How Office applications and services support Azure Rights Management

Applies to: Azure Information Protection, Office 365

End-user Office applications and Office services can use the Azure Rights Management service from Azure Information Protection to help protect your organization's data. These Office applications are Word, Excel, PowerPoint, and Outlook. The Office services are Exchange and Microsoft SharePoint. The Office configurations that support the Azure Rights Management service often use the term information rights management (IRM).

Office applications: Word, Excel, PowerPoint, Outlook

These applications natively support Azure Rights Management and let users apply protection to a saved document or to an email message to be sent. Users can apply templates to apply the protection. Or, for Word, Excel, and PowerPoint, users can choose customized settings for access, rights, and usage restrictions.

For example, users can configure a Word document so that it can be accessed only by people in your organization. Or, they can control whether an Excel spreadsheet can be edited, restrict it to read-only, or prevent it from being printed. For time-sensitive files, an expiration time can be configured after which the file can no longer be accessed. This configuration can be made directly by users or by applying a protection template. For Outlook, users can also choose the Do Not Forward option to help prevent data leakage.

If you are ready to configure Office apps, see Office apps: Configuration for clients.

For relevant known issues, see AIP known issues in Office applications.

Exchange Online and Exchange Server

When you use Exchange Online or Exchange Server, you can configure options for Azure Information Protection. This configuration lets Exchange provide the following protection solutions:

  • Exchange ActiveSync IRM, so that mobile devices can protect and consume protected email messages.

  • Email protection support for Outlook on the web, which is implemented similarly to the Outlook client. This configuration lets users protect email messages by using protection templates or options. Users can read and use protected email messages that are sent to them.

  • Protection rules for Outlook clients that an administrator configures to automatically apply protection templates and options to email messages for specified recipients. For example, when internal emails are sent to your legal department, they can only be read by members of the legal department and cannot be forwarded. Users see the protection applied to the email message before sending it, and by default, they can remove this protection if they decide it is not necessary. Emails are encrypted before they are sent. For more information, see Outlook Protection Rules and Create an Outlook Protection Rule in the Exchange library.

  • Mail flow rules that an administrator configures to automatically apply protection templates or options to email messages. These rules are based on properties such as sender, recipient, message subject, and content. These rules are similar in concept to protection rules but don't allow users to remove the protection, because the protection is set by the Exchange service rather than by the client. Because protection is set by the service, it doesn't matter what device or operating system the users have. For more information, see Mail flow rules (transport rules) in Exchange Online and Create a Transport Protection Rule for Exchange on-premises.

  • Data loss prevention (DLP) policies that contain sets of conditions to filter email messages and take actions, to help prevent data loss for confidential or sensitive content. One of the actions that you can specify is to apply encryption as protection, by specifying one of the protection templates or options. Policy Tips can be used when sensitive data is detected, to alert users that they might need to apply protection. For more information, see Data loss prevention in the Exchange Online documentation.

  • Office 365 Message Encryption, which supports sending a protected email message and protected Office documents as attachments to any email address on any device. For user accounts that don't use Azure AD, a web experience supports social identity providers or a one-time passcode. For more information, see Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection in the Office 365 documentation. To help you find additional information that is related to this configuration, see Office 365 Message Encryption.
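The following Exchange Online PowerShell session is an added example, not part of the original article, showing how the service-side mail flow rule described above is created and verified: it applies the built-in Do Not Forward template to internal messages sent to a legal team, after first checking that IRM is working. The admin account and the legal group address are placeholders.

```powershell
# Added example (not from the original article): create and verify an
# Exchange Online mail flow rule that applies the built-in "Do Not Forward"
# protection to internal mail sent to the legal team.
# Assumptions (placeholders): admin@contoso.example and legal@contoso.example
# are made up for this example; replace them with your own values.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Confirm the Azure Rights Management service is enabled and reachable
#    before creating a rule whose action depends on it.
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled
Test-IRMConfiguration -Sender admin@contoso.example

# 2. Make sure the template the rule will reference actually resolves;
#    a missing template is clearer to catch here than inside the rule engine.
$template = Get-RMSTemplate -Identity "Do Not Forward"
if (-not $template) { throw "Template 'Do Not Forward' not found; check IRM configuration." }

# 3. Create the rule in audit mode first. The action runs in the service,
#    so end users cannot remove this protection; auditing before enforcing
#    avoids locking up mail that the conditions did not mean to cover.
New-TransportRule -Name "Protect internal mail to Legal" `
    -FromScope InOrganization `
    -SentTo "legal@contoso.example" `
    -ApplyRightsProtectionTemplate $template.Name `
    -Mode Audit `
    -Comments "Applies Do Not Forward to internal messages sent to Legal."

# 4. After reviewing the audit results, switch the rule to enforce.
Set-TransportRule -Identity "Protect internal mail to Legal" -Mode Enforce

# 5. Verify the stored rule, its scope, and the protection action it applies.
Get-TransportRule -Identity "Protect internal mail to Legal" |
    Format-List Name, State, Mode, FromScope, SentTo, ApplyRightsProtectionTemplate
```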

If you use Exchange on-premises, you can use the IRM features with the Azure Rights Management service by deploying the Azure Rights Management connector. This connector acts as a relay between your on-premises servers and the Azure Rights Management service.

For more information about the protection templates, see Configuring and managing templates for Azure Information Protection.

For more information about the email options that you can use to protect emails, see Do Not Forward option for emails and Encrypt-Only option for emails.

If you're ready to configure Exchange to protect emails:

SharePoint in Microsoft 365 and SharePoint Server

When you use SharePoint in Microsoft 365 or SharePoint Server, you can protect documents by using the SharePoint information rights management (IRM) feature. This feature lets administrators protect lists or libraries so that when a user checks out a document, the downloaded file is protected and only authorized people can view and use the file according to the information protection policies that you specify. For example, the file might be read-only, disable the copying of text, prevent saving a local copy, and prevent printing the file.

Word, PowerPoint, Excel, and PDF documents support this SharePoint IRM protection. By default, the protection is restricted to the person who downloads the document. You can change this default with a configuration option named Allow group protection, which extends the protection to a group that you specify. For example, you could specify a group that has permission to edit documents in the library so that the same group of users can edit the document outside SharePoint, regardless of which user downloaded the document. Or, you could specify a group that isn't granted permissions in SharePoint but whose users need to access the document outside SharePoint. For SharePoint lists and libraries, this protection is always configured by an administrator, never an end user. You set the permissions at the site level, and these permissions, by default, are inherited by any list or library in that site. If you use SharePoint in Microsoft 365, users can also configure their Microsoft OneDrive library for IRM protection.

For more fine-grained control, you can configure a list or library in the site to stop inheriting permissions from its parent. You can then configure IRM permissions at that level (list or library); these are then referred to as "unique permissions." However, permissions are always set at the container level; you cannot set permissions on individual files.

The IRM service must first be enabled for SharePoint. Then, you specify IRM permissions for a library. For SharePoint and OneDrive, users can also specify IRM permissions for their OneDrive library. SharePoint does not use rights policy templates, although there are SharePoint configuration settings that you can select that match some of the settings that you can specify in the templates.

If you use SharePoint Server, you can use this IRM protection by deploying the Azure Rights Management connector. This connector acts as a relay between your on-premises servers and the Rights Management cloud service. For more information, see Deploying the Azure Rights Management connector.

Note

There are some limitations when you use SharePoint IRM:

  • You cannot use the default or custom protection templates that you manage in the Azure portal.

  • Files that have a .ppdf file name extension for protected PDF files are not supported. For more information about viewing protected PDF documents, see Protected PDF readers for Microsoft Information Protection.

  • Coauthoring, when more than one person edits a document at the same time, is not supported. To edit a document in an IRM-protected library, you must first check out the document and download it, and then edit it in your Office application. Consequently, only one person can edit the document at a time.

For libraries that are not IRM-protected, if you apply protection-only to a file that you then upload to SharePoint or OneDrive, the following do not work with this file: coauthoring, Office for the web, search, document preview, thumbnails, eDiscovery, and data loss prevention (DLP).

Important

SharePoint IRM can be used in combination with sensitivity labels that apply protection. When you use both features together, the behavior changes for protected files. For more information, see Enable sensitivity labels for Office files in SharePoint and OneDrive.

When you use SharePoint IRM protection, the Azure Rights Management service applies usage restrictions and data encryption to documents when they are downloaded from SharePoint, not when the document is first created in SharePoint or uploaded to the library. For information about how documents are protected before they are downloaded, see Data Encryption in OneDrive and SharePoint in the SharePoint documentation.

Although no longer new, the following post from the Office 365 blog has some additional information that you might find useful: What's New with Information Rights Management in SharePoint.

For changes that are coming, see Updates to SharePoint security, administration, and migration.

If you are ready to configure SharePoint for IRM:

Next steps

If you have Office 365, you might be interested in reviewing File Protection Solutions in Office 365, which provides recommended capabilities for protecting files in Office 365.

To see how other applications and services support the Azure Rights Management service from Azure Information Protection, see How applications support the Azure Rights Management service.

If you are ready to start deployment, which includes configuring these applications and services, see the Azure Information Protection deployment roadmap.