Set up new Message Encryption capabilities

The new Office 365 Message Encryption (OME) capabilities allow organizations to share protected email with anyone on any device. Users can exchange protected messages with other Microsoft 365 organizations, as well as non-customers using Outlook.com, Gmail, and other email services.

Follow the steps below to ensure that the new OME capabilities are available in your organization.

Verify that Azure Rights Management is active

The new OME capabilities leverage the protection features in Azure Rights Management Services (Azure RMS), the technology used by Azure Information Protection to protect emails and documents via encryption and access controls.

The only prerequisite for using the new OME capabilities is that Azure Rights Management must be activated in your organization's tenant. If it is, Microsoft 365 activates the new OME capabilities automatically and you don't need to do anything.

Azure RMS is also activated automatically for most eligible plans, so you probably don't have to do anything in this regard either. See Activating Azure Rights Management for more information.

Important

If you use Active Directory Rights Management service (AD RMS) with Exchange Online, you need to migrate to Azure Information Protection before you can use the new OME capabilities. OME is not compatible with AD RMS.

For more information, see:

Manually activating Azure Rights Management

If you disabled Azure RMS, or if it was not automatically activated for any reason, you can activate it manually in the:

Configure management of your Azure Information Protection tenant key

This is an optional step. Allowing Microsoft to manage the root key for Azure Information Protection is the default setting and the recommended best practice for most organizations. If this is the case, you don't need to do anything.

There are many reasons, for example compliance requirements, that may necessitate generating and managing your own root key (also known as bring your own key (BYOK)). If this is the case, we recommend that you complete the required steps before setting up the new OME capabilities. See Planning and implementing your Azure Information Protection tenant key for more information.

Verify new OME configuration in Exchange Online PowerShell

You can verify that your Microsoft 365 tenant is properly configured to use the new OME capabilities in Exchange Online PowerShell.

  1. Connect to Exchange Online PowerShell using an account with global administrator permissions in your Microsoft 365 tenant.

  2. Run the Get-IRMConfiguration cmdlet.

    You should see a value of $True for the AzureRMSLicensingEnabled parameter, which indicates that OME is configured in your tenant. If it is not, use Set-IRMConfiguration to set the value of AzureRMSLicensingEnabled to $True to enable OME.

  3. Run the Test-IRMConfiguration cmdlet using the following syntax:

    Test-IRMConfiguration [-Sender <email address>]
    

    Example:

    Test-IRMConfiguration -Sender securityadmin@contoso.com

    • Providing a sender email is optional, but forces the system to perform additional checks. Use the email address of any user in your Microsoft 365 tenant.

    Your results should be similar to:

    Results : Acquiring RMS Templates ...
               - PASS: RMS Templates acquired.  Templates available: Contoso  - Confidential View Only, Contoso  - Confidential, Do Not
           Forward.
           Verifying encryption ...
               - PASS: Encryption verified successfully.
           Verifying decryption ...
               - PASS: Decryption verified successfully.
           Verifying IRM is enabled ...
               - PASS: IRM verified successfully.
    
           OVERALL RESULT: PASS
    
  4. Run the Remove-PSSession cmdlet to disconnect from the Rights Management service.

    Remove-PSSession $session
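
The following function is an added example and is not part of the original page or Microsoft's documentation. It strings steps 2 through 4 together into one repeatable check: it reads Get-IRMConfiguration, optionally enables AzureRMSLicensingEnabled when it is $False, runs Test-IRMConfiguration with a sender address so the extra checks are performed, and reports whether the result line reads OVERALL RESULT: PASS. It assumes you have already connected to Exchange Online PowerShell (step 1), that Test-IRMConfiguration returns an object whose Results property carries the text shown above, and that $session holds your remote session as in step 4; securityadmin@contoso.com is the page's placeholder address.

```powershell
# Added example (not from the original page): verify, and optionally enable, the new OME
# configuration in an existing Exchange Online PowerShell session.
function Test-NewOmeReadiness {
    param(
        # Any mailbox in your tenant; forces Test-IRMConfiguration to run its additional checks.
        [Parameter(Mandatory)] [string] $Sender,
        # When set, flip AzureRMSLicensingEnabled to $true if it is currently $false.
        [switch] $Fix
    )

    # Step 2: AzureRMSLicensingEnabled must be $True for OME to be configured.
    $irm = Get-IRMConfiguration
    if (-not $irm.AzureRMSLicensingEnabled) {
        if ($Fix) {
            Write-Host 'AzureRMSLicensingEnabled is False; enabling it with Set-IRMConfiguration.'
            Set-IRMConfiguration -AzureRMSLicensingEnabled $true
        } else {
            Write-Warning 'AzureRMSLicensingEnabled is False. Re-run with -Fix, or run Set-IRMConfiguration -AzureRMSLicensingEnabled $true.'
            return $false
        }
    }

    # Step 3: run the end-to-end test (template acquisition, encrypt, decrypt, IRM enabled).
    $test = Test-IRMConfiguration -Sender $Sender
    # Assumption: the Results property holds the multi-line report shown in the sample output.
    $report = ($test.Results -join "`n")

    # Surface any individual check that did not pass, so the failing stage is visible.
    $report -split "`n" | Where-Object { $_ -match 'FAIL|WARN' } | ForEach-Object { Write-Warning $_ }

    return ($report -match 'OVERALL RESULT:\s*PASS')
}

# Usage (constructed; securityadmin@contoso.com is the page's placeholder address):
# $ready = Test-NewOmeReadiness -Sender securityadmin@contoso.com -Fix
# if (-not $ready) { Write-Error 'Tenant is not ready for the new OME capabilities.' }
# Remove-PSSession $session   # step 4: disconnect when finished
```

Running without -Fix keeps the function read-only, which is the mode to use when auditing a tenant you do not intend to change; the warnings show which stage of Test-IRMConfiguration failed rather than only the overall verdict.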
    

Next steps: Define mail flow rules to use new OME capabilities

If there are previously configured mail flow rules to encrypt email in your organization, you need to update the existing rules to use the new OME capabilities. For new deployments, you need to create new mail flow rules.

Important

If you do not update existing mail flow rules, your users will continue to receive encrypted mail that uses the previous HTML attachment format, instead of the new seamless OME experience.

Mail flow rules determine under what conditions email messages should be encrypted, as well as the conditions for removing that encryption. When you set an action for a rule, any messages that match the rule conditions are encrypted when they're sent.

For steps on creating mail flow rules for OME, see Define mail flow rules to encrypt email messages in Office 365.

To update existing rules to use the new OME capabilities:

  1. In the Microsoft 365 admin center, go to Admin centers > Exchange.
  2. In the Exchange admin center, go to Mail flow > Rules.
  3. For each rule, under Do the following:
    • Select Modify the message security.
    • Select Apply Office 365 Message Encryption and rights protection.
    • Select an RMS template from the list.
    • Select Save.
    • Select OK.
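
The admin-center steps above are done rule by rule. As an added example that is not from the original page or from Microsoft, the function below performs the same update in Exchange Online PowerShell for every rule at once: it finds mail flow rules that still carry the legacy Apply Office 365 Message Encryption action, confirms the chosen RMS template exists, and rewrites each rule to the Apply Office 365 Message Encryption and rights protection action with that template. It assumes an existing Exchange Online PowerShell connection, the Get-TransportRule, Set-TransportRule and Get-RMSTemplate cmdlets with their ApplyOME and ApplyRightsProtectionTemplate parameters, and a template named Encrypt, which is an assumed placeholder; substitute a template name from your own tenant.

```powershell
# Added example (not from the original page): move legacy OME mail flow rules to the new
# OME action (rights protection template) in bulk.
function Update-LegacyOmeRules {
    param(
        # Assumed placeholder template name; choose one listed by Get-RMSTemplate in your tenant.
        [string] $TemplateName = 'Encrypt',
        # When set, only report which rules would change.
        [switch] $ReportOnly
    )

    # Refuse to touch any rule if the template does not exist; a typo here would silently
    # leave rules pointing at nothing.
    $template = Get-RMSTemplate | Where-Object { $_.Name -eq $TemplateName }
    if (-not $template) {
        $available = (Get-RMSTemplate | ForEach-Object { $_.Name }) -join ', '
        throw "RMS template '$TemplateName' not found. Available templates: $available"
    }

    # Rules using the legacy HTML-attachment action have ApplyOME set to $true.
    $legacy = @(Get-TransportRule | Where-Object { $_.ApplyOME -eq $true })
    if ($legacy.Count -eq 0) {
        Write-Host 'No mail flow rules use the legacy OME action.'
        return @()
    }

    foreach ($rule in $legacy) {
        Write-Host "Rule '$($rule.Name)': legacy OME -> template '$TemplateName'"
        if (-not $ReportOnly) {
            # Clear the old action and set the new one in a single change to the rule.
            Set-TransportRule -Identity $rule.Identity `
                -ApplyOME $false `
                -ApplyRightsProtectionTemplate $TemplateName
        }
    }

    # Return the names of the rules that were (or would be) updated, for change records.
    return $legacy | ForEach-Object { $_.Name }
}

# Usage (constructed):
# Update-LegacyOmeRules -ReportOnly                 # list affected rules, change nothing
# Update-LegacyOmeRules -TemplateName 'Encrypt'     # apply the new OME action
```

Run it with -ReportOnly first and keep the returned rule names with your change record; if a rule is missed, its recipients keep getting the HTML attachment format described in the Important note above, which is the symptom to watch for after the change.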