Admin Guide: Configuring and using document tracking for Azure Information Protection

Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Instructions for: Azure Information Protection client for Windows

Note

To provide a unified and streamlined customer experience, the Azure Information Protection client (classic) and Label Management in the Azure portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection unified labeling platform. Learn more in the official deprecation notice.

If you have a subscription that supports document tracking, the document tracking site is enabled by default for all users in your organization. Document tracking provides information for users and administrators about when a protected document was accessed and, if necessary, a tracked document can be revoked.

Using PowerShell to manage the document tracking site

The following sections contain information about how you can manage the document tracking site by using PowerShell. For installation instructions for the PowerShell module, see Installing the AIPService PowerShell module.

For more information about each of the cmdlets, use the links provided.

Privacy controls for your document tracking site

If displaying all document tracking information is prohibited in your organization because of privacy requirements, you can disable document tracking by using the Disable-AipServiceDocumentTrackingFeature cmdlet.

This cmdlet disables access to the document tracking site so that no user in your organization can track or revoke access to documents that they have protected. You can re-enable document tracking at any time by using Enable-AipServiceDocumentTrackingFeature, and you can check whether document tracking is currently enabled or disabled by using Get-AipServiceDocumentTrackingFeature.

When the document tracking site is enabled, by default it shows information such as the email addresses of the people who attempted to access the protected documents, when these people tried to access them, and their location. This level of information can be helpful to determine how shared documents are used and whether they should be revoked if suspicious activity is seen. However, for privacy reasons, you might need to disable this user information for some or all users.

If you have users whose activity should not be tracked by other users, add them to a group that is stored in Azure AD, and specify this group with the Set-AipServiceDoNotTrackUserGroup cmdlet. When you run this cmdlet, you must specify a single group. However, the group can contain nested groups.

For these group members, users cannot see any activity on the document tracking site when that activity is related to documents that they shared with them. In addition, no email notifications are sent to the user who shared the document.

When you use this configuration, all users can still use the document tracking site and revoke access to documents that they have protected. However, they do not see activity for the users who you have specified by using the Set-AipServiceDoNotTrackUserGroup cmdlet.

This setting affects end users only. Administrators for Azure Information Protection can always track the activities of all users, even when those users are specified by using Set-AipServiceDoNotTrackUserGroup. For more information about how administrators can track documents for users, see the Tracking and revoking documents for users section.
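The following script is an added example of applying the privacy controls above, not code from the Microsoft documentation. It assumes the AIPService module is installed, that Connect-AipService has already been run as a tenant administrator, that the group address is a placeholder for a real Azure AD group, and that -GroupEmail is the parameter name accepted by Set-AipServiceDoNotTrackUserGroup.

```powershell
# Added example (not from the documentation). Assumes Connect-AipService has been run.
# Placeholder group address; replace with an Azure AD group (nested groups are allowed).
$doNotTrackGroup = "aip-donottrack@contoso.example"

# 1. Record the current state before changing anything, so the change is
#    attributable and can be reversed.
$stateBefore = Get-AipServiceDocumentTrackingFeature
Write-Host "Document tracking before change: $stateBefore"

# 2. Narrow option: keep the site for everyone, but hide this group's activity
#    from other end users. Administrators in Administrator mode still see it,
#    so this is a privacy control for end users, not a security boundary.
Set-AipServiceDoNotTrackUserGroup -GroupEmail $doNotTrackGroup   # -GroupEmail assumed
Write-Host "Do-not-track group now: $(Get-AipServiceDoNotTrackUserGroup)"

# 3. Broad option (left commented out): switch the site off for all end users.
#    Nobody can then track or revoke their own documents until it is re-enabled
#    with Enable-AipServiceDocumentTrackingFeature.
# Disable-AipServiceDocumentTrackingFeature

# 4. Re-read the feature state so the final configuration is visible in the
#    session transcript next to the value captured in step 1.
$stateAfter = Get-AipServiceDocumentTrackingFeature
Write-Host "Document tracking after change:  $stateAfter"
```

Run it in a transcripted session (Start-Transcript) so the before and after values are kept with the change record.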

Logging information from the document tracking site

You can use the following cmdlets to download logging information from the document tracking site:

  • Get-AipServiceTrackingLog

    This cmdlet returns tracking information about protected documents for a specified user who protected documents (the Rights Management issuer) or who accessed protected documents. Use this cmdlet to help answer the question "Which protected documents did a specified user track or access?"

  • Get-AipServiceDocumentLog

    This cmdlet returns protection information about the tracked documents for a specified user if that user protected documents (the Rights Management issuer) or was the Rights Management owner for documents, or if protected documents were configured to grant access directly to the user. Use this cmdlet to help answer the question "How are documents protected for a specified user?"

Destination URLs used by the document tracking site

The following URLs are used for document tracking and must be allowed on all devices and services between the clients that run the Azure Information Protection client and the internet. For example, add these URLs to firewalls, or to your Trusted Sites if you're using Internet Explorer with Enhanced Security.

  • https://*.azurerms.com

  • https://*.microsoftonline.com

  • https://*.microsoftonline-p.com

  • https://ecn.dev.virtualearth.net

These URLs are standard for the Azure Rights Management service, with the exception of the virtualearth.net URL, which is used for Bing Maps to display the user location.

Tracking and revoking documents for users

When users sign in to the document tracking site, they can track and revoke documents that they have protected by using the Azure Information Protection client. When you sign in as an Azure AD global administrator for your tenant, you can click the Admin icon, which switches to Administrator mode. Other administrator roles do not support this mode for the document tracking site.

[Image: Admin icon in the document tracking site]

Administrator mode lets you see the documents that users in your organization have selected to track by using the Azure Information Protection client.

Note

If you do not see this icon, despite being a global administrator, it's because you haven't yet shared any documents yourself. In this case, use the following URL to access the document tracking site: https://portal.azurerms.com/#/admin

Actions that you take in Administrator mode are audited and logged in the usage log files, and you must confirm to continue. For more information about this logging, see the next section.

When you are in Administrator mode, you can search by user or by document. If you search by user, you see all the documents that the specified user has selected to track by using the Azure Information Protection client.

If you search by document, you see all the users in your organization who tracked that document by using the Azure Information Protection client. You can then drill into the search results to track the documents that users have protected and revoke these documents, if necessary.

To leave Administrator mode, click X next to Exit administrator mode:

[Image: Exit administrator mode in the document tracking site]

For instructions on how to use the document tracking site, see Track and revoke your documents in the user guide.

Using PowerShell to register labeled documents with the document tracking site

To be able to track and revoke a document, it must first be registered with the document tracking site. This registration happens when users select the Track and revoke option from File Explorer or their Office apps when they use the Azure Information Protection client.

If you label and protect files for users by using the Set-AIPFileLabel cmdlet, you can use the EnableTracking parameter to register the file with the document tracking site. For example:

Set-AIPFileLabel -Path C:\Projects\ -LabelId ade72bf1-4714-4714-4714-a325f824c55a -EnableTracking

Usage logging for the document tracking site

Two fields in the usage log files are applicable to document tracking: AdminAction and ActingAsUser.

AdminAction - This field has a value of true when an administrator uses the document tracking site in Administrator mode, for example, to revoke a document on a user's behalf or to see when it was shared. This field is empty when a user signs in to the document tracking site.

ActingAsUser - When the AdminAction field is true, this field contains the user name that the administrator is acting on behalf of, that is, the searched-for user or the document owner. This field is empty when a user signs in to the document tracking site.

There are also request types that log how users and administrators are using the document tracking site. For example, RevokeAccess is the request type when a user, or an administrator on behalf of a user, has revoked a document in the document tracking site. Use this request type in combination with the AdminAction field to determine whether the user revoked their own document (the AdminAction field is empty) or an administrator revoked a document on behalf of a user (AdminAction is true).
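The following script is an added example of reviewing the usage log for revocations, not code from the Microsoft documentation. The log lines are constructed: the column names follow the field names described above (request-type, AdminAction, ActingAsUser) and the tab-delimited layout with a header row is assumed; in practice you would point it at the usage log files you downloaded rather than the inline sample.

```powershell
# Added example (not from the documentation). Constructed sample of a usage log:
# tab-delimited with a header row (layout assumed); column names taken from the
# field names the page describes. Empty AdminAction means a user acted for themselves.
$sampleLog = @"
date`ttime`trequest-type`tuser-id`tAdminAction`tActingAsUser`tcontent-id
2021-02-01`t09:12:03`tRevokeAccess`talice@contoso.example`t`t`t11111111-aaaa
2021-02-01`t10:45:17`tRevokeAccess`tadmin@contoso.example`ttrue`tbob@contoso.example`t22222222-bbbb
2021-02-01`t11:02:40`tAcquireLicense`tcarol@contoso.example`t`t`t33333333-cccc
2021-02-02`t08:30:00`tRevokeAccess`tadmin@contoso.example`ttrue`talice@contoso.example`t44444444-dddd
"@

function Get-RevocationSummary {
    # Returns one object per RevokeAccess entry, stating who revoked, on whose
    # behalf, and whether it was done in Administrator mode.
    param([Parameter(Mandatory)][string]$LogText)

    $rows = $LogText | ConvertFrom-Csv -Delimiter "`t"
    foreach ($r in $rows | Where-Object { $_.'request-type' -eq 'RevokeAccess' }) {
        $isAdmin = $r.AdminAction -eq 'true'          # empty string -> $false
        [pscustomobject]@{
            When       = "$($r.date) $($r.time)"
            RevokedBy  = $r.'user-id'
            OnBehalfOf = if ($isAdmin) { $r.ActingAsUser } else { $r.'user-id' }
            AdminMode  = $isAdmin
            ContentId  = $r.'content-id'
        }
    }
}

$summary = Get-RevocationSummary -LogText $sampleLog
$summary | Format-Table -AutoSize

# Admin-mode revocations are the ones to reconcile against a change or ticket
# record, because the document owner did not perform them.
$summary | Where-Object AdminMode | Group-Object RevokedBy | ForEach-Object {
    "{0} revoked {1} document(s) on behalf of other users" -f $_.Name, $_.Count
}
```

For real data, replace $sampleLog with the contents of the usage log files you download from the service (for example with Get-Content on each file) and keep the same function.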

For more information about usage logging, see Logging and analyzing the protection usage from Azure Information Protection.

Next steps

Now that you've configured the document tracking site for the Azure Information Protection client, see the following for additional information that you might need to support this client: