Tutorial: Configure Azure Information Protection to control oversharing of information using Outlook

Applies to: Azure Information Protection

Instructions for: Azure Information Protection client for Windows

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This timeframe allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

To deploy the AIP classic client, open a support ticket to get download access.

In this tutorial, you learn how to:

  • Configure settings that implement warn, justify, or block popup messages in Outlook
  • See your settings in action
  • Review the logged user messages and actions in the Event Log

Email is one of the most common methods by which users inappropriately share information—whether it's in the email message itself or in attachments. You might use data loss prevention (DLP) solutions that can identify known sensitive information and help prevent it from leaving your organization boundaries. However, you can also use the Azure Information Protection client with some advanced client settings to help prevent oversharing and also educate your users with interactive messages that provide feedback in real time.

This tutorial steps you through a basic configuration that uses just one label to illustrate the warn, justify, and block messages that users can see and respond to.

You can finish this tutorial in about 15 minutes.

Prerequisites

To complete this tutorial, you need:

  1. A subscription that includes Azure Information Protection Plan 2.

    If you don't have a subscription that includes this plan, you can create a free account for your organization.

  2. The Azure Information Protection pane is added to the Azure portal and you have at least one label published in the Azure Information Protection global policy.

    Although this tutorial uses the default label, General, you can substitute this label for another one if you prefer. If you need help adding the Azure Information Protection pane, or don't yet have any labels published to the global policy, see Quickstart: Add Azure Information Protection to the Azure portal and view the policy.

  3. A computer running Windows (minimum of Windows 7 with Service Pack 1), and on this computer, you can sign in to Outlook. Be prepared to restart Outlook multiple times during this tutorial.

  4. The Azure Information Protection client (classic) installed on your Windows computer (minimum of Windows 7 with Service Pack 1).

Tip

For a full list of prerequisites to use Azure Information Protection, see Requirements for Azure Information Protection.

Let's get started. Continue with Identify a label ID for testing.

Unified labeling client

If you are using the unified labeling client instead of the classic client, see the following instructions that explain how to use PowerShell advanced settings for the equivalent configurations in this tutorial:

Identify a label ID for testing

For this tutorial, we'll use just one label to see the resulting behavior for users. You can use any label, but a good example for testing is the default label named General, which is typically suitable for business data that is not intended for public consumption, and does not apply protection.

To specify your chosen label, you must know its ID, which you identify from the Azure portal:

  1. Open a new browser window and sign in to the Azure portal as a global admin. Then navigate to Azure Information Protection.

    For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

    If you are not the global admin, use the following link for alternative roles: Signing in to the Azure portal.

  2. Select Classifications > Labels and then select the General label to open the Label: General pane.

  3. Locate the label ID at the bottom of the pane:

    Azure Information Protection tutorial - locate the label ID

  4. Copy and paste the label ID value into a temporary file so that this value can be easily copied for a later step. In our example, this label ID value is 0e421e6d-ea17-4fdb-8f01-93a3e71333b8.

  5. Close the Label: General pane, but do not close the Azure portal.

Create a scoped policy to test the new advanced client settings

We'll create a new scoped policy so that the new advanced client settings will apply to just you, for testing.

  1. On the Azure Information Protection - Policies pane, select Add a new policy. You then see the Policy pane that displays labels and settings from your existing global policy.

  2. Specify the policy name of Oversharing tutorial and optionally, a description of Advanced client settings to control oversharing using Outlook.

  3. Select Specify which users/groups get this policy, and using the subsequent panes, specify your own user account.

  4. With your account name now displayed on the Policy pane, select Save without making additional changes to the labels or settings on this pane. You might be prompted to confirm your choice.

This scoped policy is now ready to add advanced client settings. Close the Policy: Oversharing tutorial pane, but do not close the Azure portal.

Configure and test advanced client settings to warn, prompt for justification, or block emails that have the General label

For this step of the tutorial, we'll specify the following advanced client settings, and test each in turn:

  • OutlookWarnUntrustedCollaborationLabel
  • OutlookJustifyUntrustedCollaborationLabel
  • OutlookBlockUntrustedCollaborationLabel

Create the advanced client setting to warn users if an email or attachment has the General label

Using the newly created scoped policy, we'll add a new advanced client setting named OutlookWarnUntrustedCollaborationLabel with the ID of your General label:

  1. Back on the Azure Information Protection - Policies pane, select the context menu (...) next to Oversharing tutorial. Then select Advanced settings.

  2. On the Advanced settings pane, type the advanced setting name, OutlookWarnUntrustedCollaborationLabel, and paste your own label ID for the value. Using our example label ID:

    Azure Information Protection tutorial - create OutlookWarnUntrustedCollaborationLabel advanced client setting

  3. Select Save and close.

Do not close the Policies pane, or the Azure portal.

Test the advanced client setting to warn users if an email or attachment has the General label

On your client computer, we'll now see the results of configuring this advanced client setting.

  1. On your client computer, open Outlook.

    If Outlook is already open, restart it. The restart is needed to download the change we just made.

  2. Create a new email message, and apply the General label. For example, from the File tab, select the Protect button, and then select General.

  3. Specify your own email address for the To field, and for the subject, type Testing the General label for the Warn message. Then send the email.

  4. As a result of the advanced client setting, you see the following warning, asking you to confirm before sending the email. For example:

    Azure Information Protection tutorial - see OutlookWarnUntrustedCollaborationLabel advanced client setting

  5. Acting as a user who has mistakenly tried to email something that was labeled General, select Cancel. You see that the email is not sent but the email message remains so you can make changes, such as change the content or the label.

  6. Without making any changes, select Send again. This time, acting as a user who acknowledges that the content is appropriate for sending, select Confirm and Send. The email is sent.

Change the advanced client setting to prompt users to justify if an email has the General label

We'll edit the existing advanced client setting to keep your General label ID, but change the name to OutlookJustifyUntrustedCollaborationLabel:

  1. On the Azure Information Protection - Policies pane, select the context menu (...) next to Oversharing tutorial. Then select Advanced settings.

  2. On the Advanced settings pane, replace the previous advanced setting name you created, OutlookWarnUntrustedCollaborationLabel, with the new name of OutlookJustifyUntrustedCollaborationLabel:

    Azure Information Protection tutorial - create OutlookJustifyUntrustedCollaborationLabel advanced client setting

  3. Select Save and close.

Do not close the Policies pane, or the Azure portal.

Test the advanced client setting to prompt users to justify if an email has the General label

On your client computer, we'll now see the results of this new advanced client setting.

  1. On your client computer, restart Outlook to download the change we just made.

  2. Create a new email message, and as before, apply the General label. For example, from the File tab, select the Protect button, and then select General.

  3. Specify your own email address for the To field, and for the subject, type Testing the General label for the Justify message. Then send the email.

  4. This time, you see the following message, asking you to provide justification before sending the email. For example:

    Azure Information Protection tutorial - see OutlookJustifyUntrustedCollaborationLabel advanced client setting

  5. Acting as a user who has mistakenly tried to email something that was labeled as General, select Cancel. You see that the email is not sent but the email message itself remains so you can make changes, such as change the content or the label.

  6. Without making any changes, select Send again. This time, select one of the justification options, such as I confirm the recipients are approved for sharing this content, and then select Confirm and Send. The email is sent.

Change the advanced client setting to block users from sending an email that has the General label

We'll edit the existing advanced client setting one more time, to keep your General label ID, but change the name to OutlookBlockUntrustedCollaborationLabel:

  1. In the Azure portal, on the Azure Information Protection - Policies pane, select the context menu (...) next to Oversharing tutorial. Then select Advanced settings.

  2. On the Advanced settings pane, replace the previous advanced setting name you created, OutlookJustifyUntrustedCollaborationLabel, with the new name of OutlookBlockUntrustedCollaborationLabel:

    Azure Information Protection tutorial - create OutlookBlockUntrustedCollaborationLabel advanced client setting

  3. Select Save and close.

Do not close the Policies pane, or the Azure portal.

Test the advanced client setting to block users from sending an email that has the General label

On your client computer, we'll now see the results of this new advanced client setting.

  1. On your client computer, restart Outlook to download the change we just made.

  2. Create a new email message, and as before, apply the General label. For example, from the File tab, select the Protect button, and then select General.

  3. Specify your own email address for the To field, and for the subject, type Testing the General label for the Block message. Then send the email.

  4. This time, you see the following message that prevents the email from being sent. For example:

    Azure Information Protection tutorial - block email popup message

  5. Acting as your user, you see the only option available is OK, which takes you back to the email message where you can make changes. Select OK, and cancel this email message.

Use Event Log to identify the messages and user actions for the General label

Before we move on to the next scenario for when an email or attachment doesn't have a label, start Event Viewer and navigate to Applications and Services Logs > Azure Information Protection.

For each of the tests that you did, information events are created to record both the message and the user response:

  • Warn messages: Information ID 301

  • Justify messages: Information ID 302

  • Block messages: Information ID 303

For example, the first test was to warn the user, and you selected Cancel, so the User Response displays Dismissed in the first Event 301. For example:

Client Version: 1.53.10.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Testing the General label for the Warn message.msg
Item Name: Testing the General label for the Warn message
Process Name: OUTLOOK
Action: Warn
Label After Action: General
Label ID After Action: 0e421e6d-ea17-4fdb-8f01-93a3e71333b8
Action Source: 
User Response: Dismissed

However, you then selected Confirm and Send, which is reflected in the next Event 301, where the User Response displays Confirmed:

Client Version: 1.53.10.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Testing the General label for the Warn message.msg
Item Name: Testing the General label for the Warn message
Process Name: OUTLOOK
Action: Warn
Label After Action: General
Label ID After Action: 0e421e6d-ea17-4fdb-8f01-93a3e71333b8
Action Source: 
User Response: Confirmed

The same pattern is repeated for the justify message, which has an Event 302. The first event has a User Response of Dismissed, and the second shows the justification that was selected. For example:

Client Version: 1.53.10.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Testing the General label for the Justify message.msg
Item Name: Testing the General label for the Justify message
Process Name: OUTLOOK
Action: Justify
Label After Action: General
Label ID After Action: 0e421e6d-ea17-4fdb-8f01-93a3e71333b8
User Justification: I confirm the recipients are approved for sharing this content
Action Source: 
User Response: Confirmed

At the top of the event log, you see the block message logged, which has an Event 303. For example:

Client Version: 1.53.10.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Testing the General label for the Block message.msg
Item Name: Testing the General label for the Block message
Process Name: OUTLOOK
Action: Block
Label After Action: General
Label ID After Action: 0e421e6d-ea17-4fdb-8f01-93a3e71333b8
Action Source: 

Optional: Create an additional advanced client setting to exempt these messages for internal recipients

You tested your warn, justify, and block messages by using your own email address as the recipient. In a production environment, you might choose to display these messages for your specified labels only if recipients are external to your organization. You might extend that exemption to partners that your organization regularly works with.

To illustrate how this works, we'll create an additional advanced client setting named OutlookBlockTrustedDomains and specify your own domain name from your email address. This prevents the block message you saw previously from displaying for recipients that share your domain name in their email address, while it is still shown for other recipients. You can similarly create additional advanced client settings for OutlookWarnTrustedDomains and OutlookJustifyTrustedDomains.

  1. In the Azure portal, on the Azure Information Protection - Policies pane, select the context menu (...) next to Oversharing tutorial. Then select Advanced settings.

  2. On the Advanced settings pane, type the advanced setting name, OutlookBlockTrustedDomains, and paste your domain name from your email address for the value. For example:

    Azure Information Protection tutorial - create OutlookBlockTrustedDomains advanced client setting

  3. Select Save and close. Do not close the Policies pane, or the Azure portal.

  4. Now repeat the previous test to block users from sending an email that has the General label, and you no longer see the block message when you use your own email address. The email is sent without interruption.

    To confirm that the block message is still shown for external recipients, repeat the test one more time but specify a recipient from outside your organization. This time, you see the block message again, listing the new recipient address as untrusted.

Configure and test an advanced client setting to warn, prompt for justification, or block emails that don't have a label

For this step of the tutorial, we'll specify a new advanced client setting with different values, and test each in turn:

  • OutlookUnlabeledCollaborationAction

Create the advanced client setting to warn users if an email doesn't have a label

This new advanced client setting named OutlookUnlabeledCollaborationAction doesn't need a label ID but specifies the action to take for unlabeled content:

  1. In the Azure portal, back on the Azure Information Protection - Policies pane, select the context menu (...) next to Oversharing tutorial. Then select Advanced settings.

  2. On the Advanced settings pane, type the advanced setting name, OutlookUnlabeledCollaborationAction, and for the value, specify Warn:

    Azure Information Protection tutorial - create OutlookUnlabeledCollaborationAction advanced client setting with Warn value

  3. Select Save and close.

Do not close the Policies pane, or the Azure portal.

Test the advanced client setting to warn users if an email doesn't have a label

On your client computer, we'll now see the results of configuring this new advanced client setting for when content doesn't have a label:

  1. On your client computer, restart Outlook to download the change we just made.

  2. Create a new email message, and this time, do not apply a label.

  3. Specify your own email address for the To field, and for the subject, type Testing send an email without a label for the Warn message. Then send the email.

  4. This time, you see a Confirmation Required message that you can Confirm and Send or Cancel:

    Azure Information Protection tutorial - see OutlookUnlabeledCollaborationAction advanced client setting with Warn value

  5. Select Confirm and Send.

Change the advanced client setting to prompt users to justify if an email is unlabeled

We'll edit the existing advanced client setting to keep the name of OutlookUnlabeledCollaborationAction, but change the value to Justify:

  1. On the Azure Information Protection - Policies pane, select the context menu (...) next to Oversharing tutorial. Then select Advanced settings.

  2. On the Advanced settings pane, locate the OutlookUnlabeledCollaborationAction setting and replace the previous value of Warn with the new value of Justify:

    Azure Information Protection tutorial - change OutlookUnlabeledCollaborationAction advanced client setting to Justify value

  3. Select Save and close.

Do not close the Policies pane, or the Azure portal.

Test the advanced client setting to prompt users to justify if an email isn't labeled

On your client computer, we'll now see the results of changing the value for this advanced client setting.

  1. On your client computer, restart Outlook to download the change we just made.

  2. Create a new email message, and as before, do not apply a label.

  3. Specify your own email address for the To field, and for the subject, type Testing send an email without a label for the Justify message. Then send the email.

  4. This time, you see a Justification Required message with different options:

    Azure Information Protection tutorial - see OutlookUnlabeledCollaborationAction advanced client setting with Justify value

  5. Select an option, such as My manager approved sharing of this content. Then select Confirm and Send.

Change the advanced client setting to block users from sending an email that isn't labeled

As before, we'll edit the existing advanced client setting to keep the name of OutlookUnlabeledCollaborationAction, but change the value to Block:

  1. On the Azure Information Protection - Policies pane, select the context menu (...) next to Oversharing tutorial. Then select Advanced settings.

  2. On the Advanced settings pane, locate the OutlookUnlabeledCollaborationAction setting and replace the previous value of Justify with the new value of Block:

    Azure Information Protection tutorial - change OutlookUnlabeledCollaborationAction advanced client setting to Block value

  3. Select Save and close.

Do not close the Policies pane, or the Azure portal.

Test the advanced client setting to block users from sending an email that isn't labeled

On your client computer, we'll now see the results of changing the value of this advanced client setting.

  1. On your client computer, restart Outlook to download the change we just made.

  2. Create a new email message, and as before, do not apply a label.

  3. Specify your own email address for the To field, and for the subject, type Testing send an email without a label for the Block message. Then send the email.

  4. This time, you see the following message that prevents the email from being sent, with an explanation for the user. For example:

    Azure Information Protection tutorial - see OutlookWarnUntrustedCollaborationLabel advanced client setting with Block value

  5. Acting as your user, you see the only option available is OK, which takes you back to the email message where you can select a label.

    Select OK, and cancel this email message.

Use Event Log to identify the messages and user actions for the unlabeled email

As before, the messages and user responses are logged in Event Viewer, Applications and Services Logs > Azure Information Protection, with the same event IDs.

  • Warn messages: Information ID 301

  • Justify messages: Information ID 302

  • Block messages: Information ID 303

For example, the results of our justification prompt when the email didn't have a label:

Client Version: 1.53.10.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Testing send an email without a label for the Justify message.msg
Item Name: Testing send an email without a label for the Justify message
Process Name: OUTLOOK
Action: Justify
User Justification: My manager approved sharing of this content
Action Source: 
User Response: Confirmed
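
The two Event Log sections above (labeled and unlabeled email) describe the same record layout, so one review script covers both. The following is an added example, not part of the original tutorial or of Microsoft's tooling: it parses the "Name: value" message text of events 301, 302, and 303 and reports which sends were cancelled, blocked, or sent after the user overrode the popup. The function names, the outcome names, and the (event ID, message text) input shape are this example's own assumptions; the sample messages are shortened from the tutorial's example events.

```python
import re
from collections import Counter

# Event IDs and the popup action each one records, as listed in the tutorial.
EVENT_ACTIONS = {301: "Warn", 302: "Justify", 303: "Block"}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):[ \t]*(.*?)\s*$")


def parse_event_message(message):
    """Turn the 'Name: value' lines of one event message into a dict."""
    fields = {}
    for line in message.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def classify(event_id, message):
    """Normalize one event; returns None for IDs other than 301/302/303."""
    expected = EVENT_ACTIONS.get(event_id)
    if expected is None:
        return None
    fields = parse_event_message(message)
    response = fields.get("User Response", "")
    if expected == "Block":
        outcome = "blocked"  # the tutorial's 303 sample has no User Response
    elif response == "Confirmed":
        outcome = "sent_after_override"
    elif response == "Dismissed":
        outcome = "cancelled"
    else:
        outcome = "unknown"
    return {
        "event_id": event_id,
        "item": fields.get("Item Name", ""),
        "action_matches_id": fields.get("Action") == expected,
        # The tutorial's unlabeled sample omits the label fields entirely.
        "unlabeled": "Label After Action" not in fields,
        "label_id": fields.get("Label ID After Action"),
        "justification": fields.get("User Justification"),
        "outcome": outcome,
    }


def summarize(events):
    """events: iterable of (event_id, message_text) pairs from the AIP log."""
    records = [r for r in (classify(i, m) for i, m in events) if r is not None]
    return {
        "outcomes": Counter(r["outcome"] for r in records),
        "overrides": [r for r in records if r["outcome"] == "sent_after_override"],
        "mismatched": [r for r in records if not r["action_matches_id"]],
    }


# Sample input: message bodies shortened from the tutorial's example events.
LABELED = ("Label After Action: General\n"
           "Label ID After Action: 0e421e6d-ea17-4fdb-8f01-93a3e71333b8\n")
SAMPLE_EVENTS = [
    (301, "Item Name: Testing the General label for the Warn message\n"
          "Action: Warn\n" + LABELED +
          "Action Source: \nUser Response: Dismissed\n"),
    (301, "Item Name: Testing the General label for the Warn message\n"
          "Action: Warn\n" + LABELED +
          "Action Source: \nUser Response: Confirmed\n"),
    (302, "Item Name: Testing the General label for the Justify message\n"
          "Action: Justify\n" + LABELED +
          "User Justification: I confirm the recipients are approved "
          "for sharing this content\n"
          "Action Source: \nUser Response: Confirmed\n"),
    (303, "Item Name: Testing the General label for the Block message\n"
          "Action: Block\n" + LABELED + "Action Source: \n"),
    (302, "Item Name: Testing send an email without a label "
          "for the Justify message\n"
          "Action: Justify\n"
          "User Justification: My manager approved sharing of this content\n"
          "Action Source: \nUser Response: Confirmed\n"),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print(dict(report["outcomes"]))
    for rec in report["overrides"]:
        kind = "unlabeled" if rec["unlabeled"] else rec["label_id"]
        print(rec["event_id"], kind, rec["item"], "|", rec["justification"])
```

Each entry in `overrides` is a message that left the mailbox after a warn or justify popup, which is the set to review when tuning which labels should move from Warn to Justify or Block.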

Clean up resources

Do the following if you don't want to keep the changes that you made in this tutorial:

  1. In the Azure portal, on the Azure Information Protection - Policies pane, select the context menu (...) next to Oversharing tutorial. Then select Delete policy.

  2. If you are prompted to confirm, select OK.

Restart Outlook so that it no longer uses the settings we configured for this tutorial.

Next steps

For quicker testing, this tutorial used an email message to a single recipient, and without attachments. But you can apply the same method with multiple recipients, multiple labels, and also apply the same logic to email attachments whose labeling status is often less obvious to users. For example, the email message itself is labeled Public but the PowerPoint presentation attached is labeled General. For more information about the configuration options, see the following section from the admin guide: Implement pop-up messages in Outlook that warn, justify, or block emails being sent.

The admin guide also contains information about other advanced client settings that you can use to customize the behavior of the client. For a full list, see Available advanced client settings.