


    如果已将标签配置为自动标签,请在发现模式下再次在本地数据存储上运行Azure 信息保护扫描程序,并匹配策略。If you've configured labels for automatic labeling, run the Azure Information Protection scanner again on your local data stores in discovery mode and to match your policy.

    如果在发现模式下运行扫描程序,则会告诉你哪些标签将应用于文件,这有助于微调你的标签配置并准备批量分类和保护文件。Running the scanner in discovery mode tells you which labels would be applied to files, which helps you fine-tune your label configuration and prepares you for classifying and protecting files in bulk.

准备数据保护Prepare for data protection

一旦用户对文档和电子邮件进行了舒适的标记,就会为最敏感数据引入数据保护。Introduce data protection for your most sensitive data once users become comfortable labeling documents and emails.

执行以下步骤来准备数据保护:Perform the following steps to prepare for data protection:

  1. 确定要管理租户密钥的方式Determine how you want to manage your tenant key.

    决定你是希望 Microsoft 管理你的租户密钥(默认设置),还是自行生成和管理你的租户密钥(也称为“自带密钥”,简称 BYOK)。Decide whether you want Microsoft to manage your tenant key (the default), or generate and manage your tenant key yourself (known as bring your own key, or BYOK).


    根据你的客户端,可以使用其他选项 "自带密钥(HYOK)" 或双密钥加密来提高安全性。Depending on your client, additional options to "hold your own key (HYOK)", or double-key encryption are available for additional security. ..

    有关详细信息,请参阅计划和实现 Azure 信息保护租户密钥For more information, see Planning and implementing your Azure Information Protection tenant key

  2. 安装适用于 AIP 的 PowerShellInstall PowerShell for AIP.

    在至少一台具有 internet 访问权限的计算机上安装适用于 AIPService 的 PowerShell 模块。Install the PowerShell module for AIPService on at least one computer that has internet access. 你可以立即执行此步骤,也可以稍后执行。You can do this step now, or later.

    有关详细信息,请参阅安装 AIPService PowerShell 模块For more information, see Installing the AIPService PowerShell module.

  3. 仅 AD RMS:将密钥、模板和 url 迁移到云。AD RMS only: Migrate your keys, templates, and URLs to the cloud.

    如果你当前正在使用 AD RMS,请执行迁移,将密钥、模板和 Url 移动到云。If you are currently using AD RMS, perform a migration to move the keys, templates, and URLs to the cloud.

    有关详细信息,请参阅从 AD RMS 迁移到信息保护For more information, see Migrating from AD RMS to Information Protection.

  4. 激活保护Activate protection.

    确保保护服务已激活,以便开始保护文档和电子邮件。Make sure that the protection service is activated so that you can begin to protect documents and emails. 如果要以多个阶段进行部署,请配置用户载入控制以限制用户应用保护。If you're deploying in multiple phases, configure user onboarding controls to restrict users' ability to apply protection.

    有关详细信息,请参阅激活 Azure 信息保护的保护服务For more information, see Activating the protection service from Azure Information Protection.

  5. 请考虑使用日志记录(可选)Consider usage logging (optional).

    请考虑使用日志记录使用情况来监视组织如何使用保护服务。Consider logging usage to monitor how your organization is using the protection service. 你可以立即执行此步骤,也可以稍后执行。You can do this step now, or later.

    有关详细信息,请参阅记录和分析 Azure 信息保护中的保护使用情况For more information, see Logging and analyzing the protection usage from Azure Information Protection.

为数据保护配置标签和设置、应用程序和服务Configure labels and settings, applications, and services for data protection

执行以下步骤:Perform the following steps:

  1. 更新标签以应用保护Update your labels to apply protection

    根据你的客户端,使用以下指南之一:Use one of the following guides, depending on your client:


    即使没有为信息权限管理(IRM)配置 Exchange,用户也可以在应用 Rights Management 保护的 Outlook 中应用标签。Users can apply labels in Outlook that apply Rights Management protection even if Exchange is not configured for information rights management (IRM).

    但是,在为 IRM 或具有新功能的 Office 365 邮件加密配置 Exchange 之前,你的组织将无法获得将 Exchange 与 Azure Rights Management 保护配合使用的完整功能。However, until Exchange is configured for IRM or Office 365 Message Encryption with new capabilities, your organization will not get the full functionality of using Azure Rights Management protection with Exchange. 此附加配置包含在以下列表中(对于 Exchange Online,则为 2;对于 Exchange 本地,则为 5)。This additional configuration is included in the following list (2 for Exchange Online, and 5 for Exchange on-premises).

  2. 配置 Office 应用程序和服务Configure Office applications and services

    为 Microsoft SharePoint 或 Exchange Online 中的信息权限管理(IRM)功能配置 Office 应用程序和服务。Configure Office applications and services for the information rights management (IRM) features in Microsoft SharePoint or Exchange Online.

    有关详细信息,请参阅配置适用于 Azure Rights Management 的应用程序For more information, see Configuring applications for Azure Rights Management.

  3. 为数据恢复配置超级用户功能Configure the super user feature for data recovery

    如果现有 IT 服务(例如数据泄露防护 (DLP) 解决方案、内容加密网关 (CEG) 和反恶意软件产品)需要检查 Azure 信息保护将保护的文件,请将服务帐户配置为 Azure Rights Management 的超级用户。If you have existing IT services that need to inspect files that Azure Information Protection will protect—such as data leak prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products—configure the service accounts to be super users for Azure Rights Management.

    有关详细信息,请参阅为 Azure 信息保护和发现服务或数据恢复配置超级用户For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.

  4. 批量分类和保护现有文件Classify and protect existing files in bulk

    对于本地数据存储,现在以强制模式运行 Azure 信息保护扫描程序,以便自动标记文件。For your on-premises data stores, now run the Azure Information Protection scanner in enforcement mode so that files are automatically labeled.

    对于 Pc 上的文件,请使用 PowerShell cmdlet 来分类和保护文件。For files on PCs, use PowerShell cmdlets to classify and protect files. 有关详细信息,请参阅以下指南,具体取决于你的客户端:For more information, see the following guides, depending on your client:

    对于基于云的数据存储,请使用 Azure Cloud App SecurityFor cloud-based data stores, use Azure Cloud App Security.


    虽然批量分类和保护现有文件不是 cloud app security 的主要用例之一,但文档记录的解决方法可帮助你将文件分类并保护。While classifying and protecting existing files in bulk is not one of the main use cases for cloud app security, documented workarounds can help you get your files classified and protected.

  5. 在 SharePoint Server 上部署受 IRM 保护的库的连接器,为本地 Exchange 部署受 IRM 保护的电子邮件Deploy the connector for IRM-protected libraries on SharePoint Server, and IRM-protected emails for Exchange on-premises

    如果具有本地 SharePoint 和 Exchange 并希望使用其信息权限管理 (IRM) 功能,请安装和配置 Rights Management 连接器。If you have SharePoint and Exchange on-premises and want to use their information rights management (IRM) features, install and configure the Rights Management connector.

    有关详细信息,请参阅部署 Azure Rights Management 连接器For more information, see Deploying the Azure Rights Management connector.

使用和监视数据保护解决方案Use and monitor your data protection solutions

现在,你可以监视你的组织如何使用已配置的标签,并确认你正在保护敏感信息。You're now ready to monitor how your organization is using the labels that you've configured and confirm that you're protecting sensitive information.

有关详细信息,请参阅以下页面:For more information, see the following pages:

根据需要管理租户帐户的保护服务Administer the protection service for your tenant account as needed

开始使用保护服务时,可以利用 PowerShell 帮助编写脚本或自动执行管理更改。As you begin to use the protection service, you might find PowerShell useful to help script or automate administrative changes. 某些高级配置可能还需要使用 PowerShell。PowerShell might also be needed for some of the advanced configurations.

有关详细信息,请参阅使用 PowerShell 管理 Azure 信息保护中的保护For more information, see Administering protection from Azure Information Protection by using PowerShell.

后续步骤Next steps

部署 Azure 信息保护时,你可能会发现检查常见问题,以及其他资源的信息和支持页面非常有用。As you deploy Azure Information Protection, you might find it helpful to check the frequently asked questions, and the information and support page for additional resources.