Admin Guide: Using PowerShell with the Azure Information Protection unified labeling client

Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

If you have Windows 7 or Office 2010, see AIP for Windows and Office versions in extended support.

Instructions for: Azure Information Protection unified labeling client for Windows

When you install the Azure Information Protection unified labeling client, PowerShell cmdlets are installed automatically. They let you manage the client by running commands that you can put into scripts for automation.

The cmdlets are installed with the PowerShell module AzureInformationProtection, which contains cmdlets for labeling. For example:

Labeling cmdlet            Example usage
Get-AIPFileStatus          For a shared folder, identify all files that have a specific label.
Set-AIPFileClassification  For a shared folder, inspect the file contents and then automatically label unlabeled files, according to the conditions that you have specified.
Set-AIPFileLabel           For a shared folder, apply a specified label to all files that do not have a label.
Set-AIPAuthentication      Label files non-interactively, for example by using a script that runs on a schedule.
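
The table maps each cmdlet to a scenario. The following is an added PowerShell example, not from the original page and not Microsoft's own code, that chains Get-AIPFileStatus and Set-AIPFileLabel for the shared-folder case: inventory the share first, decide what would change, label only the unlabeled files, and then check the per-file result. The share path and the label GUID are placeholders, and the output property names that the script filters on (IsLabeled, MainLabelId, Status, Comment) are assumed from the cmdlets' documented output; run Get-AIPFileStatus against a single file first to confirm them on your client version.

```powershell
# Added example (not from the original page). Placeholders: replace $SharePath and
# $LabelId with your share and the GUID of a label published to the account running this.
$SharePath = '\\fileserver\finance'
$LabelId   = '00000000-0000-0000-0000-000000000000'   # assumed label GUID

Import-Module AzureInformationProtection -ErrorAction Stop

# 1. Inventory the share. Get-AIPFileStatus processes the folder and its subfolders and
#    returns one object per file (IsLabeled, MainLabelId, MainLabelName, IsRMSProtected, ...).
$status = @(Get-AIPFileStatus -Path $SharePath)

# Files already carrying the label of interest (the Get-AIPFileStatus row in the table).
$status | Where-Object { $_.MainLabelId -eq $LabelId } |
    Select-Object FileName, MainLabelName, IsRMSProtected | Format-Table -AutoSize

# 2. Dry run: know what would change before changing it.
$unlabeled = @($status | Where-Object { -not $_.IsLabeled })
'{0} files under {1}, {2} of them unlabeled' -f $status.Count, $SharePath, $unlabeled.Count

if ($unlabeled.Count -eq 0) { return }

# 3. Apply the label only to the unlabeled files (the Set-AIPFileLabel row in the table).
#    -PreserveFileDetails keeps the files' Modified date and Modified By unchanged, so a
#    bulk relabel does not look like a content change to users or auditors.
$result = @(Set-AIPFileLabel -Path $unlabeled.FileName -LabelId $LabelId -PreserveFileDetails)

# 4. Review the outcome: each result carries FileName, Status (Success/Skipped/Fail) and Comment.
$result | Group-Object -Property Status | Select-Object Name, Count
$result | Where-Object { $_.Status -ne 'Success' } |
    Select-Object FileName, Status, Comment | Format-Table -AutoSize
```

Keep the dry-run step when you move this into a scheduled script: the unlabeled list is what you want in the job log, and a count that suddenly jumps is the earliest sign that the share's label policy or the delegated account's label assignment has changed.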

Tip

To use the cmdlets with paths longer than 260 characters, enable the following group policy setting, which is available starting with Windows 10, version 1607:
Local Computer Policy > Computer Configuration > Administrative Templates > All Settings > Enable Win32 long paths

For Windows Server 2016, you can use the same group policy setting after you install the latest Administrative Templates (.admx) for Windows 10.

For more information, see the Maximum Path Length Limitation section of the Windows 10 developer documentation.

This module installs in \ProgramFiles (x86)\Microsoft Azure Information Protection and adds this folder to the PSModulePath system variable. The .dll for this module is named AIP.dll.

Important

The AzureInformationProtection module doesn't support configuring advanced settings for labels or label policies. For those settings, you need Office 365 Security & Compliance Center PowerShell. For more information, see Custom configurations for the Azure Information Protection unified labeling client.

Prerequisites for using the AzureInformationProtection module

In addition to the prerequisites for installing the AzureInformationProtection module, there are additional prerequisites for using the labeling cmdlets for Azure Information Protection:

  1. The Azure Rights Management service must be activated.

  2. To remove protection from files for others using your own account:

    • The super user feature must be enabled for your organization, and your account must be configured as a super user for Azure Rights Management.

Prerequisite 1: The Azure Rights Management service must be activated

If your Azure Information Protection tenant is not activated, see the instructions in Activating the protection service from Azure Information Protection.

Prerequisite 2: To remove protection from files for others using your own account

Typical scenarios for removing protection from files that others have protected include data discovery and data recovery. If you use labels to apply the protection, you can remove the protection by setting a new label that doesn't apply protection, or by removing the label.

You must have a Rights Management usage right that permits removing protection from the files, or be a super user. For data discovery or data recovery, the super user feature is typically used. To enable this feature and configure your account as a super user, see Configuring super users for Azure Information Protection and discovery services or data recovery.

How to label files non-interactively for Azure Information Protection

You can run the labeling cmdlets non-interactively by using the Set-AIPAuthentication cmdlet.

By default, when you run the labeling cmdlets, the commands run in your own user context in an interactive PowerShell session. To run them unattended, use a Windows account that can sign in interactively, together with an account in Azure AD that is used for delegated access. For ease of administration, use a single account that's synchronized from Active Directory to Azure AD.

You also need to request an access token from Azure AD, which sets and stores credentials for the delegated user to authenticate to Azure Information Protection.

The computer running the Set-AIPAuthentication cmdlet downloads the label policies, with the labels that are assigned to the delegated user account, from your labeling management center, such as the Office 365 Security & Compliance Center.

Note

If you use different label policies for different users, you might need to create a new label policy that publishes all your labels, and publish that policy to just this delegated user account.

When the token in Azure AD expires, you must run the cmdlet again to acquire a new token. You choose this expiry in Azure AD when you create the client secret for the app registration: one year, two years, or never expires. The parameters for Set-AIPAuthentication use values from the app registration process in Azure AD, as described in the next section.

For the delegated user account:

  • Make sure that a label policy is assigned to this account and that the policy contains the published labels you want to use.

  • If this account needs to decrypt content, for example to reprotect files or to inspect files that others have protected, make it a super user for Azure Information Protection and make sure the super user feature is enabled.

  • If you have implemented onboarding controls for a phased deployment, make sure that this account is included in the onboarding controls you've configured.

To create and configure the Azure AD application for Set-AIPAuthentication

Important

These instructions are for the current general availability version of the unified labeling client, and also apply to the general availability version of the scanner for this client.

Set-AIPAuthentication requires an app registration for the AppId and AppSecret parameters. If you upgraded from a previous version of the client and created an app registration for the previous WebAppId and NativeAppId parameters, they won't work with the unified labeling client. You must create a new app registration, as follows:

  1. In a new browser window, sign in to the Azure portal.

  2. For the Azure AD tenant that you use with Azure Information Protection, navigate to Azure Active Directory > Manage > App registrations.

  3. Select + New registration. On the Register an application pane, specify the following values, and then click Register:

    • Name: AIP-DelegatedUser

      If you prefer, specify a different name. It must be unique per tenant.

    • Supported account types: Accounts in this organizational directory only

    • Redirect URI (optional): Web and https://localhost

  4. On the AIP-DelegatedUser pane, copy the value for the Application (client) ID. The value looks similar to the following example: 77c3c1c3-abf9-404e-8b2b-4652836c8c66. This value is used for the AppId parameter when you run the Set-AIPAuthentication cmdlet. Paste and save the value for later reference.

  5. From the sidebar, select Manage > Certificates & secrets.

  6. On the AIP-DelegatedUser - Certificates & secrets pane, in the Client secrets section, select + New client secret.

  7. For Add a client secret, specify the following, and then select Add:

    • Description: Azure Information Protection unified labeling client
    • Expires: Specify your choice of duration (1 year, 2 years, or never expires)
  8. Back on the AIP-DelegatedUser - Certificates & secrets pane, in the Client secrets section, copy the string for the VALUE. This string looks similar to the following example: OAkk+rnuYc/u+]ah2kNxVbtrDGbS47L4. To make sure you copy all the characters, select the Copy to clipboard icon.

    It's important that you save this string, because it is not displayed again and cannot be retrieved. As with any sensitive information, store the saved value securely and restrict access to it.

  9. From the sidebar, select Manage > API permissions.

  10. On the AIP-DelegatedUser - API permissions pane, select + Add a permission.

  11. On the Request API permissions pane, make sure that you're on the Microsoft APIs tab, and select Azure Rights Management Services. When you're prompted for the type of permissions that your application requires, select Application permissions.

  12. For Select permissions, expand Content and select the following:

    • Content.DelegatedReader
    • Content.DelegatedWriter
  13. Select Add permissions.

  14. Back on the AIP-DelegatedUser - API permissions pane, select + Add a permission again.

  15. On the Request API permissions pane, select APIs my organization uses, and search for Microsoft Information Protection Sync Service.

  16. On the Request API permissions pane, select Application permissions.

  17. For Select permissions, expand UnifiedPolicy and select the following:

    • UnifiedPolicy.Tenant.Read
  18. Select Add permissions.

  19. Back on the AIP-DelegatedUser - API permissions pane, select Grant admin consent for <your tenant name>, and select Yes at the confirmation prompt.

    Your API permissions should look like the following:

    [Screenshot: API permissions of the registered application in Azure AD]

Now that you've completed the registration of this app with a secret, you're ready to run Set-AIPAuthentication with the AppId and AppSecret parameters. You'll also need your tenant ID.

Tip

You can quickly copy your tenant ID from the Azure portal: Azure Active Directory > Manage > Properties > Directory ID.

  1. Open Windows PowerShell with the Run as administrator option.

  2. In your PowerShell session, create a variable to store the credentials of the Windows user account that will run non-interactively. For example, if you created a service account for the scanner:

    $pscreds = Get-Credential "CONTOSO\srv-scanner"
    

    You're prompted for this account's password.

  3. Run the Set-AIPAuthentication cmdlet with the OnBehalfOf parameter, specifying as its value the variable that you just created. Also specify your app registration values, your tenant ID, and the name of the delegated user account in Azure AD. For example:

    Set-AIPAuthentication -AppId "77c3c1c3-abf9-404e-8b2b-4652836c8c66" -AppSecret "OAkk+rnuYc/u+]ah2kNxVbtrDGbS47L4" -TenantId "9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a" -DelegatedUser scanner@contoso.com -OnBehalfOf $pscreds
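
The command above passes the client secret in clear text, so it ends up in any transcript and in whatever script file you paste it into. The following is an added example, not from the original page and not Microsoft's own code, that makes the same Set-AIPAuthentication call but takes the secret from a file written with Export-Clixml, which protects the password with DPAPI so that only the Windows user who wrote the file, on that computer, can read it back; the plaintext is then removed from the session. The GUIDs are the page's placeholders; the service account, delegated user and the file path are assumptions.

```powershell
# Added example (not from the original page). Assumptions: the GUIDs are the page's
# placeholders, and the service account, delegated user and $SecretFile path are made up.
$AppId          = '77c3c1c3-abf9-404e-8b2b-4652836c8c66'
$TenantId       = '9c11c87a-ac8b-46a3-8d5c-f4d0b72ee29a'
$DelegatedUser  = 'scanner@contoso.com'
$ServiceAccount = 'CONTOSO\srv-scanner'
$SecretFile     = 'C:\AIP\aip-app-secret.xml'   # assumed path; restrict its NTFS ACL to admins

# One time: capture the client secret through the credential prompt instead of typing it
# into a script. Export-Clixml stores the password as a DPAPI-encrypted SecureString bound
# to the current Windows user and this computer, so a copied file is useless elsewhere.
if (-not (Test-Path -Path $SecretFile)) {
    New-Item -ItemType Directory -Path (Split-Path -Path $SecretFile) -Force | Out-Null
    Get-Credential -UserName $AppId -Message 'Paste the client secret VALUE as the password' |
        Export-Clixml -Path $SecretFile
}

# Each time the token has to be (re)acquired. Run elevated, as the page's step 1 requires.
$appCred   = Import-Clixml -Path $SecretFile
$AppSecret = $appCred.GetNetworkCredential().Password   # plaintext exists only in this variable
$pscreds   = Get-Credential -UserName $ServiceAccount -Message 'Service account password'

try {
    Set-AIPAuthentication -AppId $AppId -AppSecret $AppSecret -TenantId $TenantId `
        -DelegatedUser $DelegatedUser -OnBehalfOf $pscreds
}
finally {
    # Do not leave the plaintext secret behind in the session once the token is cached.
    Remove-Variable -Name AppSecret, appCred -ErrorAction SilentlyContinue
}

# Afterwards, from a session running as the service account (for example the scheduled task),
# confirm that a labeling cmdlet runs without an interactive prompt:
# Get-AIPFileStatus -Path '\\fileserver\finance\sample.docx'
```

Because DPAPI ties the file to the account that wrote it, run the one-time export as the same administrator account that later re-runs Set-AIPAuthentication when the token expires; Import-Clixml under any other account fails to decrypt the password. The service account in OnBehalfOf never needs the secret itself, it only needs the token that the elevated run caches for it.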
    

Note

If the computer cannot have internet access, there's no need to create the app in Azure AD and run Set-AIPAuthentication. Instead, follow the instructions for disconnected computers.

Next steps

For cmdlet help when you are in a PowerShell session, type Get-Help <cmdlet name> -online. For example:

Get-Help Set-AIPFileLabel -online

See the following for additional information that you might need to support the Azure Information Protection client: