Restrict access to content by using sensitivity labels to apply encryption

Microsoft 365 licensing guidance for security & compliance.

When you create a sensitivity label, you can restrict access to content that the label will be applied to. For example, with the encryption settings for a sensitivity label, you can protect content so that:

  • Only users within your organization can open a confidential document or email.
  • Only users in the marketing department can edit and print the promotion announcement document or email, while all other users in your organization can only read it.
  • Users cannot forward an email or copy information from it that contains news about an internal reorganization.
  • The current price list that is sent to business partners cannot be opened after a specified date.

When a document or email is encrypted, access to the content is restricted, so that it:

  • Can be decrypted only by users authorized by the label's encryption settings.
  • Remains encrypted no matter where it resides, inside or outside your organization, even if the file is renamed.
  • Is encrypted both at rest (for example, in a OneDrive account) and in transit (for example, email as it traverses the internet).

Finally, as an admin, when you configure a sensitivity label to apply encryption, you can choose either to:

  • Assign permissions now, so that you determine exactly which users get which permissions to content with that label.
  • Let users assign permissions when they apply the label to content. This way, you can allow people in your organization some flexibility that they might need to collaborate and get their work done.

The encryption settings are available when you create a sensitivity label in the Microsoft 365 compliance center, Microsoft 365 security center, or the Security & Compliance Center.

Understand how the encryption works

Encryption uses the Azure Rights Management service (Azure RMS) from Azure Information Protection. This protection solution uses encryption, identity, and authorization policies. To learn more, see What is Azure Rights Management? from the Azure Information Protection documentation.

When you use this encryption solution, the super user feature ensures that authorized people and services can always read and inspect the data that has been encrypted for your organization. If necessary, the encryption can then be removed or changed. For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.

How to configure a label for encryption

  1. Follow the general instructions to create or edit a sensitivity label and make sure Files & emails is selected for the label's scope:

    (Screenshot: sensitivity label scope options for files and emails)

  2. Then, on the Choose protection settings for files and emails page, make sure you select Encrypt files and emails:

    (Screenshot: sensitivity label protection options for files and emails)

  3. On the Encryption page of the wizard, select one of the following options:

    • Remove encryption if the file is encrypted: For more information about this scenario, see the What happens to existing encryption when a label's applied section. It's important to understand that this setting can result in a sensitivity label that users might not be able to apply when they don't have sufficient permissions.

    • Configure encryption settings: Turns on encryption and makes the encryption settings visible:

      (Screenshot: sensitivity label options for encryption)

      Instructions for these settings are in the following Configure encryption settings section.

What happens to existing encryption when a label's applied

If a sensitivity label is applied to unencrypted content, the outcome of the encryption options you can select is self-explanatory. For example, if you didn't select Encrypt files and emails, the content remains unencrypted.

However, the content might be already encrypted. For example, another user might have applied:

  • Their own permissions, which include user-defined permissions when prompted by a label, custom permissions by the Azure Information Protection client, and the Restricted Access document protection from within an Office app.
  • An Azure Rights Management protection template that encrypts the content independently from a label. This category includes mail flow rules that apply encryption by using rights protection.
  • A label that applies encryption with permissions assigned by the administrator.

The following table identifies what happens to existing encryption when a sensitivity label is applied to that content:

Existing protection                          | Encryption: Not selected         | Encryption: Configured          | Encryption: Remove
Permissions specified by a user              | Original encryption is preserved | New label encryption is applied | Original encryption is removed
Protection template                          | Original encryption is preserved | New label encryption is applied | Original encryption is removed
Label with administrator-defined permissions | Original encryption is removed   | New label encryption is applied | Original encryption is removed

Note that in the cases where the new label encryption is applied or the original encryption is removed, this happens only if the user applying the label has a usage right or role that supports this action:

If the user doesn't have one of these rights or roles, the label can't be applied and so the original encryption is preserved. The user sees the following message: You don't have permission to make this change to the sensitivity label. Please contact the content owner.

For example, the person who applies Do Not Forward to an email message can relabel the thread to replace the encryption or remove it, because they are the Rights Management owner for the email. But with the exception of super users, recipients of this email can't relabel it because they don't have the required usage rights.

Email attachments for encrypted email messages

When an email message is encrypted by any method, any unencrypted Office documents that are attached to the email automatically inherit the same encryption settings.

Documents that are already encrypted and then added as attachments always preserve their original encryption.
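The table, the "supporting usage right or role" rule and the attachment rules above, as an added Python model (not Microsoft's code and not any product API): it encodes the page's outcomes and treats "has a supporting usage right or role" as being the Rights Management owner or a super user, the two cases the page names; the actor model and the rule names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class LabelEncryption(Enum):
    """The label's encryption setting (the three columns of the page's table)."""
    NOT_SELECTED = "not selected"
    CONFIGURED = "configured"
    REMOVE = "remove encryption if the file is encrypted"


class Existing(Enum):
    """What is already on the content before the label is applied (the table's rows)."""
    NONE = "no encryption"
    USER_PERMISSIONS = "permissions specified by a user"
    TEMPLATE = "protection template"
    ADMIN_LABEL = "label with administrator-defined permissions"


class Outcome(Enum):
    UNENCRYPTED = "content remains unencrypted"
    ENCRYPTED = "label encryption is applied"
    PRESERVED = "original encryption is preserved"
    REPLACED = "new label encryption is applied"
    REMOVED = "original encryption is removed"
    DENIED = "label can't be applied; original encryption is preserved"


# The page's table, keyed by (existing protection, label setting).
TABLE = {
    (Existing.USER_PERMISSIONS, LabelEncryption.NOT_SELECTED): Outcome.PRESERVED,
    (Existing.USER_PERMISSIONS, LabelEncryption.CONFIGURED): Outcome.REPLACED,
    (Existing.USER_PERMISSIONS, LabelEncryption.REMOVE): Outcome.REMOVED,
    (Existing.TEMPLATE, LabelEncryption.NOT_SELECTED): Outcome.PRESERVED,
    (Existing.TEMPLATE, LabelEncryption.CONFIGURED): Outcome.REPLACED,
    (Existing.TEMPLATE, LabelEncryption.REMOVE): Outcome.REMOVED,
    (Existing.ADMIN_LABEL, LabelEncryption.NOT_SELECTED): Outcome.REMOVED,
    (Existing.ADMIN_LABEL, LabelEncryption.CONFIGURED): Outcome.REPLACED,
    (Existing.ADMIN_LABEL, LabelEncryption.REMOVE): Outcome.REMOVED,
}

DENIED_MESSAGE = ("You don't have permission to make this change to the sensitivity label. "
                  "Please contact the content owner.")


@dataclass(frozen=True)
class Actor:
    """Who is applying the label (constructed). The page names two ways to hold the
    needed right or role: being the Rights Management owner, or being a super user."""
    is_rights_management_owner: bool = False
    is_super_user: bool = False

    def may_change_encryption(self) -> bool:
        return self.is_rights_management_owner or self.is_super_user


def apply_label(existing: Existing, setting: LabelEncryption, actor: Actor) -> Outcome:
    """What happens to the content's encryption when `actor` applies a label with `setting`."""
    if existing is Existing.NONE:
        # Unencrypted content: the result is simply whatever the label configures.
        return Outcome.ENCRYPTED if setting is LabelEncryption.CONFIGURED else Outcome.UNENCRYPTED
    outcome = TABLE[(existing, setting)]
    if outcome in (Outcome.REPLACED, Outcome.REMOVED) and not actor.may_change_encryption():
        # Replacing or removing existing encryption needs a supporting usage right or role;
        # without it the label isn't applied and the user sees DENIED_MESSAGE.
        return Outcome.DENIED
    return outcome


def attachment_outcome(attachment_already_encrypted: bool, email_encrypted: bool) -> str:
    """Attachment rule from the page: unencrypted Office attachments inherit the email's
    encryption; documents that were already encrypted keep their original encryption."""
    if attachment_already_encrypted:
        return "keeps original encryption"
    return "inherits email encryption" if email_encrypted else "stays unencrypted"


if __name__ == "__main__":
    # Do Not Forward example: the sender (Rights Management owner) can relabel the thread,
    # a recipient cannot.
    sender, recipient = Actor(is_rights_management_owner=True), Actor()
    print(apply_label(Existing.USER_PERMISSIONS, LabelEncryption.CONFIGURED, sender).value)
    print(apply_label(Existing.USER_PERMISSIONS, LabelEncryption.CONFIGURED, recipient).value)
```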

Configure encryption settings

When you select Configure encryption settings on the Encryption page of the wizard to create or edit a sensitivity label, choose one of the following options:

  • Assign permissions now, so that you can determine exactly which users get which permissions to content that has the label applied. For more information, see the next section Assign permissions now.
  • Let users assign permissions when your users apply the label to content. With this option, you can allow people in your organization some flexibility that they might need to collaborate and get their work done. For more information, see the Let users assign permissions section on this page.

For example, if you have a sensitivity label named Highly Confidential that will be applied to your most sensitive content, you might want to decide now who gets what type of permissions to that content.

Alternatively, if you have a sensitivity label named Business Contracts, and your organization's workflow requires that your people collaborate on this content with different people on an ad hoc basis, you might want to allow your users to decide who gets permissions when they assign the label. This flexibility both helps your users' productivity and reduces the requests for your admins to update or create new sensitivity labels to address specific scenarios.

Choosing whether to assign permissions now or let users assign permissions:

(Screenshot: options to add user-defined or administrator-defined permissions)

Assign permissions now

Use the following options to control who can access email or documents to which this label is applied. You can:

  • Allow access to labeled content to expire, either on a specific date or after a specific number of days after the label is applied. After this time, users won't be able to open the labeled item. If you specify a date, it is effective at midnight on that date in your current time zone. (Note that some email clients might not enforce expiration and show emails past their expiration date, due to their caching mechanisms.)

  • Allow offline access never, always, or for a specific number of days after the label is applied. If you restrict offline access to never or a number of days, when that threshold is reached, users must be reauthenticated and their access is logged. For more information, see the next section on the Rights Management use license.

Settings for access control for encrypted content:

(Screenshot: settings for administrator-defined permissions)

Rights Management use license for offline access

When a user opens a document or email that's been protected by encryption from the Azure Rights Management service, an Azure Rights Management use license for that content is granted to the user. This use license is a certificate that contains the user's usage rights for the document or email, and the encryption key that was used to encrypt the content. The use license also contains an expiration date if this has been set, and how long the use license is valid.

If no expiration date has been set, the default use license validity period for a tenant is 30 days. For the duration of the use license, the user is not reauthenticated or reauthorized for the content. This process lets the user continue to open the protected document or email without an internet connection. When the use license validity period expires, the next time the user accesses the protected document or email, the user must be reauthenticated and reauthorized.

In addition to reauthentication, the encryption settings and user group membership are reevaluated. This means that users could experience different access results for the same document or email if there are changes in the encryption settings or group membership from when they last accessed the content.

To learn how to change the default 30-day setting, see Rights Management use license.

Assign permissions to specific users or groups

You can grant permissions to specific people so that only they can interact with the labeled content:

  1. First, add users or groups that will be assigned permissions to the labeled content.

  2. Then, choose which permissions those users should have for the labeled content.

Assigning permissions:

(Screenshot: options for assigning permissions to users)

Add users or groups

When you assign permissions, you can choose:

  • Everyone in your organization (all tenant members). This setting excludes guest accounts.

  • Any authenticated users. Make sure you understand the requirements and limitations of this setting before selecting it.

  • Any specific user or email-enabled security group, distribution group, or Microsoft 365 group (formerly Office 365 group) in Azure AD. The Microsoft 365 group can have static or dynamic membership. Note that you can't use a dynamic distribution group from Exchange because this group type isn't synchronized to Azure AD, and you can't use a security group that isn't email-enabled.

  • Any email address or domain. Use this option to specify all users in another organization that uses Azure AD, by entering any domain name from that organization. You can also use this option for social providers, by entering their domain name such as gmail.com, hotmail.com, or outlook.com.

    Note

    If you specify a domain from an organization that uses Azure AD, you can't restrict access to that specific domain. Instead, all verified domains in Azure AD are automatically included for the tenant that owns the domain name you specify.

When you choose all users and groups in your organization or browse the directory, the users or groups must have an email address.

As a best practice, use groups rather than users. This strategy keeps your configuration simpler.

Requirements and limitations for "Add any authenticated users"

This setting doesn't restrict who can access the content that the label encrypts, while still encrypting the content and providing you with options to restrict how the content can be used (permissions) and accessed (expiry and offline access). However, the application opening the encrypted content must be able to support the authentication being used. For this reason, federated social providers such as Google, and one-time passcode authentication, work for email only, and only when you use Exchange Online. Microsoft accounts can be used with Office 365 apps and the Azure Information Protection viewer.

Some typical scenarios for the Any authenticated users setting:

  • You don't mind who views the content, but you want to restrict how it is used. For example, you don't want the content to be edited, copied, or printed.
  • You don't need to restrict who accesses the content, but you want to be able to confirm who opens it.
  • You have a requirement that the content must be encrypted at rest and in transit, but it doesn't require access controls.

Choose permissions

When you choose which permissions to allow for those users or groups, you can select either:

  • A predefined permissions level with a preset group of rights, such as Co-Author or Reviewer.
  • Custom permissions, where you choose one or more usage rights.

For more information to help you select the appropriate permissions, see Usage rights and descriptions.

(Screenshot: options to choose preset or custom permissions)

Note that the same label can grant different permissions to different users. For example, a single label can assign some users as Reviewer and a different user as Co-Author, as shown in the following screenshot.

To do this, add users or groups, assign them permissions, and save those settings. Then repeat these steps, adding users and assigning them permissions, saving the settings each time. You can repeat this configuration as often as necessary, to define different permissions for different users.

(Screenshot: different users with different permissions)

Rights Management issuer (user applying the sensitivity label) always has Full Control

Encryption for a sensitivity label uses the Azure Rights Management service from Azure Information Protection. When a user applies a sensitivity label to protect a document or email by using encryption, that user becomes the Rights Management issuer for that content.

The Rights Management issuer is always granted Full Control permissions for the document or email, and in addition:

  • If the encryption settings include an expiration date, the Rights Management issuer can still open and edit the document or email after that date.
  • The Rights Management issuer can always access the document or email offline.
  • The Rights Management issuer can still open a document after it is revoked.

For more information, see Rights Management issuer and Rights Management owner.
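The use-license lifecycle from the Rights Management use license section and the issuer rules just above, as an added Python simulation (not Microsoft's code): the label settings, timestamps, users and group names are constructed, and the mapping of the "always" and "never" offline-access choices onto use-license validity is an assumption stated in the comments.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple, Union

# Default use license validity period for a tenant when the label sets nothing.
TENANT_DEFAULT_USE_LICENSE_DAYS = 30


@dataclass
class LabelSettings:
    """Constructed model of a label's 'Assign permissions now' settings."""
    offline_access: Optional[Union[str, int]] = None  # None, "never", "always", or days
    content_expiry: Optional[datetime] = None          # constructed: midnight of the chosen date
    authorized_groups: Set[str] = field(default_factory=set)
    any_authenticated_user: bool = False               # the "Add any authenticated users" option

    def use_license_days(self) -> Optional[int]:
        # Assumption: "always" -> license never expires; "never" -> valid 0 days
        # (every open reauthenticates); an integer -> that many days; None -> tenant default.
        if self.offline_access is None:
            return TENANT_DEFAULT_USE_LICENSE_DAYS
        if self.offline_access == "always":
            return None
        if self.offline_access == "never":
            return 0
        return int(self.offline_access)


@dataclass
class UseLicense:
    """The certificate granted on open: validity period and any content expiry date."""
    user: str
    granted_at: datetime
    validity_days: Optional[int]          # None: never expires
    content_expiry: Optional[datetime]    # carried in the license when the label sets one

    def is_valid(self, now: datetime) -> bool:
        if self.validity_days is None:
            return True
        return now < self.granted_at + timedelta(days=self.validity_days)


@dataclass
class ProtectedItem:
    issuer: str            # Rights Management issuer: the user who applied the label
    label: LabelSettings
    revoked: bool = False


def authorize(item: ProtectedItem, user_groups: Set[str], now: datetime) -> Tuple[bool, str]:
    """Online reauthorization: encryption settings and group membership are re-evaluated."""
    if item.revoked:
        return False, "access has been revoked"
    if item.label.content_expiry is not None and now >= item.label.content_expiry:
        return False, "content access has expired"
    if item.label.any_authenticated_user or (user_groups & item.label.authorized_groups):
        return True, "authorized"
    return False, "user is not in an authorized group"


def open_item(item: ProtectedItem, user: str, user_groups: Set[str],
              use_license: Optional[UseLicense], now: datetime, online: bool
              ) -> Tuple[bool, str, Optional[UseLicense]]:
    """Decide whether the user can open the item; returns (allowed, reason, license to keep)."""
    if user == item.issuer:
        # Full Control, offline, past expiry and after revocation (as the page states).
        return True, "Rights Management issuer always has Full Control", use_license
    if use_license is not None and use_license.user == user and use_license.is_valid(now):
        # Inside the validity period: no reauthentication or reauthorization, works offline.
        if use_license.content_expiry is not None and now >= use_license.content_expiry:
            return False, "content access has expired (date carried in the use license)", use_license
        return True, "valid use license; opened without reauthentication", use_license
    if not online:
        return False, "use license missing or expired; reauthentication needs connectivity", None
    ok, reason = authorize(item, user_groups, now)
    if not ok:
        return False, reason, None
    fresh = UseLicense(user, now, item.label.use_license_days(), item.label.content_expiry)
    return True, "reauthenticated and reauthorized; new use license granted", fresh


def walkthrough() -> Dict[str, bool]:
    """Constructed scenario: a label with 7-day offline access restricted to 'marketing'."""
    t0 = datetime(2021, 3, 1, 9, 0)
    item = ProtectedItem("alice@contoso.com", LabelSettings(offline_access=7, authorized_groups={"marketing"}))
    bob, marketing = "bob@contoso.com", {"marketing"}
    first_open, _, lic = open_item(item, bob, marketing, None, t0, online=True)
    day3_offline = open_item(item, bob, marketing, lic, t0 + timedelta(days=3), online=False)[0]
    day8_offline = open_item(item, bob, marketing, lic, t0 + timedelta(days=8), online=False)[0]
    # Bob has been removed from 'marketing' by the time he reconnects on day 8.
    day8_online_removed = open_item(item, bob, set(), lic, t0 + timedelta(days=8), online=True)[0]
    item.revoked = True
    issuer_after_revoke = open_item(item, "alice@contoso.com", set(), None, t0 + timedelta(days=400), online=False)[0]
    return {"first_open": first_open, "day3_offline": day3_offline, "day8_offline": day8_offline,
            "day8_online_removed": day8_online_removed, "issuer_after_revoke": issuer_after_revoke}


if __name__ == "__main__":
    print(walkthrough())
```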

Double Key Encryption

Note

This feature is currently supported only by the Azure Information Protection unified labeling client.

Select this option only after you have configured the Double Key Encryption service and you need to use this double key encryption for files that will have this label applied.

For more information, prerequisites, and configuration instructions, see Double Key Encryption (DKE).

Let users assign permissions

You can use these options to let users assign permissions when they manually apply a sensitivity label to content:

  • In Outlook, a user can select restrictions equivalent to the Do Not Forward option for their chosen recipients.

  • In Word, PowerPoint, and Excel, a user is prompted to select their own permissions for specific users, groups, or organizations.

    Note

    This option for Word, PowerPoint, and Excel is supported by the Azure Information Protection unified labeling client. For apps that use built-in labeling, check which apps support it.

    If this option is selected but isn't supported for a user's app, either that label doesn't display to the user, or the label displays for consistency but can't be applied, and users see an explanation message.

When the options are supported, use the following table to identify when users see the sensitivity label:

Setting                                                                   | Label visible in Outlook | Label visible in Word, Excel, PowerPoint
In Outlook, enforce restrictions equivalent to the Do Not Forward option | Yes                      | No
In Word, PowerPoint, and Excel, prompt users to specify permissions       | No                       | Yes

When both settings are selected, the label is therefore visible in both Outlook and in Word, Excel, and PowerPoint.

A sensitivity label that lets users assign permissions can be applied to content only manually by users; it can't be auto-applied or used as a recommended label.

Configuring the user-assigned permissions:

(Screenshot: encryption settings for user-defined permissions)

Outlook restrictions

In Outlook, when a user applies a sensitivity label that lets them assign permissions to a message, the restrictions are the same as the Do Not Forward option. The user sees the label name and description at the top of the message, which indicates that the content is being protected. Unlike Word, PowerPoint, and Excel (see the next section), users aren't prompted to select specific permissions.

(Screenshot: a sensitivity label applied to a message in Outlook)

When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it. For example, in the Outlook client, the Forward button is not available, the Save As and Print menu options are not available, and you cannot add or change recipients in the To, Cc, or Bcc boxes.

Unencrypted Office documents that are attached to the email automatically inherit the same restrictions. The usage rights applied to these documents are Edit Content, Edit; Save; View, Open, Read; and Allow Macros. If the user wants different usage rights for an attachment, or the attachment is not an Office document that supports this inherited protection, the user needs to protect the file before attaching it to the email.

Word, PowerPoint, and Excel permissions

In Word, PowerPoint, and Excel, when a user applies a sensitivity label that lets them assign permissions to a document, they are prompted to specify their choice of users and permissions when the encryption is applied.

For example, with the Azure Information Protection unified labeling client, users can:

  • Select a permission level, such as Viewer (which assigns View Only permission) or Co-Author (which assigns View, Edit, Copy, and Print permissions).
  • Select users, groups, or organizations. This can include people both inside and outside your organization.
  • Set an expiration date, after which the selected users cannot access the content. For more information, see the above section Rights Management use license for offline access.

(Screenshot: options for users to protect with custom permissions)

For built-in labeling, users see the same dialog box if they select the following:

  • Windows: File tab > Info > Protect Document > Restrict Access > Restricted Access

  • MacOS: Review tab > Protection > Permissions > Restricted Access

Example configurations for the encryption settings

For each example that follows, do the configuration from the Encryption page of the wizard when Configure encryption settings is selected:

(Screenshot: encryption options in the sensitivity label wizard)

Example 1: Label that applies Do Not Forward to send an encrypted email to a Gmail account

This label displays only in Outlook and Outlook on the web, and you must use Exchange Online. Instruct users to select this label when they need to send an encrypted email to people using a Gmail account (or any other email account outside your organization).

Your users type the Gmail email address in the To box. Then, they select the label and the Do Not Forward option is automatically added to the email. The result is that recipients cannot forward the email, print it, copy from it, or save the email outside their mailbox by using the Save As option.

  1. On the Encryption page: For Assign permissions now or let users decide? select Let users assign permissions when they apply the label.

  2. Select the checkbox: In Outlook, enforce restrictions equivalent to the Do Not Forward option.

  3. If selected, clear the checkbox: In Word, PowerPoint, and Excel, prompt users to specify permissions.

  4. Select Next and complete the wizard.

Example 2: Label that restricts read-only permission to all users in another organization

This label is suitable for sharing very sensitive documents as read-only, and the documents always require an internet connection to view them.

This label is not suitable for emails.

  1. On the Encryption page: For Assign permissions now or let users decide? select Assign permissions now.

  2. For Allow offline access, select Never.

  3. Select Assign permissions.

  4. On the Assign permissions pane, select Add specific email addresses or domains.

  5. In the text box, enter the name of a domain from the other organization, for example, fabrikam.com. Then select Add.

  6. Select Choose permissions.

  7. On the Choose permissions pane, select the dropdown box, select Viewer, and then select Save.

  8. Back on the Assign permissions pane, select Save.

  9. On the Encryption page, select Next and complete the wizard.

Example 3: Add external users to an existing label that encrypts content

The new users that you add will be able to open documents and emails that have already been protected with this label. The permissions that you grant these users can be different from the permissions that the existing users have.

  1. On the Encryption page: For Assign permissions now or let users decide? make sure Assign permissions now is selected.

  2. Select Assign permissions.

  3. On the Assign permissions pane, select Add specific email addresses or domains.

  4. In the text box, enter the email address of the first user (or group) to add, and then select Add.

  5. Select Choose permissions.

  6. On the Choose permissions pane, select the permissions for this user (or group), and then select Save.

  7. Back on the Assign permissions pane, repeat steps 3 through 6 for each user (or group) that you want to add to this label. Then select Save.

  8. On the Encryption page, select Next and complete the wizard.

Example 4: Label that encrypts content but doesn't restrict who can access it

This configuration has the advantage that you don't need to specify users, groups, or domains to encrypt an email or document. The content will still be encrypted and you can still specify usage rights, an expiry date, and offline access.

Use this configuration only when you do not need to restrict who can open the protected document or email. More information about this setting

  1. On the Encryption page: For Assign permissions now or let users decide? make sure Assign permissions now is selected.

  2. Configure settings for User access to content expires and Allow offline access as required.

  3. Select Assign permissions.

  4. On the Assign permissions pane, select Add any authenticated users.

    For Users and groups, you see Authenticated users automatically added. You can't change this value, only delete it, which cancels the Add any authenticated users selection.

  5. Select Choose permissions.

  6. On the Choose permissions pane, select the dropdown box, select the permissions you want, and then select Save.

  7. Back on the Assign permissions pane, select Save.

  8. On the Encryption page, select Next and complete the wizard.

Considerations for encrypted content

Encrypting your most sensitive documents and emails helps to ensure that only authorized people can access this data. However, there are some considerations to take into account:

  • If your organization hasn't enabled sensitivity labels for Office files in SharePoint and OneDrive:

    • Search, eDiscovery, and Delve will not work for encrypted files.
    • DLP policies work for the metadata of these encrypted files (including retention label information) but not the content of these files (such as credit card numbers within files).
    • Users can't open encrypted files using Office on the web. When sensitivity labels for Office files in SharePoint and OneDrive are enabled, users can use Office on the web to open encrypted files, with some limitations that include encryption that has been applied with an on-premises key (known as "hold your own key", or HYOK), double key encryption, and encryption that has been applied independently from a sensitivity label.
  • For multiple users to edit an encrypted file at the same time, they must all be using Office for the web. If this isn't the case, and the file is already open:

    • In Office apps (Windows, Mac, Android, and iOS), users see a File In Use message with the name of the person who has checked out the file. They can then view a read-only copy or save and edit a copy of the file, and receive notification when the file is available.
    • In Office for the web, users see an error message that they can't edit the document with other people. They can then select Open in Reading View.
  • The AutoSave functionality in Office apps (Windows, Mac, Android, and iOS) is disabled for encrypted files. Users see a message that the file has restricted permissions that must be removed before AutoSave can be turned on.

  • Encrypted files might take longer to open in Office apps (Windows, Mac, Android, and iOS).

  • The following actions for encrypted files aren't supported from Office apps (Windows, Mac, Android, and iOS), and users see an error message that something went wrong. However, SharePoint functionality can be used as an alternative:

For the best collaboration experience for files that are encrypted by a sensitivity label, we recommend you use sensitivity labels for Office files in SharePoint and OneDrive and Office for the web.

Important prerequisites

Before you can use encryption, you might need to do some configuration tasks.

  • Activate protection from Azure Information Protection

    For sensitivity labels to apply encryption, the protection service (Azure Rights Management) from Azure Information Protection must be activated for your tenant. In newer tenants, this is the default setting, but you might need to manually activate the service. For more information, see Activating the protection service from Azure Information Protection.

  • Configure Exchange for Azure Information Protection

    Exchange does not have to be configured for Azure Information Protection before users can apply labels in Outlook to encrypt their emails. However, until Exchange is configured for Azure Information Protection, you do not get the full functionality of using Azure Rights Management protection with Exchange.

    For example, users cannot view encrypted emails on mobile phones or with Outlook on the web, encrypted emails cannot be indexed for search, and you cannot configure Exchange Online DLP for Rights Management protection.

    To ensure that Exchange can support these additional scenarios, see the following: