Set up Azure Rights Management for the previous version of Message Encryption

This topic describes the steps you need to follow to activate and then set up Azure Rights Management (RMS), part of Azure Information Protection, for use with the previous version of Office 365 Message Encryption (OME).

This article only applies to the previous version of OME

If you haven't yet moved your organization to the new OME capabilities but have already deployed OME, the information in this article applies to your organization. Microsoft recommends that you make a plan to move to the new OME capabilities as soon as it is reasonable for your organization. For instructions, see Set up new Office 365 Message Encryption capabilities. If you want to find out more about how the new capabilities work first, see Office 365 Message Encryption. The rest of this article describes OME behavior before the release of the new OME capabilities.

Prerequisites for using the previous version of Office 365 Message Encryption

Office 365 Message Encryption (OME), including IRM, depends on Azure Rights Management (Azure RMS). Azure RMS is the protection technology used by Azure Information Protection. To use OME, your organization must have an Exchange Online or Exchange Online Protection subscription that, in turn, includes an Azure Rights Management subscription.

  • If you're not sure what your subscription includes, see the Exchange Online service descriptions for Message Policy, Recovery, and Compliance.

  • If you have Azure Rights Management but it's not set up for Exchange Online or Exchange Online Protection, this article explains how to activate Azure Rights Management and then describes the best way to set up OME to work with Azure Rights Management.

  • If you've already set up OME to work with Azure Rights Management for Exchange Online or Exchange Online Protection, then depending on how you set it up, you may be ready to start using OME and its new capabilities right away. This article explains how to determine whether you've set OME up correctly, what to do if you need to change your setup, and what happens if you choose not to change it. For example, to use the new capabilities you must use Azure RMS with OME; you can't use the new capabilities with an on-premises Active Directory RMS.
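As an added example (not part of the original article), the following PowerShell reads the tenant's current IRM configuration to tell the three situations above apart before you change anything. It assumes the ExchangeOnlineManagement module and an admin account supplied in $env:OME_ADMIN_UPN, both placeholders. The Azure RMS check keys off the aadrm.com licensing URL that Get-IRMConfiguration reports once an Azure TPD has been imported; an AD RMS TPD reports your on-premises licensing URL instead.

```powershell
# Added example: classify the tenant's current OME/IRM state.
# Assumptions: ExchangeOnlineManagement module installed; $env:OME_ADMIN_UPN holds
# an account with an Exchange Online admin role (placeholder, not from the article).
Connect-ExchangeOnline -UserPrincipalName $env:OME_ADMIN_UPN

$irm  = Get-IRMConfiguration
$tpds = @(Get-RMSTrustedPublishingDomain)

# Azure RMS licensing endpoints live under aadrm.com; anything else is AD RMS.
$azureLicensingUrls = @($irm.LicensingLocation | Where-Object { "$_" -match '\.aadrm\.com' })

if ($tpds.Count -eq 0) {
    'No trusted publishing domain imported: OME is not set up yet; run the import procedure in this article.'
}
elseif ($azureLicensingUrls.Count -eq 0) {
    'TPD present but licensed by AD RMS, not Azure RMS: existing OME rules keep working, but the new OME capabilities need a migration to Azure Information Protection.'
}
elseif (-not $irm.InternalLicensingEnabled) {
    'Azure RMS TPD imported but InternalLicensingEnabled is False: IRM is not enabled for the organization yet.'
}
else {
    'OME is set up against Azure RMS; run Test-IRMConfiguration -RMSOnline to confirm the TPD is still valid.'
}

# Show the settings the decision was based on.
$irm  | Format-List InternalLicensingEnabled, ClientAccessServerEnabled, RMSOnlineKeySharingLocation, LicensingLocation
$tpds | Format-Table Name, Default

Disconnect-ExchangeOnline -Confirm:$false
```

The script only reads configuration, so it is safe to run repeatedly; the same properties are what you would compare before and after the setup steps later in this article.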

Activate Azure Rights Management for the previous version of OME in Office 365

You need to activate Azure Rights Management so that the users in your organization can apply information protection to messages that they send, and open messages and files that have been protected by the Azure Rights Management service. For instructions, see Activating Azure Rights Management. Once you've completed the activation, return here and continue with the tasks in this article.

Set up the previous version of OME to use Azure RMS by importing trusted publishing domains (TPDs)

A TPD is an XML file that contains information about your organization's rights management settings. For example, the TPD contains information about the server licensor certificate (SLC) used for signing and encrypting certificates and licenses, the URLs used for licensing and publishing, and so on. You import the TPD into your organization by using Windows PowerShell.

Important

Previously, you could choose to import TPDs from Active Directory Rights Management Services (AD RMS) into your organization. However, doing so prevents you from using the new OME capabilities and is not recommended. If your organization is currently configured this way, Microsoft recommends that you create a plan to migrate from your on-premises Active Directory RMS to cloud-based Azure Information Protection. For more information, see Migrating from AD RMS to Azure Information Protection. You will not be able to use the new OME capabilities until you have completed the migration to Azure Information Protection.

To import TPDs from Azure RMS

  1. Connect to Exchange Online using remote PowerShell.

  2. Choose the key-sharing URL that corresponds to your organization's geographic location:

     Location                                                Key-sharing location URL
     North America                                           https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
     European Union                                          https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
     Asia                                                    https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
     South America                                           https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
     Office 365 for Government (Government Community Cloud)  https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

     The Government key-sharing location is reserved for customers who have purchased Office 365 for Government SKUs.
  3. Configure the key-sharing location by running the Set-IRMConfiguration cmdlet as follows:

    Set-IRMConfiguration -RMSOnlineKeySharingLocation "<RMSKeySharingURL>"
    

    For example, to configure the key-sharing location if your organization is located in North America:

    Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
    
  4. Run the Import-RMSTrustedPublishingDomain cmdlet with the -RMSOnline switch to import the TPD from Azure Rights Management:

    Import-RMSTrustedPublishingDomain -RMSOnline -Name "<TPDName>"
    

    Where TPDName is the name you want to use for the TPD, for example "Contoso North American TPD".

  5. To verify that you successfully configured your organization to use the Azure Rights Management service, run the Test-IRMConfiguration cmdlet with the -RMSOnline switch as follows:

    Test-IRMConfiguration -RMSOnline
    

    Among other things, this cmdlet checks connectivity with the Azure Rights Management service, downloads the TPD, and checks its validity.

  6. Run the Set-IRMConfiguration cmdlet as follows to stop Azure Rights Management templates from being offered in Outlook on the web and Outlook:

    Set-IRMConfiguration -ClientAccessServerEnabled $false
    
  7. Run the Set-IRMConfiguration cmdlet as follows to enable Azure Rights Management for your cloud-based email organization and configure it to use Azure Rights Management for Office 365 Message Encryption:

    Set-IRMConfiguration -InternalLicensingEnabled $true
    
  8. To verify that you have successfully imported the TPD and enabled Azure Rights Management, use the Test-IRMConfiguration cmdlet to test Azure Rights Management functionality. For details, see "Example 1" in Test-IRMConfiguration.
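The procedure above, collected into one script as an added example (this is not code from the original article). It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) in place of the older remote PowerShell session, an admin account in $env:OME_ADMIN_UPN, and illustrative values for $Region, $TpdName and $TestSender. The only other assumption is that Test-IRMConfiguration reports its outcome in a Results property ending in "OVERALL RESULT: PASS", which is what the cmdlet returns in current Exchange Online; the script refuses to enable IRM for the organization until that check passes, so a bad key-sharing URL or an invalid TPD is caught before users are affected.

```powershell
# Added example: the TPD import procedure as one idempotent script.
# Assumptions (not from the article): ExchangeOnlineManagement module installed,
# $env:OME_ADMIN_UPN holds an Exchange Online admin account, parameter values are placeholders.
param(
    [ValidateSet('NA', 'EU', 'AP', 'SA', 'GovUS')]
    [string]$Region     = 'NA',
    [string]$TpdName    = 'Contoso North American TPD',
    [string]$TestSender = 'user@contoso.com'   # any licensed mailbox in the tenant
)

# Key-sharing URLs from the table in this article, keyed by region.
$keySharing = @{
    NA    = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    EU    = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    AP    = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
    SA    = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
    GovUS = 'https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc'  # Office 365 for Government SKUs only
}

# Step 1: connect.
Connect-ExchangeOnline -UserPrincipalName $env:OME_ADMIN_UPN

# Steps 2 and 3: point the tenant at the regional key-sharing location.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharing[$Region]

# Step 4: import the TPD from Azure RMS, unless one with this name already exists.
if (-not (Get-RMSTrustedPublishingDomain | Where-Object Name -eq $TpdName)) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name $TpdName
}

# Step 5: check connectivity and TPD validity before enabling anything.
# Assumption: the cmdlet's Results text ends with "OVERALL RESULT: PASS" on success.
$online = Test-IRMConfiguration -RMSOnline
if (-not ($online.Results -match 'OVERALL RESULT: PASS')) {
    Disconnect-ExchangeOnline -Confirm:$false
    throw "Azure RMS connectivity/TPD check failed; IRM left disabled.`n$($online.Results)"
}

# Step 6: keep Azure RMS templates out of Outlook and Outlook on the web.
Set-IRMConfiguration -ClientAccessServerEnabled $false

# Step 7: enable IRM for the organization (this is what makes OME use Azure RMS).
Set-IRMConfiguration -InternalLicensingEnabled $true

# Step 8: end-to-end check for a real sender, as in "Example 1" of Test-IRMConfiguration.
Test-IRMConfiguration -Sender $TestSender

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Set-OmeAzureRms.ps1 -Region EU -TpdName 'Contoso EU TPD' -TestSender someone@contoso.com` (file name is illustrative). Re-running is harmless: the key-sharing URL and the two Set-IRMConfiguration switches are simply reasserted, and the TPD is imported only once.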

I have the previous version of OME set up with Active Directory Rights Management, not Azure Information Protection. What do I do?

You can continue to use your existing Office 365 Message Encryption mail flow rules with Active Directory Rights Management, but you can't configure or use the new OME capabilities. Instead, you need to migrate to Azure Information Protection. For information about migration and what it means for your organization, see Migrating from AD RMS to Azure Information Protection.

Next steps

Once you've completed Azure Rights Management setup, if you want to enable the new OME capabilities, see Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection.

After you've set up your organization to use the new OME capabilities, you're ready to define mail flow rules to protect email messages with the new OME capabilities.

Encryption in Office 365

Technical reference details about encryption in Office 365

What is Azure Rights Management?