Azure Information Protection deployment roadmap for protection only

Applies to: Azure Information Protection, Office 365

Note

To provide a unified and streamlined customer experience, the Azure Information Protection client (classic) and Label Management in the Azure portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Use the following steps as recommendations to help you prepare for, implement, and manage Azure Information Protection for your organization when you want to implement data protection only.

This roadmap is recommended for customers with a subscription that doesn't support both classification and labels, but does support protection without labels. You must have the AIP classic client installed.

Deployment process

Perform the following steps:

  1. Confirm that you have a subscription that includes the AIP protection service
  2. Prepare your tenant to use Azure Information Protection
  3. Install the Azure Information Protection classic client and configure applications and services for Rights Management
  4. Use and monitor your data protection solutions
  5. Administer the protection service for your tenant account as needed

Confirm that you have a subscription that includes the AIP protection service

Verify that your organization has a subscription that includes the functionality and features you expect. You can use the subscription information and feature list on the Azure Information Protection Pricing page.

Assign a license from this subscription to each user in your organization who will protect documents and emails.

Important

Do not manually assign user licenses from the free RMS for individuals subscription, and do not use this license to administer the Azure Rights Management service for your organization.

These licenses display as Rights Management Adhoc in the Microsoft 365 admin center, and as RIGHTSMANAGEMENT_ADHOC when you run the Azure AD PowerShell cmdlet Get-MsolAccountSku.

For more information about how the RMS for individuals subscription is automatically granted and assigned to users, see RMS for individuals and Azure Information Protection.

Prepare your tenant to use Azure Information Protection

Before you begin using the protection service from Azure Information Protection, do the following preparation:

  1. Set up your user accounts and groups for AIP.

    Make sure that your Office 365 tenant contains the user accounts and groups that Azure Information Protection will use to authenticate and authorize users from your organization. If necessary, create these accounts and groups, or synchronize them from your on-premises directory.

    For more information, see Preparing users and groups for Azure Information Protection.

  2. Decide how you want to manage your tenant key.

    Decide whether you want Microsoft to manage your tenant key (the default), or to generate and manage your tenant key yourself (known as bring your own key, or BYOK). For additional security, implement "hold your own key" (HYOK) protection.

    For more information, see Planning and implementing your Azure Information Protection tenant key.

  3. Install PowerShell for AIP.

    Install the PowerShell module for AIPService on at least one computer that has internet access. You can do this step now or later.

    For more information, see Installing the AIPService PowerShell module.

  4. AD RMS only: Migrate your data to the cloud.

    If you are currently using AD RMS, perform a migration to move the keys, templates, and URLs to the cloud.

    For more information, see Migrating from AD RMS to Azure Information Protection.

  5. Activate protection.

    Make sure that the protection service is activated so that you can begin to protect documents and emails. If you are deploying in phases, configure user onboarding controls to restrict users' ability to apply protection.

    For more information, see Activating the protection service from Azure Information Protection.

  6. Configure optional features as needed.

    Consider configuring either of the following features, either now or later.

    Feature: Custom templates for protection settings
    Description: If the default templates are not sufficient for your organization, configure custom templates. For more information, see Configuring and managing templates for Azure Information Protection.

    Feature: Usage logging
    Description: Configure usage logging to monitor how your organization is using the protection service. For more information, see Logging and analyzing the protection usage from Azure Information Protection.
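The tenant-preparation steps above (installing the AIPService module, activating protection, restricting a phased rollout with onboarding controls, and pulling usage logs) carried out from PowerShell, as an added example that is not part of the original article. The pilot group object ID, the log folder, and the seven-day window are placeholders; the cmdlets are those of the AIPService module.

```powershell
# Added example (not from the original article): prepare the tenant with the AIPService module.
# Run from an internet-connected admin workstation as a global or AIP administrator.
if (-not (Get-Module -ListAvailable -Name AIPService)) {
    Install-Module -Name AIPService -Scope CurrentUser
}
Import-Module AIPService
Connect-AipService   # prompts for the tenant admin credentials

# Step 5: activate the protection service only if it is not already enabled.
$state = "$(Get-AipService)"
if ($state -ne 'Enabled') {
    Enable-AipService
    Write-Host 'Protection service activated.'
} else {
    Write-Host 'Protection service already enabled.'
}

# Phased deployment: let only members of a pilot security group apply protection.
# Placeholder object ID - replace with the ObjectId of your Azure AD pilot group.
$pilotGroupId = '00000000-0000-0000-0000-000000000000'
Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $false `
    -SecurityGroupObjectId $pilotGroupId -Scope All
Get-AipServiceOnboardingControlPolicy   # confirm the restriction is in effect

# Step 6 (usage logging): download the last seven days of usage logs for review.
$logPath = 'C:\AIPLogs'   # placeholder folder
New-Item -ItemType Directory -Path $logPath -Force | Out-Null
Get-AipServiceUserLog -Path $logPath -FromDate (Get-Date).AddDays(-7) -ToDate (Get-Date)
```

Review the downloaded logs regularly; a user applying protection who is outside the pilot group indicates the onboarding policy is not applied as intended.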

Install the Azure Information Protection classic client and configure applications and services for Rights Management

Perform the following steps:

  1. Deploy the Azure Information Protection classic client

    Install the classic client for users to support Office 2010, to protect files other than Office documents and emails, and to track protected documents. Provide user training for this client.

    For more information, see Azure Information Protection client for Windows.

  2. Configure Office applications and services

    Configure Office applications and services for the information rights management (IRM) features in SharePoint or Exchange Online.

    For more information, see Configuring applications for Azure Rights Management.

  3. Configure the super user feature for data recovery

    If you have existing IT services that need to inspect files that Azure Information Protection will protect—such as data leak prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products—configure the service accounts to be super users for Azure Rights Management.

    For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.

  4. Protect existing files in bulk

    You can use PowerShell cmdlets to bulk-protect or bulk-unprotect multiple file types.

    For more information, see Using PowerShell with the Azure Information Protection client in the admin guide.

    For files on Windows-based file servers, you can use these cmdlets with a script and Windows Server File Classification Infrastructure. For more information, see RMS protection with Windows Server File Classification Infrastructure (FCI).

  5. Deploy the connector for on-premises servers

    If you have on-premises services that you want to use with the protection service, install and configure the Rights Management connector.

    For more information, see Deploying the Azure Rights Management connector.
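Steps 3 and 4 above (granting super user rights to a scanning service account, then bulk-protecting existing files and verifying the result) as an added PowerShell example that is not part of the original article. The service account address, the template name, and the folder path are placeholders; the cmdlets come from the AIPService module (tenant side) and the AzureInformationProtection module installed with the classic client.

```powershell
# Added example (not from the original article): super user setup and bulk protection.
Import-Module AIPService
Connect-AipService

# Step 3: enable the super user feature and grant it to one dedicated service account.
# Super users can decrypt any content protected by the tenant, so keep the list minimal
# and audit it on a schedule.
Enable-AipServiceSuperUserFeature
Add-AipServiceSuperUser -EmailAddress 'dlp-scanner@contoso.example'   # placeholder account
Get-AipServiceSuperUser   # audit: confirm only the intended accounts are listed

# Step 4: bulk-protect a folder with the client module, using a protection template.
Import-Module AzureInformationProtection
$templateName = 'Contoso - Confidential'   # placeholder template name
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    throw "Template '$templateName' not found; run Get-RMSTemplate to list the available templates."
}

# -InPlace replaces each original with its protected copy; test on a copy of the data first.
$folder = 'C:\FinanceShare'   # placeholder folder
$results = Protect-RMSFile -Folder $folder -Recurse -InPlace -TemplateId $template.TemplateId

# Verify: report any file that did not end up protected.
$failed = 0
foreach ($r in $results) {
    $status = (Get-RMSFileStatus -File $r.EncryptedFile).Status
    if ($status -ne 'Protected') {
        Write-Warning "Not protected: $($r.EncryptedFile)"
        $failed++
    }
}
Write-Host "$($results.Count) file(s) processed, $failed not protected."
```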

Use and monitor your data protection solutions

You're now ready to protect your data and to log how your company is using the protection service.

For more information, see:

Administer the protection service for your tenant account as needed

As you begin to use the protection service, you might find PowerShell useful for scripting or automating administrative changes. PowerShell might also be needed for some of the advanced configurations.

For more information, see Administering protection from Azure Information Protection by using PowerShell.

Next steps

As you deploy Azure Information Protection, you might find it helpful to check the frequently asked questions, and the information and support page for additional resources.