Preparing users and groups for Azure Information Protection

Applies to: Azure Information Protection, Office 365

Before you deploy Azure Information Protection for your organization, make sure that your tenant's Azure AD contains accounts for the users and groups that will use the service.

There are several ways to create these user and group accounts, including:

  • You create the users in the Microsoft 365 admin center, and the groups in the Exchange Online admin center.

  • You create the users and groups in the Azure portal.

  • You create the users and groups by using Azure AD PowerShell and Exchange Online cmdlets.

  • You create the users and groups in your on-premises Active Directory and synchronize them to Azure AD.

  • You create the users and groups in another directory and synchronize them to Azure AD.

When you create users and groups by using the first three methods in this list, they are created directly in Azure AD, and Azure Information Protection can use these accounts as they are (with one exception, described below). However, many enterprise networks use an on-premises directory to create and manage users and groups. Azure Information Protection cannot use these on-premises accounts directly; you must synchronize them to Azure AD.

The exception referred to in the previous paragraph is dynamic distribution lists, which you can create for Exchange Online. Unlike static distribution lists, these groups are not replicated to Azure AD and so cannot be used by Azure Information Protection.

How users and groups are used by Azure Information Protection

There are three scenarios in which Azure Information Protection uses users and groups:

For assigning labels to users when you configure the Azure Information Protection policy, so that labels can be applied to documents and emails. Only administrators can select these users and groups:

  • The default Azure Information Protection policy is automatically assigned to all users in your tenant's Azure AD. However, you can also assign additional labels to specified users or groups by using scoped policies.

For assigning usage rights and access controls when you use the Azure Rights Management service to protect documents and emails. Both administrators and users can select these users and groups:

  • Usage rights determine whether a user can open a document or email and what they can do with it: for example, whether they can only read it, read and print it, or read and edit it.

  • Access controls include an expiry date and whether a connection to the internet is required for access.

For configuring the Azure Rights Management service to support specific scenarios; only administrators select these groups. Examples include configuring the following:

  • Super users, so that designated services or people can open encrypted content when this is required for eDiscovery or data recovery. Because a super user can open any content that the tenant has protected, keep this group small and review its membership regularly.

  • Delegated administration of the Azure Rights Management service.

  • Onboarding controls to support a phased deployment.

Azure Information Protection requirements for user accounts

For assigning labels:

  • Any user account in Azure AD can be used in a scoped policy that assigns additional labels to users.

For assigning usage rights and access controls, and for configuring the Azure Rights Management service:

  • To authorize users, two attributes in Azure AD are used: proxyAddresses and userPrincipalName.

  • The Azure AD proxyAddresses attribute stores all email addresses for an account and can be populated in different ways. For example, a user in Office 365 who has an Exchange Online mailbox automatically has an email address stored in this attribute. If you assign an alternative email address to an Office 365 user, that address is also saved in this attribute. The attribute can also be populated with email addresses that are synchronized from on-premises accounts.

    Azure Information Protection can use any value in the Azure AD proxyAddresses attribute, provided that the address's domain has been added to your tenant and verified (a "verified domain"). For more information about verifying domains, see the Azure AD documentation.

  • The Azure AD userPrincipalName attribute is used only when an account in your tenant has no values in the Azure AD proxyAddresses attribute. This is the case, for example, when you create a user in the Azure portal, or create an Office 365 user who doesn't have a mailbox.

Assigning usage rights and access controls to external users

In addition to using the Azure AD proxyAddresses and userPrincipalName attributes for users in your tenant, Azure Information Protection uses these attributes in the same way to authorize users from another tenant.

Other authorization methods:

  • For email addresses that are not in Azure AD, Azure Information Protection can authorize the address after the user has authenticated with a Microsoft account. However, not all applications can open protected content when a Microsoft account is used for authentication.

  • When an email is sent by using Office 365 Message Encryption with new capabilities to a user who doesn't have an account in Azure AD, the user is first authenticated by federation with a social identity provider or by a one-time passcode. The email address specified in the protected email is then used to authorize the user.

Azure Information Protection requirements for group accounts

For assigning labels:

  • To configure scoped policies that assign additional labels to group members, you can use any type of group in Azure AD that has an email address in a verified domain for your tenant. A group that has an email address is often referred to as a mail-enabled group.

    For example, you can use a mail-enabled security group, a static distribution group, or an Office 365 group. You cannot use a plain security group (dynamic or static), because that group type doesn't have an email address. You also cannot use a dynamic distribution list from Exchange Online, because that group type isn't replicated to Azure AD.

For assigning usage rights and access controls:

  • You can use any type of group in Azure AD that has an email address in a verified domain for your tenant (a mail-enabled group).

For configuring the Azure Rights Management service:

  • You can use any type of group in Azure AD that has an email address in a verified domain for your tenant, with one exception: when you configure onboarding controls to use a group, that group must be a security group in your tenant's Azure AD.

  • For delegated administration of the Azure Rights Management service, you can use any group in Azure AD from a verified domain in your tenant, with or without an email address.

Assigning usage rights and access controls to external groups

In addition to using the Azure AD proxyAddresses attribute for groups in your tenant, Azure Information Protection uses this attribute in the same way to authorize groups from another tenant.

Using accounts from on-premises Active Directory for Azure Information Protection

If you have accounts that are managed on-premises and that you want to use with Azure Information Protection, you must synchronize them to Azure AD. For ease of deployment, we recommend that you use Azure AD Connect. However, you can use any directory synchronization method that achieves the same result.

When you synchronize your accounts, you do not need to synchronize all attributes. For the list of attributes that must be synchronized, see the Azure RMS section of the Azure Active Directory documentation.

From the attributes list for Azure Rights Management, you can see that for users, the on-premises AD attributes mail, proxyAddresses, and userPrincipalName are required for synchronization. The values of mail and proxyAddresses are synchronized into the Azure AD proxyAddresses attribute. For more information, see How the proxyAddresses attribute is populated in Azure AD.

Confirming your users and groups are prepared for Azure Information Protection

You can use Azure AD PowerShell to confirm that users and groups can be used with Azure Information Protection, and to see the values that will be used to authorize them.

For example, using the V1 PowerShell module for Azure Active Directory, MSOnline, first connect to the service in a PowerShell session and supply your credentials. These checks are read-only, so an account with a read-only directory role such as Global Reader is sufficient; Global Administrator is not required:

Connect-MsolService

Note: If this command isn't recognized, run Install-Module MSOnline to install the MSOnline module. Microsoft has deprecated the MSOnline module in favor of the Microsoft Graph PowerShell SDK; the attributes checked below (proxyAddresses, userPrincipalName, group type) are the same whichever module you use.

Next, configure your PowerShell session so that it doesn't truncate multi-valued properties such as ProxyAddresses when they are displayed:

$FormatEnumerationLimit = -1

Confirm user accounts are ready for Azure Information Protection

To confirm the user accounts, run the following command (Get-MsolUser returns at most 500 users by default; the -All switch lists every user):

Get-MsolUser -All | Select-Object DisplayName, UserPrincipalName, ProxyAddresses

Your first check is to make sure that the users you want to use with Azure Information Protection are displayed.

Then check whether the ProxyAddresses column is populated. If it is, the email values in this column can be used to authorize the user for Azure Information Protection.

If the ProxyAddresses column is not populated, the value in UserPrincipalName is used to authorize the user for the Azure Rights Management service.

For example:

DisplayName       UserPrincipalName            ProxyAddresses
-----------       -----------------            --------------
Jagannath Reddy   jagannathreddy@contoso.com   {}
Ankur Roy         ankurroy@contoso.com         {SMTP:ankur.roy@contoso.com, smtp:ankur.roy@onmicrosoft.contoso.com}

In this example:

  • The user account for Jagannath Reddy will be authorized by jagannathreddy@contoso.com.

  • The user account for Ankur Roy can be authorized by ankur.roy@contoso.com and ankur.roy@onmicrosoft.contoso.com, but not by ankurroy@contoso.com.

In most cases, the value of UserPrincipalName matches one of the values in the ProxyAddresses field. This is the recommended configuration, but if you cannot change the UPN to match the email address, you must take the following steps:

  1. If the domain name in the UPN value is a verified domain for your Azure AD tenant, add the UPN value as another email address in Azure AD, so that the UPN value can then be used to authorize the user account for Azure Information Protection.

    If the domain name in the UPN value is not a verified domain for your tenant, it cannot be used with Azure Information Protection. However, the user can still be authorized as a member of a group when the group's email address uses a verified domain name.

  2. If the UPN is not routable (for example, ankurroy@contoso.local), configure an alternate login ID for the users and instruct them how to sign in to Office by using this alternate login. You must also set a registry key for Office.

    For more information, see Configuring Alternate Login ID and Office applications periodically prompt for credentials to SharePoint, OneDrive, and Lync Online.

Tip

You can use the Export-Csv cmdlet to export the results to a spreadsheet for easier management, such as searching and bulk-editing for import. Because ProxyAddresses is a multi-valued property, join its values into a single string before exporting; otherwise Export-Csv writes the collection's type name instead of the addresses.

For example: Get-MsolUser -All | Select-Object DisplayName, UserPrincipalName, @{Name='ProxyAddresses'; Expression={$_.ProxyAddresses -join ';'}} | Export-Csv -Path UserAccounts.csv -NoTypeInformation

Confirm group accounts are ready for Azure Information Protection

To confirm group accounts, use the following command (as with users, -All lists every group rather than the default first page of results):

Get-MsolGroup -All | Select-Object DisplayName, GroupType, ProxyAddresses

Make sure that the groups you want to use with Azure Information Protection are displayed. For the groups displayed, the email addresses in the ProxyAddresses column can be used to authorize the group members for the Azure Rights Management service.

Then check that the groups contain the users (or other groups) that you want to use with Azure Information Protection. You can do this with PowerShell (for example, Get-MsolGroupMember -GroupObjectId <objectId>), or by using your management portal.

For the two Azure Rights Management service configuration scenarios that use security groups, you can use the following PowerShell command to find the object ID and display name that identify these groups. You can also use the Azure portal to find these groups and copy the values of the object ID and the display name:

Get-MsolGroup -All | Where-Object { $_.GroupType -eq "Security" } | Select-Object ObjectId, DisplayName
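The checks in the user-account and group-account sections above can be scripted. The following PowerShell is an added example, not code from the original page or from Microsoft: it applies the authorization rules described in those two sections to directory objects and reports what needs fixing (a UPN that must be added as an alias, a UPN in an unverified or non-routable domain, a group with no address in a verified domain). It assumes the MSOnline property names shown in the commands above (UserPrincipalName, ProxyAddresses, GroupType, ObjectId) and that Get-MsolDomain reports verified domains with a Status of Verified; the function names, the sample users and groups, their addresses and the object IDs are constructed for the example.

```powershell
# Added example (not part of the original page). It applies the authorization rules from the
# user-account and group-account sections above to directory objects:
#   Get-AipUserAuthorizationReport - which address(es) will authorize each user, and whether the
#                                    UPN must be added as an alias (step 1) or an alternate login
#                                    ID configured (step 2);
#   Get-AipGroupReadinessReport    - which groups have an address in a verified domain (labels,
#                                    usage rights) and which are security groups (onboarding
#                                    controls, identified by ObjectId).
# Plain objects are used so the constructed sample at the end runs offline; for a live tenant,
# pass Get-MsolUser -All / Get-MsolGroup -All and the verified domains from Get-MsolDomain.

function Get-UsableSmtpAddress {
    # Return the smtp:/SMTP: proxy addresses whose domain is verified in the tenant, lower-cased.
    param([string[]] $ProxyAddresses, [string[]] $VerifiedDomains)
    @($ProxyAddresses |
        Where-Object { $_ -match '^smtp:' } |                 # -match is case-insensitive
        ForEach-Object { ($_ -replace '^smtp:', '').Trim().ToLowerInvariant() } |
        Where-Object { $VerifiedDomains -contains ($_ -split '@')[1] })
}

function Get-AipUserAuthorizationReport {
    param([Parameter(Mandatory)] [object[]] $Users, [Parameter(Mandatory)] [string[]] $VerifiedDomains)
    $verified = @($VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() })
    foreach ($u in $Users) {
        $usable      = Get-UsableSmtpAddress -ProxyAddresses $u.ProxyAddresses -VerifiedDomains $verified
        $upn         = $u.UserPrincipalName.ToLowerInvariant()
        $upnVerified = $verified -contains ($upn -split '@')[1]
        $finding     = ''
        if (@($u.ProxyAddresses).Count -eq 0) {
            # proxyAddresses empty: the UPN is the only candidate, and only if its domain is verified
            if ($upnVerified) { $usable = @($upn) }
            else { $finding = 'proxyAddresses empty and UPN domain not verified; user cannot be authorized directly' }
        }
        elseif ($usable -notcontains $upn) {
            if ($upnVerified) { $finding = 'UPN not among proxy addresses; add it as an alternate email address (step 1)' }
            else { $finding = 'UPN domain not verified or not routable; configure alternate login ID (step 2)' }
        }
        [pscustomobject]@{
            DisplayName          = $u.DisplayName
            UserPrincipalName    = $u.UserPrincipalName
            AuthorizingAddresses = ($usable -join '; ')
            Finding              = $finding
        }
    }
}

function Get-AipGroupReadinessReport {
    param([Parameter(Mandatory)] [object[]] $Groups, [Parameter(Mandatory)] [string[]] $VerifiedDomains)
    $verified = @($VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() })
    foreach ($g in $Groups) {
        $usable     = Get-UsableSmtpAddress -ProxyAddresses $g.ProxyAddresses -VerifiedDomains $verified
        # GroupType value names as reported by MSOnline (Security, MailEnabledSecurity, DistributionList) are assumed
        $isSecurity = $g.GroupType -in 'Security', 'MailEnabledSecurity'
        $finding    = ''
        if ($usable.Count -eq 0) { $finding = 'no address in a verified domain; cannot be used for labels or usage rights' }
        [pscustomobject]@{
            DisplayName             = $g.DisplayName
            ObjectId                = $g.ObjectId
            GroupType               = $g.GroupType
            AuthorizingAddresses    = ($usable -join '; ')
            UsableForLabelsOrRights = ($usable.Count -gt 0)   # scoped policies, usage rights, super users
            UsableForOnboarding     = $isSecurity             # onboarding controls take a security group's ObjectId
            Finding                 = $finding
        }
    }
}

# Constructed sample data: the two users from the table above, a non-routable UPN, and three groups.
$verifiedDomains = @('contoso.com', 'onmicrosoft.contoso.com')
$sampleUsers = @(
    [pscustomobject]@{ DisplayName = 'Jagannath Reddy'; UserPrincipalName = 'jagannathreddy@contoso.com'; ProxyAddresses = @() }
    [pscustomobject]@{ DisplayName = 'Ankur Roy'; UserPrincipalName = 'ankurroy@contoso.com'
                       ProxyAddresses = @('SMTP:ankur.roy@contoso.com', 'smtp:ankur.roy@onmicrosoft.contoso.com') }
    [pscustomobject]@{ DisplayName = 'Legacy User'; UserPrincipalName = 'legacy@contoso.local'
                       ProxyAddresses = @('SMTP:legacy@contoso.com') }
)
$sampleGroups = @(
    [pscustomobject]@{ ObjectId = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Finance';   GroupType = 'DistributionList'; ProxyAddresses = @('SMTP:finance@contoso.com') }
    [pscustomobject]@{ ObjectId = '22222222-2222-2222-2222-222222222222'; DisplayName = 'AIP Pilot'; GroupType = 'Security';         ProxyAddresses = @() }
    [pscustomobject]@{ ObjectId = '33333333-3333-3333-3333-333333333333'; DisplayName = 'Partners';  GroupType = 'DistributionList'; ProxyAddresses = @('SMTP:partners@fabrikam.com') }
)
Get-AipUserAuthorizationReport -Users $sampleUsers -VerifiedDomains $verifiedDomains | Format-Table -AutoSize
Get-AipGroupReadinessReport -Groups $sampleGroups -VerifiedDomains $verifiedDomains | Format-Table -AutoSize

# Live tenant (after Connect-MsolService):
# $verifiedDomains = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name
# Get-AipUserAuthorizationReport -Users (Get-MsolUser -All) -VerifiedDomains $verifiedDomains | Where-Object Finding
# Get-AipGroupReadinessReport -Groups (Get-MsolGroup -All) -VerifiedDomains $verifiedDomains
```

On the sample, Jagannath Reddy is authorized by the UPN alone, Ankur Roy is flagged for step 1 (a verified-domain UPN that is not among the proxy addresses), and the user with a .local UPN is flagged for step 2. Among the groups, the security group with no address is usable only for onboarding controls and delegated administration, and the group whose only address is in an unverified domain is flagged as unusable for labels and usage rights. The report deliberately reads nothing beyond the attributes the page names, so it runs with a read-only role.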

Considerations for Azure Information Protection if email addresses change

If you change the email address of a user or group, we recommend that you add the old email address to the user or group as a second email address (also known as a proxy address, alias, or alternate email address). When you do this, the old email address is added to the Azure AD proxyAddresses attribute. This account administration ensures business continuity for any usage rights or other configurations that were saved while the old email address was in use.

If you cannot do this, the user or group with the new email address risks being denied access to documents and emails that were previously protected with the old email address. In this case, you must repeat the protection configuration to save the new email address. For example, if the user or group was granted usage rights in templates or labels, edit those templates or labels and specify the new email address with the same usage rights that you granted to the old email address. The converse also applies: because authorization is by email address, an old address that is later assigned to a different person gives that person access to everything that was protected for the address, so do not reuse retired addresses without considering this.

Note that it's rare for a group to change its email address, and if you assign usage rights to a group rather than to individual users, it doesn't matter if a user's email address changes: the usage rights are assigned to the group's email address, not to individual user email addresses. This is the most likely (and recommended) way for an administrator to configure usage rights that protect documents and emails. However, users themselves more typically assign custom permissions to individual users. Because you cannot always know whether a user account or group has been used to grant access, the safest practice is always to add the old email address as a second email address.
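To make the recommendation above concrete, the following PowerShell is an added example, not code from the original page or from Microsoft. It builds the new proxy-address list for a renamed mailbox while demoting the old primary address to an alias, checks the result before it is applied, and shows the Exchange Online cmdlets (Set-Mailbox and Set-DistributionGroup with -EmailAddresses) that would apply it to a cloud-managed object. The function names, the sample mailbox, its addresses and the new domain are constructed for the example.

```powershell
# Added example (not part of the original page): when a primary email address changes, keep the
# old address as a secondary proxy address so that usage rights granted to the old address keep
# working. The list arithmetic is a pure function so it can be checked offline on the constructed
# sample; the Exchange Online cmdlets that apply it are shown commented out. For directory-
# synchronized objects the change must be made on-premises (proxyAddresses on the AD object) and
# synchronized, because Exchange Online refuses edits to synchronized attributes.

function New-ProxyAddressList {
    param(
        [Parameter(Mandatory)] [string[]] $Current,     # e.g. (Get-Mailbox $id).EmailAddresses
        [Parameter(Mandatory)] [string]   $NewPrimary   # bare address, without the SMTP: prefix
    )
    $new = $NewPrimary.Trim()
    $secondary = @(foreach ($entry in $Current) {
        if ($entry -match '^smtp:(.+)$') {               # case-insensitive: matches SMTP: and smtp:
            $addr = $Matches[1].Trim()
            if ($addr -ieq $new) { continue }           # re-added below as the primary
            "smtp:$addr"                                 # every other address, old primary included, becomes an alias
        } else {
            $entry                                       # keep non-SMTP entries (x500:, SIP:, ...) as they are
        }
    })
    # Exactly one upper-case SMTP: entry marks the primary; it goes first.
    return @("SMTP:$new") + $secondary
}

function Test-ProxyAddressList {
    # Sanity checks before applying: exactly one primary, and the previous primary still present as an alias.
    param([string[]] $List, [string] $OldPrimary)
    $primaries = @($List | Where-Object { $_ -cmatch '^SMTP:' })
    ($primaries.Count -eq 1) -and ($List -contains "smtp:$OldPrimary")
}

# Constructed sample: Ankur Roy's mailbox moves to a new primary address in another verified domain.
$current = @(
    'SMTP:ankur.roy@contoso.com'
    'smtp:ankur.roy@onmicrosoft.contoso.com'
    'x500:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=ankurroy'
)
$updated = New-ProxyAddressList -Current $current -NewPrimary 'ankur.roy@newbrand.contoso.com'
if (-not (Test-ProxyAddressList -List $updated -OldPrimary 'ankur.roy@contoso.com')) {
    throw 'address list is not safe to apply'
}
$updated

# Apply in Exchange Online PowerShell (cloud-managed objects only; identity values are assumed):
# Set-Mailbox -Identity 'ankur.roy@contoso.com' -EmailAddresses $updated
# $grp = Get-DistributionGroup -Identity 'finance@contoso.com'
# Set-DistributionGroup -Identity $grp.Identity -EmailAddresses (New-ProxyAddressList -Current $grp.EmailAddresses -NewPrimary 'finance@newbrand.contoso.com')
```

Passing the complete list to -EmailAddresses, rather than adding and removing entries one at a time, makes the end state explicit and lets the check run before anything is changed; the new primary domain must already be a verified domain in the tenant, or the new address will not authorize the user for Azure Information Protection.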

Group membership caching by Azure Information Protection

For performance reasons, Azure Information Protection caches group membership. This means that changes to group membership in Azure AD can take up to three hours to take effect when these groups are used by Azure Information Protection, and this time period is subject to change.

Remember to factor this delay into any changes or testing that you do when you use groups for granting usage rights or for configuring the Azure Rights Management service, and when you configure scoped policies. In particular, removing a user from a group does not immediately revoke the access that the group grants.

Next steps

When you have confirmed that your users and groups can be used with Azure Information Protection and you are ready to start protecting documents and emails, check whether you need to activate the Azure Rights Management service. This service must be activated before you can protect your organization's documents and emails:

  • Beginning with February 2018: If your subscription that includes Azure Rights Management or Azure Information Protection was obtained during or after this month, the service is automatically activated for you.

  • If your subscription was obtained before February 2018: You must activate the service yourself.

For more information, including how to check the activation status, see Activating the protection service from Azure Information Protection.