Use sensitivity labels in Office apps

Microsoft 365 licensing guidance for security & compliance.

When you have published sensitivity labels from the Microsoft 365 compliance center or equivalent labeling center, they start to appear in Office apps for users to classify and protect data as it's created or edited.

Use the information in this article to help you successfully manage sensitivity labels in Office apps. For example, identify the minimum versions of apps you need to support built-in labeling, and understand interactions with the Azure Information Protection unified labeling client and compatibility with other apps and services.

Labeling client for desktop apps

To use sensitivity labels that are built into Office desktop apps for Windows and Mac, you must use a subscription edition of Office. This labeling client doesn't support standalone editions of Office, such as Office 2016 or Office 2019.

To use sensitivity labels with these standalone editions of Office on Windows computers, install the Azure Information Protection unified labeling client.

Support for sensitivity label capabilities in apps

For each capability, the following tables list the minimum Office version you need for that app to support sensitivity labels using built-in labeling, or indicate whether the label capability is in public preview or under review for a future release. Use the Microsoft 365 roadmap for details about future releases.

New versions of Office apps are made available at different times for different update channels. For more information, including how to configure your update channel so that you can test a new labeling capability that you're interested in, see Overview of update channels for Microsoft 365 Apps. New capabilities that are in private preview are not included in the table, but you might be able to join these previews by nominating your organization for the Microsoft Information Protection private preview program.

Note

The names of the update channels for Office apps have recently changed. For example, Monthly Channel is now Current Channel, and Office Insider is now Beta Channel. For more information, see Changes to update channels for Microsoft 365 Apps.

Additional capabilities are available when you install the Azure Information Protection unified labeling client, which runs on Windows computers only. For these details, see Compare the labeling clients for Windows computers.

Sensitivity label capabilities in Word, Excel, and PowerPoint

For iOS and Android: Where these have a minimum version listed, the sensitivity label capability is also supported with the Office app.

| Capability | Windows Desktop | Mac Desktop | iOS | Android | Web |
|---|---|---|---|---|---|
| Manually apply, change, or remove label | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes - opt-in |
| Apply a default label | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes - opt-in |
| Require a justification to change a label | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes - opt-in |
| Provide help link to a custom help page | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes - opt-in |
| Mark the content | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes - opt-in |
| Dynamic markings with variables | 2010+ | 16.42+ | 2.42+ | 16.0.13328+ | Under review |
| Assign permissions now | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | Yes - opt-in |
| Let users assign permissions | 2004+ | 16.35+ | Under review | Under review | Under review |
| View label usage with label analytics and send data for administrators | Under review | Under review | Under review | Under review | Yes * |
| Require users to apply a label to their email and documents | Under review | Under review | Under review | Under review | Under review |
| Apply a sensitivity label to content automatically | 2009+ | Preview for Word and PowerPoint: Rolling out to Current Channel (Preview) | Under review | Under review | Yes - opt-in |
| Support AutoSave and coauthoring on labeled and protected documents | Under review | Under review | Under review | Under review | Yes - opt-in |

Footnote:

* Currently, doesn't include justification text to remove a label or lower the classification level

Sensitivity label capabilities in Outlook

| Capability | Outlook on Windows Desktop | Outlook on Mac Desktop | Outlook on iOS | Outlook on Android | Outlook on the web |
|---|---|---|---|---|---|
| Manually apply, change, or remove label | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Apply a default label | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Require a justification to change a label | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Provide help link to a custom help page | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Mark the content | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Dynamic markings with variables | Under review | Under review | Under review | Under review | Under review |
| Assign permissions now | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| Let users assign permissions | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
| View label usage with label analytics and send data for administrators | Under review | Under review | Under review | Under review | Yes |
| Require users to apply a label to their email and documents | Under review | Under review | Under review | Under review | Under review |
| Apply a sensitivity label to content automatically | 2009+ | Under review | Under review | Under review | Yes |

Office built-in labeling client and other labeling solutions

The Office built-in labeling client downloads sensitivity labels and sensitivity label policy settings from the following admin centers:

  • Microsoft 365 compliance center
  • Microsoft 365 security center
  • Office 365 Security & Compliance Center

To use the Office built-in labeling client, you must have one or more label policies published to users from one of the listed admin centers, and a supported version of Office.

If both of these conditions are met but you need to turn off the Office built-in labeling client, use the following Group Policy setting:

  1. Navigate to User Configuration/Administrative Templates/Microsoft Office 2016/Security Settings.

  2. Set Use the Sensitivity feature in Office to apply and view sensitivity labels to 0.

Deploy this setting by using Group Policy, or by using the Office cloud policy service. The setting takes effect when Office apps restart.

Office built-in labeling client and the Azure Information Protection client

If users have one of the Azure Information Protection clients installed (unified labeling client or classic client), by default, the built-in labeling client is turned off in their Office apps.

To use built-in labeling rather than the Azure Information Protection client for Office apps, use the instructions from the previous section but set the Group Policy setting Use the Sensitivity feature in Office to apply and view sensitivity labels to 1.

Alternatively, disable or remove the Office Add-in, Azure Information Protection. This method is suitable for a single computer, and ad-hoc testing. For instructions, see View, manage, and install add-ins in Office programs.

When you disable or remove this Office Add-in, the Azure Information Protection client remains installed so that you can continue to label files outside your Office apps, for example by using File Explorer or PowerShell.

For information about which features are supported by the Azure Information Protection clients and the Office built-in labeling client, see Choose which labeling client to use for Windows computers from the Azure Information Protection documentation.

Office file types supported

Office apps that have built-in labeling for Word, Excel, and PowerPoint files support the Open XML format (such as .docx and .xlsx) but not the Microsoft Office 97-2003 format (such as .doc and .xls). When a file type is not supported for built-in labeling, the Sensitivity button is not available in the Office app.

The Azure Information Protection unified labeling client supports both the Open XML format and the Microsoft Office 97-2003 format. For more information, see File types supported by the Azure Information Protection unified labeling client from that client's admin guide.

For other labeling solutions, check their documentation for file types supported.

Protection templates and sensitivity labels

Administrator-defined protection templates, such as those you define for Office 365 Message Encryption, aren't visible in Office apps when you're using built-in labeling. This simplified experience reflects that there's no need to select a protection template, because the same settings are included with sensitivity labels that have encryption enabled.

If you need to convert existing protection templates to labels, use the Azure portal and the following instructions: To convert templates to labels.

Information Rights Management (IRM) options and sensitivity labels

Sensitivity labels that you configure to apply encryption remove the complexity from users to specify their own encryption settings. In many Office apps, these individual encryption settings can still be manually configured by users by using Information Rights Management (IRM) options. For example, for Windows apps:

  • For a document: File > Info > Protect Document > Restrict Access
  • For an email: From the Options tab > Encrypt

When users initially label a document or email, they can always override your label configuration settings with their own encryption settings. For example:

  • A user applies the Confidential \ All Employees label to a document and this label is configured to apply encryption settings for all users in the organization. This user then manually configures the IRM settings to restrict access to a user outside your organization. The end result is a document that's labeled Confidential \ All Employees and encrypted, but users in your organization can't open it as expected.

  • A user applies the Confidential \ Recipients Only label to an email and this email is configured to apply the encryption setting of Do Not Forward. This user then manually configures the IRM settings so that the email is unrestricted. The end result is the email can be forwarded by recipients, despite having the Confidential \ Recipients Only label.

  • A user applies the General label to a document, and this label isn't configured to apply encryption. This user then manually configures the IRM settings to restrict access to the document. The end result is a document that's labeled General but that also applies encryption so that some users can't open it as expected.

If the document or email is already labeled, a user can do any of these actions if the content isn't already encrypted, or they have the usage right Export or Full Control.

For a more consistent label experience with meaningful reporting, provide appropriate labels and guidance for users to apply only labels to protect documents. For example:

  • For exception cases where users must assign their own permissions, provide labels that let users assign their own permissions.

  • Instead of users manually removing encryption after selecting a label that applies encryption, provide a sublabel alternative when users need a label with the same classification, but no encryption. Such as:

    • Confidential \ All Employees
    • Confidential \ Anyone (no encryption)

Note

If users manually remove encryption from a labeled document that's stored in SharePoint or OneDrive and you've enabled sensitivity labels for Office files in SharePoint and OneDrive, the label encryption will be automatically restored the next time the document is accessed or downloaded.

Apply sensitivity labels to files, emails, and attachments

Users can apply just one label at a time for each document or email.

When you label an email message that has attachments, the attachments don't inherit the label with one exception:

  • The attachment is an Office document with a label that doesn't apply encryption, and the label you apply to the email message applies encryption. In this case, the emailed Office document inherits the email's label with its encryption settings.

Otherwise:

  • If the attachments have a label, they keep their originally applied label.
  • If the attachments are encrypted without a label, the encryption remains but they aren't labeled.
  • If the attachments don't have a label, they remain unlabeled.

Sensitivity label compatibility

With RMS-enlightened apps: If you open a labeled and encrypted document or email in an RMS-enlightened application that doesn't support sensitivity labels, the app still enforces encryption and rights management.

With the Azure Information Protection client: You can view and change sensitivity labels that you apply to documents and emails with the Office built-in labeling client by using the Azure Information Protection client, and the other way around.

With other versions of Office: Any authorized user can open labeled documents and emails in other versions of Office. However, you can only view or change the label in supported Office versions or by using the Azure Information Protection client. Supported Office app versions are listed in the previous section.

Support for SharePoint and OneDrive files protected by sensitivity labels

To use the Office built-in labeling client with Office on the web for documents in SharePoint or OneDrive, make sure you've enabled sensitivity labels for Office files in SharePoint and OneDrive.

Support for external users and labeled content

When you label a document or email, the label is stored as metadata that includes your tenant and a label GUID. When a labeled document or email is opened by an Office app that supports sensitivity labels, this metadata is read and only if the user belongs to the same tenant, the label displays in their app. For example, for built-in labeling for Word, PowerPoint, and Excel, the label name displays on the status bar.

This means that if you share documents with another organization that uses different label names, each organization can apply and see their own label applied to the document. However, the following elements from an applied label are visible to users outside your organization:

  • Content markings. When a label applies a header, footer, or watermark, these are added directly to the content and remain visible until somebody modifies or deletes them.

  • The name and description of the underlying protection template from a label that applied encryption. This information displays in a message bar at the top of the document, to provide information about who is authorized to open the document, and their usage rights for that document.

Sharing encrypted documents with external users

In addition to restricting access to users in your own organization, you can extend access to any other user who has an account in Azure Active Directory. All Office apps and other RMS-enlightened applications can open encrypted documents after the user has successfully authenticated.

If external users do not have an account in Azure Active Directory, you can create a guest account for them in your tenant. For their email address, you can specify any email address that they already use, for example their Gmail address. This guest account can also be used to access a shared document in SharePoint or OneDrive when you have enabled sensitivity labels for Office files in SharePoint and OneDrive.

External users can also use a Microsoft account for encrypted documents when they use Microsoft 365 Apps (formerly Office 365 apps) on Windows, and newly supported on macOS (version 16.42+), Android (version 16.0.13029+), and iOS (version 2.42+). For example, somebody shares an encrypted document with them, and the encryption settings specify their Gmail email address. This user can create their own Microsoft account that uses their Gmail email address. Then, after signing in with this account, they can open the document and edit it, according to the usage restrictions specified for that user. For a walkthrough example of this scenario, see Opening and editing the protected document.

Note

The email address for the Microsoft account must match the email address that's specified to restrict access for the encryption settings.

When a user with a Microsoft account opens an encrypted document in this way, it automatically creates a guest account for the tenant if a guest account with the same name doesn't already exist. When the guest account exists, it can then be used to open documents in SharePoint and OneDrive by using a browser (Office on the web), in addition to opening encrypted documents from the Windows desktop app.

However, the automatic guest account is not created immediately because of replication latency. If you specify personal email addresses as part of your label encryption settings, we recommend that you create corresponding guest accounts in Azure Active Directory. Then let these users know that they must use this account to open an encrypted document from your organization.

Tip

Because you can't be sure that external users will be using a supported Office client app, sharing links from SharePoint and OneDrive after creating guest accounts is a more reliable method to support secure collaboration with external users.

When Office apps apply content marking and encryption

Office apps apply content marking and encryption with a sensitivity label differently, depending on the app you use.

| App | Content marking | Encryption |
|---|---|---|
| Word, Excel, PowerPoint on all platforms | Immediately | Immediately |
| Outlook for PC and Mac | After Exchange Online sends the email | Immediately |
| Outlook on the web, iOS, and Android | After Exchange Online sends the email | After Exchange Online sends the email |

Solutions that apply sensitivity labels to files outside Office apps do so by applying labeling metadata to the file. In this scenario, content marking from the label's configuration isn't inserted into the file but encryption is applied.

When those files are opened in an Office desktop app, the content markings are automatically applied by the Azure Information Protection unified labeling client. The content markings are not automatically applied when you use built-in labeling for desktop, mobile, or web apps.

Scenarios that include applying a sensitivity label outside Office apps include:

  • The scanner, File Explorer, and PowerShell from the Azure Information Protection unified labeling client

  • Auto-labeling policies for SharePoint and OneDrive

  • Exported labeled and encrypted data from Power BI

  • Microsoft Cloud App Security

For these scenarios, using their Office apps, a user with built-in labeling can apply the label's content markings by temporarily removing or replacing the current label and then reapplying the original label.

Dynamic markings with variables

Important

Currently, not all apps on all platforms support dynamic content markings that you can specify for your headers, footers, and watermarks. For apps that don't support this capability, they apply the markings as the original text specified in the label configuration, rather than resolving the variables.

The Azure Information Protection unified labeling client supports dynamic markings. For labeling built in to Office, see the tables in the capabilities section on this page.

When you configure a sensitivity label for content markings, you can use the following variables in the text string for your header, footer, or watermark:

| Variable | Description | Example when label applied |
|---|---|---|
| ${Item.Label} | Current label display name | General |
| ${Item.Name} | Current file name or email subject | Sales.docx |
| ${Item.Location} | Current path and file name of the document, or the email subject for an email | \\Sales\2020\Q3\Report.docx |
| ${User.Name} | Current user display name | Richard Simone |
| ${User.PrincipalName} | Current user Azure AD user principal name (UPN) | rsimone@contoso.com |
| ${Event.DateTime} | Current date and time for the local time zone | 8/10/2020 1:30 PM |

Note

The syntax for these variables is case-sensitive.

Setting different visual markings for Word, Excel, PowerPoint, and Outlook

As an additional variable, you can configure visual markings per Office application type by using an "If.App" variable statement in the text string, and identify the application type by using the values Word, Excel, PowerPoint, or Outlook. You can also abbreviate these values, which is necessary if you want to specify more than one in the same If.App statement.

Note

For completeness, instructions for Outlook are included, although currently supported only by the Azure Information Protection unified labeling client.

Use the following syntax:

${If.App.<application type>}<your visual markings text> ${If.End}

As with the other dynamic visual markings, the syntax is case-sensitive.

Examples:

  • Set header text for Word documents only:

    ${If.App.Word}This Word document is sensitive ${If.End}

    In Word document headers only, the label applies the header text "This Word document is sensitive". No header text is applied to other Office applications.

  • Set footer text for Word, Excel, and Outlook, and different footer text for PowerPoint:

    ${If.App.WXO}This content is confidential. ${If.End}${If.App.PowerPoint}This presentation is confidential. ${If.End}

    In Word, Excel, and Outlook, the label applies the footer text "This content is confidential." In PowerPoint, the label applies the footer text "This presentation is confidential."

  • Set specific watermark text for Word and PowerPoint, and then watermark text for Word, Excel, and PowerPoint:

    ${If.App.WP}This content is ${If.End}Confidential

    In Word and PowerPoint, the label applies the watermark text "This content is Confidential". In Excel, the label applies the watermark text "Confidential". In Outlook, the label doesn't apply any watermark text because watermarks as visual markings are not supported for Outlook.
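
Because the variable and If.App syntax is case-sensitive and content markings stay visible to external users, it helps to check a marking string before publishing the label. The following Python sketch is an added example, not Microsoft's code: it lints a marking string and previews the text each app would show. The function names (apps_for, lint, render) are hypothetical, the one-letter abbreviations are inferred from the WXO and WP examples above, and leaving unknown variables as raw text and trimming outer whitespace are assumptions.

```python
import re

# Variables from the table on this page; the syntax is case-sensitive.
KNOWN_VARIABLES = {
    "Item.Label", "Item.Name", "Item.Location",
    "User.Name", "User.PrincipalName", "Event.DateTime",
}
# One-letter abbreviations as seen in the page's examples
# (WXO = Word, Excel, Outlook; WP = Word, PowerPoint).
APP_LETTERS = {"W": "Word", "X": "Excel", "P": "PowerPoint", "O": "Outlook"}
TOKEN = re.compile(r"\$\{([^}]*)\}")


def apps_for(selector):
    """Apps selected by ${If.App.<selector>}, or None if it is not valid."""
    if selector in APP_LETTERS.values():
        return {selector}
    if selector and all(ch in APP_LETTERS for ch in selector):
        return {APP_LETTERS[ch] for ch in selector}
    return None


def lint(marking):
    """Return a list of problems found in a marking string."""
    problems, block_open = [], False
    for match in TOKEN.finditer(marking):
        name = match.group(1)
        if name.startswith("If.App."):
            if block_open:
                # Assumption: blocks are not nested; the page shows none.
                problems.append(f"{match.group(0)} opened before ${{If.End}}")
            if apps_for(name[len("If.App."):]) is None:
                problems.append(f"unknown application in {match.group(0)}")
            block_open = True
        elif name == "If.End":
            if not block_open:
                problems.append("${If.End} without a preceding ${If.App...}")
            block_open = False
        elif name not in KNOWN_VARIABLES:
            problems.append(f"unknown variable {match.group(0)} (check case)")
    if block_open:
        problems.append("missing ${If.End}")
    return problems


def render(marking, app, values, kind="header"):
    """Preview the text one app would show for a header, footer or watermark."""
    if kind == "watermark" and app == "Outlook":
        return ""  # per the page, watermarks are not supported for Outlook
    out, pos, include = [], 0, True
    for match in TOKEN.finditer(marking):
        if include:
            out.append(marking[pos:match.start()])
        pos, name = match.end(), match.group(1)
        if name.startswith("If.App."):
            apps = apps_for(name[len("If.App."):])
            include = apps is not None and app in apps
        elif name == "If.End":
            include = True
        elif include:
            # Assumption: an unknown or unsupplied variable stays as raw text.
            known = name in KNOWN_VARIABLES
            out.append(values.get(name, match.group(0)) if known else match.group(0))
    if include:
        out.append(marking[pos:])
    # Assumption: surrounding whitespace is trimmed for the preview.
    return "".join(out).strip()


if __name__ == "__main__":
    # Constructed sample: a footer mixing a variable with per-app text.
    footer = "${If.App.WXO}${Item.Label}: internal. ${If.End}${If.App.PowerPoint}Deck: ${Item.Label} ${If.End}"
    sample = {"Item.Label": "General"}
    print(lint(footer) or "no problems")
    for app in ("Word", "Excel", "PowerPoint", "Outlook"):
        print(app, "->", repr(render(footer, app, sample, kind="footer")))
    print(lint("${item.label} ${If.App.word}x"))
```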

End-user documentation