Tutorial: Configure Azure Information Protection policy settings and create a new label

Applies to: Azure Information Protection

Instructions for: Azure Information Protection client for Windows


To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

To deploy the AIP classic client, open a support ticket to get download access.

If you are using a labeling client other than the classic client, see the Microsoft 365 Compliance documentation for equivalent instructions to this tutorial.

In this tutorial, you learn how to:

  • Configure policy settings
  • Create a new label
  • Configure the label for visual markings, recommended classification, and protection
  • See your settings and labels in action

As a result of this configuration, users see a default label applied when they create a new document or email. However, they are prompted to apply the new label when credit card information is detected. When the new label is applied, the content is reclassified and protected, with a corresponding footer and watermark.

You can finish this tutorial in about 15 minutes.


To complete this tutorial, you need:

  1. A subscription that includes Azure Information Protection Plan 2.

    If you don't have a subscription that includes Azure Information Protection Plan 2, you can create a free account for your organization.

  2. The Azure Information Protection pane is added to the Azure portal, the protection service is activated, and you have one or more labels published in the Azure Information Protection global policy.

    These steps are covered in the Quickstart: Add Azure Information Protection to the Azure portal and view the policy.

  3. The Azure Information Protection client (classic) installed on your Windows computer (minimum of Windows 7 with Service Pack 1).

  4. You're signed in to Office apps from one of the following categories:

    • Office apps minimum version 1805, build 9330.2078 from Microsoft 365 Apps for Business or Microsoft 365 Business Premium when you are assigned a license for Azure Rights Management (also known as Azure Information Protection for Microsoft 365).

    • Microsoft 365 Apps for Enterprise

    • Office Professional Plus 2019.

    • Office Professional Plus 2016.

    • Office Professional Plus 2013 with Service Pack 1.

    • Office Professional Plus 2010 with Service Pack 2.

For a full list of prerequisites to use Azure Information Protection, see Requirements for Azure Information Protection.

Let's get started. Continue with Edit the Azure Information Protection policy.

Edit the Azure Information Protection policy

Using the Azure portal, we'll first change a couple of policy settings, and then create a new label.

Edit the policy settings

  1. Open a new browser window and sign in to the Azure portal as a global admin. Then navigate to Azure Information Protection.

    For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

    If you are not the global admin, use the following link for alternative roles: Signing in to the Azure portal

  2. Select Classifications > Policies > Global to open the Policy: Global pane.

  3. Locate the policy settings after the labels, in the Configure settings to display and apply on Information Protection end users section.

    Make a note of how the settings are currently configured. Specifically, the settings Select the default label and Users must provide justification to set a lower classification label, remove a label, or remove protection. For example:

    Azure Information Protection tutorial - policy settings to change

    We'll use these policy settings later in the tutorial, when you will see them in action.

  4. For Select the default label, select one of the labels, such as General.

    The General label is one of the default labels that Azure Information Protection can create for you. This step is covered in the Create and publish labels section from the quickstart to add Azure Information Protection to the Azure portal.

  5. For Users must provide justification to set a lower classification label, remove a label, or remove protection, set this option to On if it is not already.

  6. In addition, make sure that Display the Information Protection bar in Office apps is set to On.

  7. Select Save on this Policy: Global pane, and if you're prompted to confirm your action, select OK. Close this pane.

Create a new label for protection, visual markers, and a condition to prompt for classification

We'll now create a new sublabel for Confidential.

  1. From the Classifications > Labels menu option: Right-click the Confidential label, and select Add a sub-label.

    If you don't have a label named Confidential, you can select another label or you can create a new label instead and still follow the tutorial with minor differences.

  2. On the Sub-label pane, specify the label name of Finance and add the following description: Confidential data that contains financial information that is restricted to employees only.

    This text describes how the selected label is intended to be used and it's visible to users as a tooltip, to help them decide which label to select.

  3. For Set permissions for documents and emails containing this label, select Protect, which automatically opens the Protection pane by selecting the Protection option for you:

    Configuring an Azure Information Protection label for protection

  4. On the Protection pane, make sure that Azure (cloud key) is selected. This option uses the Azure Rights Management service to protect documents and emails. Also make sure that the Set Permissions option is selected. Then select Add permissions.

  5. On the Add permissions pane, select Add <organization name> - All members. For example, if your organization name is VanArsdel Ltd, you see the following option to select:

    Granting Azure Information Protection label protection permissions to all members

    This option automatically selects all the users in your organization who can be granted permissions. However, you can see from the other options that you could browse and search for groups or users from your tenant. Or, when you select the Enter details option, you can specify individual email addresses or even all users from another organization.

  6. For the permissions, select Reviewer from the preset options. You see how this permission level automatically grants some permissions listed but not all permissions:

    Granting Azure Information Protection label protection permissions to co-authors

    You can select different permission levels or specify individual usage rights by using the Custom option. But for this tutorial, keep the Reviewer option. You can experiment with different permissions later and read how they restrict what the specified users can do with the protected document or email.

  7. Click OK to close this Add permissions pane, and you see how the Protection pane is updated to reflect your configuration. For example:

    Protection pane showing the Azure Information Protection label permissions configuration

    If you select Add permissions, this action opens the Add permissions pane again, so that you can add more users and grant them different permissions. For example, grant just view access for a specific group. But for this tutorial, we'll keep one set of permissions for all users.

  8. Review and keep the defaults for content expiration and offline access, and then click OK to save and close this Protection pane.

  9. Back on the Sub-label pane, locate the Set visual marking section:

    For the Documents with this label have a footer setting, click On, and then for the Text box, type Classified as Confidential.

    For the Documents with this label have a watermark setting, click On, and then for the Text box, type your organization name. For example, VanArsdel, Ltd

    Although you can change the appearance for these visual markers, we'll leave these settings at the defaults for now.

  10. Locate the section Configure conditions for automatically applying this label:

    Click Add a new condition and then, on the Condition pane, select the following:

    a. Choose the type of condition: Keep the default of Information Types.

    b. For Choose an industry: Keep the default of All.

    c. In the Select information types search box: Type credit card number. Then, from the search results, select Credit Card Number.

    d. Minimum number of occurrences: Keep the default of 1.

    e. Count occurrences with unique values only: Keep the default of Off.

    Azure Information Protection tutorial - configure credit card condition

    Click Save to return to the Sub-label pane.

  11. On the Sub-label pane, you see that Credit Card Number is displayed as the CONDITION NAME, with 1 OCCURRENCES:

    Azure Information Protection tutorial - credit card condition summary

  12. For Select how this label is applied: Keep the default of Recommended, and don't change the default policy tip.

  13. In the Add notes for administrator use box, type For testing purposes only.

  14. Click Save on this Sub-label pane. If you're prompted to confirm, click OK. The new label is created and saved, but not yet added to a policy.

  15. From the Classifications > Policies menu option: Select Global again, and then select the Add or remove labels link after the labels.

  16. From the Policy: Add or remove labels pane, select the label that you've just created, the sublabel named Finance, and click OK.

  17. On the Policy: Global pane, you now see your new sublabel in your global policy, which is configured for visual markings and protection. For example:

    Azure Information Protection tutorial - new sublabel

    You also see that the settings are configured for the default label and justification:

    Azure Information Protection tutorial - configured settings

  18. Click Save on this Policy: Global pane. If you're prompted to confirm this action, click OK.

You can either close the Azure portal, or leave it open to try additional configuration options after you've finished this tutorial.

You're ready to try out the results of your changes.

See classification, labeling, and protection in action

The policy changes you made and the new label you created apply to Word, Excel, PowerPoint, and Outlook. But for this tutorial, we'll use Word to see them in action.

Open a new document in Word. Because the Azure Information Protection client is installed, you see the following:

Azure Information Protection tutorial - client installed

  • On the Home tab, a Protection group, with a button named Protect.

    Click Protect > Help and Feedback, and in the Microsoft Azure Information Protection dialog box, confirm your client status. It should display Connected as and your user name. In addition, you should also see a recent time and date for the last connection and when the Information Protection policy was downloaded. Verify that your displayed user name is correct for your tenant.

  • A new bar under the ribbon: the Information Protection bar. It displays the title of Sensitivity, and the labels that we saw in the Azure portal.

To manually change our default label

  1. On the Information Protection bar, select the last label and you see how sublabels display:

    Azure Information Protection tutorial - view sublabels

  2. Select one of these sublabels, and you see how the other labels no longer display on the bar now that you've selected a label for this document. The Sensitivity value changes to show the label and sublabel name, with a corresponding change in label color. For example:

    Azure Information Protection tutorial - sublabel selected

  3. On the Information Protection bar, click the Edit Label icon next to the currently selected label value:

    Azure Information Protection tutorial - Edit Label icon

    This action displays the available labels again.

  4. Now select the first label, Personal. Because you've selected a label that's a lower classification than the previously selected label for this document, you're prompted to justify why you're lowering the classification level:

    Azure Information Protection tutorial - prompt to confirm the justification for lowering

    Select The previous label no longer applies, and click Confirm. The Sensitivity value changes to Personal and the other labels are hidden again.

To remove the classification completely

  1. On the Information Protection bar, click the Edit Label icon again. But instead of choosing one of the labels, click the Delete Label icon:

    Azure Information Protection tutorial - Delete icon

  2. This time when you're prompted, type "This document doesn't need classifying", and click Confirm.

    You see the Sensitivity value display Not set, which is what users see initially for new documents if you don't set a default label as a policy setting.

To see a recommendation prompt for labeling and automatic protection

  1. In the Word document, type a valid credit card number, for example: 4242-4242-4242-4242.

  2. Save the document locally, with any file name.

  3. You now see a prompt to apply the label that you configured for protection when credit card numbers are detected. If we didn't agree with the recommendation, our policy setting lets us reject it, by selecting Dismiss. Giving a recommendation but letting a user override it helps to reduce false positives when you're using automatic classification. For this tutorial, click Change now.

    Azure Information Protection tutorial - recommendation prompt

    In addition to the document now showing that our configured label is applied (for example, Confidential \ Finance), you immediately see the watermark of your organization name across the page, and the footer of Classified as Confidential is also applied.

    The document is also protected with the permissions that you specified for this label. You can confirm that the document is protected by clicking the File tab and viewing the information for Protect Document. You see that the document is protected by Confidential \ Finance and the label description.

    Because of the protection configuration of the label, only employees can open the document and some actions are restricted for them. For example, because they don't have the Print and the Copy and extract content permissions, they can't print the document or copy from it. Such restrictions help to prevent data loss. As the owner of the document, you can print it and copy from it. However, if you email the document to another user in your organization, they cannot do these actions.

  4. You can now close this document.
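
The condition configured for the Finance sublabel (information type Credit Card Number, Minimum number of occurrences, Count occurrences with unique values only) can be reasoned about with a small model. The following is an added example, not code from this tutorial or from the Azure Information Protection service: it assumes a simplified 16-digit pattern plus a Luhn checksum, and the function names and sample strings are constructed for illustration. It shows why the tutorial's test number triggers the recommendation while an arbitrary 16-digit string does not, and what the unique-values setting changes.

```python
import re

# Simplified assumption: 16 digits, optionally grouped in fours by spaces or
# hyphens. The real information type recognizes more card formats than this.
CANDIDATE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return every pattern match that also passes the checksum, as digits."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def condition_met(text, min_occurrences=1, unique_only=False):
    """Model of the Condition pane: occurrence threshold and unique-only count."""
    hits = find_card_numbers(text)
    count = len(set(hits)) if unique_only else len(hits)
    return count >= min_occurrences


if __name__ == "__main__":
    # Constructed sample documents.
    samples = {
        "tutorial test number": "Card on file: 4242-4242-4242-4242.",
        "order reference": "Order ref 1234-5678-9012-3456 shipped.",
        "same card twice": "4242 4242 4242 4242 and again 4242424242424242",
    }
    for name, text in samples.items():
        print(name, "->", condition_met(text))
    # With a threshold of 2, the repeated card only counts when unique is Off.
    twice = samples["same card twice"]
    print(condition_met(twice, 2, unique_only=False),
          condition_met(twice, 2, unique_only=True))
```

With the tutorial's settings (threshold 1, unique values Off) a single checksum-valid number is enough to prompt the user, which is why the recommendation is paired with the Dismiss option.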

Clean up resources

Do the following if you don't want to keep the changes that you made in this tutorial:

  1. Select Classifications > Policies > Global to open the Policy: Global pane.

  2. Return the policy settings to their original values that you took a note of, and then select Save.

  3. From the Classifications > Labels menu option: On the Azure Information Protection - Label pane, select the context menu (...) for the Finance label you created.

  4. Select Delete this label and if you're asked to confirm, select OK.

Restart Word to download these changes.

Next steps

For more information about editing the Azure Information Protection policy, see Configuring Azure Information Protection policy.

For more information about where the labeling activity is logged, see Usage logging for the Azure Information Protection client.