Azure Information Protection integration

Applies to: Microsoft Cloud App Security


Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Microsoft Cloud App Security lets you apply Azure Information Protection classification labels automatically, with or without protection, to files as a file policy governance action. You can also investigate files by filtering for the applied classification label within the Cloud App Security portal. Using classifications enables greater visibility and control of your sensitive data in the cloud. Integrating Azure Information Protection with Cloud App Security is as easy as selecting a single checkbox.


This article is also relevant for Office 365 unified sensitivity labels if you already migrated your classification labels for the Office 365 Security and Compliance Center. If you did not migrate your existing classification labels, and you begin to create new labels in the Office 365 Security and Compliance Center, Cloud App Security will only use the preexisting labels configured in the Azure Information Protection portal.

By integrating Azure Information Protection into Cloud App Security, you can use the full power of both services and secure files in your cloud, including:

  • The ability to apply classification labels as a governance action to files that match specific policies
  • The ability to view all classified files in a central location
  • The ability to investigate according to classification level, and quantify exposure of sensitive data over your cloud applications
  • The ability to create policies to make sure classified files are being handled properly


To enable this feature, you need both a Cloud App Security license and a license for Azure Information Protection Premium P1. As soon as both licenses are in place, Cloud App Security syncs the organization's labels from the Azure Information Protection service.


To use labels in Cloud App Security, the labels must be published as part of the policy. If you're using Azure Information Protection, labels must be published via the Azure Information Protection portal. If you migrated to unified labels, labels must be published via Office 365 Security and Compliance Center.

Cloud App Security currently supports applying Azure Information Protection classification labels for the following file types:

  • Word: docm, docx, dotm, dotx
  • Excel: xlam, xlsm, xlsx, xltx
  • PowerPoint: potm, potx, ppsx, ppsm, pptm, pptx


    For PDF, you must use unified labels.

This feature is currently available for files stored in Box, G Suite, SharePoint Online, and OneDrive for Business. More cloud apps will be supported in future versions.

Files that were labeled with protection outside of Cloud App Security can't be changed by Cloud App Security. However, you can scan these files by granting permissions to inspect content for protected files.

How it works

You're probably familiar with file classification labels in Azure Information Protection. You can see the Azure Information Protection classification tags in Cloud App Security. As soon as you integrate Cloud App Security with Azure Information Protection, Cloud App Security scans files as follows:

  1. Cloud App Security retrieves the list of all the classification labels used in your tenant. This action is performed every hour to keep the list up-to-date.

  2. Cloud App Security then scans the files for classification labels, as follows:

    • If you enabled automatic scan, all new or modified files are added to the scan queue and all existing files and repositories will be scanned.
    • If you set a file policy to search for classification labels, these files are added to the scan queue for classification labels.
  3. As noted above, these scans are for the classification labels discovered in the initial scan that Cloud App Security does to see which classification labels are used in your tenant. External labels, that is, classification labels set by someone external to your tenant, are added to the list of classification labels. If you don't want to scan for these, select the Only scan files for Azure Information Protection classification labels from this tenant check box.

  4. After you enable Azure Information Protection on Cloud App Security, all new files that are added to your connected cloud apps will be scanned for classification labels.

  5. You can create new policies within Cloud App Security that apply your classification labels automatically.

How to integrate Azure Information Protection with Cloud App Security

Enable Azure Information Protection

All you have to do to integrate Azure Information Protection with Cloud App Security is select a single checkbox. By enabling automatic scan, you enable searching for Azure Information Protection classification labels on your Office 365 files without the need to create a policy. After you enable it, if you have files in your cloud environment that are labeled with Azure Information Protection classification labels, you'll see them in Cloud App Security.

To enable Cloud App Security to scan files with content inspection enabled for classification labels:

  1. In Cloud App Security, under the settings cog, select the Settings page under the System heading.

  2. Under Azure Information Protection, select Automatically scan new files for Azure Information Protection classification labels.

    [Screenshot: Enable Azure Information Protection]

After enabling Azure Information Protection, you'll be able to see files that have classification labels and filter them per label in Cloud App Security. After Cloud App Security is connected to the cloud app, you'll be able to use the Azure Information Protection integration features to apply Azure Information Protection classification labels (with or without protection) in the Cloud App Security portal, by adding them directly to files or by configuring a file policy to apply classification labels automatically as a governance action.


Automatic scan does not scan existing files until they are modified again. To scan existing files for Azure Information Protection classification labels, you must have at least one File policy that includes content inspection. If you have none, create a new File policy, delete all the preset filters, and under Inspection method select Built-in DLP. In the Content inspection field, select Include files that match a preset expression, select any predefined value, and save the policy. This enables content inspection, which automatically detects Azure Information Protection classification labels.

Set internal and external tags

By default, Cloud App Security scans classification labels that were defined in your organization as well as external ones defined by other organizations.

To ignore classification labels set external to your organization, in the Cloud App Security portal, go to Settings and then Azure Information Protection. Select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.


Apply labels directly to files

  1. From the Files page under Investigate, select the file you want to protect. Click the three dots at the end of the file's row, then choose Apply classification label.

    Cloud App Security can apply Azure Information Protection on files that are up to 50 MB.

  2. You're asked to choose one of your organization's classification labels to apply to the file, and click Apply.

  3. After you choose a classification label and click Apply, Cloud App Security will apply the classification label to the original file.

  4. You can also remove classification labels by choosing the Remove classification label option.


You can remove labels only if they do not include protection and they were applied from within Cloud App Security; labels applied directly in Information Protection can't be removed.

For more information about how Cloud App Security and Azure Information Protection work together, see Automatically apply Azure Information Protection classification labels.

Automatically label files

You can automatically apply classification labels to files by creating a file policy and setting Apply classification label as the governance action.

Follow these instructions to create the file policy:

  1. Create a file policy.

  2. Set the policy to include the type of file you want to detect. For example, select all files where Access level does not equal Internal and where the Owner OU equals your finance team.

  3. Under governance actions for the relevant app, click Apply a classification label, then select the label type.



The ability to automatically apply an Azure Information Protection label through file policy is a powerful capability. To protect customers from mistakenly applying a label to a large number of files, as a safety precaution there is a daily limit of 100 Apply label actions per app, per tenant. After the daily limit is reached, the apply label action pauses temporarily and continues automatically the next day (after 12:00 UTC). To raise the limit for your tenant, open a support ticket.
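The limits this page states (supported file types and apps, the 50 MB cap, files protected outside Cloud App Security, and the daily limit of 100 Apply label actions per app) can be checked against a file inventory before an auto-labeling policy is switched on. The Python below is an added example, not Microsoft code and not a Cloud App Security API. The inventory format, the function names, the reading of 50 MB as 50 MiB, and the resume time being the next 12:00 UTC are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Limits as stated on this page.
SUPPORTED_EXT = set("docm docx dotm dotx xlam xlsm xlsx xltx "
                    "potm potx ppsx ppsm pptm pptx".split())
SUPPORTED_APPS = {"Box", "G Suite", "SharePoint Online", "OneDrive for Business"}
MAX_BYTES = 50 * 1024 * 1024  # assumption: "50 MB" read as 50 MiB
DAILY_LIMIT = 100             # Apply label actions per app, per tenant, per day

def skip_reason(f, unified_labels=False):
    """Return None when the file can be labeled, otherwise the blocking rule."""
    ext = f["name"].rpartition(".")[2].lower()
    rules = [
        (f["app"] not in SUPPORTED_APPS, "app not supported"),
        (ext == "pdf" and not unified_labels, "PDF requires unified labels"),
        (ext != "pdf" and ext not in SUPPORTED_EXT, "file type not supported"),
        (f["size"] > MAX_BYTES, "larger than 50 MB"),
        (f.get("protected_elsewhere", False), "protected outside Cloud App Security"),
    ]
    return next((why for hit, why in rules if hit), None)

def next_reset(t):
    """Assumption: the paused action resumes at the next 12:00 UTC."""
    r = t.replace(hour=12, minute=0, second=0, microsecond=0)
    return r if r > t else r + timedelta(days=1)

def plan(files, start, unified_labels=False, used_today=None):
    """Triage an inventory, then estimate when each app's backlog clears."""
    skipped, backlog, finish = [], defaultdict(int), {}
    for f in files:
        reason = skip_reason(f, unified_labels)
        if reason:
            skipped.append((f["name"], reason))
        else:
            backlog[f["app"]] += 1
    for app, n in backlog.items():
        left = max(DAILY_LIMIT - (used_today or {}).get(app, 0), 0)
        days = -(-max(n - left, 0) // DAILY_LIMIT)  # extra quota windows needed
        finish[app] = next_reset(start) + timedelta(days=days - 1) if days else start
    return skipped, dict(backlog), finish

# Constructed inventory: 250 Box documents plus four files that get skipped.
SAMPLE = [{"name": f"q{i}.docx", "app": "Box", "size": 20_000} for i in range(250)] + [
    {"name": "plan.pdf", "app": "Box", "size": 9_000},
    {"name": "model.xlsx", "app": "SharePoint Online", "size": 60 * 1024 * 1024},
    {"name": "notes.docx", "app": "Dropbox", "size": 1_000},
    {"name": "deal.pptx", "app": "G Suite", "size": 5_000, "protected_elsewhere": True}]
SAMPLE_START = datetime(2020, 6, 1, 15, 0, tzinfo=timezone.utc)
```

Calling `plan(SAMPLE, SAMPLE_START)` returns the skipped files with their reasons, the per-app backlog, and the start of the quota window in which each backlog is expected to finish.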

Control file exposure

  • For example, if the below is a document you labeled with an Azure Information Protection classification label:

    [Screenshot: Sample Azure Information Protection screen]

  • You can see this document in Cloud App Security by filtering on the classification label for Azure Information Protection in the Files page.

    [Screenshot: Cloud App Security compared to Azure Information Protection]

  • You can get more information about these files and their classification labels in the file drawer. Just click on the relevant file in the Files page and check whether it has a classification label.

  • Then, you can create file policies in Cloud App Security to control files that are shared inappropriately and find files that are labeled and were recently modified.

  • You can create a policy that automatically applies a classification label to specific files.

  • You can also trigger alerts on activities related to file classification.


When Azure Information Protection labels are disabled on a file, the disabled labels appear as disabled in Cloud App Security. Deleted labels are not displayed.

Sample policy - confidential data that is externally shared on Box:

  1. Create a file policy.

  2. Set the policy's name, severity, and category.

  3. Add the following filters to find all confidential data that is externally shared on Box:


Sample policy - restricted data that was recently modified outside the Finance folder on SharePoint:

  1. Create a file policy.

  2. Set the policy's name, severity, and category.

  3. Add the following filters to find all recently modified restricted files while excluding the Finance folder in the folder selection option:


You can also choose to set alerts, send user notifications, or take immediate action for these policies. Learn more about governance actions.

Learn more about Azure Information Protection and check out the Azure Information Protection Quick start tutorial.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.