Secure SharePoint Online sites in a dev/test environment

Introduction

This article provides step-by-step instructions to create a dev/test environment that includes the four different types of SharePoint Online team sites for the Secure SharePoint Online sites and files solution.

Use this dev/test environment to experiment with the information protection behaviors and fine-tune settings for your specific needs before deploying SharePoint Online team sites in production.

Phase 1: Create your dev/test environment

In this phase, you obtain trial subscriptions for Office 365 and Enterprise Mobility + Security for a fictional organization.

First, follow the instructions in Phase 2 of the Office 365 dev/test environment.

Next, sign up for the EMS trial subscription and add it to the same organization as your Office 365 trial subscription, and then follow these steps:

  1. If needed, sign in to the Office 365 portal with the credentials of the global administrator account of your trial subscription. For help, see Where to sign in to Office 365.
  2. Click the Admin tile.
  3. On the Office Admin center tab in your browser, in the left navigation, click Billing > Purchase services.
  4. On the Purchase services page, find the Enterprise Mobility + Security E5 item, hover your mouse pointer over it, and click Start free trial.
  5. On the Confirm your order page, click Try now.
  6. On the Order receipt page, click Continue.

Next, enable the Enterprise Mobility + Security E5 license for your global administrator account.

  1. On the Office 365 Admin center tab in your browser, in the left navigation, click Users > Active users.
  2. Click your global administrator account, and then click Edit for Product licenses.
  3. On the Product licenses pane, turn the product license for Enterprise Mobility + Security E5 to On, click Save, and click Close two times.

Phase 2: Create and configure your Azure Active Directory (AD) groups and users

In this phase, you create and configure the Azure AD groups and users for your fictional organization.

First, create a set of groups for a typical organization with the Azure portal.

  1. Create a separate tab in your browser, and then go to the Azure portal at https://portal.azure.com. If needed, sign in with the credentials of the global administrator account for your Office 365 E5 trial subscription.
  2. In the Azure portal, click Azure Active Directory > Users and groups > All groups.
  3. On the All groups blade, click + New group.
  4. On the Group blade:
    • Type C-Suite in Name.
    • Select Assigned in Membership.
    • Click Yes for Enable Office features.
  5. Click Create, and then close the Group blade.
  6. Repeat steps 3-5 for the following group names:
    • IT staff
    • Research staff
    • Regular staff
    • Marketing staff
    • Sales staff
  7. Keep the Azure portal tab in your browser open.
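The same six groups can also be created from PowerShell with the Azure Active Directory V2 module that Phase 2 connects to later. The script below is an added example and is not part of the original article; it assumes Connect-AzureAD has already been run with the global administrator account. It creates security groups (not mail-enabled), which group-based licensing and SharePoint site permissions both accept; if you want the Office features that the portal option enables, create the groups in the portal as described above. The script skips any group that already exists, so it is safe to re-run.

```powershell
# Added example: create the six Azure AD groups used in this article with the AzureAD V2 module.
# Assumes Connect-AzureAD has already been run with the global administrator account.
$groupNames = @("C-Suite", "IT staff", "Research staff", "Regular staff", "Marketing staff", "Sales staff")

ForEach ($groupName in $groupNames) {
    # Idempotent: only create the group if no group with this display name exists yet
    $existing = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
    if ($existing) {
        Write-Host "Group '$groupName' already exists (ObjectId $($existing.ObjectId)); skipping"
        continue
    }
    # A security group that is not mail-enabled. MailNickName is still mandatory for the cmdlet,
    # so the documented placeholder value "NotSet" is used.
    $group = New-AzureADGroup -DisplayName $groupName `
        -Description "$groupName group for the dev/test environment" `
        -SecurityEnabled $true -MailEnabled $false -MailNickName "NotSet"
    Write-Host "Created group '$groupName' with ObjectId $($group.ObjectId)"
}
```

After the groups exist, continue with the group-based licensing steps below exactly as for portal-created groups.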

Next, configure group-based licensing so that members of your groups are automatically assigned licenses for your Office 365 and EMS subscriptions:

  1. In the Azure portal, click Azure Active Directory > Licenses > All products.
  2. In the list, select Enterprise Mobility + Security E5 and Office 365 Enterprise E5, and click Assign.
  3. In the Assign license blade, click Users and groups.
  4. In the list of groups, select the following:
    • C-Suite
    • IT staff
    • Research staff
    • Regular staff
    • Marketing staff
    • Sales staff
  5. Click Select, and click Assign.
  6. Close the Azure portal tab in your browser.

Next, connect with the Azure Active Directory V2 PowerShell module.

Fill in your organization name, your location, and a common password. Run the following commands from the PowerShell command prompt or Integrated Scripting Environment (ISE) to create user accounts and add them to their corresponding groups.

$orgName="[organization name, such as contoso for the contoso.onmicrosoft.com trial subscription domain name]"
$location="[the ISO ALPHA2 country code, such as US for the United States]"
$commonPassword="[common password for all the new accounts]"

# One password profile is shared by all of the test accounts (dev/test only; see the note below)
$PasswordProfile=New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password=$commonPassword

# Each Azure AD group created above, mapped to the user accounts to create in it
$groupMembers=[ordered]@{
    "C-Suite"         = @("CEO","CFO","CIO")
    "IT staff"        = @("ITAdmin1","ITAdmin2")
    "Research staff"  = @("Researcher1")
    "Regular staff"   = @("Regular1","Regular2")
    "Marketing staff" = @("Marketing1","Marketing2")
    "Sales staff"     = @("SalesPerson1")
}

ForEach ($groupName in $groupMembers.Keys){
    # Look up the object ID of the group by its display name
    $groupID=(Get-AzureADGroup | Where-Object { $_.DisplayName -eq $groupName }).ObjectID
    ForEach ($element in $groupMembers[$groupName]){
        # Create the account; UsageLocation must be set before a license can be assigned to it
        $user=New-AzureADUser -DisplayName $element -PasswordProfile $PasswordProfile -UserPrincipalName ($element + "@" + $orgName + ".onmicrosoft.com") -AccountEnabled $true -MailNickName $element -UsageLocation $location
        # Add the new account to its group; group-based licensing then assigns the licenses
        Add-AzureADGroupMember -RefObjectId $user.ObjectID -ObjectId $groupID
    }
}

Note

The use of a common password here is for automation and ease of configuration for a dev/test environment. This is not recommended for production subscriptions.

Next, follow these steps to verify that group-based licensing is working correctly.

  1. From the Microsoft Office Home tab of your browser, click the Admin tile.
  2. From the new Office Admin center tab of your browser, click Users.
  3. In the list of users, click CEO.
  4. In the pane that lists the properties of the CEO user account, verify that it has been assigned the Enterprise Mobility + Security E5 and Office 365 Enterprise E5 licenses (in Product licenses).
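The portal check above covers one account. The script below, an added example rather than part of the original article, checks every test account created in this phase from the same Azure AD PowerShell session. It assumes Connect-AzureAD has been run, and it assumes the SKU part numbers of the two trial products are EMSPREMIUM (Enterprise Mobility + Security E5) and ENTERPRISEPREMIUM (Office 365 Enterprise E5); confirm those values in your tenant with Get-AzureADSubscribedSku before relying on the result.

```powershell
# Added example: verify that group-based licensing assigned both licenses to every test account.
# Assumes Connect-AzureAD has been run. The SKU part numbers are assumptions; check them with
# Get-AzureADSubscribedSku in your own tenant.
$orgName = "[organization name, such as contoso]"
$expectedSkus = @("EMSPREMIUM", "ENTERPRISEPREMIUM")
$testUsers = @("CEO","CFO","CIO","ITAdmin1","ITAdmin2","Researcher1",
               "Regular1","Regular2","Marketing1","Marketing2","SalesPerson1")

$results = ForEach ($name in $testUsers) {
    $upn = "$name@$orgName.onmicrosoft.com"
    $user = Get-AzureADUser -ObjectId $upn
    # Licenses that reached the user, whether assigned directly or inherited from a group
    $assigned = @((Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).SkuPartNumber)
    $missing  = @($expectedSkus | Where-Object { $assigned -notcontains $_ })
    [pscustomobject]@{
        User     = $upn
        Assigned = ($assigned -join ", ")
        Missing  = ($missing -join ", ")
        Ok       = ($missing.Count -eq 0)
    }
}
$results | Format-Table -AutoSize

# Group-based licensing is processed asynchronously: an account that shows Missing right after
# creation usually just needs a few minutes. A gap that persists means the account is not in a
# licensed group or has no UsageLocation set.
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) {
    Write-Warning "Some accounts are missing one or both licenses"
}
```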

Phase 3: Create Office 365 labels

In this phase, you create the labels for the different levels of security for SharePoint Online team site document folders.

  1. If needed, use a private instance of your Internet browser and sign in to the Office 365 portal with the global administrator account of your Office 365 E5 trial subscription. For help, see Where to sign in to Office 365.
  2. From the Microsoft Office Home tab, click the Admin tile.
  3. From the new Office Admin center tab of your browser, click Admin centers > Security & Compliance.
  4. From the new Home – Security & Compliance tab of your browser, click Classifications > Labels.
  5. From the Home > Labels pane, click Create a label.
  6. On the Name your label pane, type Internal Public, and click Next.
  7. On the Label settings pane, click Next.
  8. On the Review your settings pane, click Create this label, and click Close.
  9. Repeat steps 5-8 for these additional labels:
    • Private
    • Sensitive
    • Highly Confidential
  10. From the Home > Labels pane, click Publish labels.
  11. On the Choose labels to publish pane, click Choose labels to publish.
  12. On the Choose labels pane, click Add, select all four labels, and click Done.
  13. On the Choose labels to publish pane, click Next.
  14. On the Choose locations pane, click Next.
  15. On the Name your policy pane, type Example organization in Name, and click Next.
  16. On the Review your settings pane, click Publish labels, and click Close.

Phase 4: Create your SharePoint Online team sites

In this phase, you create and configure the four types of SharePoint Online team sites for your example organization.

Organization wide team site

To create a baseline public SharePoint Online team site, do the following:

  1. If needed, use a browser on your local computer and sign in to the Office 365 portal using your global administrator account. For help, see Where to sign in to Office 365.
  2. In the list of tiles, click SharePoint.
  3. On the new SharePoint tab in your browser, click + Create site.
  4. On the Create a site page, click Team site.
  5. In Site name, type Organization wide.
  6. In Team site description, type SharePoint site for the entire organization.
  7. In Privacy settings, select Public – anyone in the organization can access this site, and then click Next.
  8. On the Who do you want to add? pane, click Finish.

Next, configure the documents folder of the Organization wide team site for the Internal Public label.

  1. In the Organization wide–Home tab of your browser, click Documents.
  2. Click the settings icon, and then click Library settings.
  3. Under Permissions and Management, click Apply label to items in this library.
  4. In Settings-Apply Label, select Internal Public, and click Save.

Here is your resulting configuration.

(Figure: Public team site protection)

Project 1 team site

To create a baseline private SharePoint Online team site for a project within the organization, do the following:

  1. If needed, use a browser on your local computer and sign in to the Office 365 portal using your global administrator account. For help, see Where to sign in to Office 365.
  2. In the list of tiles, click SharePoint.
  3. On the new SharePoint tab in your browser, click + Create site.
  4. On the Create a site page, click Team site.
  5. In Site name, type Project 1.
  6. In Team site description, type SharePoint site for Project 1.
  7. In Privacy settings, select Private – only members can access this site, and click Next.
  8. On the Who do you want to add? pane, click Finish.

Next, configure the documents folder of the Project 1 team site for the Private label.

  1. In the Project 1-Home tab of your browser, click Documents.
  2. Click the settings icon, and then click Library settings.
  3. Under Permissions and Management, click Apply label to items in this library.
  4. In Settings-Apply Label, select Private, and click Save.

Here is your resulting configuration.

(Figure: Private team site protection)

Marketing campaigns team site

To create a sensitive-level isolated SharePoint Online team site for marketing campaign resources, do the following:

  1. Using a browser on your local computer, sign in to the Office 365 portal using your global administrator account. For help, see Where to sign in to Office 365.
  2. In the list of tiles, click SharePoint.
  3. On the new SharePoint tab in your browser, click + Create site.
  4. On the Create a site page, click Team site.
  5. In Team site name, type Marketing campaigns.
  6. In Team site description, type SharePoint site for marketing campaign resources (sensitive).
  7. In Privacy settings, select Private – only members can access this site, and click Next.
  8. On the Who do you want to add? pane, click Finish.
  9. On the new Marketing campaigns tab in your browser, in the toolbar, click the settings icon, and click Site permissions.
  10. In the Site permissions pane, click Advanced permissions settings.
  11. In the new Permissions tab in your browser, click Access Request Settings.
  12. In the Access Request Settings dialog box:
    • Clear the Allow members to share the site and individual files and folders and Allow members to invite others to the site members group check boxes.
    • Type ITAdmin1@[your organization name].onmicrosoft.com in Send all requests for access, and then click OK.
  13. Click Marketing campaigns Members in the list.
  14. On the People and Groups page, click New.
  15. In the Share dialog box, type Marketing staff, select it, and click Share.
  16. Repeat the previous two steps for the Researcher1 user account.
  17. Click the back button on your browser, and click Marketing campaigns Owners in the list.
  18. On the People and Groups page, click New.
  19. In the Share dialog box, type IT staff, select it, and click Share.
  20. Click the back button on your browser, close the People and Groups tab in your browser, click the Marketing campaigns-Home tab in your browser, and close the Site permissions pane.

Here are the results of configuring permissions:

  • The Marketing campaigns-Members SharePoint group contains only the Marketing campaigns group (which contains the global administrator user account), the Marketing staff group (which contains the Marketing1 and Marketing2 user accounts), and the Researcher1 user account.
  • The Marketing campaigns-Owners SharePoint group contains only the IT staff group (which contains only the ITAdmin1 and ITAdmin2 user accounts).
  • The Marketing campaigns-Visitors SharePoint group contains no groups or user accounts.
  • Members cannot modify site-level permissions (this can only be done by members of the Marketing campaigns-Owners group).
  • Other user accounts cannot access the site or its resources, but can request access to the site, which sends an email to the ITAdmin1 user account mailbox.

Next, configure the documents folder of the Marketing campaigns team site for the Sensitive label.

  1. In the Marketing campaigns-Home tab of your browser, click Documents.
  2. Click the settings icon, and then click Library settings.
  3. Under Permissions and Management, click Apply label to items in this library.
  4. In Settings-Apply Label, select Sensitive, and click Save.

Next, configure a data loss prevention (DLP) policy that notifies users when they share a document outside the organization from a SharePoint Online team site with the Sensitive label, which includes the Marketing campaigns site.

  1. From the Microsoft Office Home tab in your browser, click the Security & Compliance tile.
  2. On the new Security & Compliance tab in your browser, click Data loss prevention > Policy.
  3. In the Data loss prevention pane, click + Create a policy.
  4. In the Start with a template or create a custom policy pane, click Custom, and click Next.
  5. In the Name your policy pane, type Sensitive label SharePoint Online team sites in Name, and click Next.
  6. In the Choose locations pane, click Let me choose specific locations, and click Next.
  7. In the list of locations, disable the Exchange email and OneDrive accounts locations, and click Next.
  8. In the Customize the types of sensitive info you want to protect pane, click Edit.
  9. In the Choose the types of content to protect pane, click Add in the drop-down box, and click Labels.
  10. In the Labels pane, click + Add, select the Sensitive label, click Add, and click Done.
  11. In the Choose the types of content to protect pane, click Save.
  12. In the Customize the types of sensitive info you want to protect pane, click Next.
  13. In the What do you want to do if we detect sensitive info? pane, click Customize the tip and email.
  14. In the Customize policy tips and email notifications pane, click Customize the policy tip text.
  15. In the text box, type or paste in the following:
    • To share with a user outside the organization, download the file and then open it. Click File, then Protect Document, then Encrypt with Password, and specify a strong password. Send the password in a separate email or other means of communication.
  16. Click OK.
  17. In the What do you want to do if we detect sensitive info? pane, clear the Block people from sharing, and restrict access to shared content check box, and click Next.
  18. In the Do you want to turn on the policy or test things out first? pane, click Yes, turn it on right away, and click Next.
  19. In the Review your settings pane, click Create, and click Close.

Here is your resulting configuration.

(Figure: Sensitive protection)

Company strategy team site

To create an isolated SharePoint Online team site at the highly confidential level for strategic company resources of the chief executives of the organization, do the following:

  1. If needed, use a browser on your local computer and sign in to the Office 365 portal using your global administrator account. For help, see Where to sign in to Office 365.
  2. In the list of tiles, click SharePoint.
  3. On the new SharePoint tab in your browser, click + Create site.
  4. On the Create a site page, click Team site.
  5. In Team site name, type Company strategy.
  6. In Team site description, type SharePoint site for company strategy (highly confidential).
  7. In Privacy settings, select Private – only members can access this site, and click Next.
  8. On the Who do you want to add? pane, click Finish.
  9. On the new Company strategy tab in your browser, in the toolbar, click the settings icon, and click Site permissions.
  10. In the Site permissions pane, click Advanced permissions settings.
  11. In the new Permissions tab in your browser, click Access Request Settings.
  12. In the Access Request Settings dialog box, clear Allow members to share the site and individual files and folders and Allow members to invite others to the site members group (so that all three check boxes are cleared), and click OK.
  13. Click Company strategy Members in the list, and on the People and Groups page, click New.
  14. In the Share dialog box, type C-Suite, select it, and click Share.
  15. Click Company strategy Owners in the list, and on the People and Groups page, click New.
  16. In the Share dialog box, type IT staff, select it, and click Share.
  17. Click the back button on your browser, and close the People and Groups tab.
  18. Click the Company strategy-Home tab in your browser, and then close the Site permissions pane.

Here are the results of configuring permissions:

  • The Company strategy-Members SharePoint group contains only the C-Suite group (which contains only the CEO, CFO, and CIO user accounts) and the Company strategy group (which contains only the global administrator user account).
  • The Company strategy-Owners SharePoint group contains only the IT staff group (which contains only the ITAdmin1 and ITAdmin2 user accounts).
  • The Company strategy-Visitors SharePoint group contains no groups or user accounts.
  • Members cannot modify site-level permissions (this can only be done by members of the Company strategy-Owners group).
  • Other user accounts cannot access the site or its resources, and cannot request access to the site. Additional permissions to the site must be granted by the global administrator or by a member of the Company strategy-Owners group.
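Both isolated sites (Marketing campaigns and Company strategy) are expected to end up with the same shape: a Members group holding the intended principals, an Owners group holding only IT staff, and an empty Visitors group. The script below is an added example, not part of the original article, that lists the three SharePoint groups of each site with the SharePoint Online Management Shell and warns where the Owners or Visitors group differs from the expected results above. It assumes Connect-SPOService has been run with the global administrator account, and it assumes the sites were created at the default URLs (the site name with spaces removed); adjust the URLs if your tenant differs.

```powershell
# Added example: list the Members, Owners and Visitors SharePoint groups of the two isolated sites
# and flag deviations from the article's expected results. Site URLs are assumptions.
$tenant = "[organization name, such as contoso]"
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# Site URL => site title (the SharePoint group names are derived from the title)
$sites = [ordered]@{
    "https://$tenant.sharepoint.com/sites/Marketingcampaigns" = "Marketing campaigns"
    "https://$tenant.sharepoint.com/sites/Companystrategy"    = "Company strategy"
}

ForEach ($url in $sites.Keys) {
    $title = $sites[$url]
    Write-Host "`n== $title ($url)"
    ForEach ($role in @("Members", "Owners", "Visitors")) {
        $groupName = "$title $role"
        # Principals (user accounts and Azure AD groups) that are direct members of this SharePoint group
        $members = @(Get-SPOUser -Site $url -Group $groupName)
        Write-Host "  ${groupName}:"
        if ($members.Count -eq 0) { Write-Host "    (empty)" }
        $members | ForEach-Object { Write-Host "    $($_.DisplayName)  <$($_.LoginName)>" }

        # Checks that follow directly from the expected results in the article
        switch ($role) {
            "Visitors" {
                if ($members.Count -ne 0) {
                    Write-Warning "$groupName should contain no groups or user accounts"
                }
            }
            "Owners" {
                $itStaff = @($members | Where-Object { $_.DisplayName -eq "IT staff" })
                if ($members.Count -ne 1 -or $itStaff.Count -ne 1) {
                    Write-Warning "$groupName should contain only the IT staff group"
                }
            }
        }
    }
}
```

Reviewing the Members listing by eye is deliberate: the display names SharePoint shows for the site's own group and for Azure AD groups vary between tenants, so the script prints them rather than asserting on exact strings.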

Next, configure the documents folder of the Company strategy team site for the Highly Confidential label.

  1. In the Company strategy-Home tab of your browser, click Documents.
  2. Click the settings icon, and then click Library settings.
  3. Under Permissions and Management, click Apply label to items in this library.
  4. In Settings-Apply Label, select Highly Confidential, and click Save.

Next, configure a DLP policy that blocks users when they share a document outside the organization from a SharePoint Online team site with the Highly Confidential label, which includes the Company strategy site.

  1. If needed, use a browser on your local computer and sign in to the Office 365 portal with an account that has the Security Administrator or Company Administrator role. For help, see Where to sign in to Office 365.
  2. From the Microsoft Office Home tab in your browser, click the Security & Compliance tile.
  3. On the new Security & Compliance tab in your browser, click Data loss prevention > Policy.
  4. In the Data loss prevention pane, click + Create a policy.
  5. In the Start with a template or create a custom policy pane, click Custom, and click Next.
  6. In the Name your policy pane, type Highly Confidential label SharePoint Online team sites in Name, and click Next.
  7. In the Choose locations pane, click Let me choose specific locations, and click Next.
  8. In the list of locations, disable the Exchange email and OneDrive accounts locations, and click Next.
  9. In the Customize the types of sensitive info you want to protect pane, click Edit.
  10. In the Choose the types of content to protect pane, click Add in the drop-down box, and click Labels.
  11. In the Labels pane, click + Add, select the Highly Confidential label, click Add, and click Done.
  12. In the Choose the types of content to protect pane, click Save.
  13. In the Customize the types of sensitive info you want to protect pane, click Next.
  14. In the What do you want to do if we detect sensitive info? pane, click Customize the tip and email.
  15. In the Customize policy tips and email notifications pane, click Customize the policy tip text.
  16. In the text box, type or paste in the following:
    • To share with a user outside the organization, download the file and then open it. Click File, then Protect Document, then Encrypt with Password, and specify a strong password. Send the password in a separate email or other means of communication.
  17. Click OK.
  18. In the What do you want to do if we detect sensitive info? pane, select Require a business justification to override, and click Next.
  19. In the Do you want to turn on the policy or test things out first? pane, click Yes, turn it on right away, and click Next.
  20. In the Review your settings pane, click Create, and click Close.
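The two DLP policies differ in one important setting: the Sensitive policy only shows a policy tip, while the Highly Confidential policy blocks external sharing unless a business justification is supplied. The script below is an added example and not part of the original article; it reads both policies back with Security & Compliance PowerShell and warns if the scope, mode, blocking behaviour or policy tip do not match the choices made in the wizard steps above. It assumes Connect-IPPSSession (ExchangeOnlineManagement module) has been run with an account that holds the Security Administrator role, and the property names it reads (Mode, SharePointLocation, BlockAccess, NotifyAllowOverride, NotifyPolicyTipCustomText) are those exposed by Get-DlpCompliancePolicy and Get-DlpComplianceRule; treat them as assumptions to confirm against your module version.

```powershell
# Added example: confirm the two DLP policies created above match the intended configuration.
# Assumes Connect-IPPSSession has been run. Property names are assumptions to verify against
# the output of Get-DlpCompliancePolicy / Get-DlpComplianceRule in your tenant.
$expected = @(
    @{ Policy = "Sensitive label SharePoint Online team sites";           BlockAccess = $false; Override = $null }
    @{ Policy = "Highly Confidential label SharePoint Online team sites"; BlockAccess = $true;  Override = "WithJustification" }
)

ForEach ($e in $expected) {
    $policy = Get-DlpCompliancePolicy -Identity $e.Policy -ErrorAction SilentlyContinue
    if (-not $policy) { Write-Warning "Policy '$($e.Policy)' not found"; continue }

    # 'Yes, turn it on right away' corresponds to Mode = Enable (not a test mode)
    if ($policy.Mode -ne "Enable") {
        Write-Warning "'$($e.Policy)' is in mode '$($policy.Mode)', expected Enable"
    }
    # Exchange and OneDrive were disabled in the wizard, so only SharePoint should be in scope
    if (-not $policy.SharePointLocation) {
        Write-Warning "'$($e.Policy)' has no SharePoint location"
    }
    if ($policy.ExchangeLocation -or $policy.OneDriveLocation) {
        Write-Warning "'$($e.Policy)' also covers Exchange or OneDrive; expected SharePoint only"
    }

    ForEach ($rule in Get-DlpComplianceRule -Policy $e.Policy) {
        # Sensitive: tip only (BlockAccess false). Highly Confidential: block with override.
        if ([bool]$rule.BlockAccess -ne $e.BlockAccess) {
            Write-Warning "Rule '$($rule.Name)': BlockAccess is $($rule.BlockAccess), expected $($e.BlockAccess)"
        }
        if ($e.Override -and ("$($rule.NotifyAllowOverride)" -notmatch $e.Override)) {
            Write-Warning "Rule '$($rule.Name)': override should require a business justification"
        }
        # Both policies carry the custom policy tip telling users how to share externally
        if ([string]::IsNullOrWhiteSpace($rule.NotifyPolicyTipCustomText)) {
            Write-Warning "Rule '$($rule.Name)': no custom policy tip text set"
        }
    }
    Write-Host "Checked '$($e.Policy)'"
}
```

Run the check again after any edit in the portal: a policy that was switched back to test mode, or that silently regained the OneDrive location, would otherwise only be noticed when a user reports the missing block.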

Next, follow the instructions in Activate Azure RMS with the Office 365 admin center.

Next, configure Azure Information Protection with a new scoped policy and a sub-label for protection and permissions, with the following steps:

  1. In a separate tab of your browser in which you have signed in with your global administrator account, go to the Azure portal (http://portal.azure.com).
  2. If this is the first time you are configuring Azure Information Protection, see these instructions.
  3. In the list pane, click More services, type information, and click Azure Information Protection.
  4. On the Azure Information Protection blade, click Scoped policies > + Add a new policy.
  5. Type CompanyStrategy in Policy name and Label for documents in the Company strategy team site in Description.
  6. Click Select which users or groups get this policy > User/Groups, and then select C-Suite.
  7. Click Select > OK.
  8. For the Highly Confidential label, click the ellipses (…), and then click Add a sub-label.
  9. Type CompStrat-HC in Name and Protect documents in the Company strategy team site in Description.
  10. In Set permissions for documents and emails containing this label, click Protect.
  11. In the Protection section, click Azure (cloud key).
  12. On the Protection blade, under Protection settings, click + Add permissions.
  13. On the Add permissions blade, under Specify users and groups, click + Browse directory.
  14. On the AAD Users and Groups pane, select C-Suite, and click Select.
  15. Under Choose permissions from the preset, clear the Print, Copy and extract content, and Forward check boxes.
  16. Click OK two times.
  17. On the Sub-label blade, click Save.
  18. Close the new scoped policy blade.
  19. On the Azure Information Protection – Scoped policies blade, click Publish, and then click Yes.

To protect a document with Azure Information Protection and the Highly Confidential label, you must install the Azure Information Protection client on a test machine, install Office from the Office 365 portal, and then sign in from Microsoft Word with an account in the C-Suite group of your trial subscription.

Here is your resulting configuration.

(Figure: Highly confidential protection)

Create documents and test access

You are now ready to create documents in these four sites and test access to them with various user accounts in your trial subscription.

Here is the overall configuration for all four SharePoint Online team sites.

(Figure: Final configuration)

Next steps

When you are ready for production deployment of secure SharePoint Online sites, see Secure SharePoint Online sites and files for detailed information and links to step-by-step deployment articles.