User Guide: Classify and protect with the Azure Information Protection client

Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 10, Windows 8.1, Windows 8

Instructions for: Azure Information Protection client for Windows

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Note

Use these instructions to help you classify and protect your documents and emails. If you need to only classify and not protect your documents and emails, see the classify-only instructions. If you are not sure which set of instructions to use, check with your administrator or help desk.

The easiest way to classify and protect your documents and emails is when you are creating or editing them from within your Office desktop apps: Word, Excel, PowerPoint, Outlook.

However, you can also classify and protect files by using File Explorer. This method supports additional file types and is a convenient way to classify and protect multiple files at once. This method supports protecting Office documents, PDF files, text and image files, and a wide range of other files.

If your label applies protection to a document, the protected document is not suitable to be saved on SharePoint or OneDrive. These locations do not support the following for protected files: Co-authoring, Office for the web, search, document preview, thumbnail, and eDiscovery.

Tip

Ask your administrator about migrating your labels to unified sensitivity labels that are supported for these locations when SharePoint is enabled for sensitivity labels.

Safely share a file with people outside your organization

Files that are protected are safe to share with others. For example, you attach a protected document to an email.

Before you share files with people outside your organization, check with your help desk or administrator how to protect files for external users.

For example, if your organization regularly communicates with people in another organization, your administrator might have configured labels such that these people can read and use protected documents. If that's the case, select these labels to classify and protect the documents to share.

Alternatively, if the external users have business-to-business (B2B) accounts created for them, you can use your Office app to set custom permissions or use File Explorer to set custom permissions for a document before you share it. If you set your own custom permissions and the document is already protected for internal use, first make a copy of it to retain the original permissions. Then use the copy to set the custom permissions.

Using Office apps to classify and protect your documents and emails

Use the Azure Information Protection bar or the Protect button on the ribbon to select one of the labels that has been configured for you.

For example, the following picture shows that the document hasn't yet been labeled because the Sensitivity shows Not set on the Azure Information Protection bar. To set a label, such as "General", click General. If you're not sure which label to apply to the current document or email, use the label tooltips to learn more about each label and when to apply it.

Example of the Azure Information Protection bar

If a label is already applied to the document and you want to change it, you can select a different label. If the labels are not displayed on the bar, first click the Edit Label icon, next to the current label value.

In addition to manually selecting labels, labels can also be applied in the following ways:

  • Your administrator configured a default label, which you can keep or change.

  • Your administrator configured recommended prompts to select a specific label when sensitive data is detected. You can accept the recommendation (and the label is applied), or reject it (the recommended label is not applied).

Exceptions for the Azure Information Protection bar

Don't see this Information Protection bar in your Office apps?

Possible reasons:

  • You don't have the Azure Information Protection client installed.

  • You have the client installed, but your administrator has configured a setting that doesn't display the bar. Instead, select labels from the Protect button, on the File tab from the Office ribbon.

  • Your client is running in protection-only mode.

Is the label that you expect to see not displayed?

Possible reasons:

  • If your administrator has recently configured a new label for you, try closing all instances of your Office app and reopening it. This action checks for changes to your labels.

  • If the missing label applies protection, you might have an edition of Office that does not support applying Rights Management protection. To verify, click Protect > Help and Feedback. In the dialog box, check if you have a message in the Client status section that says This client is not licensed for Office Professional Plus.

    You do not need Office Professional Plus if you have Office apps from Office 365 Business or Microsoft 365 Business when the user is assigned a license for Azure Rights Management (also known as Azure Information Protection for Office 365).

  • The label might be in a scoped policy that doesn't include your account. Check with your help desk or administrator.

Set custom permissions for a document

If allowed by your administrator, you can specify your own protection settings for documents rather than use the protection settings that your administrator might have included with your selected label. This option is specific to documents and is not available with Outlook.

  1. On the Home tab, in the Protection group, click Protect > Custom Permissions:

    Custom permissions option

    If you do not see Custom Permissions, your administrator does not allow you to use this option.

    Note that any custom permissions that you specify replace rather than supplement protection settings that your administrator might have defined for your chosen label.

  2. In the Microsoft Azure Information Protection dialog box, specify the following:

    • Protect with custom permissions: Make sure that this is selected so that you can specify and apply your custom permissions. Clear this option to remove any custom permissions.

    • Select permissions: If you want to protect the file so that only you can access it, select Only for me. Otherwise, select the level of access that you want people to have.

    • Select users, groups, or organizations: Specify the people who should have the permissions you selected for your file or files. Type their full email address, a group email address, or a domain name from the organization for all users in that organization.

      You can also use the address book icon to select users or groups from the Outlook address book.

    • Expire access: Select this option only for time-sensitive files so that the people you specified can't open your selected file or files after a date that you set. You will still be able to open the original file but after midnight (your current time zone), on the day that you set, the people that you specified will not be able to open the file.

  3. Click Apply and wait for the Custom permissions applied message. Then click Close.

Safely sharing by email

When you share Office documents by email, you can attach the document to an email that you protect, and the document is automatically protected with the same restrictions that apply to the email.

However, we recommend that you protect the document first, and then attach it to the email. Protect the email as well if the email message contains sensitive information. Two benefits of protecting the document before you attach it to an email:

  • You can track and, if necessary, revoke the document after you have emailed it.

  • You can apply different permissions to the document than to the email message.

Using File Explorer to classify and protect files

When you use File Explorer, you can quickly classify and protect a single file, multiple files, or a folder.

When you select a folder, all the files in that folder and any subfolders it has are automatically selected for the classification and protection options that you set. However, new files that you create in that folder or subfolders are not automatically configured with those options.

When you use File Explorer to classify and protect your files, if one or more of the labels appear dimmed, the files that you selected do not support classification. For these files, you can select a label only if your administrator has configured the label to apply protection. Or, you can specify your own protection settings.

Some files are automatically excluded from classification and protection, because changing them might stop your PC from running. Although you can select these files, they are skipped as an excluded folder or file. Examples include executable files and your Windows folder.

The admin guide contains a full list of the file types supported and the files and folders that are automatically excluded: File types supported by the Azure Information Protection client.

To classify and protect a file by using File Explorer

  1. In File Explorer, select your file, multiple files, or a folder. Right-click, and select Classify and protect. For example:

    File Explorer right-click menu showing Classify and protect with Azure Information Protection

  2. In the Classify and protect - Azure Information Protection dialog box, use the labels as you would do in an Office application, which sets the classification and protection as defined by your administrator.

    • If none of the labels can be selected (they appear dimmed): The selected file does not support classification but you can protect it with custom permissions (step 3). For example:

      No labels available in the Classify and protect - Azure Information Protection dialog box

    • If you do not see labels but an option for Company pre-defined protection in this dialog box: The client is running in protection-only mode. Either select a template to apply protection that your administrator has configured for you, or select Custom permissions to specify your own protection settings and go to step 4.

      No labels in the Classify and protect - Azure Information Protection dialog box

  3. If allowed by your administrator, you can specify your own protection settings rather than use the protection settings that your administrator might have included with your selected label. To do this, select Protect with custom permissions.

    If you do not see Protect with custom permissions, your administrator does not allow you to use this option.

    Any custom permissions that you specify replace rather than supplement protection settings that your administrator might have defined for your chosen label.

  4. If you selected the custom permissions option, now specify the following:

    • Select permissions: Select the level of access that you want people to have when you protect the selected file or files.

    • Select users, groups, or organizations: Specify the people who should have the permissions you selected for your file or files. Type their full email address, a group email address, or a domain name from the organization for all users in that organization.

      Alternatively, you can use the address book icon to select users or groups from the Outlook address book.

    • Expire access: Select this option only for time-sensitive files so that the people you specified will not be able to open your selected file or files after a date that you set. You will still be able to open the original file but after midnight (your current time zone), on the day that you set, the people that you specified will not be able to open the file.

      Note that if this setting was previously configured by using custom permissions from an Office 2010 app, the specified expiry date does not display in this dialog box but the expiry date is still set. This is a display issue only for when the expiry date was configured in Office 2010.

  5. Click Apply and wait for the Work finished message to see the results. Then click Close.

The selected file or files are now classified and protected, according to your selections. In some cases (when adding protection changes the file name extension), the original file in File Explorer is replaced with a new file that has the Azure Information Protection lock icon. For example:

Protected file with the lock icon for Azure Information Protection

If you change your mind about the classification and protection, or later need to modify your settings, simply repeat this process with your new settings.

The classification and protection that you specified stays with the file, even if you email the file or save it to another location. If you protected the file, you can track how people are using it and, if necessary, revoke access to it. For more information, see Track and revoke your protected documents when you use Azure Information Protection.

Other instructions

More how-to instructions from the Azure Information Protection user guide:

Additional information for administrators

For configuration instructions to enable the policy setting Make the custom permissions option available to users, see Configuring the Azure Information Protection policy settings.

Other configuration instructions: Configuring the Azure Information Protection policy.