Prepare the environment for Azure Rights Management when you have AD RMS

Applies to: Azure Information Protection, Office 365

Important

Guidance if you are using Active Directory Rights Management Services (AD RMS)

If the Azure Rights Management service is activated and you are also using AD RMS, this combination isn't compatible. Without additional steps, some computers might automatically start using the Azure Rights Management service and also connect to your AD RMS cluster. This scenario isn't supported and has unreliable results, so it's important that you take additional steps.

To check whether you have deployed AD RMS:

  1. Although optional, most AD RMS deployments publish the service connection point (SCP) to Active Directory so that domain computers can discover the AD RMS cluster.

    Use ADSI Edit to see whether you have an SCP published in Active Directory: CN=Configuration [server name], CN=Services, CN=RightsManagementServices, CN=SCP

  2. If you are not using an SCP, Windows computers that connect to an AD RMS cluster must be configured for client-side service discovery or licensing redirection by using the Windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation

    For more information about these registry configurations, see Enabling client-side service discovery by using the Windows registry and Redirecting licensing server traffic.
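The two checks above as a script, added here as an example that is not part of the original Microsoft page: it looks for the SCP under the forest's configuration naming context and lists any values under the two MSIPC ServiceLocation keys. It only reads; the function names are hypothetical, and reading serviceBindingInformation assumes the SCP is a standard serviceConnectionPoint object.

```powershell
# Added example (not Microsoft's code): read-only inventory of AD RMS discovery settings.
# Run on a domain-joined Windows computer; nothing is modified.

function Get-AdRmsScp {   # hypothetical helper name
    try {
        # The SCP lives in the configuration partition, so resolve that DN from RootDSE.
        $rootDse = [ADSI]'LDAP://RootDSE'
        $scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$($rootDse.configurationNamingContext)"
        if ([System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
            $scp = [ADSI]$scpPath
            [pscustomobject]@{
                Source   = 'SCP'
                Location = $scpPath
                Name     = 'serviceBindingInformation'   # assumed: standard SCP attribute
                Value    = ($scp.serviceBindingInformation -join '; ')
            }
        }
    } catch {
        Write-Warning "Could not query Active Directory for the SCP: $($_.Exception.Message)"
    }
}

function Get-MsipcServiceLocation {   # hypothetical helper name
    $paths = 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation'
    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) { continue }
        # Include the key itself and every subkey; report each value found.
        $keys = @(Get-Item -Path $path) + @(Get-ChildItem -Path $path -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Source   = 'Registry'
                    Location = $key.Name
                    Name     = if ($name) { $name } else { '(Default)' }
                    Value    = $key.GetValue($name)
                }
            }
        }
    }
}

$findings = @(Get-AdRmsScp) + @(Get-MsipcServiceLocation)
if ($findings.Count -eq 0) {
    'No AD RMS SCP or MSIPC ServiceLocation settings found from this computer.'
} else {
    $findings | Format-List
}
```

The registry check describes only the computer it runs on, so run it on a sample of clients; the SCP check gives the same answer from any computer in the forest.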

If AD RMS is deployed for your organization, consider whether you can migrate to Azure Information Protection. Azure Information Protection has many advantages over AD RMS. For example, it offers better support for mobile devices and integration with Office 365 services as well as with Exchange Server and SharePoint Server. For more information, see Comparing Azure Information Protection and AD RMS.

When you migrate to Azure Information Protection, you won't lose access to previously protected content and you don't have to un-protect or re-protect your content. Documents and emails that were protected by AD RMS can still be opened even after you have de-provisioned AD RMS.

Whether you decide to migrate to Azure Information Protection or to accept the limitations in using your current AD RMS deployment, you must first ensure that the Azure Rights Management service is deactivated. For instructions, follow the steps for the scenario that applies to you:

Your subscription was purchased during or after February 2018

Towards the end of February 2018, new subscriptions that include Azure Information Protection now activate the Azure Rights Management service by default. If this service is automatically activated for you and you are also using Active Directory Rights Management Services (AD RMS), this combination isn't compatible, so it's important that you deactivate the Azure Rights Management service as soon as possible.

Step 1: Deactivate Azure Rights Management

Use one of the following procedures to deactivate Azure Rights Management.

Tip

You can also use the Windows PowerShell cmdlet, Disable-AipService, to deactivate the Azure Rights Management service.

To deactivate Rights Management from the Microsoft 365 admin center

  1. Go to the Rights Management page for Office 365 administrators.

    If you are prompted to sign in, use an account that is a global administrator for Office 365.

  2. On the rights management page, click deactivate.

  3. When you see the prompt "Do you want to deactivate Rights Management?", click deactivate.

You should now see "Rights Management is not activated" and the option to activate.

To deactivate Rights Management from the Azure portal

  1. If you haven't already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

    If you haven't accessed the Azure Information Protection pane before, see the one-time additional steps to add this pane to the portal.

  2. Select Protection activation from the menu options.

  3. On the Azure Information Protection - Protection activation pane, select Deactivate. Select Yes to confirm your choice.

The information bar displays "Deactivation finished successfully" and Deactivate is now replaced with Activate.

Step 2: Start planning for migration

See the migration guidance: Migrating from AD RMS to Azure Information Protection

Your subscription was purchased before or during February 2018 and you have Exchange Online

Microsoft is starting to activate the Azure Rights Management service for subscriptions that include Azure Rights Management or Azure Information Protection where the tenant is using Exchange Online. For these tenants, automatic activation is starting to roll out August 1, 2018.

If the service is automatically activated for you and you are also using AD RMS, this combination isn't compatible, so it's important that your tenant is opted out from the automatic service update.

Step 1: Opt out from the automatic service update

Use the following Set-IRMConfiguration Exchange Online PowerShell command:

    Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false

More information

Step 2: Start planning for migration

See the migration guidance: Migrating from AD RMS to Azure Information Protection

You see an option to activate protection when you configure Azure Information Protection

The Azure Information Protection - Protection activation pane has an option to activate the Azure Rights Management service.

If you are also using AD RMS, do not select the Activate option. When the Azure Rights Management service isn't activated, you can still use Azure Information Protection for labels that apply classification only. A special default policy is created for you that does not include data protection, and those configuration options remain unavailable until the Azure Rights Management service is activated.

Step 1: Configure your Azure Information Protection policy for classification and labeling - without protection

From the Azure Information Protection - Labels pane, view and configure the labels that do not include options for data protection. For more information about how to configure the labels and policy settings, see Configuring Azure Information Protection policy.

Step 2: Start planning for migration

See the migration guidance: Migrating from AD RMS to Azure Information Protection

Step 3: Configure labels for protection

After you have activated the Azure Rights Management service as part of the migration process, you can configure labels for data protection. However, if you migrate users in batches, make sure that labels that apply protection are scoped to migrated users only.