Frequently asked questions for Azure Information Protection

Applies to: Azure Information Protection, Office 365

Note

To provide a unified and streamlined customer experience, the Azure Information Protection client (classic) and Label Management in the Azure portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Have a question about Azure Information Protection, or about the Azure Rights Management service (Azure RMS)? See if it's answered here.

What's the difference between Azure Information Protection and Microsoft Information Protection?

Unlike Azure Information Protection, Microsoft Information Protection isn't a subscription or product that you can buy. Instead, it's a framework for products and integrated capabilities that help you protect your organization's sensitive information.

Microsoft Information Protection products include:

  • Azure Information Protection
  • Office 365 Information Protection, such as Office 365 DLP
  • Windows Information Protection
  • Microsoft Cloud App Security

Microsoft Information Protection capabilities include:

  • Unified label management
  • End-user labeling experiences built into Office apps
  • The ability for Windows to understand unified labels and apply protection to data
  • The Microsoft Information Protection SDK
  • Functionality in Adobe Acrobat Reader to view labeled and protected PDFs

For more information, see Information protection capabilities to help protect your sensitive data.

What's the difference between labels in Azure Information Protection and labels in Office 365?

Originally, Office 365 had just retention labels, which enabled you to classify documents and emails for auditing and retention when that content was stored in Office 365 services.

In contrast, Azure Information Protection labels enabled you to apply a consistent classification and protection policy to documents and emails whether they were stored on-premises or in the cloud.

As announced at Microsoft Ignite 2018 in Orlando, Office 365 now has the option to create and configure sensitivity labels, in addition to retention labels. Sensitivity labels can be created and configured in the following admin centers:

  • Office 365 Security & Compliance Center
  • Microsoft 365 security center
  • Microsoft 365 compliance center

Use Azure Information Protection labels as sensitivity labels with Office 365 apps by migrating your AIP labels to the unified labeling store.

For more information about unified labeling management and support, see Announcing availability of information protection capabilities to help protect your sensitive data.

How can I determine if my tenant is on the unified labeling platform?

When your tenant is on the unified labeling platform, it supports sensitivity labels that can be used by clients and services that support unified labeling. If you obtained your subscription for Azure Information Protection in June 2019 or later, your tenant is automatically on the unified labeling platform and no further action is needed. Your tenant might also be on this platform because somebody migrated your Azure Information Protection labels.

If your tenant is not on the unified labeling platform, you'll see the following information banner in the Azure portal, on the Azure Information Protection panes:

[Image: migration information banner]

You can also check by going to Azure Information Protection > Manage > Unified labeling, and viewing the Unified labeling status:

Status: Activated
    Your tenant is on the unified labeling platform. You can create, configure, and publish labels from the Microsoft 365 compliance center.

Status: Not activated
    Your tenant is not on the unified labeling platform. For migration instructions and guidance, see How to migrate Azure Information Protection labels to unified sensitivity labels.

What's the difference between the Azure Information Protection classic and unified labeling clients?

The original client, referred to as the Azure Information Protection client or the classic client, downloads labels and policy settings from Azure and enables you to configure the AIP policy from the Azure portal.

The unified labeling client is a more recent addition and supports the unified labeling store used by multiple applications and services. The unified labeling client downloads sensitivity labels and policy settings from the following admin centers:

  • Office 365 Security & Compliance Center
  • Microsoft 365 security center
  • Microsoft 365 compliance center

If you're an admin and aren't sure which client to use, see Choose which Azure Information Protection client to use.

Identify the client you have installed

If you are a user who wants to verify whether you have the classic or the unified labeling client installed, select Help and Feedback to show the Microsoft Azure Information Protection dialog box.

For example:

[Image: the Microsoft Azure Information Protection dialog box, showing the version number used to tell the classic client from the unified labeling client]

The version number indicates the client, as follows:

  • Versions 1.x indicate that you have the classic client. Example: 1.54.59.0
  • Versions 2.x indicate that you have the unified labeling client. Example: 2.6.111.0

Access this dialog using one of the following methods:

  • In File Explorer, right-click a file, several files, or a folder, and select Classify and protect > Help and Feedback.
  • In Office applications, the classic client has a Protect button, and the unified labeling client has a Sensitivity button. Select either of these buttons and then select Help and Feedback.
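The dialog box is fine for one machine; when you need to find every remaining classic (deprecated) client across a fleet, the same 1.x/2.x rule can be applied to the installed-program data instead. The following PowerShell is an added example and is not code from the Microsoft documentation. It assumes (this is an assumption, not something the page states) that the client registers an uninstall entry whose DisplayName begins with "Microsoft Azure Information Protection"; everything else follows the version rule given above.

```powershell
# Added example, not from the Microsoft documentation: classify the installed
# Azure Information Protection client on a Windows machine from the registry.
# Assumption: the client's uninstall entry has a DisplayName that starts with
# "Microsoft Azure Information Protection". The version rule (1.x = classic,
# 2.x = unified labeling) is the one stated in the FAQ.

function Get-AipClientKind {
    # Map a client version to the client type using the FAQ's rule.
    param([Parameter(Mandatory)][version]$Version)
    switch ($Version.Major) {
        1       { 'classic' }
        2       { 'unified-labeling' }
        default { 'unknown' }
    }
}

function Get-InstalledAipClient {
    # Both 64-bit and 32-bit uninstall hives are checked, because the client
    # may be registered under either depending on the installer used.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -like 'Microsoft Azure Information Protection*' -and
            $_.DisplayVersion                       # skip entries with no version
        } |
        ForEach-Object {
            $v = [version]$_.DisplayVersion
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                DisplayName  = $_.DisplayName
                Version      = $v
                Client       = Get-AipClientKind -Version $v
                Deprecated   = ($v.Major -eq 1)    # classic client is being retired
            }
        }
}

# Constructed sample input: the two version strings quoted in the FAQ.
foreach ($sample in '1.54.59.0', '2.6.111.0') {
    '{0} -> {1}' -f $sample, (Get-AipClientKind -Version ([version]$sample))
}

# On a real machine, report what is actually installed.
Get-InstalledAipClient | Format-Table -AutoSize
```

Run the script through your usual remote-execution tooling (for example, as the script block of Invoke-Command) to collect one row per machine and filter on Deprecated to produce the list of clients that still need to be migrated.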

When is the right time to migrate my labels?

We recommend that you migrate your Azure Information Protection labels to the unified labeling platform so that you can use them as sensitivity labels with the other clients and services that support unified labeling.

For more information and instructions, see How to migrate Azure Information Protection labels to unified sensitivity labels.

After I've migrated my labels, which management portal do I use?

After you've migrated your labels in the Azure portal, continue managing them in one of the following locations, depending on the clients you have installed:

Unified labeling clients and services only
    If you only have unified labeling clients installed, manage your labels in one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center. Unified labeling clients download the labels and policy settings from these admin centers. For instructions, see Create and configure sensitivity labels and their policies.

Classic client only
    If you've migrated your labels but still have the classic client installed, continue to use the Azure portal to edit labels and policy settings. The classic client continues to download labels and policy settings from Azure.

Both the AIP classic client and unified labeling clients
    If you have both clients installed, use either the admin centers or the Azure portal to make label changes. For the classic clients to pick up label changes made in the admin centers, return to the Azure portal to publish them: in the Azure portal, on the Azure Information Protection - Unified labeling pane, select Publish.

Continue to use the Azure portal for central reporting and the scanner.

What's the difference between Azure Information Protection and Azure Rights Management?

Azure Information Protection (AIP) provides classification, labeling, and protection for an organization's documents and emails.

Content is protected using the Azure Rights Management service, which is now a component of AIP.

For more information, see How data is protected and What is Azure Rights Management?

What's the role of identity management for Azure Information Protection?

Identity management is an important component of AIP, because users must authenticate with a valid user name and password before they can access protected content.

To read more about how Azure Information Protection helps to secure your data, see The role of Azure Information Protection in securing data.

What subscription do I need for Azure Information Protection, and what features are included?

To understand more about AIP subscriptions, see the subscription information and feature list on the Azure Information Protection pricing page.

If you have an Office 365 subscription that includes Azure Rights Management data protection, download the Azure Information Protection licensing datasheet for more details about integrating with AIP.

Still have questions about licensing? See if they are answered in the frequently asked questions for licensing section.

Is the Azure Information Protection client only for subscriptions that include classification and labeling?

No. The classic AIP client can also be used with subscriptions that include just the Azure Rights Management service, for data protection only.

When the classic client is installed without an Azure Information Protection policy, the client automatically operates in protection-only mode, which enables users to apply Rights Management templates and custom permissions.

If you later purchase a subscription that does include classification and labeling, the client automatically switches to standard mode when it downloads the Azure Information Protection policy.

Do you need to be a global admin to configure Azure Information Protection, or can I delegate to other administrators?

Global administrators for an Office 365 tenant or Azure AD tenant can run all administrative tasks for Azure Information Protection.

However, if you want to assign administrative permissions to other users, do so using one of the roles described in the sections that follow.

Additionally, note the following when managing administrative tasks and roles:

Supported account types
    Microsoft accounts are not supported for delegated administration of Azure Information Protection, even if these accounts are assigned to one of the administrative roles listed.

Onboarding controls
    If you have configured onboarding controls, this configuration does not affect the ability to administer Azure Information Protection, except for the RMS connector. For example, if you have configured onboarding controls so that the ability to protect content is restricted to the IT department group, the account used to install and configure the RMS connector must be a member of that group.

Removing protection
    Administrators cannot automatically remove protection from documents or emails that were protected by Azure Information Protection. Only users who are assigned as super users can remove protection, and only when the super user feature is enabled. Any user with administrative permissions to Azure Information Protection can enable the super user feature and assign users as super users, including their own account. These actions are recorded in an administrator log. Because an administrator can grant this capability to their own account, treat every Azure Information Protection administrative role as one that can ultimately decrypt protected content, and review the administrator log for these actions. For more information, see the security best practices section in Configuring super users for Azure Information Protection and discovery services or data recovery.

Migrating to the unified labeling store
    If you are migrating your Azure Information Protection labels to the unified labeling store, be sure to read the following section from the label migration documentation: Administrative roles that support the unified labeling platform.

Azure Information Protection administrator

This Azure Active Directory administrator role lets an administrator configure Azure Information Protection but not other services.

Administrators with this role can:

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

Note

This role doesn't support tracking and revoking documents for users, and is not supported in the Azure portal if your tenant is on the unified labeling platform.

Compliance administrator or Compliance data administrator

These Azure Active Directory administrator roles enable administrators to:

  • Configure Azure Information Protection, including activating and deactivating the Azure Rights Management protection service
  • Configure protection settings and labels
  • Configure the Azure Information Protection policy
  • Run all the PowerShell cmdlets for the Azure Information Protection client and from the AIPService module

To assign a user to one of these administrative roles, see Assign a user to administrator roles in Azure Active Directory.

To see what other permissions a user with these roles has, see the Available roles section of the Azure Active Directory documentation.

Note

These roles don't support tracking and revoking documents for users.

Security reader or Global reader

These roles are used for Azure Information Protection analytics only, and enable administrators to:

  • View how your labels are being used
  • Monitor user access to labeled documents and emails
  • View changes made to classification
  • Identify documents that contain sensitive information that must be protected

Because this feature uses Azure Monitor, you must also have a supporting Azure RBAC role.

Security administrator

This Azure Active Directory administrator role enables administrators to configure Azure Information Protection in the Azure portal, as well as some aspects of other Azure services.

Administrators with this role cannot run any of the PowerShell cmdlets from the AIPService module, or track and revoke documents for users.

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

To see what other permissions a user with this role has, see the Available roles section of the Azure Active Directory documentation.

Azure Rights Management Global Administrator and Connector Administrator

The Global Administrator role enables users to run all PowerShell cmdlets from the AIPService module without making them a global administrator for other cloud services.

The Connector Administrator role enables users to run only the Rights Management (RMS) connector.

These administrative roles don't grant permissions to management consoles, or support tracking and revoking documents for users.

To assign either of these administrative roles, use the AIPService PowerShell cmdlet Add-AipServiceRoleBasedAdministrator.
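The delegation, super-user and administrator-log points from this section fit together as one procedure. The following PowerShell is an added example, not code from the Microsoft documentation: it uses the AIPService module's own cmdlets (Add-AipServiceRoleBasedAdministrator, the super user cmdlets and Get-AipServiceAdminLog), but the account names, the group name, the log path and the text patterns searched for in the log are assumptions made for illustration.

```powershell
# Added example, not from the Microsoft documentation. Delegates AIP
# administration with the AIPService module, enables the super user feature
# for a single recovery account, and reads the administrator log back to
# confirm that the changes were recorded. Assumed values: the two account
# names, the security group name, and the log file path.
Import-Module AIPService
Connect-AipService        # sign in with an account that already administers AIP

# 1. Delegate. GlobalAdministrator here is the Azure RMS role (all AIPService
#    cmdlets), not the Azure AD global administrator; ConnectorAdministrator
#    is enough for the team that only installs and runs the RMS connector.
Add-AipServiceRoleBasedAdministrator -EmailAddress 'rms-admin@contoso.com' -Role 'GlobalAdministrator'
Add-AipServiceRoleBasedAdministrator -SecurityGroupDisplayName 'RMS Connector Operators' -Role 'ConnectorAdministrator'

# 2. Verify exactly who holds delegated rights; any entry you cannot
#    explain is a finding, because each of them can enable super users.
Get-AipServiceRoleBasedAdministrator

# 3. Super users can open and unprotect anything the tenant has protected,
#    so enable the feature only for the duration of a recovery or eDiscovery
#    task and scope it to one dedicated, monitored account.
Enable-AipServiceSuperUserFeature
Add-AipServiceSuperUser -EmailAddress 'ediscovery-svc@contoso.com'
Get-AipServiceSuperUserFeature     # expect Enabled
Get-AipServiceSuperUser            # expect only the dedicated account

# 4. All of the above is written to the administrator log. Export the last
#    day and pull out the role and super user changes so they can be
#    reconciled against change tickets. The patterns assume the log records
#    the cmdlet names (an assumption; adjust to what your export contains).
$log = Join-Path $env:TEMP 'aip-admin-log.txt'
Get-AipServiceAdminLog -Path $log -FromTime (Get-Date).AddDays(-1) -Force
Get-Content $log | Select-String -Pattern 'SuperUser', 'RoleBasedAdministrator'

# 5. Remove the standing capability as soon as the task is finished.
Remove-AipServiceSuperUser -EmailAddress 'ediscovery-svc@contoso.com'
Disable-AipServiceSuperUserFeature
Get-AipServiceSuperUserFeature     # expect Disabled
```

Step 4 is the control that matters operationally: because any AIP administrator can make any account (including their own) a super user, an exported administrator log that is reviewed on a schedule is what turns that capability from a silent backdoor into an auditable one.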

Does Azure Information Protection support on-premises and hybrid scenarios?

Yes. Although Azure Information Protection is a cloud-based solution, it can classify, label, and protect documents and emails that are stored on-premises as well as in the cloud.

If you have Exchange Server, SharePoint Server, or Windows file servers, use one or both of the following methods:

  • Deploy the Rights Management connector so that these on-premises servers can use the Azure Rights Management service to protect your emails and documents.
  • Synchronize and federate your Active Directory domain controllers with Azure AD for a more seamless authentication experience for users. For example, use Azure AD Connect.

The Azure Rights Management service automatically generates and manages XrML certificates as required, so it doesn't use an on-premises PKI.

For more information about how Azure Rights Management uses certificates, see the Walkthrough of how Azure RMS works: First use, content protection, content consumption.

What types of data can Azure Information Protection classify and protect?

Azure Information Protection can classify and protect email messages and documents, whether they are located on-premises or in the cloud. These documents include Word documents, Excel spreadsheets, PowerPoint presentations, PDF documents, text-based files, and image files.

For more information, see the full list of supported file types.

Note

Azure Information Protection cannot classify and protect structured data such as database files, calendar items, Yammer posts, Sway content, and OneNote notebooks.

Tip

Power BI now supports classification by using sensitivity labels and can apply protection from those labels to data that is exported to the following file formats: .pdf, .xls, and .ppt. For more information, see Data protection in Power BI.

I see Azure Information Protection is listed as an available cloud app for conditional access. How does this work?

As a preview offering, you can now configure Azure AD conditional access for Azure Information Protection.

When a user opens a document that is protected by Azure Information Protection, administrators can block or grant access to users in their tenant based on the standard conditional access controls. Requiring multi-factor authentication (MFA) is one of the most commonly requested conditions. Another is that devices must be compliant with your Intune policies, so that, for example, mobile devices meet your password requirements and a minimum operating system version, and computers must be domain-joined.

For more information and some walk-through examples, see the following blog post: Conditional Access policies for Azure Information Protection.

Additional information:

Evaluation frequency
    For Windows computers, and the current preview release, the conditional access policies for Azure Information Protection are evaluated when the user environment is initialized (this process is also known as bootstrapping), and then every 30 days. A client that has already bootstrapped therefore keeps its access until that interval elapses, even if the policy or the user's circumstances change in the meantime. To fine-tune how often your conditional access policies get evaluated, configure the token lifetime.

Administrator accounts
    We recommend that you do not add administrator accounts to your conditional access policies, because these accounts will not be able to access the Azure Information Protection pane in the Azure portal.

MFA and B2B collaboration
    If you use MFA in your conditional access policies for collaborating with other organizations (B2B), you must use Azure AD B2B collaboration and create guest accounts for the users you want to share with in the other organization.

Terms of Use prompts
    With the Azure AD December 2018 preview release, you can prompt users to accept a terms of use before they open a protected document for the first time.

Cloud apps
    If you use many cloud apps for conditional access, you might not see Microsoft Azure Information Protection displayed in the list to select. In this case, use the search box at the top of the list. Start typing "Microsoft Azure Information Protection" to filter the available apps. Provided you have a supported subscription, you'll then see Microsoft Azure Information Protection to select.

I see Azure Information Protection is listed as a security provider for Microsoft Graph Security. How does this work, and what alerts will I receive?

As a public preview offering, you can now receive an alert for Azure Information Protection anomalous data access. This alert is triggered when there are unusual attempts to access data that is protected by Azure Information Protection: for example, accessing an unusually high volume of data, access at an unusual time of day, or access from an unknown location.

Such alerts can help you to detect advanced data-related attacks and insider threats in your environment. These alerts use machine learning to profile the behavior of users who access your protected data.

The Azure Information Protection alerts can be accessed by using the Microsoft Graph Security API, or you can stream alerts to SIEM solutions, such as Splunk and IBM QRadar, by using Azure Monitor.

For more information about the Microsoft Graph Security API, see Microsoft Graph Security API overview.
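To show what consuming these alerts through the Microsoft Graph Security API looks like in practice, the following PowerShell is an added example and is not code from the Microsoft documentation. It assumes that you already hold a bearer token for Microsoft Graph with the SecurityEvents.Read.All permission (passed in as $AccessToken), and it assumes that Azure Information Protection alerts carry the provider string 'Azure Information Protection' in the alert's vendorInformation/provider property; neither assumption comes from the page. The alert properties it reads (id, createdDateTime, severity, status, title, userStates) are those of the Graph Security alert resource.

```powershell
# Added example, not from the Microsoft documentation: fetch Azure Information
# Protection alerts from the Microsoft Graph Security API, follow paging, and
# keep the unresolved medium/high alerts for escalation.
# Assumptions: $AccessToken is a valid Graph bearer token with
# SecurityEvents.Read.All; the provider label 'Azure Information Protection'
# is assumed to be the value AIP alerts carry in vendorInformation/provider.
param([Parameter(Mandatory)][string]$AccessToken)

function Get-AipGraphAlerts {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$Provider = 'Azure Information Protection'   # assumed provider label
    )
    # Server-side filter on the provider so only AIP alerts are returned.
    $uri = "https://graph.microsoft.com/v1.0/security/alerts?`$filter=vendorInformation/provider eq '$Provider'&`$top=100"
    $headers = @{ Authorization = "Bearer $Token" }
    $alerts = @()
    while ($uri) {                          # follow @odata.nextLink until exhausted
        $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        $alerts += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $alerts
}

function Select-EscalationCandidates {
    param(
        [object[]]$Alerts,
        [string[]]$Severities = @('high', 'medium')
    )
    # Drop resolved alerts and anything below the chosen severities, then
    # flatten the fields an analyst needs first: who, from where, and when.
    $Alerts |
        Where-Object { $_.status -ne 'resolved' -and $Severities -contains $_.severity } |
        ForEach-Object {
            $user = $_.userStates | Select-Object -First 1
            [pscustomobject]@{
                Id       = $_.id
                Created  = $_.createdDateTime
                Severity = $_.severity
                Title    = $_.title
                User     = $user.userPrincipalName
                SourceIp = $user.logonIp
            }
        }
}

Get-AipGraphAlerts -Token $AccessToken |
    Select-EscalationCandidates |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

Polling the API like this is appropriate for an ad hoc investigation; for continuous coverage, the Azure Monitor streaming route mentioned above delivers the same alerts into the SIEM without you having to manage tokens and paging.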

What's the difference between Windows Server FCI and the Azure Information Protection scanner?

Windows Server File Classification Infrastructure has historically been an option to classify documents and then protect them by using the Rights Management connector (Office documents only) or a PowerShell script (all file types).

We now recommend that you use the Azure Information Protection scanner. The scanner uses the Azure Information Protection client and your Azure Information Protection policy to label documents (all file types), so that these documents are classified and, optionally, protected.

The main differences between these two solutions:

Supported data stores
    Windows Server FCI: Local folders on Windows Server.
    Azure Information Protection scanner: Windows file shares and network-attached storage; SharePoint Server 2016 and SharePoint Server 2013. SharePoint Server 2010 is also supported for customers who have extended support for this version of SharePoint.

Operational mode
    Windows Server FCI: Real time.
    Azure Information Protection scanner: Systematically crawls the data stores once or repeatedly.

Supported file types
    Windows Server FCI: All file types are protected by default. Specific file types can be excluded from protection by editing the registry.
    Azure Information Protection scanner: Office file types and PDF documents are protected by default. Additional file types can be included for protection by editing the registry.

Setting Rights Management owners

By default, for both Windows Server FCI and the Azure Information Protection scanner, the Rights Management owner is set to the account that protects the file. The Rights Management owner always has full control of the file, so when that owner is the service account that runs FCI or the scanner, the service account can open everything it has protected; scope and monitor that account accordingly.

Override the default settings as follows:

  • Windows Server FCI: Set the Rights Management owner to be a single account for all files, or dynamically set the Rights Management owner for each file.

    To dynamically set the Rights Management owner, use the -OwnerMail [Source File Owner Email] parameter and value. This configuration retrieves the user's email address from Active Directory by using the user account name in the file's Owner property.

  • Azure Information Protection scanner: For newly protected files, set the Rights Management owner to be a single account for all files on a specified data store by specifying the Default owner setting in the scanner profile.

    Dynamically setting the Rights Management owner for each file is not supported, and the Rights Management owner is not changed for previously protected files.

    Note

    When the scanner protects files on SharePoint sites and libraries, the Rights Management owner is dynamically set for each file by using the SharePoint Editor value.

I've heard a new release is going to be available soon for Azure Information Protection. When will it be released?

The technical documentation does not contain information about upcoming releases. For this type of information, use the Microsoft 365 Roadmap or check the Enterprise Mobility + Security Blog.

Is Azure Information Protection suitable for my country?

Different countries have different requirements and regulations. To help you answer this question for your organization, see Suitability for different countries.

How can Azure Information Protection help with GDPR?

To see how Azure Information Protection can help you meet the General Data Protection Regulation (GDPR), see the following blog post announcement, with video:

Microsoft 365 provides an information protection strategy to help with the GDPR

Also see Compliance and supporting information for Azure Information Protection.

How can I report a problem or send feedback for Azure Information Protection?

For technical support, use your standard support channels or contact Microsoft Support.

We also invite you to engage with our engineering team on their Azure Information Protection Yammer site.

What do I do if my question isn't here?

First, review the frequently asked questions listed below, which are specific to classification and labeling, or specific to data protection. The Azure Rights Management service (Azure RMS) provides the data protection technology for Azure Information Protection. Azure RMS can be used with classification and labeling, or by itself.

If your question isn't answered, see the links and resources listed in Information and support for Azure Information Protection.

In addition, there are FAQs designed for end users: