Create and configure sensitivity labels and their policies

Microsoft 365 licensing guidance for security & compliance.

All Microsoft Information Protection solutions (sometimes abbreviated to MIP) are implemented by using sensitivity labels. To create and publish these labels, go to your labeling admin center, such as the Microsoft 365 compliance center. You can also use the Microsoft 365 security center, or the Security & Compliance Center.

First, create and configure the sensitivity labels that you want to make available for apps and other services. For example, the labels you want users to see and apply from Office apps.

Then, create one or more label policies that contain the labels and policy settings that you configure. It's the label policy that publishes the labels and settings for your chosen users and locations.

Before you begin

The global admin for your organization has full permissions to create and manage all aspects of sensitivity labels. If you aren't signing in as a global admin, see Permissions required to create and manage sensitivity labels.

Create and configure sensitivity labels

  1. In your labeling admin center, navigate to sensitivity labels:

    • Microsoft 365 compliance center:

      • Solutions > Information protection

      If you don't immediately see this option, first select Show all.

    • Microsoft 365 security center:

      • Classification > Sensitivity labels
    • Security & Compliance Center:

      • Classification > Sensitivity labels
  2. On the Labels page, select + Create a label to start the New sensitivity label wizard.

    For example, from the Microsoft 365 compliance center:

    [Screenshot: Create a sensitivity label]

    Note: By default, tenants don't have any labels and you must create them. The labels in the example picture show default labels that were migrated from Azure Information Protection.

  3. On the Define the scope for this label page, the options selected determine the label's scope for the settings that you can configure and where they will be visible when they are published:

    [Screenshot: Scopes for sensitivity labels]

    • If Files & emails is selected, you can configure settings in this wizard that apply to apps that support sensitivity labels, such as Office Word and Outlook. If this option isn't selected, the wizard displays the first page of these settings but you can't configure them and the labels won't be available for users to select in these apps.

    • If Groups & sites is selected, you can configure settings in this wizard that apply to Microsoft 365 groups, and sites for Teams and SharePoint. If this option isn't selected, the wizard displays the first page of these settings but you can't configure them and the labels won't be available for users to select for groups and sites.

  4. Follow the prompts in the wizard for the label settings.

    For more information about the label settings, see What sensitivity labels can do from the overview information and use the help in the wizard for individual settings.

  5. Repeat these steps to create more labels. However, if you want to create a sublabel, first select the parent label and select ... for More actions, and then select Add sub label.

  6. When you have created all the labels you need, review their order and if necessary, move them up or down. To change the order of a label, select ... for More actions, and then select Move up or Move down. For more information, see Label priority (order matters) from the overview information.

To edit an existing label, select it, and then select the Edit label button:

[Screenshot: Edit label button to edit a sensitivity label]

This button starts the Edit sensitivity label wizard, which lets you change all the label settings in step 4.

Don't delete a label unless you understand the impact for users. For more information, see the Removing and deleting labels section.

Note

If you edit a label that's already published by using a label policy, no extra steps are needed when you finish the wizard. For example, you don't need to add it to a new label policy for the changes to become available to the same users. However, allow up to 24 hours for the changes to replicate to users and services.

Until you publish your labels, they won't be available to select in apps or for services. To publish the labels, they must be added to a label policy.

Important

On this Labels tab, do not select the Publish labels tab (or the Publish label button when you edit a label) unless you need to create a new label policy. You need multiple label policies only if users need different labels or different policy settings. Aim to have as few label policies as possible; it's not uncommon to have just one label policy for the organization.

Additional label settings with Security & Compliance Center PowerShell

Additional label settings are available with the Set-Label cmdlet from Security & Compliance Center PowerShell.

For example:

  • Use the LocaleSettings parameter for multinational deployments so that users see the label name and tooltip in their local language. The following section has an example configuration that specifies the label name and tooltip text for French, Italian, and German.

  • For the Azure Information Protection unified labeling client only, you can specify advanced settings that include setting a label color, and applying a custom property when a label is applied. For the full list, see Available advanced settings for labels from this client's admin guide.

Example configuration to configure a sensitivity label for different languages

The following example shows the PowerShell configuration for a label named "Public" with placeholder text for the tooltip. In this example, the label name and tooltip text are configured for French, Italian, and German.

As a result of this configuration, users who have Office apps that use those display languages see their label names and tooltips in the same language. Similarly, if you have the Azure Information Protection unified labeling client installed to label files from File Explorer, users who have those language versions of Windows see their label names and tooltips in their local language when they use the right-click actions for labeling.

For the languages that you need to support, use the Office language identifiers (also known as language tags), and specify your own translation for the label name and tooltip.

Before you run the commands in PowerShell, you must first connect to Security & Compliance Center PowerShell.

# Office language identifiers and the matching translations, in the same order.
$Languages = @("fr-fr","it-it","de-de")
$DisplayNames = @("Publique","Publico","Oeffentlich")
$Tooltips = @("Texte Français","Testo italiano","Deutscher text")
$Label = "Public"
# One LocaleSettings object per localized property: the label name first.
$DisplayNameLocaleSettings = [PSCustomObject]@{LocaleKey='DisplayName';
    Settings=@(
        @{key=$Languages[0];Value=$DisplayNames[0];}
        @{key=$Languages[1];Value=$DisplayNames[1];}
        @{key=$Languages[2];Value=$DisplayNames[2];})}
# Then the tooltip text for the same languages.
$TooltipLocaleSettings = [PSCustomObject]@{LocaleKey='Tooltip';
    Settings=@(
        @{key=$Languages[0];Value=$Tooltips[0];}
        @{key=$Languages[1];Value=$Tooltips[1];}
        @{key=$Languages[2];Value=$Tooltips[2];})}
# Each object is passed to Set-Label as a compressed JSON string.
Set-Label -Identity $Label -LocaleSettings (ConvertTo-Json $DisplayNameLocaleSettings -Depth 3 -Compress),(ConvertTo-Json $TooltipLocaleSettings -Depth 3 -Compress)

Publish sensitivity labels by creating a label policy

  1. In your labeling admin center, navigate to sensitivity labels:

    • Microsoft 365 compliance center:

      • Solutions > Information protection

      If you don't immediately see this option, first select Show all.

    • Microsoft 365 security center:

      • Classification > Sensitivity labels
    • Security & Compliance Center:

      • Classification > Sensitivity labels
  2. Select the Label policies tab, and then Publish labels to start the Create policy wizard:

    For example, from the Microsoft 365 compliance center:

    [Screenshot: Publish labels]

    Note: By default, tenants don't have any label policies and you must create them.

  3. In the wizard, select Choose sensitivity labels to publish. Select the labels that you want to make available in apps and to services, and then select Add.

    Important

    If you select a sublabel, make sure you also select its parent label.

  4. Review the selected labels and to make any changes, select Edit. Otherwise, select Next.

  5. Follow the prompts to configure the policy settings.

    The policy settings that you see match the scope of the labels that you selected. For example, if you selected labels that have just the Files & emails scope, you don't see the policy settings Apply this label by default to groups and sites and Require users to apply a label to their groups and sites.

    For more information about these settings, see What label policies can do from the overview information and use the help in the wizard for individual settings.

  6. Repeat these steps if you need different policy settings for different users or scopes. For example, you want additional labels for a group of users, or a different default label for a subset of users. Or, if you have configured labels to have different scopes.

  7. If you create more than one label policy that might result in a conflict for a user, review the policy order and if necessary, move them up or down. To change the order of a label policy, select ... for More actions, and then select Move up or Move down. For more information, see Label policy priority (order matters) from the overview information.

Completing the wizard automatically publishes the label policy. To make changes to a published policy, simply edit it. There is no specific publish or republish action for you to select.

To edit an existing label policy, select it, and then select the Edit Policy button:

[Screenshot: Edit a sensitivity label]

This button starts the Create policy wizard, which lets you edit which labels are included and the label settings. When you complete the wizard, any changes are automatically replicated to the selected users and services.

Users see new labels in their Office apps within one hour. However, allow up to 24 hours for changes to existing labels to replicate to all users and services.

Additional label policy settings with Security & Compliance Center PowerShell

Additional label policy settings are available with the Set-LabelPolicy cmdlet from Security & Compliance Center PowerShell.

For the Azure Information Protection unified labeling client only, you can specify advanced settings that include setting a different default label for Outlook, and implement pop-up messages in Outlook that warn, justify, or block emails being sent. For the full list, see Available advanced settings for label policies from this client's admin guide.

Use PowerShell for sensitivity labels and their policies

You can now use Security & Compliance Center PowerShell to create and configure all the settings you see in your labeling admin center. This means that in addition to using PowerShell for settings that aren't available in the labeling admin centers, you can now fully script the creation and maintenance of sensitivity labels and sensitivity label policies.

See the following documentation for supported parameters and values:

You can also use Remove-Label and Remove-LabelPolicy if you need to script the deletion of sensitivity labels or sensitivity label policies. However, before you delete sensitivity labels, make sure you read the following section.

Removing and deleting labels

In a production environment, it's unlikely that you will need to remove sensitivity labels from a label policy, or delete sensitivity labels. It's more likely that you might need to do either of these actions during an initial testing phase. Make sure you understand what happens when you do either of these actions.

Removing a label from a label policy is less risky than deleting it, and you can always add it back to a label policy later if needed:

  • When you remove a label from a label policy so that the label is no longer published to the originally specified users, the next time the label policy is refreshed, users no longer see that label to select in their Office app. However, if the label has been applied to documents or emails, the label isn't removed from that content. Any encryption that was applied by the label remains and the underlying protection template remains published.

  • For labels that are removed but have previously been applied to content, users who are using built-in labeling for Word, Excel, and PowerPoint still see the applied label name on the status bar. Similarly, labels that are removed that were applied to SharePoint sites still display the label name in the Sensitivity column.

In comparison, when you delete a label:

  • If the label applied encryption, the underlying protection template is archived so that previously protected content can still be opened. Because of this archived protection template, you won't be able to create a new label with the same name. Although it's possible to delete a protection template by using PowerShell, don't do this unless you're sure you don't need to open content that was encrypted with the archived template.

  • For desktop apps: The label information in the metadata remains, but because a label ID to name mapping is no longer possible, users don't see the applied label name displayed (for example, on the status bar) so users will assume the content isn't labeled. If the label applied encryption, the encryption remains and when the content is opened, users still see the name and description of the now archived protection template.

  • For Office on the web: Users don't see the label name on the status bar or in the Sensitivity column. The label information in the metadata remains only if the label didn't apply encryption. If the label applied encryption, and you've enabled sensitivity labels for SharePoint and OneDrive, the label information in the metadata is removed and the encryption is removed.

When you remove a sensitivity label from a label policy, or delete a sensitivity label, these changes can take up to one hour to replicate to all users and services.
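
The following added example (not part of the original article or Microsoft's own code) turns two points from this page into checks you can run before changing anything: a published sublabel needs its parent label in the same policy, and a label should be reviewed before Remove-Label is scripted against it. The sample data is constructed, the ParentName and Labels property names are assumptions, and treating "still published" or "has sublabels" as reasons to stop is a conservative choice of this example.

```powershell
# Constructed sample data (not from a real tenant). ParentName and Labels are
# assumed property names for this example; map Get-Label / Get-LabelPolicy
# output into this shape before using the functions on live data.
$SampleLabels = @(
    [PSCustomObject]@{ Name = 'Public';               ParentName = $null }
    [PSCustomObject]@{ Name = 'Confidential';         ParentName = $null }
    [PSCustomObject]@{ Name = 'Confidential-Finance'; ParentName = 'Confidential' }
)
$SamplePolicies = @(
    [PSCustomObject]@{ Name = 'Global';  Labels = @('Public', 'Confidential', 'Confidential-Finance') }
    [PSCustomObject]@{ Name = 'Finance'; Labels = @('Confidential-Finance') }  # parent not published
)

# Publishing check: a sublabel in a policy whose parent label is not in that policy.
function Find-SublabelWithoutParent {
    param([object[]]$Labels, [object[]]$Policies)
    $parentOf = @{}
    foreach ($l in $Labels) {
        if ($l.ParentName) { $parentOf[$l.Name] = $l.ParentName }
    }
    foreach ($p in $Policies) {
        foreach ($name in $p.Labels) {
            if ($parentOf.ContainsKey($name) -and $p.Labels -notcontains $parentOf[$name]) {
                [PSCustomObject]@{ Policy = $p.Name; Sublabel = $name; MissingParent = $parentOf[$name] }
            }
        }
    }
}

# Deletion check: reasons to stop before Remove-Label is run for $LabelName.
function Get-LabelDeletionBlocker {
    param([string]$LabelName, [object[]]$Labels, [object[]]$Policies)
    $blockers = @()
    foreach ($p in $Policies) {
        if ($p.Labels -contains $LabelName) {
            $blockers += "still published by label policy '$($p.Name)'"
        }
    }
    foreach ($l in $Labels) {
        if ($l.ParentName -eq $LabelName) {
            $blockers += "has sublabel '$($l.Name)'"
        }
    }
    $blockers
}

# Flags policy 'Finance', which publishes Confidential-Finance without Confidential.
Find-SublabelWithoutParent -Labels $SampleLabels -Policies $SamplePolicies | Format-Table
# Lists why 'Confidential' should not be deleted yet (published in Global, has a sublabel).
Get-LabelDeletionBlocker -LabelName 'Confidential' -Labels $SampleLabels -Policies $SamplePolicies
```

An empty result from the second function means the label is no longer published and has no sublabels; the effects of deletion on already labeled content described above still apply.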

Next steps

To configure and use your sensitivity labels for specific scenarios, use the following articles:

To monitor how your labels are being used, see View label usage with label analytics.