Protect files with Azure Information Protection

Introduction

Use the steps in this article to configure Azure Information Protection (AIP) to provide encryption and permissions for files in a highly confidential SharePoint Online team site.

The encryption and permissions protection travels with a file even when it is downloaded from the site. For more information about highly confidential SharePoint Online team sites, see Secure SharePoint Online sites and files.

Note

When Azure Information Protection encryption is applied to files stored in Office 365, the service cannot process the contents of those files. Co-authoring, eDiscovery, search, Delve, and other collaborative features do not work on them. Data Loss Prevention (DLP) policies can only act on metadata (including Office 365 labels), not on the contents of these files (such as credit card numbers inside them).

Configure Azure Information Protection

First, follow the instructions in Activate Azure RMS with the Office 365 admin center for your Office 365 subscription.

Next, configure Azure Information Protection with a new scoped policy and a sub-label that applies protection and permissions for your highly confidential SharePoint Online team site, by following these steps:

  1. Sign in to the Office 365 portal with an account that has the Security Administrator or Company Administrator role. For help, see Where to sign in to Office 365.
  2. In a separate tab of your browser, go to the Azure portal (https://portal.azure.com).
  3. If this is the first time you are configuring Azure Information Protection, see these instructions.
  4. In the list pane, click More services, type information, and click Azure Information Protection.
  5. On the Azure Information Protection blade, click Scoped policies > + Add a new policy.
  6. Type a name for the new policy in Policy name and a description in Description.
  7. Click Select which users or groups get this policy > User/Groups, and then select the site members access group for your highly confidential SharePoint Online team site.
  8. Click Select > OK.
  9. For the Highly Confidential label, click the ellipsis (…), and then click Add a sub-label.
  10. Type a name for the sub-label in Name and a description of the label in Description.
  11. In Set permissions for documents and emails containing this label, click Protect.
  12. In the Protection section, click Azure (cloud key).
  13. On the Protection blade, under Protection settings, click + Add permissions.
  14. On the Add permissions blade, under Specify users and groups, click + Browse directory.
  15. On the AAD Users and Groups pane, select the site members access group for your highly confidential SharePoint Online team site, and click Select.
  16. Under Choose permissions from the preset, clear the Print, Copy and extract content, and Forward check boxes.
  17. Click OK two times.
  18. On the Sub-label blade, configure visual markings as needed, and then click Save.
  19. Close the new scoped policy blade.
  20. On the Azure Information Protection – Scoped policies blade, click Publish, and then click Yes.
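The same activation and protection settings can be scripted, which is useful when you have many team sites and want the permission set checked before it is published. The following is an added example, not code from the original article or from Microsoft: it uses the AIPService PowerShell module to activate the protection service (the "Activate Azure RMS" step), build a rights definition for the site members group with Print, Copy and extract content, and Forward removed (as in step 16), and publish it as a protection template scoped to that group (the analogue of the scoped policy in steps 5 to 8). The group address, template name and the exact rights retained from the portal preset are assumptions; adjust them to your tenant.

```powershell
# Added example (not from the original article): script the service-side part of the
# procedure above with the AIPService module. Placeholders: group address, template name.
Import-Module AIPService

# 1. Activate the Azure Rights Management service behind AIP if it is not already enabled.
Connect-AipService   # interactive sign-in with a Global or Security admin account
if ((Get-AipServiceConfiguration).FunctionalState -ne 'Enabled') {
    Enable-AipService
}

# 2. Rights for the site members access group. Assumption: this approximates the
#    portal's co-author style preset with PRINT, EXTRACT (copy and extract content)
#    and FORWARD removed, matching step 16.
$siteMembers   = 'ProjectX-HighlyConfidential-Members@contoso.com'   # placeholder group
$allowedRights = @('VIEW', 'EDIT', 'DOCEDIT', 'REPLY', 'REPLYALL', 'OBJMODEL', 'VIEWRIGHTSDATA')
$clearedRights = @('PRINT', 'EXTRACT', 'FORWARD')

$rights = New-AipServiceRightsDefinition -EmailAddress $siteMembers -Rights $allowedRights

# Fail before publishing if any of the cleared rights slipped back in (for example after
# someone edits $allowedRights by copy-pasting a preset).
$leaked = $rights.Rights | Where-Object { $clearedRights -contains $_ }
if ($leaked) { throw "Rights definition still grants: $($leaked -join ', ')" }

# 3. Publish the template, visible only to the site members (scoped like the policy
#    in steps 5-8). Names/Descriptions are keyed by LCID; 1033 is en-US.
$names = @{}; $names[1033] = 'Highly Confidential - Project X'            # placeholder name
$descriptions = @{}; $descriptions[1033] = 'Project X site members only. No print, copy or forward.'

Add-AipServiceTemplate -Names $names -Descriptions $descriptions `
    -RightsDefinitions $rights -ScopedIdentities $siteMembers -Status Published

# 4. Read back the published templates and record the TemplateId; it is what you
#    compare against later when checking a downloaded file.
Get-AipServiceTemplate |
    Where-Object { $_.Status -eq 'Published' -and $_.Names[1033] -eq $names[1033] } |
    Select-Object TemplateId, Status
```

The labels themselves (the Highly Confidential parent label, sub-label name and visual markings in steps 9 to 18) are still configured in the Azure portal; the template created here is the protection that such a sub-label applies, so its TemplateId is what you expect to see on protected files. Run the rights check before every publish: the portal preset is the usual source of an accidentally retained Print or Forward right.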

This is the resulting configuration for your highly confidential SharePoint Online team site.

(Figure: Highly Confidential)

You are now ready to begin creating documents and protecting them with Azure Information Protection and your new label.

The Azure Information Protection client must be installed on each user's device or Windows-based computer. You can script and automate the installation, or users can install the client manually.

For more information, see the following resources:

Once installed, users run the client and then sign in from an Office application (such as Microsoft Word) with their Office 365 account. A new Information Protection bar lets them select the label.

Make sure that your users know which SharePoint Online team site to use and which label to apply to protect their highly confidential files.
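Two things are worth verifying on the client side: that the scripted install actually succeeded, and that a file a user downloads from the team site is still protected with the expected template, which is the property the introduction relies on. The following is an added example, not code from the original article or from Microsoft: it performs a silent install of the classic AIP client and then reads the protection status of a downloaded file with the client's own `Get-AIPFileStatus` cmdlet. The installer path, the downloaded file path and the expected TemplateId are placeholders; the property names used (`IsRMSProtected`, `RMSTemplateId`, `SubLabelName`, `RMSOwner`) are those of the classic client's AzureInformationProtection module and are assumed here.

```powershell
# Added example (not from the original article): silent client install plus a check that
# protection travelled with a file downloaded from the team site.
# Placeholders: installer path, downloaded file path, expected TemplateId.
$installer          = 'C:\Deploy\AzInfoProtection.exe'                 # assumption: classic client installer
$downloaded         = "$env:USERPROFILE\Downloads\ProjectX-Plan.docx"  # file a user downloaded from the site
$expectedTemplateId = '00000000-0000-0000-0000-000000000000'           # TemplateId of the sub-label's protection

# 1. Install silently if the client module is not already present.
#    Exit code 3010 means installed but a reboot is pending.
if (-not (Get-Module -ListAvailable -Name AzureInformationProtection)) {
    $proc = Start-Process -FilePath $installer -ArgumentList '/quiet' -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {
        throw "AIP client install failed with exit code $($proc.ExitCode)"
    }
}
Import-Module AzureInformationProtection

# 2. Inspect the downloaded copy. If encryption did not travel with the file,
#    IsRMSProtected is false; if a different label was applied, the TemplateId differs.
$status = Get-AIPFileStatus -Path $downloaded
$asExpected = [bool]$status.IsRMSProtected -and ($status.RMSTemplateId -eq $expectedTemplateId)

[pscustomobject]@{
    File         = $status.FileName
    Labeled      = $status.IsLabeled
    SubLabel     = $status.SubLabelName
    RMSProtected = $status.IsRMSProtected
    TemplateId   = $status.RMSTemplateId
    Owner        = $status.RMSOwner
    AsExpected   = $asExpected
}

if (-not $asExpected) {
    Write-Warning "'$downloaded' is not protected with the expected template; check which label the user applied."
}
```

Run the check as a user who is not in the site members group as well: that account should still see `IsRMSProtected` as true but be unable to open the content, which is the behaviour the permissions in step 15 are meant to enforce.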

Note

If you have multiple highly confidential SharePoint Online team sites, create a separate Azure Information Protection scoped policy and sub-label with the above settings for each one, with the permissions of each sub-label granted to the site members access group of that specific SharePoint Online team site.

Next steps

Cloud adoption and hybrid solutions