Admin Guide: Custom configurations for the Azure Information Protection unified labeling client

Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

If you have Windows 7 or Office 2010, see AIP for Windows and Office versions in extended support.

Instructions for: Azure Information Protection unified labeling client for Windows

Use the following information for advanced configurations that you might need for specific scenarios or a subset of users when you manage the Azure Information Protection unified labeling client.

These settings require editing the registry or specifying advanced settings. The advanced settings use Office 365 Security & Compliance Center PowerShell.

How to configure advanced settings for the client by using Office 365 Security & Compliance Center PowerShell

When you use Office 365 Security & Compliance Center PowerShell, you can configure advanced settings that support customizations for label policies and labels. For example:

  • The setting to display the Information Protection bar in Office apps is a label policy advanced setting.
  • The setting to specify a label color is a label advanced setting.

In both cases, after you connect to Office 365 Security & Compliance Center PowerShell, specify the AdvancedSettings parameter with the identity (name or GUID) of the policy or label, and specify key/value pairs in a hash table. Use the following syntax:

For a label policy setting, single string value:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{Key="value1,value2"}

For label policy settings, multiple string values for the same key:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{Key=ConvertTo-Json("value1", "value2")}

For a label setting, single string value:

Set-Label -Identity <LabelGUIDorName> -AdvancedSettings @{Key="value1,value2"}

For label settings, multiple string values for the same key:

Set-Label -Identity <LabelGUIDorName> -AdvancedSettings @{Key=ConvertTo-Json("value1", "value2")}

To remove an advanced setting, use the same syntax but specify a null string value.

Important

Use of white spaces in the string will prevent application of the labels.

Examples for setting advanced settings

Example 1: Set a label policy advanced setting for a single string value:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions="False"}

Example 2: Set a label advanced setting for a single string value:

Set-Label -Identity Internal -AdvancedSettings @{smimesign="true"}

Example 3: Set a label advanced setting for multiple string values:

Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties=ConvertTo-Json("Migrate Confidential label,Classification,Confidential", "Migrate Secret label,Classification,Secret")}

Example 4: Remove a label policy advanced setting by specifying a null string value:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions=""}

Specifying the identity for the label policy or label

Specifying the label policy name for the PowerShell Identity parameter is straightforward because you see only one policy name in the admin center where you manage your label policies. However, for labels, you see both a Name and a Display name in the admin centers. In some cases, the value for both will be the same, but they can be different:

  • Name is the original name of the label and it is unique across all your labels. If you change the name of your label after it is created, this value remains the same. For labels that have been migrated from Azure Information Protection, you might see the label ID of the label from the Azure portal.

  • Display name is the name of the label that users see and it doesn't have to be unique across all your labels. For example, users see one All Employees sublabel for the Confidential label, and another All Employees sublabel for the Highly Confidential label. These sublabels both display the same name, but are not the same label and have different settings.

For configuring your label advanced settings, use the Name value. For example, to identify the label in the following picture, you would specify -Identity "All Company":

[Picture: Use "Name" rather than "Display Name" to identify a sensitivity label]

If you prefer to specify the label GUID, this value is not displayed in the admin center where you manage your labels. However, you can use the following Office 365 Security & Compliance Center PowerShell command to find this value:

Get-Label | Format-Table -Property DisplayName, Name, Guid

Order of precedence - how conflicting settings are resolved

Using one of the admin centers where you manage your sensitivity labels, you can configure the following label policy settings:

  • Apply this label by default to documents and emails

  • Users must provide justification to remove a label or lower classification label

  • Require users to apply a label to their email or document

  • Provide users with a link to a custom help page

When more than one label policy is configured for a user, each with potentially different policy settings, the last policy setting is applied according to the order of the policies in the admin center. For more information, see Label policy priority (order matters).

Label advanced settings follow the same logic for precedence: When a label is in multiple label policies and that label has advanced settings, the last advanced setting is applied according to the order of the policies in the admin center.

Label policy advanced settings are applied in the reverse order: With one exception, the advanced settings from the first policy are applied, according to the order of the policies in the admin center. The exception is the advanced setting OutlookDefaultLabel, which sets a different default label for Outlook. For this label policy advanced setting only, the last setting is applied according to the order of the policies in the admin center.
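The precedence rules above can be checked offline before you reorder policies. The following is an added example, not code from this guide or from Microsoft: it takes the policies that apply to one user, in admin-center order, and reports which policy supplies each effective value. The policy names, the `Settings` and `AdvancedSettings` property names, the `DefaultLabel` and `MandatoryLabeling` keys, and all values are hypothetical.

```powershell
# Added example: models the precedence rules from this section on constructed data.
# It does not call the service; every policy object below is hypothetical.

function Resolve-EffectivePolicySetting {
    param(
        # Label policies that apply to one user, in admin-center order (first to last).
        [Parameter(Mandatory)]
        [object[]] $OrderedPolicies
    )

    # The one label policy advanced setting the text names as "last policy wins".
    $lastWinsAdvanced = @('OutlookDefaultLabel')
    $effective = [ordered]@{}

    foreach ($policy in $OrderedPolicies) {
        # Label policy settings: each later policy overwrites the earlier ones.
        foreach ($key in $policy.Settings.Keys) {
            $effective["Setting/$key"] = [pscustomobject]@{
                Kind   = 'Policy setting'
                Key    = $key
                Value  = $policy.Settings[$key]
                Source = $policy.Name
                Rule   = 'last policy wins'
            }
        }

        # Label policy advanced settings: the first policy wins, except for the
        # keys listed in $lastWinsAdvanced, where the last policy wins.
        foreach ($key in $policy.AdvancedSettings.Keys) {
            $id = "Advanced/$key"
            $isException = $lastWinsAdvanced -contains $key
            if ($effective.Contains($id) -and -not $isException) {
                continue   # an earlier policy already set this key; keep its value
            }
            $rule = if ($isException) { 'last policy wins (exception)' } else { 'first policy wins' }
            $effective[$id] = [pscustomobject]@{
                Kind   = 'Policy advanced setting'
                Key    = $key
                Value  = $policy.AdvancedSettings[$key]
                Source = $policy.Name
                Rule   = $rule
            }
        }
    }

    $effective.Values
}

# Constructed sample: three policies that all include the same user.
$policies = @(
    [pscustomobject]@{
        Name             = 'Global'
        Settings         = @{ DefaultLabel = 'General'; MandatoryLabeling = 'False' }
        AdvancedSettings = @{ EnableCustomPermissions = 'False'
                              OutlookDefaultLabel     = '00000000-0000-0000-0000-000000000000' }
    }
    [pscustomobject]@{
        Name             = 'Finance'
        Settings         = @{ DefaultLabel = 'Confidential'; MandatoryLabeling = 'True' }
        AdvancedSettings = @{ EnableCustomPermissions = 'True'; HideBarByDefault = 'False' }
    }
    [pscustomobject]@{
        Name             = 'Contractors'
        Settings         = @{ DefaultLabel = 'Internal' }
        AdvancedSettings = @{ HideBarByDefault = 'True'; OutlookDefaultLabel = 'None' }
    }
)

Resolve-EffectivePolicySetting -OrderedPolicies $policies |
    Format-Table Kind, Key, Value, Source, Rule -AutoSize
```

In this sample, EnableCustomPermissions stays at the value from Global even though Finance sets it differently, while OutlookDefaultLabel and the default label both come from Contractors.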

Available advanced settings for label policies

Use the AdvancedSettings parameter with New-LabelPolicy and Set-LabelPolicy.

Setting | Scenario and instructions
AdditionalPPrefixExtensions | Support for changing <EXT>.PFILE to P<EXT> by using this advanced property
AttachmentAction | For email messages with attachments, apply a label that matches the highest classification of those attachments
AttachmentActionTip | For email messages with attachments, apply a label that matches the highest classification of those attachments
DisableMandatoryInOutlook | Exempt Outlook messages from mandatory labeling
EnableAudit | Disable sending audit data to Azure Information Protection analytics
EnableContainerSupport | Enable removal of protection from PST, rar, 7zip and MSG files
EnableCustomPermissions | Disable custom permissions in File Explorer
EnableCustomPermissionsForCustomProtectedFiles | For files protected with custom permissions, always display custom permissions to users in File Explorer
EnableLabelByMailHeader | Migrate labels from Secure Islands and other labeling solutions
EnableLabelBySharePointProperties | Migrate labels from Secure Islands and other labeling solutions
HideBarByDefault | Display the Information Protection bar in Office apps
JustificationTextForUserText | Customize justification prompt texts for modified labels
LogMatchedContent | Send information type matches to Azure Information Protection analytics
OutlookBlockTrustedDomains | Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookBlockUntrustedCollaborationLabel | Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookCollaborationRule | Customize Outlook popup messages
OutlookDefaultLabel | Set a different default label for Outlook
OutlookJustifyTrustedDomains | Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookJustifyUntrustedCollaborationLabel | Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookRecommendationEnabled | Enable recommended classification in Outlook
OutlookOverrideUnlabeledCollaborationExtensions | Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookSkipSmimeOnReadingPaneProperty | Prevent Outlook performance issues with S/MIME emails
OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior | Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookWarnTrustedDomains | Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookWarnUntrustedCollaborationLabel | Implement pop-up messages in Outlook that warn, justify, or block emails being sent
PFileSupportedExtensions | Change which file types to protect
PostponeMandatoryBeforeSave | Remove "Not now" for documents when you use mandatory labeling
RemoveExternalContentMarkingInApp | Remove headers and footers from other labeling solutions
ReportAnIssueLink | Add "Report an Issue" for users
RunPolicyInBackground | Turn on classification to run continuously in the background
ScannerConcurrencyLevel | Limit the number of threads used by the scanner
ScannerFSAttributesToSkip | Skip or ignore files during scans depending on file attributes
SharepointWebRequestTimeout | Configure SharePoint timeouts
SharepointFileWebRequestTimeout | Configure SharePoint timeouts
UseCopyAndPreserveNTFSOwner | Preserve NTFS owners during labeling

Example PowerShell command to check your label policy settings in effect for a label policy named "Global":

(Get-LabelPolicy -Identity Global).settings

Available advanced settings for labels

Use the AdvancedSettings parameter with New-Label and Set-Label.

Setting | Scenario and instructions
color | Specify a color for the label
customPropertiesByLabel | Apply a custom property when a label is applied
DefaultSubLabelId | Specify a default sublabel for a parent label
labelByCustomProperties | Migrate labels from Secure Islands and other labeling solutions
SMimeEncrypt | Configure a label to apply S/MIME protection in Outlook
SMimeSign | Configure a label to apply S/MIME protection in Outlook

Example PowerShell command to check your label settings in effect for a label named "Public":

(Get-Label -Identity Public).settings

Display the Information Protection bar in Office apps

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, users must select the Show Bar option from the Sensitivity button to display the Information Protection bar in Office apps. Use the HideBarByDefault key and set the value to False to automatically display this bar for users so that they can select labels from either the bar or the button.

For the selected label policy, specify the following strings:

  • Key: HideBarByDefault

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{HideBarByDefault="False"}

Exempt Outlook messages from mandatory labeling

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, when you enable the label policy setting of All documents and emails must have a label, all saved documents and sent emails must have a label applied. When you configure the following advanced setting, the policy setting applies only to Office documents and not to Outlook messages.

For the selected label policy, specify the following strings:

  • Key: DisableMandatoryInOutlook

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{DisableMandatoryInOutlook="True"}

Enable recommended classification in Outlook

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you configure a label for recommended classification, users are prompted to accept or dismiss the recommended label in Word, Excel, and PowerPoint. This setting extends this label recommendation to also display in Outlook.

For the selected label policy, specify the following strings:

  • Key: OutlookRecommendationEnabled

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookRecommendationEnabled="True"}

Enable removal of protection from compressed files

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you configure this setting, the PowerShell cmdlet Set-AIPFileLabel is enabled to allow removal of protection from PST, rar, 7zip and MSG files.

  • Key: EnableContainerSupport

  • Value: True

Example PowerShell command where your policy is enabled:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableContainerSupport="True"}

Set a different default label for Outlook

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you configure this setting, Outlook doesn't apply the default label that is configured as a policy setting for the option Apply this label by default to documents and emails. Instead, Outlook can apply a different default label, or no label.

For the selected label policy, specify the following strings:

  • Key: OutlookDefaultLabel

  • Value: <label GUID> or None

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookDefaultLabel="None"}

Change which file types to protect

These configurations use a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the Azure Information Protection unified labeling client protects all file types, and the scanner from the client protects only Office file types and PDF files.

You can change this default behavior for a selected label policy, by specifying one of the following:

PFileSupportedExtensions

  • Key: PFileSupportedExtensions

  • Value: <string value>

Use the following table to identify the string value to specify:

String value | Client | Scanner
* | Default value: Apply protection to all file types | Apply protection to all file types
<null value> | Apply protection to Office file types and PDF files | Default value: Apply protection to Office file types and PDF files
ConvertTo-Json(".jpg", ".png") | In addition to Office file types and PDF files, apply protection to the specified file name extensions | In addition to Office file types and PDF files, apply protection to the specified file name extensions

Example 1: PowerShell command for the unified client to protect only Office file types and PDF files, where your label policy is named "Client":

Set-LabelPolicy -Identity Client -AdvancedSettings @{PFileSupportedExtensions=""}

Example 2: PowerShell command for the scanner to protect all file types, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions="*"}

Example 3: PowerShell command for the scanner to protect .txt files and .csv files in addition to Office files and PDF files, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions=ConvertTo-Json(".txt", ".csv")}

With this setting, you can change which file types are protected but you cannot change the default protection level from native to generic. For example, for users running the unified labeling client, you can change the default setting so that only Office files and PDF files are protected instead of all file types. But you cannot change these file types to be generically protected with a .pfile file name extension.

AdditionalPPrefixExtensions

The unified labeling client supports changing <EXT>.PFILE to P<EXT> by using the advanced property, AdditionalPPrefixExtensions. This advanced property is supported in right-click, PowerShell, and scanner. All apps have similar behavior.

  • Key: AdditionalPPrefixExtensions

  • Value: <string value>

Use the following table to identify the string value to specify:

String value | Client and Scanner
* | All PFile extensions become P<EXT>
<null value> | Default value behaves like the default protection value.
ConvertTo-Json(".dwg", ".zip") | In addition to the previous list, ".dwg" and ".zip" become P<EXT>

Example 1: PowerShell command to behave like the default behavior where Protect ".dwg" becomes ".dwg.pfile":

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{AdditionalPPrefixExtensions=""}

Example 2: PowerShell command to change all PFile extensions from generic protection (dwg.pfile) to native protection (.pdwg) when the files are protected:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{AdditionalPPrefixExtensions="*"}

Example 3: PowerShell command to change ".dwg" to ".pdwg" when this service protects the file:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{AdditionalPPrefixExtensions=ConvertTo-Json(".dwg")}

With this setting, the following extensions (".txt", ".xml", ".bmp", ".jt", ".jpg", ".jpeg", ".jpe", ".jif", ".jfif", ".jfi", ".png", ".tif", ".tiff", ".gif") always become P<EXT>. A notable exclusion is that "ptxt" does not become "txt.pfile". AdditionalPPrefixExtensions only works if protection of PFiles is enabled with the advanced property PFileSupportedExtensions.

For example, in a case where the following command is used:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{PFileSupportedExtensions=""}

PFile protection is not possible, and the value in AdditionalPPrefixExtensions is ignored.
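To see how PFileSupportedExtensions and AdditionalPPrefixExtensions interact before changing a policy, the rules in this section can be modelled offline. The following is an added example, not the client's code: the function name, the sample file names and the short list of natively protected Office/PDF extensions (assumed to keep their file name) are assumptions.

```powershell
# Added example: models the file-name rules stated in this section on constructed
# input. It is not the client's implementation and does not touch any file.

function Get-ProtectedFileName {
    param(
        [Parameter(Mandatory)]
        [string] $FileName,

        # PFileSupportedExtensions value: '*' (client default), empty (scanner
        # default, Office and PDF only) or a list of extra extensions.
        [string[]] $PFileSupportedExtensions = @('*'),

        # AdditionalPPrefixExtensions value: '*', empty (default) or a list.
        [string[]] $AdditionalPPrefixExtensions = @()
    )

    # Extensions the text says always become P<EXT>.
    $alwaysPPrefix = '.txt', '.xml', '.bmp', '.jt', '.jpg', '.jpeg', '.jpe',
                     '.jif', '.jfif', '.jfi', '.png', '.tif', '.tiff', '.gif'

    # Assumption: a small sample of Office/PDF types; native protection is
    # assumed to leave the file name unchanged.
    $nativeTypes = '.docx', '.xlsx', '.pptx', '.pdf'

    $ext = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    $result = $null

    if ($nativeTypes -contains $ext) {
        $result = $FileName
    }
    elseif (($PFileSupportedExtensions -notcontains '*') -and
            ($PFileSupportedExtensions -notcontains $ext)) {
        # PFile protection does not apply to this type, so the value of
        # AdditionalPPrefixExtensions is ignored.
        $result = '(not protected)'
    }
    elseif (($alwaysPPrefix -contains $ext) -or
            ($AdditionalPPrefixExtensions -contains '*') -or
            ($AdditionalPPrefixExtensions -contains $ext)) {
        # P<EXT>: plan.dwg becomes plan.pdwg
        $result = [System.IO.Path]::ChangeExtension($FileName, 'p' + $ext.TrimStart('.'))
    }
    else {
        # <EXT>.PFILE: plan.dwg becomes plan.dwg.pfile
        $result = "$FileName.pfile"
    }

    [pscustomobject]@{ FileName = $FileName; Result = $result }
}

# Constructed scenarios: the two settings as they would be passed in -AdvancedSettings.
$scenarios = @(
    @{ Label = 'Client default';                PFile = @('*');    Addl = @() }
    @{ Label = 'AdditionalPPrefix = *';         PFile = @('*');    Addl = @('*') }
    @{ Label = 'AdditionalPPrefix = .dwg';      PFile = @('*');    Addl = @('.dwg') }
    @{ Label = 'PFile = .dwg only';             PFile = @('.dwg'); Addl = @() }
    @{ Label = 'PFile empty, prefix ignored';   PFile = @('');     Addl = @('*') }
)

$rows = foreach ($s in $scenarios) {
    foreach ($file in 'plan.dwg', 'notes.txt', 'archive.zip', 'report.docx') {
        $r = Get-ProtectedFileName -FileName $file `
                 -PFileSupportedExtensions $s.PFile `
                 -AdditionalPPrefixExtensions $s.Addl
        [pscustomobject]@{ Scenario = $s.Label; FileName = $r.FileName; Result = $r.Result }
    }
}

$rows | Format-Table -AutoSize
```

The last scenario shows the case described above: with an empty PFileSupportedExtensions, non-Office files are reported as not protected regardless of AdditionalPPrefixExtensions.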

Remove "Not now" for documents when you use mandatory labeling

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you use the label policy setting of All documents and emails must have a label, users are prompted to select a label when they first save an Office document and when they send an email. For documents, users can select Not now to temporarily dismiss the prompt to select a label and return to the document. However, they cannot close the saved document without labeling it.

When you configure this setting, it removes the Not now option so that users must select a label when the document is first saved.

For the selected label policy, specify the following strings:

  • Key: PostponeMandatoryBeforeSave

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{PostponeMandatoryBeforeSave="False"}

Remove headers and footers from other labeling solutions

This configuration uses policy advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

There are two methods to remove classifications from other labeling solutions. The first method removes any shape from Word documents where the shape name matches the name as defined in the advanced property WordShapeNameToRemove. The second method lets you remove or replace text-based headers or footers from Word, Excel and PowerPoint documents as defined in the RemoveExternalContentMarkingInApp advanced property.

Use the WordShapeNameToRemove advanced property

The WordShapeNameToRemove advanced property is supported from version 2.6.101.0 and above.

This setting lets you remove or replace shape-based labels from Word documents when those visual markings have been applied by another labeling solution. For example, the shape contains the name of an old label that you have now migrated to sensitivity labels to use a new label name and its own shape.

To use this advanced property, you'll need to find the shape names in the Word document and then define them in the WordShapeNameToRemove advanced property list of shapes. The service will remove any shape in Word whose name starts with a name defined in the list of shapes in this advanced property.

Define the names of all shapes to remove so that shapes containing text you wish to ignore are not removed, and so that the text in all shapes does not have to be checked, which is a resource-intensive process.

If you do not specify Word shapes in this additional advanced property setting, and Word is included in the RemoveExternalContentMarkingInApp key value, all shapes will be checked for the text that you specify in the ExternalContentMarkingToRemove value.

To find the name of the shape that you're using and wish to exclude:

  1. In Word, display the Selection pane: Home tab > Editing group > Select option > Selection Pane.

  2. Select the shape on the page that you wish to mark for removal. The name of the shape you mark is now highlighted in the Selection pane.

Use the name of the shape to specify a string value for the WordShapeNameToRemove key.

Example: The shape name is dc. To remove the shape with this name, you specify the value: dc.

  • Key: WordShapeNameToRemove

  • Value: <Word shape name>

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{WordShapeNameToRemove="dc"}

When you have more than one Word shape to remove, specify as many values as you have shapes to remove.

Use the RemoveExternalContentMarkingInApp advanced property

This setting lets you remove or replace text-based headers or footers from documents when those visual markings have been applied by another labeling solution. For example, the old footer contains the name of an old label that you have now migrated to sensitivity labels to use a new label name and its own footer.

When the unified labeling client gets this configuration in its policy, the old headers and footers are removed or replaced when the document is opened in the Office app and any sensitivity label is applied to the document.

This configuration is not supported for Outlook. Be aware that when you use it with Word, Excel, and PowerPoint, it can negatively affect the performance of these apps for users. The configuration lets you define settings per application, for example, search for text in the headers and footers of Word documents but not Excel spreadsheets or PowerPoint presentations.

Because the pattern matching affects the performance for users, we recommend that you limit the Office application types (Word, Excel, PowerPoint; specified as W, X, P) to just those that need to be searched. For the selected label policy, specify the following strings:

  • Key: RemoveExternalContentMarkingInApp

  • Value: <Office application types WXP>

Examples:

  • To search Word documents only, specify W.

  • To search Word documents and PowerPoint presentations, specify WP.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalContentMarkingInApp="WX"}

You then need at least one more advanced client setting, ExternalContentMarkingToRemove, to specify the contents of the header or footer, and how to remove or replace them.

How to configure ExternalContentMarkingToRemove

When you specify the string value for the ExternalContentMarkingToRemove key, you have three options that use regular expressions:

  • Partial match to remove everything in the header or footer.

    Example: Headers or footers contain the string TEXT TO REMOVE. You want to completely remove these headers or footers. You specify the value: *TEXT*.

  • Complete match to remove just specific words in the header or footer.

    Example: Headers or footers contain the string TEXT TO REMOVE. You want to remove the word TEXT only, which leaves the header or footer string as TO REMOVE. You specify the value: TEXT .

  • Complete match to remove everything in the header or footer.

    Example: Headers or footers have the string TEXT TO REMOVE. You want to remove headers or footers that have exactly this string. You specify the value: ^TEXT TO REMOVE$.

The pattern matching for the string that you specify is case-insensitive. The maximum string length is 255 characters, and cannot include white spaces.

Because some documents might include invisible characters or different kinds of spaces or tabs, the string that you specify for a phrase or sentence might not be detected. Whenever possible, specify a single distinguishing word for the value and be sure to test the results before you deploy in production.

For the same label policy, specify the following strings:

  • Key: ExternalContentMarkingToRemove

  • Value: <string to match, defined as regular expression>

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ExternalContentMarkingToRemove="*TEXT*"}

Multiline headers or footers

If a header or footer text is more than a single line, create a key and value for each line. For example, you have the following footer with two lines:

The file is classified as Confidential

Label applied manually

To remove this multiline footer, you create the following two entries for the same label policy:

  • Key: ExternalContentMarkingToRemove

  • Key Value 1: *Confidential*

  • Key Value 2: *Label applied*

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ExternalContentMarkingToRemove="*Confidential*,*Label applied*"}

Optimization for PowerPoint

Footers in PowerPoint are implemented as shapes. To avoid removing shapes that contain the text that you have specified but are not headers or footers, use an additional advanced client setting named PowerPointShapeNameToRemove. We also recommend using this setting to avoid checking the text in all shapes, which is a resource-intensive process.

If you do not specify this additional advanced client setting, and PowerPoint is included in the RemoveExternalContentMarkingInApp key value, all shapes will be checked for the text that you specify in the ExternalContentMarkingToRemove value.

To find the name of the shape that you're using as a header or footer:

  1. In PowerPoint, display the Selection pane: Format tab > Arrange group > Selection Pane.

  2. Select the shape on the slide that contains your header or footer. The name of the selected shape is now highlighted in the Selection pane.

Use the name of the shape to specify a string value for the PowerPointShapeNameToRemove key.

Example: The shape name is fc. To remove the shape with this name, you specify the value: fc.

  • Key: PowerPointShapeNameToRemove

  • Value: <PowerPoint shape name>

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{PowerPointShapeNameToRemove="fc"}

When you have more than one PowerPoint shape to remove, specify as many values as you have shapes to remove.

By default, only the Master slides are checked for headers and footers. To extend this search to all slides, which is a much more resource-intensive process, use an additional advanced client setting named RemoveExternalContentMarkingInAllSlides:

  • Key: RemoveExternalContentMarkingInAllSlides

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalContentMarkingInAllSlides="True"}

Disable custom permissions in File Explorer

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, users see an option named Protect with custom permissions when they right-click in File Explorer and choose Classify and protect. This option lets them set their own protection settings that can override any protection settings that you might have included with a label configuration. Users can also see an option to remove protection. When you configure this setting, users do not see these options.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: EnableCustomPermissions

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions="False"}

For files protected with custom permissions, always display custom permissions to users in File Explorer

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you configure the advanced client setting to disable custom permissions in File Explorer, by default, users are not able to see or change custom permissions that are already set in a protected document.

However, there's another advanced client setting that you can specify so that in this scenario, users can see and change custom permissions for a protected document when they use File Explorer and right-click the file.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: EnableCustomPermissionsForCustomProtectedFiles

  • Value: True

Example PowerShell command:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissionsForCustomProtectedFiles="True"}

For email messages with attachments, apply a label that matches the highest classification of those attachments

This configuration uses policy advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

This setting is for when users attach labeled documents to an email, and do not label the email message itself. In this scenario, a label is automatically selected for them, based on the classification labels that are applied to the attachments. The highest classification label is selected.

The attachment must be a physical file, and cannot be a link to a file (for example, a link to a file on Microsoft SharePoint or OneDrive).

You can configure this setting to Recommended, so that users are prompted to apply the selected label to their email message, with a customizable tooltip. Users can accept the recommendation or dismiss it. Or, you can configure this setting to Automatic, where the selected label is automatically applied but users can remove the label or select a different label before sending the email.

Note

When the attachment with the highest classification label is configured for protection with the setting of user-defined permissions:

  • When the label's user-defined permissions include Outlook (Do Not Forward), that label is selected and Do Not Forward protection is applied to the email.
  • When the label's user-defined permissions are just for Word, Excel, PowerPoint, and File Explorer, that label is not applied to the email message, and neither is protection.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key 1: AttachmentAction

  • Key Value 1: Recommended or Automatic

  • Key 2: AttachmentActionTip

  • Key Value 2: "<customized tooltip>"

The customized tooltip supports a single language only.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{AttachmentAction="Automatic"}

Add "Report an Issue" for users

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you specify the following advanced client setting, users see a Report an Issue option that they can select from the Help and Feedback client dialog box. Specify an HTTP string for the link. For example, a customized web page that you have for users to report issues, or an email address that goes to your help desk.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: ReportAnIssueLink

  • Value: <HTTP string>

Example value for a website: https://support.contoso.com

Example value for an email address: mailto:helpdesk@contoso.com

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ReportAnIssueLink="mailto:helpdesk@contoso.com"}

Implement pop-up messages in Outlook that warn, justify, or block emails being sent

This configuration uses policy advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you create and configure the following advanced client settings, users see pop-up messages in Outlook that can warn them before sending an email, or ask them to provide justification why they are sending an email, or prevent them from sending an email for either of the following scenarios:

  • Their email or attachment for the email has a specific label:

    • The attachment can be any file type
  • Their email or attachment for the email doesn't have a label:

    • The attachment can be an Office document or PDF document

When these conditions are met, the user sees a pop-up message with one of the following actions:

  • Warn: The user can confirm and send, or cancel.

  • Justify: The user is prompted for justification (predefined options or free-form). The user can then send or cancel the email. The justification text is written to the email x-header, so that it can be read by other systems. For example, data loss prevention (DLP) services.

  • Block: The user is prevented from sending the email while the condition remains. The message includes the reason for blocking the email, so the user can address the problem. For example, remove specific recipients, or label the email.

When the pop-up messages are for a specific label, you can configure exceptions for recipients by domain name.

Tip

See the video Azure Information Protection Outlook Popup Configuration for a walkthrough example of how to configure these settings.

To implement the warn, justify, or block pop-up messages for specific labels:

For the selected policy, create one or more of the following advanced settings with the following keys. For the values, specify one or more labels by their GUIDs, each one separated by a comma.

Example value for multiple label GUIDs as a comma-separated string:

dcf781ba-727f-4860-b3c1-73479e31912b,1ace2cc3-14bc-4142-9125-bf946a70542c,3e9df74d-3168-48af-8b11-037e3021813f
  • Warn messages:

    • Key: OutlookWarnUntrustedCollaborationLabel

    • Value: <label GUIDs, comma-separated>

  • Justification messages:

    • Key: OutlookJustifyUntrustedCollaborationLabel

    • Value: <label GUIDs, comma-separated>

  • Block messages:

    • Key: OutlookBlockUntrustedCollaborationLabel

    • Value: <label GUIDs, comma-separated>

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookWarnUntrustedCollaborationLabel="8faca7b8-8d20-48a3-8ea2-0f96310a848e,b6d21387-5d34-4dc8-90ae-049453cec5cf,bb48a6cb-44a8-49c3-9102-2d2b017dcead,74591a94-1e0e-4b5d-b947-62b70fc0f53a,6c375a97-2b9b-4ccd-9c5b-e24e4fd67f73"}

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookJustifyUntrustedCollaborationLabel="dc284177-b2ac-4c96-8d78-e3e1e960318f,d8bb73c3-399d-41c2-a08a-6f0642766e31,750e87d4-0e91-4367-be44-c9c24c9103b4,32133e19-ccbd-4ff1-9254-3a6464bf89fd,74348570-5f32-4df9-8a6b-e6259b74085b,3e8d34df-e004-45b5-ae3d-efdc4731df24"}

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="0eb351a6-0c2d-4c1d-a5f6-caa80c9bdeec,40e82af6-5dad-45ea-9c6a-6fe6d4f1626b"}

To exempt domain names for pop-up messages configured for specific labels

For the labels that you've specified with these pop-up messages, you can exempt specific domain names so that users do not see the messages for recipients who have that domain name included in their email address. In this case, the emails are sent without interruption. To specify multiple domains, add them as a single string, separated by commas.

A typical configuration is to display the pop-up messages only for recipients who are external to your organization or who aren't authorized partners for your organization. In this case, you specify all the email domains that are used by your organization and by your partners.

For the same label policy, create the following advanced client settings and for the value, specify one or more domains, each one separated by a comma.

Example value for multiple domains as a comma-separated string: contoso.com,fabrikam.com,litware.com

  • Warn messages:

    • Key: OutlookWarnTrustedDomains

    • Value: <domain names, comma separated>

  • Justification messages:

    • Key: OutlookJustifyTrustedDomains

    • Value: <domain names, comma separated>

  • Block messages:

    • Key: OutlookBlockTrustedDomains

    • Value: <domain names, comma separated>

For example, you have specified the OutlookBlockUntrustedCollaborationLabel advanced client setting for the Confidential \ All Employees label. You now specify the additional advanced client setting of OutlookJustifyTrustedDomains and contoso.com. As a result, a user can send an email to john@sales.contoso.com when it is labeled Confidential \ All Employees but will be blocked from sending an email with the same label to a Gmail account.

Example PowerShell commands, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookBlockTrustedDomains="gmail.com"}

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookJustifyTrustedDomains="contoso.com,fabrikam.com,litware.com"}
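
One way to build the label-GUID and trusted-domain values above without pasting GUIDs by hand, as an added example that is not part of the original documentation. It assumes an existing Security & Compliance Center PowerShell session; the label display names are constructed, and ConvertTo-LabelGuidList is a hypothetical helper.

```powershell
# Added example, not from the original documentation.
# Assumes an existing Security & Compliance Center PowerShell session.
# Policy name "Global" follows the page; label names and domains are constructed.

function ConvertTo-LabelGuidList {
    param(
        [Parameter(Mandatory)] [string[]] $DisplayName,
        [Parameter(Mandatory)] [object[]] $Label      # output of Get-Label
    )
    $guids = foreach ($name in $DisplayName) {
        # Sublabels under different parents can share a display name,
        # so insist on exactly one match rather than taking the first.
        $found = @($Label | Where-Object { $_.DisplayName -eq $name })
        if ($found.Count -ne 1) {
            throw "Expected exactly one label named '$name', found $($found.Count)."
        }
        # Casting to [guid] rejects a malformed identifier before it reaches the policy.
        ([guid]$found[0].Guid).ToString()
    }
    # The setting value is one comma-separated string.
    $guids -join ','
}

$labels = Get-Label

# Which labels trigger which pop-up (constructed names; replace with your own).
$popupLabels = [ordered]@{
    OutlookWarnUntrustedCollaborationLabel    = @('General')
    OutlookJustifyUntrustedCollaborationLabel = @('Confidential')
    OutlookBlockUntrustedCollaborationLabel   = @('Highly Confidential')
}

# The page does not say which action applies when one label is listed under
# more than one key, so stop if a name is reused.
$reused = $popupLabels.Values | ForEach-Object { $_ } |
    Group-Object | Where-Object Count -gt 1
if ($reused) {
    throw "Label listed under more than one action: $($reused.Name -join ', ')"
}

$settings = [ordered]@{}
foreach ($key in $popupLabels.Keys) {
    $settings[$key] = ConvertTo-LabelGuidList -DisplayName $popupLabels[$key] -Label $labels
}

# Exempt your own and partner domains from the Justify and Block pop-ups.
$trusted = 'contoso.com,fabrikam.com,litware.com'
$settings['OutlookJustifyTrustedDomains'] = $trusted
$settings['OutlookBlockTrustedDomains']   = $trusted

# Show the final values for review, then set each key with its own call,
# the same way the page's commands do.
$settings.GetEnumerator() | Format-Table Key, Value -AutoSize -Wrap
foreach ($key in $settings.Keys) {
    Set-LabelPolicy -Identity Global -AdvancedSettings @{ $key = $settings[$key] }
}
```

Run it against a test policy first and confirm the pop-ups in Outlook before pointing it at a production policy.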

To implement the warn, justify, or block pop-up messages for emails or attachments that don't have a label:

For the same label policy, create the following advanced client setting with one of the following values:

  • Warn messages:

    • Key: OutlookUnlabeledCollaborationAction

    • Value: Warn

  • Justification messages:

    • Key: OutlookUnlabeledCollaborationAction

    • Value: Justify

  • Block messages:

    • Key: OutlookUnlabeledCollaborationAction

    • Value: Block

  • Turn off these messages:

    • Key: OutlookUnlabeledCollaborationAction

    • Value: Off

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookUnlabeledCollaborationAction="Warn"}

To define specific file name extensions for the warn, justify, or block pop-up messages for email attachments that don't have a label

By default, the warn, justify, or block pop-up messages apply to all Office documents and PDF documents. You can refine this list by specifying which file name extensions should display the warn, justify, or block messages with an additional advanced setting and a comma-separated list of file name extensions.

Example value for multiple file name extensions to define as a comma-separated string: .XLSX,.XLSM,.XLS,.XLTX,.XLTM,.DOCX,.DOCM,.DOC,.DOCX,.DOCM,.PPTX,.PPTM,.PPT,.PPTX,.PPTM

In this example, an unlabeled PDF document will not result in warn, justify, or block pop-up messages.

For the same label policy, enter the following strings:

  • Key: OutlookOverrideUnlabeledCollaborationExtensions

  • Value: <file name extensions to display messages, comma separated>

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookOverrideUnlabeledCollaborationExtensions=".PPTX,.PPTM,.PPT,.PPTX,.PPTM"}

To specify a different action for email messages without attachments

By default, the value that you specify for OutlookUnlabeledCollaborationAction to warn, justify, or block pop-up messages applies to emails or attachments that don't have a label. You can refine this configuration by specifying another advanced setting for email messages that don't have attachments.

Create the following advanced client setting with one of the following values:

  • Warn messages:

    • Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

    • Value: Warn

  • Justification messages:

    • Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

    • Value: Justify

  • Block messages:

    • Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

    • Value: Block

  • Turn off these messages:

    • Key: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

    • Value: Off

If you don't specify this client setting, the value that you specify for OutlookUnlabeledCollaborationAction is used for unlabeled email messages without attachments as well as unlabeled email messages with attachments.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior="Warn"}

Disable sending audit data to Azure Information Protection analytics

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

The Azure Information Protection unified labeling client supports central reporting and by default, sends its audit data to Azure Information Protection analytics. For more information about what information is sent and stored, see the Information collected and sent to Microsoft section from the central reporting documentation.

To change this behavior so that this information is not sent by the unified labeling client, enter the following strings for the selected label policy:

  • Key: EnableAudit

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableAudit="False"}

Send information type matches to Azure Information Protection analytics

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the unified labeling client does not send content matches for sensitive info types to Azure Information Protection analytics. For more information about this additional information that can be sent, see the Content matches for deeper analysis section from the central reporting documentation.

To send content matches when sensitive information types are sent, create the following advanced client setting in a label policy:

  • Key: LogMatchedContent

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{LogMatchedContent="True"}

Limit CPU consumption

Starting from scanner version 2.7.x.x, we recommend limiting CPU consumption by using the following ScannerMaxCPU and ScannerMinCPU advanced settings method.

Important

When the following thread limiting policy is in use, ScannerMaxCPU and ScannerMinCPU advanced settings are ignored. To limit CPU consumption using ScannerMaxCPU and ScannerMinCPU advanced settings, cancel use of policies that limit the number of threads.

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

You manage CPU consumption on the scanner machine by creating two advanced settings: ScannerMaxCPU and ScannerMinCPU.

By default, ScannerMaxCPU is set to 100, which means there is no limit on maximum CPU consumption. In this case, the scanner process will try to use all available CPU time to maximize your scan rates.

If you set ScannerMaxCPU to less than 100, the scanner monitors the CPU consumption over the past 30 minutes, and if the maximum CPU crossed the limit you set, it starts to reduce the number of threads allocated for new files. The limit on the number of threads continues as long as CPU consumption is higher than the limit set for ScannerMaxCPU.

ScannerMinCPU is only checked if ScannerMaxCPU is not equal to 100. ScannerMinCPU cannot be set to a number higher than the ScannerMaxCPU number. We recommend keeping ScannerMinCPU set at least 15 points lower than the value of ScannerMaxCPU.

The default value of this setting is 50, which means that if CPU consumption in the last 30 minutes went lower than this value, the scanner will start adding new threads to scan more files in parallel, until the CPU consumption reaches the level you have set for ScannerMaxCPU-15.
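
The section gives no command for these two settings, so the following is an added example (not from the original documentation) that checks a proposed pair against the rules above and then applies it. It assumes a label policy named "Scanner" and that (Get-LabelPolicy).Settings lists the policy's current advanced settings as strings containing the key name; Get-ScannerCpuPlan is a hypothetical helper.

```powershell
# Added example, not from the original documentation.
# Assumes an existing Security & Compliance Center PowerShell session and a
# label policy named "Scanner".

function Get-ScannerCpuPlan {
    param(
        [Parameter(Mandatory)] [ValidateRange(1, 100)] [int] $MaxCpu,
        [ValidateRange(0, 100)] [int] $MinCpu = 50,   # default value stated on the page
        # Current advanced settings of the policy, assumed to be strings that
        # contain the key name, e.g. the output of (Get-LabelPolicy ...).Settings.
        [string[]] $ExistingSetting = @()
    )

    $warnings = @()

    # Hard rule: the minimum cannot be higher than the maximum.
    if ($MinCpu -gt $MaxCpu) {
        throw "ScannerMinCPU ($MinCpu) cannot be higher than ScannerMaxCPU ($MaxCpu)."
    }

    if ($MaxCpu -eq 100) {
        # 100 means no limit, and the minimum is then not checked at all.
        $warnings += 'ScannerMaxCPU=100 means no limit; ScannerMinCPU is not checked.'
    }
    elseif (($MaxCpu - $MinCpu) -lt 15) {
        # Recommendation, not a hard rule: keep at least 15 points between the two.
        $warnings += "Gap between max and min is $($MaxCpu - $MinCpu); at least 15 is recommended."
    }

    # A thread-limiting setting on the same policy makes both CPU settings inert.
    if ($ExistingSetting -match 'ScannerConcurrencyLevel') {
        $warnings += 'ScannerConcurrencyLevel is set on this policy, so ScannerMaxCPU and ScannerMinCPU are ignored.'
    }

    [pscustomobject]@{
        Settings = [ordered]@{ ScannerMaxCPU = "$MaxCpu"; ScannerMinCPU = "$MinCpu" }
        Warnings = $warnings
    }
}

$current = (Get-LabelPolicy -Identity Scanner).Settings
$plan = Get-ScannerCpuPlan -MaxCpu 80 -MinCpu 65 -ExistingSetting @($current)

$plan.Warnings | ForEach-Object { Write-Warning $_ }

# One key per call, matching the command style used elsewhere on the page.
foreach ($key in $plan.Settings.Keys) {
    Set-LabelPolicy -Identity Scanner -AdvancedSettings @{ $key = $plan.Settings[$key] }
}
```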

Limit the number of threads used by the scanner

Important

When the following thread limiting policy is in use, ScannerMaxCPU and ScannerMinCPU advanced settings are ignored. To limit CPU consumption using ScannerMaxCPU and ScannerMinCPU advanced settings, cancel use of policies that limit the number of threads.

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the scanner uses all available processor resources on the computer running the scanner service. If you need to limit the CPU consumption while this service is scanning, create the following advanced setting in a label policy.

For the value, specify the number of concurrent threads that the scanner can run in parallel. The scanner uses a separate thread for each file that it scans, so this throttling configuration also defines the number of files that can be scanned in parallel.

When you first configure the value for testing, we recommend you specify 2 per core, and then monitor the results. For example, if you run the scanner on a computer that has 4 cores, first set the value to 8. If necessary, increase or decrease that number, according to the resulting performance you require for the scanner computer and your scanning rates.

  • Key: ScannerConcurrencyLevel

  • Value: <number of concurrent threads>

Example PowerShell command, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{ScannerConcurrencyLevel="8"}

Migrate labels from Secure Islands and other labeling solutions

This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

This configuration is not compatible with protected PDF files that have a .ppdf file name extension. These files cannot be opened by the client using File Explorer or PowerShell.

For Office documents that are labeled by Secure Islands, you can relabel these documents with a sensitivity label by using a mapping that you define. You also use this method to reuse labels from other solutions when their labels are on Office documents.

As a result of this configuration option, the new sensitivity label is applied by the Azure Information Protection unified labeling client as follows:

  • For Office documents: When the document is opened in the desktop app, the new sensitivity label is shown as set and is applied when the document is saved.

  • For PowerShell: Set-AIPFileLabel and Set-AIPFileClassification can apply the new sensitivity label.

  • For File Explorer: In the Azure Information Protection dialog box, the new sensitivity label is shown but isn't set.

This configuration requires you to specify an advanced setting named labelByCustomProperties for each sensitivity label that you want to map to the old label. Then for each entry, set the value by using the following syntax:

[migration rule name],[Secure Islands custom property name],[Secure Islands metadata Regex value]

Specify your choice of a migration rule name. Use a descriptive name that helps you to identify how one or more labels from your previous labeling solution should be mapped to a sensitivity label.

Note that this setting does not remove the original label from the document or any visual markings in the document that the original label might have applied. To remove headers and footers, see the earlier section, Remove headers and footers from other labeling solutions.

Example 1: One-to-one mapping of the same label name

Requirement: Documents that have a Secure Islands label of "Confidential" should be relabeled as "Confidential" by Azure Information Protection.

In this example:

  • The Secure Islands label is named Confidential and stored in the custom property named Classification.

The advanced setting:

  • Key: labelByCustomProperties

  • Value: Secure Islands label is Confidential,Classification,Confidential

Example PowerShell command, where your label is named "Confidential":

Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties="Secure Islands label is Confidential,Classification,Confidential"}

Example 2: One-to-one mapping for a different label name

Requirement: Documents labeled as "Sensitive" by Secure Islands should be relabeled as "Highly Confidential" by Azure Information Protection.

In this example:

  • The Secure Islands label is named Sensitive and stored in the custom property named Classification.

The advanced setting:

  • Key: labelByCustomProperties

  • Value: Secure Islands label is Sensitive,Classification,Sensitive

Example PowerShell command, where your label is named "Highly Confidential":

Set-Label -Identity "Highly Confidential" -AdvancedSettings @{labelByCustomProperties="Secure Islands label is Sensitive,Classification,Sensitive"}

Example 3: Many-to-one mapping of label names

Requirement: You have two Secure Islands labels that include the word "Internal" and you want documents that have either of these Secure Islands labels to be relabeled as "General" by the Azure Information Protection unified labeling client.

In this example:

  • The Secure Islands labels include the word Internal and are stored in the custom property named Classification.

The advanced client setting:

  • Key: labelByCustomProperties

  • Value: Secure Islands label contains Internal,Classification,.*Internal.*

Example PowerShell command, where your label is named "General":

Set-Label -Identity General -AdvancedSettings @{labelByCustomProperties="Secure Islands label contains Internal,Classification,.*Internal.*"}

Example 4: Multiple rules for the same label

When you need multiple rules for the same label, define multiple string values for the same key.

In this example, the Secure Islands labels named "Confidential" and "Secret" are stored in the custom property named Classification, and you want the Azure Information Protection unified labeling client to apply the sensitivity label named "Confidential":

Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties=ConvertTo-Json("Migrate Confidential label,Classification,Confidential", "Migrate Secret label,Classification,Secret")}
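Before pushing mapping rules to production, it helps to dry-run them against the custom property values that actually occur in your documents. The following is an added example, not Microsoft's code: it parses the rule strings from Examples 1 to 4 and reports which sensitivity label each constructed sample value would map to. The function names and sample documents are hypothetical, and whole-value, case-sensitive regex matching is an assumption inferred from the examples above.

```powershell
# Added example: offline dry run of labelByCustomProperties rules.
# Assumption (not stated on the page): the regex is matched case-sensitively
# against the whole property value, as the "Confidential" (exact) and
# ".*Internal.*" (contains) examples suggest. Verify against the client.

function ConvertFrom-MigrationRule {
    param([Parameter(Mandatory)][string]$Rule)

    # Format: [migration rule name],[custom property name],[regex value].
    # Split on the first two commas only, so the regex may contain commas.
    $parts = $Rule -split ',', 3
    if ($parts.Count -ne 3) {
        throw "Rule '$Rule' needs three comma-separated parts: name,property,regex"
    }
    $name, $property, $pattern = $parts
    if ([string]::IsNullOrWhiteSpace($name) -or
        [string]::IsNullOrWhiteSpace($property) -or
        [string]::IsNullOrWhiteSpace($pattern)) {
        throw "Rule '$Rule' has an empty rule name, property name, or regex"
    }
    try {
        $regex = [regex]::new('^(?:' + $pattern + ')$')
    } catch {
        throw "Rule '$name' has an invalid regex '$pattern': $($_.Exception.Message)"
    }
    [pscustomobject]@{ Name = $name; Property = $property; Regex = $regex }
}

function Get-MappedLabel {
    param(
        # Sensitivity label name -> one or more rule strings.
        [Parameter(Mandatory)][System.Collections.IDictionary]$RulesByLabel,
        # Custom property name -> value, as read from one document.
        [Parameter(Mandatory)][System.Collections.IDictionary]$Properties
    )
    foreach ($label in $RulesByLabel.Keys) {
        foreach ($ruleText in @($RulesByLabel[$label])) {
            $rule = ConvertFrom-MigrationRule -Rule $ruleText
            if ($Properties.Contains($rule.Property) -and
                $rule.Regex.IsMatch([string]$Properties[$rule.Property])) {
                [pscustomobject]@{ Label = $label; Rule = $rule.Name }
            }
        }
    }
}

# Rule strings taken from Examples 2, 3 and 4 on this page.
$rulesByLabel = [ordered]@{
    'Confidential'        = @('Migrate Confidential label,Classification,Confidential',
                              'Migrate Secret label,Classification,Secret')
    'Highly Confidential' = 'Secure Islands label is Sensitive,Classification,Sensitive'
    'General'             = 'Secure Islands label contains Internal,Classification,.*Internal.*'
}

# Constructed sample documents (hypothetical names and property values).
$sampleDocs = @(
    @{ Name = 'budget.xlsx';  Properties = @{ Classification = 'Secret' } }
    @{ Name = 'roadmap.pptx'; Properties = @{ Classification = 'Sensitive' } }
    @{ Name = 'memo.docx';    Properties = @{ Classification = 'Company Internal Only' } }
    @{ Name = 'draft.docx';   Properties = @{ Classification = 'Confidential - Draft' } }
    @{ Name = 'flyer.docx';   Properties = @{ Department = 'Marketing' } }
)

foreach ($doc in $sampleDocs) {
    $hits   = @(Get-MappedLabel -RulesByLabel $rulesByLabel -Properties $doc.Properties)
    $labels = @($hits | ForEach-Object { $_.Label } | Select-Object -Unique)

    # More than one distinct label means the rules overlap and need tightening.
    $status = if ($labels.Count -eq 0) { 'no rule matches' }
              elseif ($labels.Count -gt 1) { 'AMBIGUOUS' }
              else { 'ok' }

    [pscustomobject]@{
        Document = $doc.Name
        Labels   = $labels -join '; '
        Rules    = ($hits | ForEach-Object { $_.Rule }) -join '; '
        Status   = $status
    }
}
```

Under the whole-value assumption, the constructed value "Confidential - Draft" matches no rule, which is the kind of gap worth finding before the migration rather than after.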

Extend your label migration rules to emails

You can use your labelByCustomProperties advanced settings with Outlook emails in addition to Office documents by specifying an additional label policy advanced setting. However, this setting has a known negative impact on the performance of Outlook, so configure this additional setting only when you have a strong business requirement for it and remember to set it to a null string value when you have completed the migration from the other labeling solution.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: EnableLabelByMailHeader

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableLabelByMailHeader="True"}

Extend your label migration rules to SharePoint properties

You can use your labelByCustomProperties advanced settings with SharePoint properties that you might expose as columns to users.

This setting is supported when you use Word, Excel, and PowerPoint.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: EnableLabelBySharePointProperties

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableLabelBySharePointProperties="True"}

Apply a custom property when a label is applied

This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

There might be some scenarios when you want to apply one or more custom properties to a document or email message in addition to the metadata that's applied by a sensitivity label.

For example:

  • You are in the process of migrating from another labeling solution, such as Secure Islands. For interoperability during the migration, you want sensitivity labels to also apply a custom property that is used by the other labeling solution.

  • For your content management system (such as SharePoint or a document management solution from another vendor) you want to use a consistent custom property name with different values for the labels, and with user-friendly names instead of the label GUID.

For Office documents and Outlook emails that users label by using the Azure Information Protection unified labeling client, you can add one or more custom properties that you define. You can also use this method for the unified labeling client to display a custom property as a label from other solutions for content that isn't yet labeled by the unified labeling client.

As a result of this configuration option, any additional custom properties are applied by the Azure Information Protection unified labeling client as follows:

  • For Office documents: When the document is labeled in the desktop app, the additional custom properties are applied when the document is saved.

  • For Outlook emails: When the email message is labeled in Outlook, the additional properties are applied to the x-header when the email is sent.

  • For PowerShell: Set-AIPFileLabel and Set-AIPFileClassification apply the additional custom properties when the document is labeled and saved. Get-AIPFileStatus displays custom properties as the mapped label if a sensitivity label isn't applied.

  • For File Explorer: When the user right-clicks the file and applies the label, the custom properties are applied.

This configuration requires you to specify an advanced setting named customPropertiesByLabel for each sensitivity label to which you want to apply the additional custom properties. Then for each entry, set the value by using the following syntax:

[custom property name],[custom property value]

Important

Use of white spaces in the string will prevent application of the labels.

Example 1: Add a single custom property for a label

Requirement: Documents that are labeled as "Confidential" by the Azure Information Protection unified labeling client should have the additional custom property named "Classification" with the value of "Secret".

In this example:

  • The sensitivity label is named Confidential and creates a custom property named Classification with the value of Secret.

The advanced setting:

  • Key: customPropertiesByLabel

  • Value: Classification,Secret

Example PowerShell command, where your label is named "Confidential":

    Set-Label -Identity Confidential -AdvancedSettings @{customPropertiesByLabel="Classification,Secret"}

Example 2: Add multiple custom properties for a label

To add more than one custom property for the same label, you need to define multiple string values for the same key.

Example PowerShell command, where your label is named "General" and you want to add one custom property named Classification with the value of General and a second custom property named Sensitivity with the value of Internal:

Set-Label -Identity General -AdvancedSettings @{customPropertiesByLabel=ConvertTo-Json("Classification,General", "Sensitivity,Internal")}

Configure a label to apply S/MIME protection in Outlook

This configuration uses label advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

Use these settings only when you have a working S/MIME deployment and want a label to automatically apply this protection method for emails rather than Rights Management protection from Azure Information Protection. The resulting protection is the same as when a user manually selects S/MIME options from Outlook.

To configure an advanced setting for an S/MIME digital signature, enter the following strings for the selected label:

  • Key: SMimeSign

  • Value: True

To configure an advanced setting for S/MIME encryption, enter the following strings for the selected label:

  • Key: SMimeEncrypt

  • Value: True

If the label you specify is configured for encryption, for the Azure Information Protection unified labeling client, S/MIME protection replaces the Rights Management protection only in Outlook. The general availability version of the unified labeling client continues to use the encryption settings specified for the label in the admin center. Office apps with built-in labeling do not apply the S/MIME protection but instead apply Do Not Forward protection.

If you want the label to be visible in Outlook only, configure the label to apply encryption to Only email messages in Outlook.

Example PowerShell commands, where your label is named "Recipients Only":

Set-Label -Identity "Recipients Only" -AdvancedSettings @{SMimeSign="True"}

Set-Label -Identity "Recipients Only" -AdvancedSettings @{SMimeEncrypt="True"}

Specify a default sublabel for a parent label

This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

When you add a sublabel to a label, users can no longer apply the parent label to a document or email. By default, users select the parent label to see the sublabels that they can apply, and then select one of those sublabels. If you configure this advanced setting, when users select the parent label, a sublabel is automatically selected and applied for them:

  • Key: DefaultSubLabelId

  • Value: <sublabel GUID>

Example PowerShell command, where your parent label is named "Confidential" and the "All Employees" sublabel has a GUID of 8faca7b8-8d20-48a3-8ea2-0f96310a848e:

Set-Label -Identity "Confidential" -AdvancedSettings @{DefaultSubLabelId="8faca7b8-8d20-48a3-8ea2-0f96310a848e"}

Turn on classification to run continuously in the background

This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell. This setting is in preview and might change.

When you configure this setting, it changes the default behavior of how the Azure Information Protection unified labeling client applies automatic and recommended labels to documents:

For Word, Excel, and PowerPoint, automatic classification runs continuously in the background.

The behavior does not change for Outlook. When the Azure Information Protection unified labeling client periodically checks documents for the condition rules that you specify, this behavior enables automatic and recommended classification and protection for documents that are stored in SharePoint. Large files also save more quickly because the condition rules have already run.

The condition rules do not run in real time as a user types. Instead, they run periodically as a background task if the document is modified.

To configure this advanced setting, enter the following strings:

  • Key: RunPolicyInBackground
  • Value: True

Example PowerShell command:

Set-LabelPolicy -Identity PolicyName -AdvancedSettings @{RunPolicyInBackground = "true"}

Specify a color for the label

This configuration uses label advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

Use this advanced setting to set a color for a label. To specify the color, enter a hex triplet code for the red, green, and blue (RGB) components of the color. For example, #40e0d0 is the RGB hex value for turquoise.

If you need a reference for these codes, you'll find a helpful table from the <color> page from the MSDN web docs. You also find these codes in many applications that let you edit pictures. For example, Microsoft Paint lets you choose a custom color from a palette and the RGB values are automatically displayed, which you can then copy.

To configure the advanced setting for a label's color, enter the following strings for the selected label:

  • Key: color

  • Value: <RGB hex value>

Example PowerShell command, where your label is named "Public":

Set-Label -Identity Public -AdvancedSettings @{color="#40e0d0"}

Sign in as a different user

In a production environment, users wouldn't usually need to sign in as a different user when they are using the Azure Information Protection unified labeling client. However, as an administrator, you might need to sign in as a different user during a testing phase.

You can verify which account you're currently signed in as by using the Microsoft Azure Information Protection dialog box: Open an Office application and on the Home tab, select the Sensitivity button, and then select Help and feedback. Your account name is displayed in the Client status section.

Be sure to also check the domain name of the signed in account that's displayed. It can be easy to miss that you're signed in with the right account name but wrong domain. A symptom of using the wrong account includes failing to download the labels, or not seeing the labels or behavior that you expect.

To sign in as a different user:

  1. Navigate to %localappdata%\Microsoft\MSIP and delete the TokenCache file.

  2. Restart any open Office applications and sign in with your different user account. If you do not see a prompt in your Office application to sign in to the Azure Information Protection service, return to the Microsoft Azure Information Protection dialog box and select Sign in from the updated Client status section.

Additionally:

  • If the Azure Information Protection unified labeling client is still signed in with the old account after completing these steps, delete all cookies from Internet Explorer, and then repeat steps 1 and 2.

  • If you are using single sign-on, you must sign out from Windows and sign in with your different user account after deleting the token file. The Azure Information Protection unified labeling client then automatically authenticates by using your currently signed in user account.

  • This solution is supported for signing in as another user from the same tenant. It is not supported for signing in as another user from a different tenant. To test Azure Information Protection with multiple tenants, use different computers.

  • You can use the Reset settings option from Help and Feedback to sign out and delete the currently downloaded labels and policy settings from the Office 365 Security & Compliance Center, the Microsoft 365 Security center, or the Microsoft 365 Compliance center.

Support for disconnected computers

Important

Disconnected computers are supported for the following labeling scenarios: File Explorer, PowerShell, your Office apps and the scanner.

By default, the Azure Information Protection unified labeling client automatically tries to connect to the internet to download the labels and label policy settings from your labeling management center: The Office 365 Security & Compliance Center, the Microsoft 365 security center, or the Microsoft 365 compliance center. If you have computers that cannot connect to the internet for a period of time, you can export and copy files that manually manage the policy for the unified labeling client.

Instructions:

  1. Choose or create a user account in Azure AD that you will use to download labels and policy settings that you want to use on your disconnected computer.

  2. As an additional label policy setting for this account, disable sending audit data to Azure Information Protection analytics by using the EnableAudit advanced setting.

    We recommend this step because if the disconnected computer does have periodic internet connectivity, it will send logging information to Azure Information Protection analytics that includes the user name from step 1. That user account might be different from the local account you're using on the disconnected computer.

  3. From a computer with internet connectivity that has the unified labeling client installed and signed in with the user account from step 1, download the labels and policy settings.

  4. From this computer, export the log files.

    For example, run the Export-AIPLogs cmdlet, or use the Export Logs option from the client's Help and Feedback dialog box.

    The log files are exported as a single compressed file.

  5. Open the compressed file, and from the MSIP folder, copy any files that have a .xml file name extension.

  6. Paste these files into the %localappdata%\Microsoft\MSIP folder on the disconnected computer.

  7. If your chosen user account is one that usually connects to the internet, enable sending audit data again, by setting the EnableAudit value to True.

Be aware that if a user on this computer selects the Reset Settings option from Help and feedback, this action deletes the policy files and renders the client inoperable until you manually replace the files or the client connects to the internet and downloads the files.

If your disconnected computer is running the Azure Information Protection scanner, there are additional configuration steps you must take. For more information, see Restriction: The scanner server cannot have internet connectivity from the scanner deployment instructions.

Change the local logging level

By default, the Azure Information Protection unified labeling client writes client log files to the %localappdata%\Microsoft\MSIP folder. These files are intended for troubleshooting by Microsoft Support.

To change the logging level for these files, locate the following value name in the registry and set the value data to the required logging level:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSIP\LogLevel

Set the logging level to one of the following values:

  • Off: No local logging.

  • Error: Errors only.

  • Warn: Errors and warnings.

  • Info: Minimum logging, which includes no event IDs (the default setting for the scanner).

  • Debug: Full information.

  • Trace: Detailed logging (the default setting for clients).

This registry setting does not change the information that's sent to Azure Information Protection for central reporting.

Skip or ignore files during scans depending on file attributes

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, the Azure Information Protection unified labeling scanner scans all relevant files. However, you may want to define specific files to be skipped, such as archived files or files that have been moved.

Enable the scanner to skip specific files based on their file attributes by using the ScannerFSAttributesToSkip advanced setting. In the setting value, list the file attributes that will enable the file to be skipped when they are all set to true. This list of file attributes uses the AND logic.

The following sample PowerShell commands illustrate how to use this advanced setting with a label policy named "Global".

Skip files that are both read-only and archived

Set-LabelPolicy -Identity Global -AdvancedSettings @{ ScannerFSAttributesToSkip =" FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_ARCHIVE"}

Skip files that are either read-only or archived

To use an OR logic, run the same property multiple times. For example:

Set-LabelPolicy -Identity Global -AdvancedSettings @{ ScannerFSAttributesToSkip =" FILE_ATTRIBUTE_READONLY"}
Set-LabelPolicy -Identity Global -AdvancedSettings @{ ScannerFSAttributesToSkip =" FILE_ATTRIBUTE_ARCHIVE"}

Tip

We recommend that you consider enabling the scanner to skip files with the following attributes:

  • FILE_ATTRIBUTE_SYSTEM
  • FILE_ATTRIBUTE_HIDDEN
  • FILE_ATTRIBUTE_DEVICE
  • FILE_ATTRIBUTE_OFFLINE
  • FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS
  • FILE_ATTRIBUTE_RECALL_ON_OPEN
  • FILE_ATTRIBUTE_TEMPORARY

For a list of all file attributes that can be defined in the ScannerFSAttributesToSkip advanced setting, see the Win32 File Attribute Constants.
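Files that the scanner skips are never classified or protected, so it is worth previewing a ScannerFSAttributesToSkip value before applying it. The following is an added example, not Microsoft's code: it turns a setting value into a Win32 attribute bitmask and applies the AND logic described above to constructed sample files. The function names are hypothetical, and trimming spaces around attribute names is an assumption based on the sample commands.

```powershell
# Added example: preview which files a ScannerFSAttributesToSkip value would skip.
# Numeric values are the Win32 file attribute constants for the names on this page.
$Win32FileAttribute = @{
    FILE_ATTRIBUTE_READONLY              = 0x00000001
    FILE_ATTRIBUTE_HIDDEN                = 0x00000002
    FILE_ATTRIBUTE_SYSTEM                = 0x00000004
    FILE_ATTRIBUTE_ARCHIVE               = 0x00000020
    FILE_ATTRIBUTE_DEVICE                = 0x00000040
    FILE_ATTRIBUTE_TEMPORARY             = 0x00000100
    FILE_ATTRIBUTE_OFFLINE               = 0x00001000
    FILE_ATTRIBUTE_RECALL_ON_OPEN        = 0x00040000
    FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000
}

function ConvertTo-SkipMask {
    param([Parameter(Mandatory)][string]$SettingValue)

    $mask = 0
    foreach ($name in ($SettingValue -split ',')) {
        $name = $name.Trim()   # assumption: spaces around names are ignored
        if (-not $name) { continue }
        if (-not $Win32FileAttribute.ContainsKey($name)) {
            throw "Unknown or unsupported file attribute name '$name'"
        }
        $mask = $mask -bor $Win32FileAttribute[$name]
    }
    # An empty mask would trivially match every file; refuse it.
    if ($mask -eq 0) { throw 'The setting value lists no file attributes' }
    $mask
}

function Test-AllAttributesSet {
    param([Parameter(Mandatory)][int]$FileAttributes,
          [Parameter(Mandatory)][int]$SkipMask)
    # AND logic: the file is skipped only when every listed attribute is set.
    ($FileAttributes -band $SkipMask) -eq $SkipMask
}

# Preview against a real folder (reads attributes only, changes nothing).
function Get-ScannerSkipPreview {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$SettingValue)
    $mask = ConvertTo-SkipMask -SettingValue $SettingValue
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            WouldSkip = Test-AllAttributesSet -FileAttributes ([int]$_.Attributes) -SkipMask $mask
        }
    }
}

# Constructed sample files (hypothetical paths) with their attribute bitmasks.
$sampleFiles = @(
    @{ Path = 'archive\2014-report.docx'; Attributes = 0x21     }  # READONLY + ARCHIVE
    @{ Path = 'templates\policy.dotx';    Attributes = 0x01     }  # READONLY only
    @{ Path = 'finance\q3.xlsx';          Attributes = 0x20     }  # ARCHIVE only
    @{ Path = 'cloud\stub.pptx';          Attributes = 0x401020 }  # ARCHIVE + OFFLINE + RECALL_ON_DATA_ACCESS
)

$setting = ' FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_ARCHIVE'   # value from the sample command
$mask    = ConvertTo-SkipMask -SettingValue $setting

foreach ($file in $sampleFiles) {
    [pscustomobject]@{
        File      = $file.Path
        WouldSkip = Test-AllAttributesSet -FileAttributes $file.Attributes -SkipMask $mask
    }
}
```

With the combined value, only the constructed file that is both read-only and archived is reported as skipped; the read-only template and the archived spreadsheet are still scanned.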

Preserve NTFS owners during labeling (public preview)

This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

By default, scanner, PowerShell, and File Explorer extension labeling do not preserve the NTFS owner that was defined before the labeling.

To ensure that the NTFS owner value is preserved, set the UseCopyAndPreserveNTFSOwner advanced setting to true for the selected label policy.

Note

Define this advanced setting only when you can ensure a low-latency, reliable network connection between the scanner and the scanned repository. A network failure during the automatic labeling process can cause the file to be lost.

Sample PowerShell command, when your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ UseCopyAndPreserveNTFSOwner ="true"}

Customize justification prompt texts for modified labels

Customize the justification prompts that are displayed in both Office and the AIP client when end users change classification labels on documents and emails.

For example, as an administrator, you may want to remind your users not to add any customer identifying information into this field:

(Screenshot: customized justification prompt text)

To modify the default Other text that's displayed, use the JustificationTextForUserText advanced property with the Set-LabelPolicy cmdlet. Set the value to the text you want to use instead.

For example:

Set-LabelPolicy -Identity Global -AdvancedSettings @{JustificationTextForUserText="Other (please explain) - Do not enter sensitive info"}

Customize Outlook popup messages

AIP administrators can customize the popup messages that appear to end-users in Outlook, such as:

  • Messages for blocked emails
  • Warning messages that prompt users to verify the content that they're sending
  • Justification messages that request users to justify the content that they're sending

To customize your Outlook popup messages:

  1. Create .json files, each with a rule that configures how Outlook displays popup messages to your users. For more information, see Rule value .json syntax and Sample popup customization .json code.

  2. Use PowerShell to define advanced settings that control the popup messages you're configuring. Run a separate set of commands for each rule you want to configure.

    Each set of PowerShell commands must include the name of the policy you're configuring, as well as the key and value that defines your rule.

    Use the following syntax:

    $filedata = Get-Content "<Path to json file>"
    Set-LabelPolicy -Identity <Policy name> -AdvancedSettings @{<Key> ="$filedata"}
    

    Where:

    • <Path to json file> is the path to the json file you created. For example: C:\Users\msanchez\Desktop\ \dlp\OutlookCollaborationRule_1.json.

    • <Policy name> is the name of the policy you want to configure.

    • <Key> is a name for your rule. Use the following syntax, where <x> is the serial number for your rule:

      OutlookCollaborationRule_<x>

    For more information, see Ordering your Outlook customization rules and Rule value json syntax.

Tip

To keep things organized, name your file with the same string as the key used in your PowerShell command. For example, name your file OutlookCollaborationRule_1.json, and then also use OutlookCollaborationRule_1 as your key.

Ordering your Outlook customization rules

AIP uses the serial number in the key you enter to determine the order in which the rules are processed. When defining the keys used for each rule, define your more restrictive rules with lower numbers, followed by less restrictive rules with higher numbers.

Once a specific rule match is found, AIP stops processing the rules, and performs the action associated with the matching rule. (First match -> Exit logic)

Example:

Say you want to configure all Internal emails with a specific Warning message, but you don't generally want to block them. However, you do want to block users from sending attachments classified as Secret, even as Internal emails.

In this scenario, order your Block Secret rule key, which is the more specific rule, before your more generic Warn on Internal rule key:

  • For the Block message: OutlookCollaborationRule_1
  • For the Warn message: OutlookCollaborationRule_2
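
The effect of key order under first match -> exit, shown for the Block Secret / Warn on Internal scenario as an added illustration (not AIP's evaluator and not code from this guide). The function name, the scriptblock conditions standing in for the JSON condition nodes, the constructed message, and the numeric comparison of serial numbers are all assumptions of the example.

```powershell
# Added illustration: a simplified model of first match -> exit, not AIP's own evaluator.
# Scriptblock conditions stand in for the JSON condition nodes; all names are hypothetical.
function Get-FirstMatchingRule {
    param([hashtable]$Rules, [hashtable]$Mail)

    # Assumption: the serial number after the underscore is compared numerically.
    $ordered = $Rules.Keys | Sort-Object { [int]($_ -replace '^OutlookCollaborationRule_', '') }
    foreach ($key in $ordered) {
        $condition = $Rules[$key].Condition
        if (& $condition $Mail) {
            # First match: report this rule and stop; later rules are never evaluated.
            return [pscustomobject]@{ Key = $key; Name = $Rules[$key].Name; Action = $Rules[$key].Action }
        }
    }
}

$blockSecret  = @{ Name = 'Block Secret'; Action = 'Block'
                   Condition = { param($m) $m.AttachmentLabel -eq 'Secret' } }
$warnInternal = @{ Name = 'Warn on Internal'; Action = 'Warn'
                   Condition = { param($m) $m.AllRecipientsInternal } }

# Constructed message: internal recipients only, with an attachment labeled Secret.
$mail = @{ AllRecipientsInternal = $true; AttachmentLabel = 'Secret' }

# Recommended order: the more specific Block rule has the lower number.
$recommended = @{ OutlookCollaborationRule_1 = $blockSecret; OutlookCollaborationRule_2 = $warnInternal }
# Reversed order: the generic Warn rule matches first and shadows the Block rule.
$reversed    = @{ OutlookCollaborationRule_1 = $warnInternal; OutlookCollaborationRule_2 = $blockSecret }

Get-FirstMatchingRule -Rules $recommended -Mail $mail
Get-FirstMatchingRule -Rules $reversed    -Mail $mail
```

With the reversed keys the Secret attachment only produces a warning, which is the silent downgrade the ordering guidance is meant to prevent.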

Rule value .json syntax

Define your rule's json syntax as follows:

{
    "type" : "And",
    "nodes" : []
}

You must have at least two nodes, the first representing your rule's condition, and the last representing the rule's action. For more information, see Rule condition syntax and Rule action syntax.

Rule condition syntax

Rule condition nodes must include the node type, and then the conditions themselves.

Supported node types include:

| Node type | Description |
|---|---|
| And | Performs and on all child nodes |
| Or | Performs or on all child nodes |
| Not | Performs not for its own child |
| Except | Returns not for its own child, causing it to behave as All |
| SentTo, followed by Domains: listOfDomains | Checks one of the following:<br>- If the Parent is Except, checks whether All of the recipients are in one of the domains<br>- If the Parent is anything else but Except, checks whether Any of the recipients are in one of the domains. |
| EMailLabel, followed by label | One of the following:<br>- The label ID<br>- null, if not labeled |
| AttachmentLabel, followed by Label and supportedExtensions | One of the following:<br><br>true:<br>- If the Parent is Except, checks whether All of the attachments with one supported extension exists within the label<br>- If the Parent is anything else but Except, checks whether Any of the attachments with one supported extension exists within the label<br>- If not labeled, and label = null<br><br>false: For all other cases |

Rule action syntax

Rule actions can be one of the following:

| Action | Syntax | Sample message |
|---|---|---|
| Block | Block (List<language, [title, body]>) | Email Blocked<br><br>You are about to send content classified as Secret to one or more untrusted recipients:<br>rsinclair@contoso.com<br><br>Your organization policy does not allow this action. Consider removing these recipients or replace the content. |
| Warn | Warn (List<language,[title,body]>) | Confirmation Required<br><br>You are about to send content classified as General to one or more untrusted recipients:<br>rsinclair@contoso.com<br><br>Your organization policy requires confirmation for you to send this content. |
| Justify | Justify (numOfOptions, hasFreeTextOption, List<language, [Title, body, options1,options2….]> )<br><br>Including up to three options. | Justification Required<br><br>Your organization policy requires justification for you to send content classified as General to untrusted recipients.<br><br>- I confirm the recipients are approved for sharing this content<br>- My manager approved sharing of this content<br>- Other, as explained |

Action parameters

If no parameters are provided for an action, the pop-ups will have the default text.

All texts support the following dynamic parameters:

| Parameter | Description |
|---|---|
| ${MatchedRecipientsList} | The last match for the SentTo conditions |
| ${MatchedLabelName} | The mail/attachment Label, with the localized name from the policy |
| ${MatchedAttachmentName} | The name of the attachment from the last match for the AttachmentLabel condition |

Note

All messages include the Tell Me More option, as well as the Help and Feedback dialogs.

The Language is the CultureName for the locale name, such as: English = en-us; Spanish = es-es

Parent-only language names are also supported, such as en only.
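
A pre-flight check for a rule value before it is passed to Set-LabelPolicy, as an added example (not Microsoft's code). Test-OutlookRuleJson is a hypothetical helper and the embedded rule is constructed; it checks only what this section states: the And root with at least two nodes, the supported condition node types, the Block/Warn/Justify action, the three-option limit, and the three dynamic parameters.

```powershell
# Added example; Test-OutlookRuleJson is a hypothetical helper, not an AIP or Exchange cmdlet.
function Test-OutlookRuleJson {
    param([Parameter(Mandatory)][string]$Json)

    $problems = [System.Collections.Generic.List[string]]::new()
    try { $rule = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { $problems.Add("Not valid JSON: $($_.Exception.Message)"); return $problems }

    # Root is an And node with at least two children: condition(s) first, action last.
    if ($rule.type -ne 'And') { $problems.Add("Root type '$($rule.type)' should be 'And'.") }
    $nodes = @($rule.nodes | Where-Object { $_ })
    if ($nodes.Count -lt 2) {
        $problems.Add('Need at least two nodes: a condition and an action.')
        return $problems
    }

    # Walk every node before the last one, including nested "nodes" / "node" children.
    $conditionTypes = 'And', 'Or', 'Not', 'Except', 'SentTo', 'EmailLabel', 'AttachmentLabel'
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $nodes[0..($nodes.Count - 2)] | ForEach-Object { $queue.Enqueue($_) }
    while ($queue.Count -gt 0) {
        $n = $queue.Dequeue()
        if ($n.type -notin $conditionTypes) { $problems.Add("Unsupported condition node type '$($n.type)'.") }
        if ($n.type -eq 'SentTo' -and @($n.Domains | Where-Object { $_ }).Count -eq 0) {
            $problems.Add('SentTo node lists no Domains.')
        }
        # LabelId is null (not labeled) or a label ID; the IDs in the page's samples are GUIDs.
        if ($n.type -in @('EmailLabel', 'AttachmentLabel') -and $null -ne $n.LabelId) {
            $parsed = [guid]::Empty
            if (-not [guid]::TryParse([string]$n.LabelId, [ref]$parsed)) {
                $problems.Add("LabelId '$($n.LabelId)' is not a GUID.")
            }
        }
        @($n.nodes) + @($n.node) | Where-Object { $_ } | ForEach-Object { $queue.Enqueue($_) }
    }

    # The last node is the action.
    $action = $nodes[-1]
    if ($action.type -notin @('Block', 'Warn', 'Justify')) {
        $problems.Add("Last node type '$($action.type)' is not Block, Warn or Justify.")
    }
    $supported = 'MatchedRecipientsList', 'MatchedLabelName', 'MatchedAttachmentName'
    if ($action.LocalizationData) {
        foreach ($lang in $action.LocalizationData.PSObject.Properties) {
            if (@($lang.Value.Options | Where-Object { $_ }).Count -gt 3) {
                $problems.Add("[$($lang.Name)] lists more than three options.")
            }
            $text = "$($lang.Value.Title) $($lang.Value.Body)"
            foreach ($m in [regex]::Matches($text, '\$\{([^}]*)\}')) {
                if ($m.Groups[1].Value -notin $supported) {
                    $problems.Add("[$($lang.Name)] unknown dynamic parameter $($m.Value).")
                }
            }
        }
    }
    return $problems
}

# Constructed rule with three deliberate defects: a label name instead of an ID,
# an action type that is not Block/Warn/Justify, and a misspelled dynamic parameter.
$sample = @'
{
  "type": "And",
  "nodes": [
    { "type": "Except", "node": { "type": "SentTo", "Domains": ["contoso.com"] } },
    { "type": "EmailLabel", "LabelId": "Internal" },
    { "type": "Email Block", "DefaultLanguage": "en-us",
      "LocalizationData": { "en-us": { "Title": "Email Blocked",
        "Body": "Content labeled ${MatchedLabel} cannot be sent to ${MatchedRecipientsList}." } } }
  ]
}
'@

# Pass the value to Set-LabelPolicy only when $found is empty.
$found = @(Test-OutlookRuleJson -Json $sample)
$found | ForEach-Object { Write-Warning $_ }
```

For a rule stored on disk, read it with Get-Content -Raw so the whole file reaches the function as one string.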

Sample popup customization .json code

The following sets of .json code show how you can define a variety of rules that control how Outlook displays popup messages for your users.

Example 1: Block Internal emails or attachments

The following .json code will block emails or attachments that are classified as Internal from being sent to external recipients.

In this example, 89a453df-5df4-4976-8191-259d0cf9560a is the ID of the Internal label, and internal domains include contoso.com and microsoft.com.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                  
                    "microsoft.com"
                ]               
            }       
        },
        {           
            "type" : "Or",          
            "nodes" : [                 
                {           
                    "type" : "AttachmentLabel",             
                    "LabelId" : "89a453df-5df4-4976-8191-259d0cf9560a"      
                },{                     
                    "type" : "EmailLabel",                  
                    "LabelId" : "89a453df-5df4-4976-8191-259d0cf9560a"              
                }
            ]
        },      
        {           
            "type" : "Block",           
            "LocalizationData": {               
                "en-us": {                
                    "Title": "Email Blocked",                 
                    "Body": "The email or at least one of the attachments is classified as <Bold>${MatchedLabelName}</Bold>. Documents classified as <Bold> ${MatchedLabelName}</Bold> cannot be sent to external recipients (${MatchedRecipientsList}).<br><br>List of attachments classified as <Bold>${MatchedLabelName}</Bold>:<br><br>${MatchedAttachmentName}<br><br><br>This message will not be sent.<br>You are responsible for ensuring compliance with classification requirements as per Contoso’s policies."               
                },              
                "es-es": {                
                    "Title": "Correo electrónico bloqueado",                  
                    "Body": "El correo electrónico o al menos uno de los archivos adjuntos se clasifica como <Bold> ${MatchedLabelName}</Bold>."                
                }           
            },          
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

Example 2: Block unclassified Office attachments

The following .json code blocks unclassified Office attachments or emails from being sent to external recipients.

In the following example, the attachment list that requires labeling is: .doc,.docm,.docx,.dot,.dotm,.dotx,.potm,.potx,.pps,.ppsm,.ppsx,.ppt,.pptm,.pptx,.vdw,.vsd,.vsdm,.vsdx,.vss,.vssm,.vst,.vstm,.vssx,.vstx,.xls,.xlsb,.xlt,.xlsm,.xlsx,.xltm,.xltx

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                  
                    "microsoft.com"
                ]               
            }       
        },
        {           
            "type" : "Or",          
            "nodes" : [                 
                {           
                    "type" : "AttachmentLabel",
                    "LabelId" : null,
                    "Extensions": [
                                    ".doc",
                                    ".docm",
                                    ".docx",
                                    ".dot",
                                    ".dotm",
                                    ".dotx",
                                    ".potm",
                                    ".potx",
                                    ".pps",
                                    ".ppsm",
                                    ".ppsx",
                                    ".ppt",
                                    ".pptm",
                                    ".pptx",
                                    ".vdw",
                                    ".vsd",
                                    ".vsdm",
                                    ".vsdx",
                                    ".vss",
                                    ".vssm",
                                    ".vst",
                                    ".vstm",
                                    ".vssx",
                                    ".vstx",
                                    ".xls",
                                    ".xlsb",
                                    ".xlt",
                                    ".xlsm",
                                    ".xlsx",
                                    ".xltm",
                                    ".xltx"
                                 ]
                    
                },{                     
                    "type" : "EmailLabel",
                    "LabelId" : null
                }
            ]
        },      
        {           
            "type" : "Block",
            "LocalizationData": {               
                "en-us": {                
                    "Title": "Emailed Blocked",                   
                    "Body": "Classification is necessary for attachments to be sent to external recipients.<br><br>List of attachments that are not classified:<br><br>${MatchedAttachmentName}<br><br><br>This message will not be sent.<br>You are responsible for ensuring compliance to classification requirement as per Contoso’s policies.<br><br>For MS Office documents, classify and send again.<br><br>For PDF files, classify the document or classify the email (using the most restrictive classification level of any single attachment or the email content) and send again."               
                },              
                "es-es": {                
                    "Title": "Correo electrónico bloqueado",                  
                    "Body": "La clasificación es necesaria para que los archivos adjuntos se envíen a destinatarios externos."              
                }           
            },          
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

Example 3: Require the user to accept sending a Confidential email or attachment

The following example causes Outlook to display a message that warns the user that they are sending a Confidential email or attachment to external recipients, and also requires that the user selects I accept.

This sort of warning message is technically considered to be a justification, as the user must select I accept.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                  
                    "microsoft.com"
                ]               
            }       
        },
        {           
            "type" : "Or",          
            "nodes" : [                 
                {           
                    "type" : "AttachmentLabel",             
                    "LabelId" : "3acd2acc-2072-48b1-80c8-4da23e245613"      
                },{                     
                    "type" : "EmailLabel",                  
                    "LabelId" : "3acd2acc-2072-48b1-80c8-4da23e245613"              
                }
            ]
        },      
        {           
            "type" : "Justify",             
            "LocalizationData": {               
                "en-us": {                
                    "Title": "Warning",                   
                    "Body": "You are sending a document that is classified as <Bold>${MatchedLabelName}</Bold> to at least one external recipient. Please make sure that the content is correctly classified and that the recipients are entitled to receive this document.<br><br>List of attachments classified as <Bold>${MatchedLabelName}</Bold>:<br><br>${MatchedAttachmentName}<br><br><Bold>List of external email addresses:</Bold><br>${MatchedRecipientsList}<br><br>You are responsible for ensuring compliance to classification requirement as per Contoso’s policies.<br><br><Bold>Acknowledgement</Bold><br>By clicking <Bold>I accept</Bold> below, you confirm that the recipient is entitled to receive the content and the communication complies with CS Policies and Standards",
                    "Options": [                        
                        "I accept"              
                    ] 
                },              
                "es-es": {                
                    "Title": "Advertencia",                   
                    "Body": "Está enviando un documento clasificado como <Bold>${MatchedLabelName}</Bold> a al menos un destinatario externo. Asegúrese de que el contenido esté correctamente clasificado y que los destinatarios tengan derecho a recibir este documento.",
                    "Options": [                        
                        "Acepto"                    
                    ]                   
                }           
            },          
            "HasFreeTextOption":"false",            
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

Example 4: Warn on mail with no label, and an attachment with a specific label

The following .json code causes Outlook to warn the user when they are sending an internal email that has no label, with an attachment that has a specific label.

In this example, bcbef25a-c4db-446b-9496-1b558d9edd0e is the ID of the attachment's label.

By default, emails that have labeled attachments do not automatically receive the same label.

{
    "type" : "And",
    "nodes" : [
        {
            "type" : "EmailLabel",
            "LabelId" : null
        },
        {
            "type" : "AttachmentLabel",
            "LabelId" : "bcbef25a-c4db-446b-9496-1b558d9edd0e",
            "Extensions" : [
                ".docx",
                ".xlsx",
                ".pptx"
            ]
        },
        {
            "type" : "SentTo",
            "Domains" : [
                "contoso.com"
            ]
        },
        {
            "type" : "Warn"
        }
    ]
}

Example 5: Prompt for a justification, with two predefined options, and an extra free-text option

The following .json code causes Outlook to prompt the user for a justification for their action. The justification text includes two predefined options, as well as a third, free-text option.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com"
                ]               
            }       
        },      
        {           
            "type" : "EmailLabel",          
            "LabelId" : "34b8beec-40df-4219-9dd4-553e1c8904c1"      
        },      
        {           
            "type" : "Justify",             
            "LocalizationData": {               
                "en-us": {                  
                    "Title": "Justification Required",                  
                    "Body": "Your organization policy requires justification for you to send content classified as <Bold> ${MatchedLabelName}</Bold>,to untrusted recipients:<br>Recipients are: ${MatchedRecipientsList}",                     
                    "Options": [                        
                        "I confirm the recipients are approved for sharing this content",                   
                        "My manager approved sharing of this content",                      
                        "Other, as explained"                   
                    ]               
                },              
                "es-es": {                  
                    "Title": "Justificación necesaria",                     
                    "Body": "La política de su organización requiere una justificación para que envíe contenido clasificado como <Bold> ${MatchedLabelName}</Bold> a destinatarios que no sean de confianza.",                  
                    "Options": [                        
                        "Confirmo que los destinatarios están aprobados para compartir este contenido.",
                        "Mi gerente aprobó compartir este contenido",
                        "Otro, como se explicó"                     
                    ]               
                }           
            },          
            "HasFreeTextOption":"true",             
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

Configure SharePoint timeouts

By default, the timeout for SharePoint interactions is two minutes, after which the attempted AIP operation fails.

Starting in version 2.8.85, AIP administrators can control this timeout using the following advanced properties, using an hh:mm:ss syntax to define the timeouts:

  • SharepointWebRequestTimeout. Determines the timeout for all AIP web requests to SharePoint. Default = 2 minutes.

    For example, if your policy is named Global, the following sample PowerShell command updates the web request timeout to 5 minutes.

    Set-LabelPolicy -Identity Global -AdvancedSettings @{SharepointWebRequestTimeout="00:05:00"}
    
  • SharepointFileWebRequestTimeout. Determines the timeout specifically for SharePoint files via AIP web requests. Default = 15 minutes.

    For example, if your policy is named Global, the following sample PowerShell command updates the file web request timeout to 10 minutes.

    Set-LabelPolicy -Identity Global -AdvancedSettings @{SharepointFileWebRequestTimeout="00:10:00"}
    

Prevent Outlook performance issues with S/MIME emails

Performance issues may occur in Outlook when S/MIME emails are opened in the Reading Pane. To prevent these issues, enable the OutlookSkipSmimeOnReadingPaneProperty advanced property.

Enabling this property prevents the AIP bar and the email classifications from being shown in the Reading Pane.

For example, if your policy is named Global, the following sample PowerShell command enables the OutlookSkipSmimeOnReadingPaneProperty property:

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookSkipSmimeOnReadingPaneProperty="true"}

Next steps

Now that you've customized the Azure Information Protection unified labeling client, see the following resources for additional information that you might need to support this client: