Admin Guide: Custom configurations for the Azure Information Protection client

Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Instructions for: Azure Information Protection client for Windows

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Use the following information for advanced configurations that you might need for specific scenarios or a subset of users when you manage the Azure Information Protection client.

Some of these settings require editing the registry and some use advanced settings that you must configure in the Azure portal, and then publish for clients to download.

How to configure advanced client configuration settings in the portal

  1. If you haven't already done so, in a new browser window, sign in to the Azure portal, and then navigate to the Azure Information Protection pane.

  2. From the Classifications > Labels menu option: Select Policies.

  3. On the Azure Information Protection - Policies pane, select the context menu (...) next to the policy to contain the advanced settings. Then select Advanced settings.

    You can configure advanced settings for the Global policy, as well as for scoped policies.

  4. On the Advanced settings pane, type the advanced setting name and value, and then select Save and close.

  5. Make sure that users for this policy restart any Office applications that they had open.

  6. If you no longer need the setting and want to revert to the default behavior: On the Advanced settings pane, select the context menu (...) next to the setting you no longer need, and then select Delete. Then click Save and close.

Available advanced client settings

Setting                                                      Scenario and instructions
DisableDNF                                                   Hide or show the Do Not Forward button in Outlook
DisableMandatoryInOutlook                                    Exempt Outlook messages from mandatory labeling
CompareSubLabelsInAttachmentAction                           Enable order support for sublabels
ContentExtractionTimeout                                     Change the timeout settings for the scanner
EnableBarHiding                                              Permanently hide the Azure Information Protection bar
EnableCustomPermissions                                      Make the custom permissions options available or unavailable to users
EnableCustomPermissionsForCustomProtectedFiles               For files protected with custom permissions, always display custom permissions to users in File Explorer
EnablePDFv2Protection                                        Don't protect PDF files by using the ISO standard for PDF encryption
FileProcessingTimeout                                        Change the timeout settings for the scanner
LabelbyCustomProperty                                        Migrate labels from Secure Islands and other labeling solutions
LabelToSMIME                                                 Configure a label to apply S/MIME protection in Outlook
LogLevel                                                     Change the local logging level
LogMatchedContent                                            Disable sending information type matches for a subset of users
OutlookBlockTrustedDomains                                   Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookBlockUntrustedCollaborationLabel                      Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookDefaultLabel                                          Set a different default label for Outlook
OutlookJustifyTrustedDomains                                 Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookJustifyUntrustedCollaborationLabel                    Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookRecommendationEnabled                                 Enable recommended classification in Outlook
OutlookOverrideUnlabeledCollaborationExtensions              Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior  Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookWarnTrustedDomains                                    Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookWarnUntrustedCollaborationLabel                       Implement pop-up messages in Outlook that warn, justify, or block emails being sent
PostponeMandatoryBeforeSave                                  Remove "Not now" for documents when you use mandatory labeling
ProcessUsingLowIntegrity                                     Disable the low integrity level for the scanner
PullPolicy                                                   Support for disconnected computers
RemoveExternalContentMarkingInApp                            Remove headers and footers from other labeling solutions
ReportAnIssueLink                                            Add "Report an Issue" for users
RunAuditInformationTypesDiscovery                            Disable sending discovered sensitive information in documents to Azure Information Protection analytics
RunPolicyInBackground                                        Turn on classification to run continuously in the background
ScannerConcurrencyLevel                                      Limit the number of threads used by the scanner
SyncPropertyName                                             Label an Office document by using an existing custom property
SyncPropertyState                                            Label an Office document by using an existing custom property

Prevent sign-in prompts for AD RMS only computers

By default, the Azure Information Protection client automatically tries to connect to the Azure Information Protection service. For computers that only communicate with AD RMS, this configuration can result in a sign-in prompt for users that is not necessary. You can prevent this sign-in prompt by editing the registry.

  • Locate the following value name, and then set the value data to 0:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSIP\EnablePolicyDownload

Regardless of this setting, the Azure Information Protection client still follows the standard RMS service discovery process to find its AD RMS cluster.

Sign in as a different user

In a production environment, users wouldn't usually need to sign in as a different user when they are using the Azure Information Protection client. However, as an administrator, you might need to sign in as a different user during a testing phase.

You can verify which account you're currently signed in as by using the Microsoft Azure Information Protection dialog box: Open an Office application and on the Home tab, in the Protection group, click Protect, and then click Help and feedback. Your account name is displayed in the Client status section.

Be sure to also check the domain name of the signed-in account that's displayed. It can be easy to miss that you're signed in with the right account name but the wrong domain. Symptoms of using the wrong account include failing to download the Azure Information Protection policy, or not seeing the labels or behavior that you expect.

To sign in as a different user:

  1. Navigate to %localappdata%\Microsoft\MSIP and delete the TokenCache file.

  2. Restart any open Office applications and sign in with your different user account. If you do not see a prompt in your Office application to sign in to the Azure Information Protection service, return to the Microsoft Azure Information Protection dialog box and click Sign in from the updated Client status section.

Additionally:

  • If the Azure Information Protection client is still signed in with the old account after completing these steps, delete all cookies from Internet Explorer, and then repeat steps 1 and 2.

  • If you are using single sign-on, you must sign out from Windows and sign in with your different user account after deleting the token file. The Azure Information Protection client then automatically authenticates by using your currently signed-in user account.

  • This solution is supported for signing in as another user from the same tenant. It is not supported for signing in as another user from a different tenant. To test Azure Information Protection with multiple tenants, use different computers.

  • You can use the Reset settings option from Help and Feedback to sign out and delete the currently downloaded Azure Information Protection policy.

Enforce protection-only mode when your organization has a mix of licenses

If your organization does not have any licenses for Azure Information Protection, but does have licenses for Office 365 that include the Azure Rights Management service for protecting data, the Azure Information Protection client for Windows automatically runs in protection-only mode.

However, if your organization has a subscription for Azure Information Protection, by default all Windows computers can download the Azure Information Protection policy. The Azure Information Protection client does not do license checking and enforcement.

If you have some users who do not have a license for Azure Information Protection but do have a license for Office 365 that includes the Azure Rights Management service, edit the registry on these users' computers to prevent users from running the unlicensed classification and labeling features from Azure Information Protection.

Locate the following value name and set the value data to 0:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSIP\EnablePolicyDownload

In addition, check that these computers do not have a file named Policy.msip in the %LocalAppData%\Microsoft\MSIP folder. If this file exists, delete it. This file contains the Azure Information Protection policy and might have downloaded before you edited the registry, or if the Azure Information Protection client was installed with the demo option.
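The two steps above (registry value, then stale policy file) as PowerShell; this is an added example, not part of the original guide. It assumes the value is a DWORD when it has to be created (the guide gives only the value name and data), it must run in the affected user's session because the key is under HKEY_CURRENT_USER, and the function name is hypothetical.

```powershell
# Added example (not from the original guide). Run as the affected user:
# the key lives under HKEY_CURRENT_USER, so it is a per-user setting.
function Set-AipProtectionOnlyMode {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath    = 'HKCU:\SOFTWARE\Microsoft\MSIP',
        [string]$PolicyFile = (Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Policy.msip')
    )

    $name = 'EnablePolicyDownload'

    # Create the key only if it is missing.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    # Step 1: set the value data to 0.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$name", 'Set value data to 0')) {
        $existing = Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $existing) {
            # The value is already there: update it in place.
            Set-ItemProperty -LiteralPath $KeyPath -Name $name -Value 0
        } else {
            # Assumption: DWORD. The guide states only the name and the data.
            New-ItemProperty -LiteralPath $KeyPath -Name $name -Value 0 -PropertyType DWord | Out-Null
        }
    }

    # Step 2: remove a policy that was downloaded before the registry edit
    # (or that came with a demo install).
    if (Test-Path -LiteralPath $PolicyFile -PathType Leaf) {
        if ($PSCmdlet.ShouldProcess($PolicyFile, 'Delete downloaded policy')) {
            Remove-Item -LiteralPath $PolicyFile -Force
        }
    }

    # Report the resulting state so the change can be verified or logged.
    $current = Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnablePolicyDownload = if ($current) { $current.$name } else { $null }
        PolicyFilePresent    = Test-Path -LiteralPath $PolicyFile -PathType Leaf
    }
}

# Preview the changes first, then apply them:
#   Set-AipProtectionOnlyMode -WhatIf
#   Set-AipProtectionOnlyMode
```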

Add "Report an Issue" for users

This configuration uses an advanced client setting that you must configure in the Azure portal.

When you specify the following advanced client setting, users see a Report an Issue option that they can select from the Help and Feedback client dialog box. Specify an HTTP string for the link. For example, a customized web page that you have for users to report issues, or an email address that goes to your help desk.

To configure this advanced setting, enter the following strings:

  • Key: ReportAnIssueLink

  • Value: <HTTP string>

Example value for a website: https://support.contoso.com

Example value for an email address: mailto:helpdesk@contoso.com

Hide the Classify and Protect menu option in Windows File Explorer

Create the following DWORD value name (with any value data):

HKEY_CLASSES_ROOT\AllFilesystemObjects\shell\Microsoft.Azip.RightClick\LegacyDisable

Support for disconnected computers

By default, the Azure Information Protection client automatically tries to connect to the Azure Information Protection service to download the latest Azure Information Protection policy. If you have computers that you know will not be able to connect to the internet for a period of time, you can prevent the client from attempting to connect to the service by editing the registry.

Note that without an internet connection, the client cannot apply protection (or remove protection) by using your organization's cloud-based key. Instead, the client is limited to using labels that apply classification only, or protection that uses HYOK.

You can prevent a sign-in prompt to the Azure Information Protection service by using an advanced client setting that you must configure in the Azure portal and then download the policy for computers. Or, you can prevent this sign-in prompt by editing the registry.

  • To configure the advanced client setting:

    1. Enter the following strings:

      • Key: PullPolicy

      • Value: False

    2. Download the policy with this setting and install it on computers by using the instructions that follow.

  • Alternatively, to edit the registry:

    • Locate the following value name, and then set the value data to 0:

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSIP\EnablePolicyDownload

The client must have a valid policy file named Policy.msip, in the %LocalAppData%\Microsoft\MSIP folder.

You can export the global policy or a scoped policy from the Azure portal, and copy the exported file to the client computer. You can also use this method to replace an out-of-date policy file with the latest policy. However, exporting the policy does not support the scenario where a user belongs to more than one scoped policy. Also be aware that if users select the Reset Settings option from Help and feedback, this action deletes the policy file and renders the client inoperable until you manually replace the policy file or the client connects to the service to download the policy.

When you export the policy from the Azure portal, a zipped file is downloaded that contains multiple versions of the policy. These policy versions correspond to different versions of the Azure Information Protection client:

  1. Unzip the file and use the following table to identify which policy file you need.

    File name        Corresponding client version
    Policy1.1.msip   version 1.2
    Policy1.2.msip   version 1.3 - 1.7
    Policy1.3.msip   version 1.8 - 1.29
    Policy1.4.msip   version 1.32 and later

  2. Rename the identified file to Policy.msip, and then copy it to the %LocalAppData%\Microsoft\MSIP folder on computers that have the Azure Information Protection client installed.
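The version table and the rename-and-copy step above, as PowerShell; this is an added example and not part of the original guide. The function names and the -ExtractedFolder parameter are hypothetical, and client versions that the table does not list (for example 1.30) are rejected rather than guessed.

```powershell
# Added example (not from the original guide). Function and parameter names are hypothetical.

# Map an installed client version to the policy file named in the table above.
function Get-AipPolicyFileName {
    param([Parameter(Mandatory)][version]$ClientVersion)

    # Compare on major.minor only, so 1.7.210.0 still counts as "1.7".
    $v = [version]::new($ClientVersion.Major, $ClientVersion.Minor)

    if     ($v -eq [version]'1.2')                               { 'Policy1.1.msip' }
    elseif ($v -ge [version]'1.3' -and $v -le [version]'1.7')    { 'Policy1.2.msip' }
    elseif ($v -ge [version]'1.8' -and $v -le [version]'1.29')   { 'Policy1.3.msip' }
    elseif ($v -ge [version]'1.32')                              { 'Policy1.4.msip' }
    else {
        # The table has no row for this version (below 1.2, or 1.30 and 1.31).
        throw "No policy file is listed for client version $ClientVersion."
    }
}

# Copy the matching file from the unzipped export to the current user's MSIP folder
# under the name the client expects.
function Install-AipOfflinePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][version]$ClientVersion,
        [Parameter(Mandatory)][string]$ExtractedFolder   # folder holding the unzipped export
    )

    $source = Join-Path $ExtractedFolder (Get-AipPolicyFileName -ClientVersion $ClientVersion)
    if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
        throw "Expected policy file not found in the export: $source"
    }

    $targetDir = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP'
    $target    = Join-Path $targetDir 'Policy.msip'

    if ($PSCmdlet.ShouldProcess($target, "Install $source")) {
        if (-not (Test-Path -LiteralPath $targetDir)) {
            New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
        }
        # -Force replaces an out-of-date Policy.msip with the exported one.
        Copy-Item -LiteralPath $source -Destination $target -Force
    }
    $target
}

# Example calls (the version string and folder are sample values):
#   Get-AipPolicyFileName -ClientVersion '1.53.10.0'     # Policy1.4.msip
#   Install-AipOfflinePolicy -ClientVersion '1.53.10.0' -ExtractedFolder 'C:\Temp\AipExport' -WhatIf
```

Because the target is under %LocalAppData%, run the copy in the session of each user who works on the disconnected computer.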

If your disconnected computer is running the current GA version of the Azure Information Protection scanner, there are additional configuration steps you must take. For more information, see Restriction: The scanner server cannot have internet connectivity in the scanner deployment prerequisites.

Hide or show the Do Not Forward button in Outlook

The recommended method to configure this option is by using the policy setting Add the Do Not Forward button to the Outlook ribbon. However, you can also configure this option by using an advanced client setting that you configure in the Azure portal.

When you configure this setting, it hides or shows the Do Not Forward button on the ribbon in Outlook. This setting has no effect on the Do Not Forward option from Office menus.

To configure this advanced setting, enter the following strings:

  • Key: DisableDNF

  • Value: True to hide the button, or False to show the button

Make the custom permissions options available or unavailable to users

The recommended method to configure this option is by using the policy setting Make the custom permissions option available for users. However, you can also configure this option by using an advanced client setting that you configure in the Azure portal.

When you configure this setting and publish the policy for users, the custom permissions options become visible for users to select their own protection settings, or they are hidden so that users can't select their own protection settings unless prompted.

To configure this advanced setting, enter the following strings:

  • Key: EnableCustomPermissions

  • Value: True to make the custom permissions option visible, or False to hide this option

For files protected with custom permissions, always display custom permissions to users in File Explorer

This configuration uses an advanced client setting that you must configure in the Azure portal. This setting is in preview and might change.

When you configure the policy setting Make the custom permissions option available for users or the equivalent advanced client setting in the previous section, users are not able to see or change custom permissions that are already set in a protected document.

When you create and configure this advanced client setting, users can see and change custom permissions for a protected document when they use File Explorer, and right-click the file. The Custom Permissions option from the Protect button on the Office ribbon remains hidden.

To configure this advanced setting, enter the following strings:

  • Key: EnableCustomPermissionsForCustomProtectedFiles

  • Value: True

Permanently hide the Azure Information Protection bar

This configuration uses an advanced client setting that you must configure in the Azure portal. Use it only when the policy setting Display the Information Protection bar in Office apps is set to On.

By default, if a user clears the Show Bar option from the Home tab, Protection group, Protect button, the Information Protection bar no longer displays in that Office app. However, the bar automatically displays again the next time an Office app is opened.

To prevent the bar from displaying again automatically after a user has chosen to hide it, use this client setting. This setting has no effect if the user closes the bar by using the Close this bar icon.

Even though the Azure Information Protection bar remains hidden, users can still select a label from a temporarily displayed bar if you have configured recommended classification, or when a document or email must have a label.

To configure this advanced setting, enter the following strings:

  • Key: EnableBarHiding

  • Value: True

Enable order support for sublabels on attachments

This configuration uses an advanced client setting that you must configure in the Azure portal.

Use this setting when you have sublabels and you have configured the following policy setting:

  • For email messages with attachments, apply a label that matches the highest classification of those attachments

Configure the following strings:

  • Key: CompareSubLabelsInAttachmentAction

  • Value: True

Without this setting, the first label that's found from the parent label with the highest classification is applied to the email.

With this setting, the sublabel that's ordered last from the parent label with the highest classification is applied to the email. If you need to reorder your labels to apply the label that you want for this scenario, see How to delete or reorder a label for Azure Information Protection.

Exempt Outlook messages from mandatory labeling

This configuration uses an advanced client setting that you must configure in the Azure portal.

By default, when you enable the policy setting All documents and emails must have a label, all saved documents and sent emails must have a label applied. When you configure the following advanced setting, the policy setting applies only to Office documents and not to Outlook messages.

To configure this advanced setting, enter the following strings:

  • Key: DisableMandatoryInOutlook

  • Value: True

Enable recommended classification in Outlook

This configuration uses an advanced client setting that you must configure in the Azure portal. This setting is in preview and might change.

When you configure a label for recommended classification, users are prompted to accept or dismiss the recommended label in Word, Excel, and PowerPoint. This setting extends this label recommendation to also display in Outlook.

To configure this advanced setting, enter the following strings:

  • Key: OutlookRecommendationEnabled

  • Value: True

Implement pop-up messages in Outlook that warn, justify, or block emails being sent

This configuration uses multiple advanced client settings that you must configure in the Azure portal.

When you create and configure the following advanced client settings, users see pop-up messages in Outlook that can warn them before sending an email, or ask them to provide justification why they are sending an email, or prevent them from sending an email for either of the following scenarios:

  • Their email or attachment for the email has a specific label:

    • The attachment can be any file type

  • Their email or attachment for the email doesn't have a label:

    • The attachment can be an Office document or PDF document

When these conditions are met, the user sees a pop-up message with one of the following actions:

  • Warn: The user can confirm and send, or cancel.

  • Justify: The user is prompted for justification (predefined options or free-form). The user can then send or cancel the email. The justification text is written to the email x-header, so that it can be read by other systems. For example, data loss prevention (DLP) services.

  • Block: The user is prevented from sending the email while the condition remains. The message includes the reason for blocking the email, so the user can address the problem. For example, remove specific recipients, or label the email.

When the pop-up messages are for a specific label, you can configure exceptions for recipients by domain name.

The resulting actions from the pop-up messages are logged to the local Windows event log Applications and Services Logs > Azure Information Protection:

  • Warn messages: Information ID 301

  • Justify messages: Information ID 302

  • Block messages: Information ID 303

Example event entry from a justify message:

Client Version: 1.53.10.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Price list.msg
Item Name: Price list
Process Name: OUTLOOK
Action: Justify
User Justification: My manager approved sharing of this content
Action Source: 
User Response: Confirmed
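
One way to read these entries back for review, as an added PowerShell example that is not part of the original guide: it parses the "Name: value" lines shown in the sample entry above and queries event IDs 301 to 303. The log name 'Azure Information Protection' is taken from the Event Viewer path above and is an assumption, as are the function names.

```powershell
# Added example (not from the original guide). Function names are hypothetical.

# Turn the "Name: value" lines of an event message into one object.
function ConvertFrom-AipEventMessage {
    param([string]$Message)

    $fields = [ordered]@{}
    foreach ($line in ($Message -split '\r?\n')) {
        # Split on the first colon only, so a value such as "C:\share\file.msg" stays whole.
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$fields
}

# Read warn (301), justify (302) and block (303) entries from the local event log.
function Get-AipOutlookPopupEvent {
    param(
        [datetime]$After   = (Get-Date).AddDays(-7),
        # Assumption: the log name matches the Event Viewer node named in the guide.
        [string]$LogName   = 'Azure Information Protection'
    )

    $popupById = @{ 301 = 'Warn'; 302 = 'Justify'; 303 = 'Block' }

    Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = 301, 302, 303
        StartTime = $After
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $parsed = ConvertFrom-AipEventMessage -Message $_.Message
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            EventId       = $_.Id
            PopupType     = $popupById[$_.Id]
            Item          = $parsed.'Item Name'
            ItemPath      = $parsed.'Item Full Path'
            # Free-form text typed by the user: treat it as untrusted input downstream.
            Justification = $parsed.'User Justification'
            UserResponse  = $parsed.'User Response'
            PolicyId      = $parsed.'Client Policy ID'
        }
    }
}

# Offline check of the parser, using the sample entry from the guide.
$sample = @'
Client Version: 1.53.10.0
Client Policy ID: e5287fe6-f82c-447e-bf44-6fa8ff146ef4
Item Full Path: Price list.msg
Item Name: Price list
Process Name: OUTLOOK
Action: Justify
User Justification: My manager approved sharing of this content
Action Source: 
User Response: Confirmed
'@
ConvertFrom-AipEventMessage -Message $sample | Format-List

# On a client computer, list last week's justified sends:
#   Get-AipOutlookPopupEvent | Where-Object PopupType -eq 'Justify' | Format-Table -AutoSize
```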

The following sections contain configuration instructions for each advanced client setting, and you can see them in action for yourself with Tutorial: Configure Azure Information Protection to control oversharing of information using Outlook.

To implement the warn, justify, or block pop-up messages for specific labels:

To implement the pop-up messages for specific labels, you must know the label ID for those labels. The label ID value is displayed on the Label pane, when you view or configure the Azure Information Protection policy in the Azure portal. For files that have labels applied, you can also run the Get-AIPFileStatus PowerShell cmdlet to identify the label ID (MainLabelId or SubLabelId). When a label has sublabels, always specify the ID of just a sublabel and not the parent label.

Create one or more of the following advanced client settings with the following keys. For the values, specify one or more labels by their IDs, each one separated by a comma.

Example value for multiple label IDs as a comma-separated string: dcf781ba-727f-4860-b3c1-73479e31912b,1ace2cc3-14bc-4142-9125-bf946a70542c,3e9df74d-3168-48af-8b11-037e3021813f

  • Warn messages:

    • Key: OutlookWarnUntrustedCollaborationLabel

    • Value: <label IDs, comma-separated>

  • Justification messages:

    • Key: OutlookJustifyUntrustedCollaborationLabel

    • Value: <label IDs, comma-separated>

  • Block messages:

    • Key: OutlookBlockUntrustedCollaborationLabel

    • Value: <label IDs, comma-separated>

To exempt domain names for pop-up messages configured for specific labels

For the labels that you've specified with these pop-up messages, you can exempt specific domain names so that users do not see the messages for recipients who have that domain name included in their email address. In this case, the emails are sent without interruption. To specify multiple domains, add them as a single string, separated by commas.

A typical configuration is to display the pop-up messages only for recipients who are external to your organization or who aren't authorized partners for your organization. In this case, you specify all the email domains that are used by your organization and by your partners.

Create the following advanced client settings and for the value, specify one or more domains, each one separated by a comma.

Example value for multiple domains as a comma-separated string: contoso.com,fabrikam.com,litware.com

  • Warn messages:

    • Key: OutlookWarnTrustedDomains

    • Value: <domain names, comma separated>

  • Justification messages:

    • Key: OutlookJustifyTrustedDomains

    • Value: <domain names, comma separated>

  • Block messages:

    • Key: OutlookBlockTrustedDomains

    • Value: <domain names, comma separated>

For example, you have specified the OutlookBlockUntrustedCollaborationLabel advanced client setting for the Confidential \ All Employees label. You now specify the additional advanced client setting of OutlookBlockTrustedDomains with the value contoso.com. As a result, a user can send an email to john@sales.contoso.com when it is labeled Confidential \ All Employees but will be blocked from sending an email with the same label to a Gmail account.

To implement the warn, justify, or block pop-up messages for emails or attachments that don't have a label:

Create the following advanced client setting with one of the following values:

  • Warn messages:

    • Key: OutlookUnlabeledCollaborationAction

    • Value: Warn

  • Justification messages:

    • Key: OutlookUnlabeledCollaborationAction

    • Value: Justify

  • Block messages:

    • Key: OutlookUnlabeledCollaborationAction

    • Value: Block

  • Turn off these messages:

    • Key: OutlookUnlabeledCollaborationAction

    • Value: Off

To define specific file name extensions for the warn, justify, or block pop-up messages for email attachments that don't have a label

By default, the warn, justify, or block pop-up messages apply to all Office documents and PDF documents. You can refine this list by specifying which file name extensions should display the warn, justify, or block messages with an additional advanced client property and a comma-separated list of file name extensions.

Example value for multiple file name extensions to define as a comma-separated string: .XLSX,.XLSM,.XLS,.XLTX,.XLTM,.DOCX,.DOCM,.DOC,.DOCX,.DOCM,.PPTX,.PPTM,.PPT,.PPTX,.PPTM

In this example, an unlabeled PDF document will not result in warn, justify, or block pop-up messages.

  • Key: OutlookOverrideUnlabeledCollaborationExtensions

  • Value: <file name extensions to display messages, comma separated>

To specify a different action for email messages without attachments

By default, the value that you specify for OutlookUnlabeledCollaborationAction to warn, justify, or block pop-up messages applies to emails or attachments that don't have a label. You can refine this configuration by specifying another advanced client setting for email messages that don't have attachments.

Create the following advanced client setting with one of the following values:

  • Warn messages:

    • Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

    • Value: Warn

  • Justification messages:

    • Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

    • Value: Justify

  • Block messages:

    • Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

    • Value: Block

  • Turn off these messages:

    • Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

    • Value: Off

If you don't specify this client setting, the value that you specify for OutlookUnlabeledCollaborationAction is used for unlabeled email messages without attachments as well as unlabeled email messages with attachments.

Set a different default label for Outlook

This configuration uses an advanced client setting that you must configure in the Azure portal.

When you configure this setting, Outlook doesn't apply the default label that is configured in the Azure Information Protection policy for the setting Select the default label. Instead, Outlook can apply a different default label, or no label.

To apply a different label, you must specify the label ID. The label ID value is displayed on the Label pane, when you view or configure the Azure Information Protection policy in the Azure portal. For files that have labels applied, you can also run the Get-AIPFileStatus PowerShell cmdlet to identify the label ID (MainLabelId or SubLabelId). When a label has sublabels, always specify the ID of just a sublabel and not the parent label.

So that Outlook doesn't apply the default label, specify None.

To configure this advanced setting, enter the following strings:

  • Key: OutlookDefaultLabel

  • Value: <label ID> or None

Configure a label to apply S/MIME protection in Outlook

This configuration uses an advanced client setting that you must configure in the Azure portal.

Use this setting only when you have a working S/MIME deployment and want a label to automatically apply this protection method for emails rather than Rights Management protection from Azure Information Protection. The resulting protection is the same as when a user manually selects S/MIME options from Outlook.

This configuration requires you to specify an advanced client setting named LabelToSMIME for each Azure Information Protection label that you want to apply S/MIME protection. Then for each entry, set the value by using the following syntax:

[Azure Information Protection label ID];[S/MIME action]

The label ID value is displayed on the Label pane, when you view or configure the Azure Information Protection policy in the Azure portal. To use S/MIME with a sublabel, always specify the ID of just the sublabel and not the parent label. When you specify a sublabel, the parent label must be in the same scope, or in the global policy.

The S/MIME action can be:

  • Sign;Encrypt: To apply a digital signature and S/MIME encryption

  • Encrypt: To apply S/MIME encryption only

  • Sign: To apply a digital signature only

Example values for a label ID of dcf781ba-727f-4860-b3c1-73479e31912b:

  • To apply a digital signature and S/MIME encryption:

    dcf781ba-727f-4860-b3c1-73479e31912b;Sign;Encrypt

  • To apply S/MIME encryption only:

    dcf781ba-727f-4860-b3c1-73479e31912b;Encrypt

  • To apply a digital signature only:

    dcf781ba-727f-4860-b3c1-73479e31912b;Sign

As a result of this configuration, when the label is applied for an email message, S/MIME protection is applied to the email in addition to the label's classification.

If the label you specify is configured for Rights Management protection in the Azure portal, S/MIME protection replaces the Rights Management protection only in Outlook. For all other scenarios that support labeling, Rights Management protection will be applied.

If you want the label to be visible in Outlook only, configure the label to apply the single user-defined action of Do Not Forward, as described in the Quickstart: Configure a label for users to easily protect emails that contain sensitive information.
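The value formats for the Outlook pop-up settings, OutlookDefaultLabel and LabelToSMIME described above can be checked before they are entered in the portal. The following PowerShell function is an added example, not part of the original guide or of the Azure Information Protection client: Test-AipAdvancedSetting and the sample input are constructed, and treating stray spaces, spelling that differs from the guide, and a label listed under more than one pop-up key as findings is an assumption, because the guide does not say how the client handles them.

```powershell
# Added example: Test-AipAdvancedSetting is a hypothetical helper, not an AIP cmdlet.
function Test-AipAdvancedSetting {
    param(
        # Setting name -> value; pass an array when a name is entered more than once.
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Settings
    )

    $guid   = '^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$'
    $domain = '^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]{2,}$'
    $labelLists  = 'OutlookWarnUntrustedCollaborationLabel',
                   'OutlookJustifyUntrustedCollaborationLabel',
                   'OutlookBlockUntrustedCollaborationLabel'
    $domainLists = 'OutlookWarnTrustedDomains', 'OutlookJustifyTrustedDomains',
                   'OutlookBlockTrustedDomains'
    $actionKeys  = 'OutlookUnlabeledCollaborationAction',
                   'OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior'
    $firstList = @{}   # label ID -> pop-up key under which it was first seen

    foreach ($name in $Settings.Keys) {
        foreach ($value in @($Settings[$name])) {
            if ($name -in $labelLists) {
                foreach ($id in ($value -split ',')) {
                    if ($id -notmatch $guid) {
                        "{0}: '{1}' is not a label ID" -f $name, $id
                    } elseif ($firstList.ContainsKey($id) -and $firstList[$id] -ne $name) {
                        # The guide does not describe precedence between Warn, Justify and Block.
                        "{0}: label {1} is also listed under {2}" -f $name, $id, $firstList[$id]
                    } else {
                        $firstList[$id] = $name
                    }
                }
            }
            elseif ($name -in $domainLists) {
                foreach ($d in ($value -split ',')) {
                    if ($d -notmatch $domain) { "{0}: '{1}' is not a domain name" -f $name, $d }
                }
            }
            elseif ($name -in $actionKeys) {
                # Strict comparison with the spelling used in the guide.
                if ($value -cnotin 'Warn', 'Justify', 'Block', 'Off') {
                    "{0}: '{1}' is not Warn, Justify, Block or Off" -f $name, $value
                }
            }
            elseif ($name -eq 'OutlookOverrideUnlabeledCollaborationExtensions') {
                foreach ($ext in ($value -split ',')) {
                    if ($ext -notmatch '^\.[a-z0-9]+$') {
                        "{0}: '{1}' is not a file name extension" -f $name, $ext
                    }
                }
            }
            elseif ($name -eq 'OutlookDefaultLabel') {
                if ($value -notmatch $guid -and $value -cne 'None') {
                    "{0}: '{1}' is neither a label ID nor None" -f $name, $value
                }
            }
            elseif ($name -eq 'LabelToSMIME') {
                # Syntax: [label ID];[S/MIME action]. Split on the first semicolon only,
                # because the action Sign;Encrypt contains one itself.
                $id, $action = $value -split ';', 2
                if ($id -notmatch $guid) {
                    "{0}: '{1}' is not a label ID" -f $name, $id
                }
                if ($action -cnotin 'Sign;Encrypt', 'Encrypt', 'Sign') {
                    "{0}: '{1}' is not Sign;Encrypt, Encrypt or Sign" -f $name, $action
                }
            }
            else {
                "{0}: not a setting this check covers" -f $name
            }
        }
    }
}

# Constructed sample input with deliberate mistakes; the label IDs are the guide's example values.
$sample = [ordered]@{
    OutlookWarnUntrustedCollaborationLabel  = 'dcf781ba-727f-4860-b3c1-73479e31912b,1ace2cc3-14bc-4142-9125-bf946a70542c'
    OutlookBlockUntrustedCollaborationLabel = '1ace2cc3-14bc-4142-9125-bf946a70542c, 3e9df74d-3168-48af-8b11-037e3021813f'
    OutlookBlockTrustedDomains              = 'contoso.com,@fabrikam.com'
    OutlookUnlabeledCollaborationAction     = 'Warning'
    OutlookDefaultLabel                     = 'None'
    LabelToSMIME = 'dcf781ba-727f-4860-b3c1-73479e31912b;Sign;Encrypt',
                   '1ace2cc3-14bc-4142-9125-bf946a70542c;Encrypt;Sign'
}
Test-AipAdvancedSetting -Settings $sample
```

Each string the function returns is one finding; no output means every value has the shape shown in the guide.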

Remove "Not now" for documents when you use mandatory labeling

This configuration uses an advanced client setting that you must configure in the Azure portal.

When you use the policy setting of All documents and emails must have a label, users are prompted to select a label when they first save an Office document and when they send an email. For documents, users can select Not now to temporarily dismiss the prompt to select a label and return to the document. However, they cannot close the saved document without labeling it.

When you configure this setting, it removes the Not now option so that users must select a label when the document is first saved.

To configure this advanced setting, enter the following strings:

  • Key: PostponeMandatoryBeforeSave

  • Value: False

Turn on classification to run continuously in the background

This configuration uses an advanced client setting that you must configure in the Azure portal. This setting is in preview and might change.

When you configure this setting, it changes the default behavior of how the Azure Information Protection client applies automatic and recommended labels to documents:

  • For Word, Excel, and PowerPoint, automatic classification runs continuously in the background.

The behavior does not change for Outlook.

When the Azure Information Protection client periodically checks documents for the condition rules that you specify, this behavior enables automatic and recommended classification and protection for documents that are stored in Microsoft SharePoint. Large files also save more quickly because the condition rules have already run.

The condition rules do not run in real time as a user types. Instead, they run periodically as a background task if the document is modified.

To configure this advanced setting, enter the following strings:

  • Key: RunPolicyInBackground

  • Value: True

Don't protect PDF files by using the ISO standard for PDF encryption

This configuration uses an advanced client setting that you must configure in the Azure portal.

When the latest version of the Azure Information Protection client protects a PDF file, the resulting file name extension remains as .pdf and adheres to the ISO standard for PDF encryption. For more information about this standard, see section 7.6 Encryption from the document that is derived from ISO 32000-1 and published by Adobe Systems Incorporated.

If you need the client to revert to the behavior in older versions of the client that protected PDF files by using a .ppdf file name extension, use the following advanced setting by entering the following string:

  • Key: EnablePDFv2Protection

  • Value: False

For example, you might need this setting for all users if you use a PDF reader that doesn't support the ISO standard for PDF encryption. Or, you might need to configure it for some users as you gradually phase in a change of PDF reader that supports the new format. Another potential reason to use this setting is if you need to add protection to signed PDF documents. Signed PDF documents can be additionally protected with the .ppdf format because this protection is implemented as a wrapper for the file.

For the Azure Information Protection scanner to use the new setting, the scanner service must be restarted. In addition, the scanner will no longer protect PDF documents by default. If you want PDF documents to be protected by the scanner when EnablePDFv2Protection is set to False, you must edit the registry.

For more information about the new PDF encryption, see the blog post New support for PDF encryption with Microsoft Information Protection.

For a list of PDF readers that support the ISO standard for PDF encryption, and readers that support older formats, see Supported PDF readers for Microsoft Information Protection.

To convert existing .ppdf files to protected .pdf files

When the Azure Information Protection client has downloaded the client policy with the new setting, you can use PowerShell commands to convert existing .ppdf files to protected .pdf files that use the ISO standard for PDF encryption.

To use the following instructions for files that you didn't protect yourself, you must have a Rights Management usage right to remove protection from files, or be a super user. To enable the super user feature and configure your account to be a super user, see Configuring super users for Azure Rights Management and Discovery Services or Data Recovery.

In addition, when you use these instructions for files that you didn't protect yourself, you become the RMS Issuer. In this scenario, the user who originally protected the document can no longer track and revoke it. If users need to track and revoke their protected PDF documents, ask them to manually remove and then reapply the label by using File Explorer, right-click.

To use PowerShell commands to convert existing .ppdf files to protected .pdf files that use the ISO standard for PDF encryption:

  1. Use Get-AIPFileStatus with the .ppdf file. For example:

    Get-AIPFileStatus -Path \\Finance\Projectx\sales.ppdf

  2. From the output, take a note of the following parameter values:

    • The value (GUID) for SubLabelId, if there is one. If this value is blank, a sublabel wasn't used, so note the value for MainLabelId instead.

      Note: If there is no value for MainLabelId either, the file isn't labeled. In this case, you can use the Unprotect-RMSFile command and Protect-RMSFile command instead of the commands in step 3 and 4.

    • The value for RMSTemplateId. If this value is Restricted Access, a user has protected the file using custom permissions rather than the protection settings that are configured for the label. If you continue, those custom permissions will be overwritten by the label's protection settings. Decide whether to continue or ask the user (value displayed for the RMSIssuer) to remove the label and reapply it, together with their original custom permissions.

  3. Remove the label by using Set-AIPFileLabel with the RemoveLabel parameter. If you are using the policy setting of Users must provide justification to set a lower classification label, remove a label, or remove protection, you must also specify the Justification parameter with the reason. For example:

    Set-AIPFileLabel \\Finance\Projectx\sales.ppdf -RemoveLabel -JustificationMessage 'Removing .ppdf protection to replace with .pdf ISO standard'

  4. Reapply the original label, by specifying the value for the label that you identified in step 1. For example:

    Set-AIPFileLabel \\Finance\Projectx\sales.pdf -LabelId d9f23ae3-1234-1234-1234-f515f824c57b


The file retains the .pdf file name extension but is classified as before, and it is protected by using the ISO standard for PDF encryption.
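Steps 1 to 4 above combined into one function, as an added example that is not part of the original guide. It uses only the cmdlets, parameters and output properties named in the steps and needs the Azure Information Protection client's PowerShell module; Convert-PpdfToIsoPdf and its parameters are hypothetical names.

```powershell
# Added example: Convert-PpdfToIsoPdf is a hypothetical wrapper, not a cmdlet from the AIP module.
# Running it on files you didn't protect yourself makes you the RMS Issuer (see the text above).
function Convert-PpdfToIsoPdf {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Full path to the existing .ppdf file.
        [Parameter(Mandatory)] [string] $Path,

        # Reason passed when the label is removed (same wording as the guide's example).
        [string] $Justification = 'Removing .ppdf protection to replace with .pdf ISO standard',

        # Must be set explicitly to proceed when a user applied custom permissions.
        [switch] $AllowCustomPermissionOverwrite
    )

    if ([IO.Path]::GetExtension($Path) -ne '.ppdf') {
        throw "Not a .ppdf file: $Path"
    }

    # Step 1: read the current label and protection state.
    $status = Get-AIPFileStatus -Path $Path -ErrorAction Stop

    # Step 2: prefer the sublabel ID; fall back to the main label ID.
    $labelId = if ($status.SubLabelId) { $status.SubLabelId } else { $status.MainLabelId }
    if (-not $labelId) {
        throw "The file isn't labeled; use Unprotect-RMSFile and Protect-RMSFile instead: $Path"
    }

    # Step 2: custom permissions would be replaced by the label's protection settings.
    if ($status.RMSTemplateId -eq 'Restricted Access' -and -not $AllowCustomPermissionOverwrite) {
        throw "Custom permissions set by $($status.RMSIssuer) would be overwritten: $Path"
    }

    if ($PSCmdlet.ShouldProcess($Path, "Remove label, then reapply label $labelId")) {
        # Step 3: remove the label (and with it the .ppdf protection).
        Set-AIPFileLabel $Path -RemoveLabel -JustificationMessage $Justification -ErrorAction Stop

        # Step 4: the guide's example reapplies the label to the same name with a .pdf extension.
        $pdfPath = [IO.Path]::ChangeExtension($Path, '.pdf')
        Set-AIPFileLabel $pdfPath -LabelId $labelId -ErrorAction Stop

        # Return the new state so the caller can confirm label and protection.
        Get-AIPFileStatus -Path $pdfPath
    }
}

# Dry run against the guide's example path; remove -WhatIf to make the change.
Convert-PpdfToIsoPdf -Path '\\Finance\Projectx\sales.ppdf' -WhatIf
```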

Support for files protected by Secure Islands

This configuration option is in preview and might change.

If you used Secure Islands to protect documents, you might have protected text and picture files, and generically protected files as a result of this protection. For example, files that have a file name extension of .ptxt, .pjpeg, or .pfile. When you edit the registry as follows, Azure Information Protection can decrypt these files:

Add the following DWORD value of EnableIQPFormats to the following registry path, and set the value data to 1:

  • For a 64-bit version of Windows: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP

  • For a 32-bit version of Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIP

As a result of this registry edit, the following scenarios are supported:

  • The Azure Information Protection viewer can open these protected files.

  • The Azure Information Protection scanner can inspect these files for sensitive information.

  • File Explorer, PowerShell, and the Azure Information Protection scanner can label these files. As a result, you can apply an Azure Information Protection label that applies new protection from Azure Information Protection, or that removes the existing protection from Secure Islands.

  • You can use the labeling migration client customization to automatically convert the Secure Islands label on these protected files to an Azure Information Protection label.

Migrate labels from Secure Islands and other labeling solutions

This configuration uses an advanced client setting that you must configure in the Azure portal.

This configuration is currently not compatible with the new default behavior that protects PDF files by using the ISO standard for PDF encryption. In this scenario, .ppdf files cannot be opened by File Explorer, PowerShell, or the scanner. To resolve this, use the advanced client setting to not use the ISO standard for PDF encryption.

For Office documents and PDF documents that are labeled by Secure Islands, you can relabel these documents with an Azure Information Protection label by using a mapping that you define. You also use this method to reuse labels from other solutions when their labels are on Office documents.

Note

If you have files other than PDF and Office documents that are protected by Secure Islands, these can be relabeled after you edit the registry as described in the preceding section.

As a result of this configuration option, the new Azure Information Protection label is applied by the Azure Information Protection client as follows:

  • For Office documents: When the document is opened in the desktop app, the new Azure Information Protection label is shown as set and is applied when the document is saved.

  • For File Explorer: In the Azure Information Protection dialog box, the new Azure Information Protection label is shown as set and is applied when the user selects Apply. If the user selects Cancel, the new label is not applied.

  • For PowerShell: Set-AIPFileLabel applies the new Azure Information Protection label. Get-AIPFileStatus doesn't display the new Azure Information Protection label until it is set by another method.

  • For the Azure Information Protection scanner: Discovery reports when the new Azure Information Protection label would be set and this label can be applied with the enforce mode.

This configuration requires you to specify an advanced client setting named LabelbyCustomProperty for each Azure Information Protection label that you want to map to the old label. Then for each entry, set the value by using the following syntax:

[Azure Information Protection label ID],[migration rule name],[Secure Islands custom property name],[Secure Islands metadata Regex value]

The label ID value is displayed on the Label pane, when you view or configure the Azure Information Protection policy in the Azure portal. To specify a sublabel, the parent label must be in the same scope, or in the global policy.

Specify your choice of a migration rule name. Use a descriptive name that helps you to identify how one or more labels from your previous labeling solution should be mapped to an Azure Information Protection label. The name displays in the scanner reports and in Event Viewer. Note that this setting does not remove the original label from the document or any visual markings in the document that the original label might have applied. To remove headers and footers, see the next section, Remove headers and footers from other labeling solutions.

Example 1: One-to-one mapping of the same label name

Requirement: Documents that have a Secure Islands label of "Confidential" should be relabeled as "Confidential" by Azure Information Protection.

In this example:

  • The Azure Information Protection label that you want to use is named Confidential and has a label ID of 1ace2cc3-14bc-4142-9125-bf946a70542c.

  • The Secure Islands label is named Confidential and stored in the custom property named Classification.

The advanced client setting:

  • Name: LabelbyCustomProperty

  • Value: 1ace2cc3-14bc-4142-9125-bf946a70542c,"Secure Islands label is Confidential",Classification,Confidential

Example 2: One-to-one mapping for a different label name

Requirement: Documents labeled as "Sensitive" by Secure Islands should be relabeled as "Highly Confidential" by Azure Information Protection.

In this example:

  • The Azure Information Protection label that you want to use is named Highly Confidential and has a label ID of 3e9df74d-3168-48af-8b11-037e3021813f.

  • The Secure Islands label is named Sensitive and stored in the custom property named Classification.

The advanced client setting:

  • Name: LabelbyCustomProperty

  • Value: 3e9df74d-3168-48af-8b11-037e3021813f,"Secure Islands label is Sensitive",Classification,Sensitive

Example 3: Many-to-one mapping of label names

Requirement: You have two Secure Islands labels that include the word "Internal" and you want documents that have either of these Secure Islands labels to be relabeled as "General" by Azure Information Protection.

In this example:

  • The Azure Information Protection label that you want to use is named General and has a label ID of 2beb8fe7-8293-444c-9768-7fdc6f75014d.

  • The Secure Islands labels include the word Internal and are stored in the custom property named Classification.

The advanced client setting:

  • Name: LabelbyCustomProperty

  • Value: 2beb8fe7-8293-444c-9768-7fdc6f75014d,"Secure Islands label contains Internal",Classification,.*Internal.*
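The three example mappings above can be tried against old label values before the setting is published. The following PowerShell is an added example, not code from the guide or from the client: the function names and the sample Classification values are constructed, and it assumes the regex field is applied as an unanchored, case-insensitive match, which the guide does not state.

```powershell
# Added example: both functions are hypothetical helpers, not AIP cmdlets.
function ConvertFrom-LabelByCustomProperty {
    param([Parameter(Mandatory)] [string] $Value)

    # Only the first three commas separate fields; the regex field may contain commas itself.
    $shape = '^(?<id>[^,]+),(?<rule>"[^"]*"|[^,]*),(?<prop>[^,]+),(?<regex>.+)$'
    if ($Value -notmatch $shape) {
        throw "Expected [label ID],[rule name],[property name],[regex]: $Value"
    }
    # Copy the fields out now; the next -match/-notmatch overwrites $Matches.
    $id    = $Matches['id']
    $rule  = $Matches['rule'].Trim('"')
    $prop  = $Matches['prop']
    $regex = $Matches['regex']

    if ($id -notmatch '^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$') {
        throw "Label ID is not a GUID: $id"
    }
    try { $null = [regex]$regex } catch { throw "Regex does not compile: $regex" }

    [pscustomobject]@{ LabelId = $id; RuleName = $rule; Property = $prop; Regex = $regex }
}

function Resolve-MigratedLabel {
    param(
        [Parameter(Mandatory)] [object[]] $Rule,
        # Custom property name -> value, as read from the old labeling solution's metadata.
        [Parameter(Mandatory)] [System.Collections.IDictionary] $CustomProperty
    )
    foreach ($r in $Rule) {
        $value = $CustomProperty[$r.Property]
        # Assumption: unanchored, case-insensitive match (the PowerShell -match default).
        if ($null -ne $value -and $value -match $r.Regex) {
            [pscustomobject]@{ RuleName = $r.RuleName; LabelId = $r.LabelId; MatchedValue = $value }
        }
    }
}

# The three setting values from Examples 1 to 3 of the guide.
$rules = @(
    '1ace2cc3-14bc-4142-9125-bf946a70542c,"Secure Islands label is Confidential",Classification,Confidential'
    '3e9df74d-3168-48af-8b11-037e3021813f,"Secure Islands label is Sensitive",Classification,Sensitive'
    '2beb8fe7-8293-444c-9768-7fdc6f75014d,"Secure Islands label contains Internal",Classification,.*Internal.*'
) | ForEach-Object { ConvertFrom-LabelByCustomProperty -Value $_ }

# Constructed old-label values; the fourth one is chosen to hit two rules at once.
$oldValues = 'Confidential', 'Sensitive', 'Company Internal', 'Internal - Confidential', 'Public'

foreach ($old in $oldValues) {
    $hits = @(Resolve-MigratedLabel -Rule $rules -CustomProperty @{ Classification = $old })
    $verdict = switch ($hits.Count) {
        0       { 'no rule matches' }
        1       { $hits[0].RuleName }
        default { 'AMBIGUOUS: ' + ($hits.RuleName -join ' | ') }
    }
    '{0,-24} -> {1}' -f $old, $verdict
}
```

A value reported as ambiguous or unmatched is worth resolving in the rule set before the mapping reaches production documents.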

Remove headers and footers from other labeling solutions

This configuration uses multiple advanced client settings that you must configure in the Azure portal. These settings are in preview and might change.

The settings let you remove or replace text-based headers or footers from documents when those visual markings have been applied by another labeling solution. For example, the old footer contains the name of an old label that you have now migrated to Azure Information Protection with a new label name and its own footer.

When the client gets this configuration in its policy, the old headers and footers are removed or replaced when the document is opened in the Office app and any Azure Information Protection label is applied to the document.

This configuration is not supported for Outlook, and be aware that when you use it with Word, Excel, and PowerPoint, it can negatively affect the performance of these apps for users. The configuration lets you define settings per application, for example, search for text in the headers and footers of Word documents but not Excel spreadsheets or PowerPoint presentations.

Because the pattern matching affects the performance for users, we recommend that you limit the Office application types (Word, EXcel, PowerPoint) to just those that need to be searched:

  • Key: RemoveExternalContentMarkingInApp

  • Value: <Office application types WXP>

Examples:

  • To search Word documents only, specify W.

  • To search Word documents and PowerPoint presentations, specify WP.

You then need at least one more advanced client setting, ExternalContentMarkingToRemove, to specify the contents of the header or footer, and how to remove or replace them.

How to configure ExternalContentMarkingToRemove

When you specify the string value for the ExternalContentMarkingToRemove key, you have three options that use regular expressions:

  • Partial match to remove everything in the header or footer.

    Example: Headers or footers contain the string TEXT TO REMOVE. You want to completely remove these headers or footers. You specify the value: *TEXT*.

  • Complete match to remove just specific words in the header or footer.

    Example: Headers or footers contain the string TEXT TO REMOVE. You want to remove the word TEXT only, which leaves the header or footer string as TO REMOVE. You specify the value: TEXT .

  • Complete match to remove everything in the header or footer.

    Example: Headers or footers have the string TEXT TO REMOVE. You want to remove headers or footers that have exactly this string. You specify the value: ^TEXT TO REMOVE$.

The pattern matching for the string that you specify is case-insensitive. The maximum string length is 255 characters.

Because some documents might include invisible characters or different kinds of spaces or tabs, the string that you specify for a phrase or sentence might not be detected. Whenever possible, specify a single distinguishing word for the value and be sure to test the results before you deploy in production.

  • Key: ExternalContentMarkingToRemove

  • Value: <string to match, defined as regular expression>

Multiline headers or footers

If a header or footer text is more than a single line, create a key and value for each line. For example, you have the following footer with two lines:

The file is classified as Confidential

Label applied manually

To remove this multiline footer, you create the following two entries:

  • Key 1: ExternalContentMarkingToRemove

  • Key Value 1: *Confidential*

  • Key 2: ExternalContentMarkingToRemove

  • Key Value 2: *Label applied*

Optimization for PowerPoint

Footers in PowerPoint are implemented as shapes. To avoid removing shapes that contain the text that you have specified but are not headers or footers, use an additional advanced client setting named PowerPointShapeNameToRemove. We also recommend using this setting to avoid checking the text in all shapes, which is a resource-intensive process.

If you do not specify this additional advanced client setting, and PowerPoint is included in the RemoveExternalContentMarkingInApp key value, all shapes will be checked for the text that you specify in the ExternalContentMarkingToRemove value.

To find the name of the shape that you're using as a header or footer:

  1. In PowerPoint, display the Selection pane: Format tab > Arrange group > Selection Pane.

  2. Select the shape on the slide that contains your header or footer. The name of the selected shape is now highlighted in the Selection pane.

Use the name of the shape to specify a string value for the PowerPointShapeNameToRemove key.

Example: The shape name is fc. To remove the shape with this name, you specify the value: fc.

  • Key: PowerPointShapeNameToRemove

  • Value: <PowerPoint shape name>

When you have more than one PowerPoint shape to remove, create as many PowerPointShapeNameToRemove keys as you have shapes to remove. For each entry, specify the name of the shape to remove.

By default, only the Master slides are checked for headers and footers. To extend this search to all slides, which is a much more resource-intensive process, use an additional advanced client setting named RemoveExternalContentMarkingInAllSlides:

  • Key: RemoveExternalContentMarkingInAllSlides

  • Value: True

Label an Office document by using an existing custom property

Note

If you use this configuration and the configuration to migrate labels from Secure Islands and other labeling solutions, the labeling migration setting takes precedence.

This configuration uses an advanced client setting that you must configure in the Azure portal.

When you configure this setting, you can classify (and optionally, protect) an Office document when it has an existing custom property with a value that matches one of your label names. This custom property can be set from another classification solution, or can be set as a property by SharePoint.

As a result of this configuration, when a document without an Azure Information Protection label is opened and saved by a user in an Office app, the document is then labeled to match the corresponding property value.

This configuration requires you to specify two advanced settings that work together. The first is named SyncPropertyName, which is the custom property name that has been set from the other classification solution, or a property that is set by SharePoint. The second is named SyncPropertyState and must be set to OneWay.

To configure this advanced setting, enter the following strings:

  • Key 1: SyncPropertyName

  • Key 1 Value: <property name>

  • Key 2: SyncPropertyState

  • Key 2 Value: OneWay

Use these keys and corresponding values for only one custom property.

As an example, you have a SharePoint column named Classification that has possible values of Public, General, and Highly Confidential \ All Employees. Documents are stored in SharePoint and have Public, General, or Highly Confidential \ All Employees as values set for the Classification property.

To label an Office document with one of these classification values, set SyncPropertyName to Classification, and SyncPropertyState to OneWay.

Now, when a user opens and saves one of these Office documents, it is labeled Public, General, or Highly Confidential \ All Employees if you have labels with these names in your Azure Information Protection policy. If you do not have labels with these names, the document remains unlabeled.

Disable sending discovered sensitive information in documents to Azure Information Protection analytics

This configuration uses an advanced client setting that you must configure in the Azure portal.

When the Azure Information Protection client is used in Office apps, it looks for sensitive information in documents when they are first saved. Provided that the client isn't configured to not send audit information, any sensitive information types found (predefined or custom) are then sent to Azure Information Protection analytics.

The configuration that controls whether the client sends audit information is the policy setting of Send audit data to Azure Information Protection log analytics. When this policy setting is On because you want to send audit information that includes labeling actions but you don't want to send sensitive information types found by the client, enter the following strings:

  • Key: RunAuditInformationTypesDiscovery

  • Value: False

If you set this advanced client setting, auditing information can still be sent from the client but the information is limited to labeling activity.

For example:

  • With this setting, you can see that a user accessed Financial.docx that is labeled Confidential \ Sales.

  • Without this setting, you can see that Financial.docx contains 6 credit card numbers.

Disable sending information type matches for a subset of users

This configuration uses an advanced client setting that you must configure in the Azure portal.

When you select the checkbox for Azure Information Protection analytics that enables deeper analytics into your sensitive data, the content matches for your sensitive information types or your custom conditions are collected. By default, this information is sent by all users, which includes service accounts that run the Azure Information Protection scanner. If you have some users who should not send this data, create the following advanced client setting in a scoped policy for these users:

  • Key: LogMatchedContent

  • Value: Disable

Limit the number of threads used by the scanner

This configuration uses an advanced client setting that you must configure in the Azure portal.

By default, the scanner uses all available processor resources on the computer running the scanner service. If you need to limit the CPU consumption while this service is scanning, create the following advanced setting.

For the value, specify the number of concurrent threads that the scanner can run in parallel. The scanner uses a separate thread for each file that it scans, so this throttling configuration also defines the number of files that can be scanned in parallel.

When you first configure the value for testing, we recommend you specify 2 per core, and then monitor the results. For example, if you run the scanner on a computer that has 4 cores, first set the value to 8. If necessary, increase or decrease that number, according to the resulting performance you require for the scanner computer and your scanning rates.

  • Key: ScannerConcurrencyLevel

  • Value: <number of concurrent threads>

Disable the low integrity level for the scanner

This configuration uses an advanced client setting that you must configure in the Azure portal.

By default, the Azure Information Protection scanner runs with a low integrity level. This setting provides higher security isolation but at the cost of performance. A low integrity level is suitable if you run the scanner with an account that has privileged rights (such as a local administrator account) because this setting helps to protect the computer running the scanner.

However, when the service account that runs the scanner has only the rights documented in the scanner deployment prerequisites, the low integrity level is not necessary and is not recommended because it negatively affects performance.

For more information about the Windows integrity levels, see What is the Windows Integrity Mechanism?

To configure this advanced setting so that the scanner runs with an integrity level that's automatically assigned by Windows (a standard user account runs with a medium integrity level), enter the following strings:

  • Key: ProcessUsingLowIntegrity

  • Value: False

Change the timeout settings for the scanner

This configuration uses advanced client settings that you must configure in the Azure portal.

By default, the Azure Information Protection scanner has a timeout period of 00:15:00 (15 minutes) to inspect each file for sensitive information types or the regex expressions that you've configured for custom conditions. When the timeout period is reached for this content extraction process, any results before the timeout are returned and further inspection for the file stops. In this scenario, the following error message is logged in %localappdata%\Microsoft\MSIP\Logs\MSIPScanner.iplog (zipped if there are multiple logs): GetContentParts failed with The operation was canceled in the details.

If you experience this timeout problem because of large files, you can increase this timeout period for full content extraction:

  • Key: ContentExtractionTimeout

  • Value: <hh:min:sec>

The file type can influence how long it takes to scan a file. Example scanning times:

  • A typical 100 MB Word file: 0.5-5 minutes

  • A typical 100 MB PDF file: 5-20 minutes

  • A typical 100 MB Excel file: 12-30 minutes

For some file types that are very large, such as video files, consider excluding them from the scan by adding the file name extension to the File types to scan option in the scanner profile.

In addition, the Azure Information Protection scanner has a timeout period of 00:30:00 (30 minutes) for each file that it processes. This value takes into account the time it can take to retrieve a file from a repository and temporarily save it locally for actions that can include decryption, content extraction for inspection, labeling, and encryption.

Although the Azure Information Protection scanner can scan dozens to hundreds of files per minute, if you have a data repository that has a high number of very large files, the scanner can exceed this default timeout period and in the Azure portal, seem to stop after 30 minutes. In this scenario, the following error message is logged in %localappdata%\Microsoft\MSIP\Logs\MSIPScanner.iplog (zipped if there are multiple logs) and the scanner .csv log file: The operation was canceled.

A scanner with 4 core processors by default has 16 threads for scanning and the probability of encountering 16 large files in a 30 minute time period depends on the ratio of the large files. For example, if the scanning rate is 200 files per minute, and 1% of files exceed the 30 minute timeout, there is a probability of more than 85% that the scanner will encounter the 30 minute timeout situation. These timeouts can result in longer scanning times and higher memory consumption.

In this situation, if you cannot add more core processors to the scanner computer, consider decreasing the timeout period for better scanning rates and lower memory consumption, but with the acknowledgment that some files will be excluded. Alternatively, consider increasing the timeout period for more accurate scanning results but with the acknowledgment that this configuration will likely result in lower scanning rates and higher memory consumption.

To change the timeout period for file processing, configure the following advanced client setting:

  • Key: FileProcessingTimeout

  • Value: <hh:min:sec>

Change the local logging level

This configuration uses an advanced client setting that you must configure in the Azure portal.

By default, the Azure Information Protection client writes client log files to the %localappdata%\Microsoft\MSIP folder. These files are intended for troubleshooting by Microsoft Support.

To change the logging level for these files, configure the following advanced client setting:

  • Key: LogLevel

  • Value: <logging level>

Set the logging level to one of the following values:

  • Off: No local logging.

  • Error: Errors only.

  • Info: Minimum logging, which includes no event IDs (the default setting for the scanner).

  • Debug: Full information.

  • Trace: Detailed logging (the default setting for clients). For the scanner, this setting has a significant performance impact and should be enabled for the scanner only if requested by Microsoft Support. If you are instructed to set this level of logging for the scanner, remember to set a different value when the relevant logs have been collected.

This advanced client setting does not change the information that's sent to Azure Information Protection for central reporting, or change the information that's written to the local event log.

Integration with the legacy Exchange message classification

Outlook on the web now supports built-in labeling for Exchange Online, which is the recommended method to label emails in Outlook on the web. However, if you need to label emails in OWA and are using Exchange Server, which doesn't yet support sensitivity labels, you can use Exchange message classification to extend Azure Information Protection labels to Outlook on the web.

Outlook Mobile does not support Exchange message classification.

To achieve this solution:

  1. Use the New-MessageClassification Exchange PowerShell cmdlet to create message classifications with the Name property that maps to your label names in your Azure Information Protection policy.

  2. Create an Exchange mail flow rule for each label: Apply the rule when the message properties include the classification that you configured, and modify the message properties to set a message header.

    For the message header, you find the information to specify by inspecting the internet headers of an email that you sent and classified by using your Azure Information Protection label. Look for the header msip_labels and the string that immediately follows, up to and excluding the semicolon. For example:

    msip_labels: MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Enabled=True

    Then, for the message header in the rule, specify msip_labels for the header, and the remainder of this string for the header value. For example:

    Image: Example Exchange Online mail flow rule that sets the message header for a specific Azure Information Protection label

    Note: When the label is a sublabel, you must also specify the parent label before the sublabel in the header value, using the same format. For example, if your sublabel has a GUID of 27efdf94-80a0-4d02-b88c-b615c12d69a9, your value might look like the following: MSIP_Label_ab70158b-bdcc-42a3-8493-2a80736e9cbd_Enabled=True;MSIP_Label_27efdf94-80a0-4d02-b88c-b615c12d69a9_Enabled=True

Before you test this configuration, remember that there is often a delay when you create or edit mail flow rules (for example, wait an hour). When the rule is in effect, the following events now happen when users use Outlook on the web:

  • Users select the Exchange message classification and send the email.

  • The Exchange rule detects the Exchange classification and accordingly modifies the message header to add the Azure Information Protection classification.

  • When internal recipients view the email in Outlook and they have the Azure Information Protection client installed, they see the Azure Information Protection label assigned.

If your Azure Information Protection labels apply protection, add this protection to the rule configuration: Select the option to modify the message security, apply rights protection, and then select the protection template or Do Not Forward option.

You can also configure mail flow rules to do the reverse mapping. When an Azure Information Protection label is detected, set a corresponding Exchange message classification:

  • For each Azure Information Protection label: Create a mail flow rule that is applied when the msip_labels header includes the name of your label (for example, General), and apply a message classification that maps to this label.
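
The two steps of the procedure above and the reverse mapping, as an added example for an Exchange PowerShell session. This is not code from the original guide: the label name General, its pairing with the GUID from the header example, the rule names, and the sample header string are assumptions.

```powershell
# Added example. Run in an Exchange PowerShell session
# (Exchange Management Shell or Exchange Online PowerShell).

# Constructed sample: the msip_labels internet header copied from an email that
# was sent with the label applied. The GUID is the one from the header example
# in this guide; the field after the first semicolon is illustrative only.
$rawHeader = 'msip_labels: MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Enabled=True; ' +
             'MSIP_Label_0e421e6d-ea17-4fdb-8f01-93a3e71333b8_Name=General'

# Assumption: this GUID belongs to a label named General.
$labelName = 'General'

# Keep the string that follows the header name, up to and excluding the first
# semicolon. Fail early if the header does not have the expected shape, so a
# malformed value is never written into a mail flow rule.
$pattern = '^msip_labels:\s*(?<value>MSIP_Label_[0-9a-f-]{36}_Enabled\s*=\s*True)\s*(;|$)'
if ($rawHeader -notmatch $pattern) {
    throw 'No msip_labels value of the form MSIP_Label_<GUID>_Enabled=True was found.'
}
$headerValue = $Matches['value'] -replace '\s', ''

# For a sublabel, the parent label comes first in the same format, for example:
# $headerValue = 'MSIP_Label_<parent GUID>_Enabled=True;MSIP_Label_<sublabel GUID>_Enabled=True'

# Step 1: a message classification whose Name maps to the label name.
if (-not (Get-MessageClassification -Identity $labelName -ErrorAction SilentlyContinue)) {
    New-MessageClassification -Name $labelName -DisplayName $labelName `
        -SenderDescription "Maps to the Azure Information Protection label $labelName"
}

# Step 2: when a message carries that classification, set the msip_labels header.
# If the label applies protection, also pass
# -ApplyRightsProtectionTemplate '<protection template name>'.
New-TransportRule -Name "AIP - $labelName classification to msip_labels" `
    -HasClassification (Get-MessageClassification -Identity $labelName).Identity `
    -SetHeaderName 'msip_labels' `
    -SetHeaderValue $headerValue

# Reverse mapping: when the msip_labels header includes the label name,
# apply the matching Exchange message classification.
New-TransportRule -Name "AIP - msip_labels $labelName to classification" `
    -HeaderContainsMessageHeader 'msip_labels' `
    -HeaderContainsWords $labelName `
    -ApplyClassification $labelName

# Review what was created before testing in Outlook on the web.
Get-TransportRule | Where-Object { $_.Name -like 'AIP - *' } |
    Format-List Name, State, SetHeaderName, SetHeaderValue, ApplyClassification
```

Repeat the block once per label, and allow for the mail flow rule delay described above before you test.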

Next steps

Now that you've customized the Azure Information Protection client, see the following resources for additional information that you might need to support this client: