Microsoft 365 licensing guidance for security & compliance

For the purposes of this article, a tenant-level service is an online service that—when purchased for any user in the tenant (standalone or as part of Office 365 or Microsoft 365 plans)—is activated in part or in full for all users in the tenant. Although some unlicensed users may technically be able to access the service, a license is required for any user that you intend to benefit from the service.

Note

Some tenant services are not currently capable of limiting benefits to specific users. Efforts should be taken to limit the service benefits to licensed users. This will help avoid potential service disruption to your organization once targeting capabilities are available.

To see the options for licensing your users to benefit from Microsoft 365 compliance features as of April 1, 2020, download the Detailed Microsoft 365 Compliance Licensing Comparison. (PDF) | (Excel)

Azure Active Directory Identity Protection

Azure Active Directory Identity Protection is a feature of the Azure Active Directory Premium P2 plan that lets you detect potential vulnerabilities affecting your organization's identities, configure automated responses to detected suspicious actions that are related to your organization's identities, and investigate suspicious incidents and take appropriate action to resolve them.

How do users benefit from the service?

SecOps analysts and security professionals benefit from having consolidated views of flagged users and risk events based on machine learning algorithms. End users benefit from the automatic protection provided through risk-based Conditional Access and the improved security provided by acting on vulnerabilities.

Which licenses provide the rights for a user to benefit from the service?

Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Security, and Azure Active Directory Premium Plan 2 provide the rights for a user to benefit from Azure Active Directory Identity Protection.

How is the service provisioned/deployed?

By default, Azure AD Identity Protection features are enabled at the tenant level for all users within the tenant. For information about Azure AD Identity Protection, see What is Azure Active Directory Identity Protection?

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope Azure AD Identity Protection by assigning risk policies that define the level for password resets and allowing access for licensed users only. For instructions on how to scope Azure AD Identity Protection deployments, see Configure the sign-in risk policy.

Azure Advanced Threat Protection

Azure Advanced Threat Protection (ATP) is a cloud service that helps protect enterprise hybrid environments from multiple types of advanced targeted cyber-attacks and insider threats.

How do users benefit from the service?

SecOp analysts and security professionals benefit from the ability of Azure ATP to detect and investigate advanced threats, compromised identities, and malicious insider actions. End users benefit by having their data monitored by Azure ATP.

Which licenses provide the rights for a user to benefit from the service?

Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Security, and Azure Advanced Threat Protection for Users provide the rights to benefit from Azure ATP.

How is the service provisioned/deployed?

By default, Azure ATP features are enabled at the tenant level for all users within the tenant. For information on configuring Azure ATP, see Create your Azure ATP instance.

How can the service be applied only to users in the tenant who are licensed for the service?

Azure ATP services are not currently capable of limiting capabilities to specific users. You must license every user you intend to benefit.

Office 365 Advanced Threat Protection

Advanced Threat Protection (ATP) helps protect organizations against sophisticated attacks such as phishing and zero-day malware. ATP also provides actionable insights by correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address potential threats.

How do users benefit from the service?

ATP protects users from sophisticated attacks such as phishing and zero-day malware. For the full list of services provided in Plan 1 and Plan 2, see Office 365 Advanced Threat Protection.

Which licenses provide the rights for a user to benefit from the service?

Office 365 Advanced Threat Protection, Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Security, Microsoft 365 Business Premium, and Office 365 ATP Plans 1 and 2 provide the rights for a user to benefit from Advanced Threat Protection.

How is the service provisioned/deployed?

By default, ATP features are enabled at the tenant level for all users within the tenant. For information on configuring ATP policies for licensed users, see Office 365 Advanced Threat Protection.

How can the service be applied only to users in the tenant who are licensed for the service?

To scope ATP, follow the Safe Links and Safe Attachments deployment policies:

Office 365 Cloud App Security

Office 365 Cloud App Security (OCAS) is a subset of Microsoft Cloud App Security, with features limited to Office 365 and without additional security for third-party cloud apps and IaaS services.

OCAS gives organizations visibility into their productivity cloud apps and services, provides sophisticated analytics to identify and combat cyber threats, and lets them control how data travels—across Office 365.

To compare features, see Differences between Microsoft Cloud App Security and Office 365 Cloud App Security.

How do users benefit from the service?

OCAS discovers Shadow IT, provides threat protection across Office 365, and can control which apps have permission to access data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5/G5 provides the rights for a user to benefit from OCAS. For more information, see the Microsoft Cloud App Security Licensing Datasheet.

How is the service provisioned/deployed?

By default, OCAS features are enabled at the tenant level for all users within the tenant.

For information on configuring the service, see Basic setup for Cloud App Security.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope OCAS deployments to enforce how certain apps are accessed and limit user groups monitored by Office 365 Cloud App Security. For more information, see Scoped deployment.

Microsoft Cloud App Security

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) solution that gives organizations visibility into their cloud apps and services, provides sophisticated analytics to identify and combat cyber threats, and lets them control how data travels—across any cloud app.

How do users benefit from the service?

MCAS discovers and assesses Shadow IT, provides threat protection across first- and third-party cloud apps, and protects information across first- and third-party cloud apps.

Which licenses provide the rights for a user to benefit from the service?

MCAS, Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Security, Microsoft 365 E5/A5/G5 Compliance, and Microsoft 365 Information Protection and Governance provide the rights for a user to benefit from MCAS.

Azure AD P1 provides the rights for a user to benefit from the Discovery capabilities in MCAS.

To benefit from the Conditional Access App Control capabilities in MCAS, users must also be licensed for Azure Active Directory P1, which is included in Enterprise Mobility + Security E3/A3/G3, Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E3/A3/G3, Microsoft 365 E5/A5/G5, and Microsoft 365 E5/A5/G5 Security.

To benefit from automatic labeling, users must be licensed for Azure Information Protection P2, which is included in Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, and Microsoft 365 Information Protection and Governance.

For more information, see the Microsoft Cloud App Security Licensing Datasheet.

How is the service provisioned/deployed?

By default, MCAS features are enabled at the tenant level for all users within the tenant.

For information on configuring Microsoft Cloud App Security policies for licensed users, see Microsoft Cloud App Security overview.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can scope MCAS deployments to licensed users by using the scoped deployment capabilities available in the service. For more information, see Scoped deployment.

Compliance Manager

Simplify compliance and reduce risk with Compliance Manager. Compliance Manager helps organizations meet requirements of regulations, standards, company policies, or other desired control frameworks.

How do users benefit from the service?

The following are the benefits to users from the Compliance Manager service:

  • Translates complicated regulations, standards, company policies, or other desired control frameworks into simple language
  • Provides access to a vast library of out-of-the-box assessments and custom assessments to meet unique compliance needs
  • Maps regulatory controls to recommended improvement actions
  • Provides step-by-step guidance on how to implement the solutions to meet regulatory requirements
  • Helps users prioritize actions that will have the highest impact on their organizational compliance by associating a score with each action

Which licenses provide the rights for a user to benefit from the service?

Customers with Office 365 E1/A1/E3/A3 and Microsoft 365 E3/A3 licenses will be able to access the Data Protection Baseline assessment. Customers with Office 365 E5/A5 and Microsoft 365 E5/A5 licenses will be able to access Data Protection Baseline, GDPR, NIST 800-53 and ISO 22701 out-of-the-box assessments. Premium assessments will be available for purchase to Office 365 E5/A5 and Microsoft 365 E5/A5 customers.

How is the service provisioned/deployed?

Compliance Manager is provisioned by default for your tenant. Admins set user permissions and assign roles so that non-admin users in your organization can start using Compliance Manager. For more information, see Documentation.

How can the service be applied only to users in the tenant who are licensed for the service?

Access to Compliance Manager is controlled by setting user permissions and assigning roles. For more information, see Documentation.

Microsoft Defender ATP

Microsoft Defender ATP is an endpoint security solution that includes risk-based vulnerability management and assessment; attack surface reduction capabilities; behavioral based and cloud-powered next generation protection; endpoint detection and response (EDR); automatic investigation and remediation; and managed hunting services. See the Microsoft Defender ATP page to learn more.

Which users benefit from the service?

Licensed users of Windows 10 Enterprise E5, Windows 10 Education A5, Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5, Microsoft 365 E5 Security, Microsoft 365 A5 (M365 A5) can benefit from Microsoft Defender ATP.

How do users benefit from the service?

SecOps analysts and security professionals benefit from endpoint security capabilities of Microsoft Defender ATP to do preventative protection, post-breach detection, automated investigation, and response to advanced threats. End users benefit by having malicious events monitored by Microsoft Defender ATP.

How is the service provisioned/deployed?

By default, Microsoft Defender ATP features are enabled at the tenant level for all users within the tenant. For information on deployment, see Deployment guide.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft Defender ATP administrators can utilize role-based access control (RBAC) to create roles and groups within the security operations team to grant appropriate access to the Microsoft Defender Security Center.

Information Protection

Information Protection helps organizations discover, classify, label, and protect sensitive documents and emails. Admins can define rules and conditions to apply labels automatically, users can apply labels manually, or a combination of the two can be used—where users are given recommendations on applying labels.

How do users benefit from the service?

Users benefit by having the ability to manually apply sensitivity labels to their content or by having their content automatically classified.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium, Enterprise Mobility + Security F3/E3/E5, Office 365 E5/A5/E3/A3/F3, AIP Plan 1, and AIP Plan 2 provide the rights for a user to benefit from manual sensitivity labeling.

Microsoft 365 E5/A5/G5/E3/A3/G3/F1/F3/Business Premium, Enterprise Mobility + Security F3/E3/E5, AIP Plan 1, and AIP Plan 2 provide the rights for a user to benefit from applying and viewing sensitivity labels in Power BI and to protect data when it's exported from Power BI to Excel, PowerPoint, or PDF.

Note

Power BI is included with Microsoft 365 E5/A5/G5; in all other plans, Power BI must be licensed separately.

Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2 provide the rights for a user to benefit from automatic sensitivity labeling.

For specific rights by license, see the detailed Microsoft 365 Compliance Licensing Comparison. (PDF) | (Excel) Does not include rights to automatic classification based on Machine Learning (trainable classifiers).

How is the service provisioned/deployed?

By default, information protection features are enabled at the tenant level for all users within the tenant. For information on configuring policies for licensed users, see Activating Azure Rights Management.

How can the service be applied only to users in the tenant who are licensed for the service?

Except when using the AIP scanner feature, policies can be scoped to specific groups or users and registries can be edited to prevent unlicensed users from running classification or labeling features. For instructions on how to scope AIP deployments, see Configuring the Azure Information Protection policy.

For the AIP scanner feature, Microsoft does not commit to providing file classification, labeling, or protection capabilities to users who are not licensed.

Information Governance

Information Governance helps organizations manage their risk through discovering, classifying, labeling, and governing their data. Information Governance lets organizations meet business and regulatory requirements as well as reduce their attack surface by providing retention and deletion capabilities across their Microsoft 365 and third-party data.

How do users benefit from the service?

Users benefit by being able to classify data for retention purposes to uphold specific policies and regulations.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 F3/Business Premium, Office 365 E1/A1/F3, and standalone Exchange plans provide the rights for a user to benefit from manually applying non-record retention labels to mailbox data.

Microsoft 365 F3/F1/Business Premium, Office 365 E1/A1/F3, and standalone SharePoint plans provide the rights for a user to benefit from manually applying non-record retention labels to files in SharePoint or OneDrive.

Microsoft 365 E5/A5/E3/A3/Business Premium, Office 365 E5/A5/E3/A3, Exchange Plan 2, and Exchange Online Archiving provide the rights for a user to benefit from a basic organization-wide or location-wide mailbox retention policy and/or to manually apply a non-record retention labeling to mailbox data.

Microsoft 365 E5/A5/E3/A3, Office 365 E5/A5/E3/A3, and SharePoint Plan 2 provide the rights for a user to benefit from a basic SharePoint or OneDrive retention policy and/or to manually apply a non-record retention label to files in SharePoint or OneDrive.

Microsoft 365 E5/A5/E3/A3 and Office 365 E5/A5/E3/A3 provide the rights for a user to benefit from a Teams retention policy.

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5/A5, and Office 365 Advanced Compliance provide the rights for a user to benefit from automatically applying retention labels or policies, applying default retention labels or policies, starting the retention period of a retention label based on a custom event, triggering a manual disposition review at the end of the label's retention period, importing third-party data through native data connectors, declaring a file a record, discovering labeled content, and monitoring labeling activity.

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance provide the rights for a user to benefit from automatically applying retention labels based on trainable classifiers.

For specific rights by license, see the detailed Microsoft 365 Compliance Licensing Comparison. (PDF) | (Excel)

How is the service provisioned/deployed?

By default, Information Governance features are enabled at the tenant level for all users within the tenant. For information on configuring Information Governance to apply autolabeling and policies for licensed users, see Manage Information Governance.

How can the service be applied only to users in the tenant who are licensed for the service?

Information Governance features can be applied to licensed users in specific locations (team sites, group sites, etc.). For information on configuring Information Governance to apply autolabeling and policies for licensed users, see Manage Information Governance.

Records Management

Records Management helps organizations meet their business and regulatory record-keeping obligations through discovering, classifying, labeling, retention, and defensible deletion capabilities across their Microsoft 365 and third-party data.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5/A5, Office 365 Advanced Compliance provide the rights for a user to benefit from Records Management including declaring items as records, automatically applying retention or record labels and executing disposition review processes (excluding automatically applying a retention label based on trainable classifiers).

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance provide the rights for a user to benefit from automatically applying retention or record labels based on trainable classifiers.

For specific rights by license, see the detailed Microsoft 365 Compliance Licensing Comparison. (PDF) | (Excel)

How do users benefit from the service?

Users benefit by being able to declare content as a record and manage their full records process from policy definition and declaration through defensible disposal.

How is the service provisioned/deployed?

By default, Records Management features are enabled at the tenant level for all users within the tenant. For information on configuring Records Management to apply for licensed users, see Records Management in Microsoft 365.

How can the service be applied only to users in the tenant who are licensed for the service?

Records Management features can be applied to licensed users in specific locations (team sites, group sites, etc.). For information on configuring Records Management to apply for licensed users, see Records Management in Microsoft 365.

Data Connectors

Microsoft provides third-party data connectors that can be configured in the Microsoft 365 compliance center. For a list of data connectors provided by Microsoft, see the Third-party data connectors table. This table also summarizes the compliance solutions that you can apply to third-party data after you import and archive data in Microsoft 365, and links to the step-by-step instructions for each connector.

How do users benefit from the service?

The primary benefit of using data connectors to import and archive third-party data in Microsoft 365 is that you can apply various Microsoft 365 compliance solutions to that data after it's been imported. This helps ensure that your organization's non-Microsoft data is in compliance with the regulations and standards that affect your organization.

Which licenses provide the rights for a user to benefit from the service?

The following licenses provide the rights for a user to benefit from Data Connectors:

  • Microsoft 365 E5/A5
  • Microsoft 365 E5/A5 Info Protection & Governance
  • Microsoft 365 E5/A5 Compliance
  • Microsoft 365 E5/A5 Insider Risk Management
  • Microsoft 365 E5/A5 eDiscovery and Audit
  • Office 365 E5/A5
  • Office 365 Advanced Compliance

For data connectors in the M365 Security & Compliance Center that are provided by one of Microsoft's partners, your organization will need a business relationship with the partner before you can deploy those connectors.

How is the service provisioned/deployed?

Connectors are configured using Security & Compliance Center and Connector Catalog.

How can the service be applied only to users in the tenant who are licensed for the service?

Data Connectors services are a tenant-level value. Every user intended to benefit from this service must be licensed.

Microsoft Graph APIs for Teams DLP

Earlier this year we announced the public preview of the Microsoft Graph Change Notification API for messages in Teams. This API enables developers to build apps that can listen to Microsoft Teams messages in near-real time and enable DLP scenario implementations for both customers and ISVs. Additionally, the Microsoft Graph Patch API allows applying DLP actions to Teams messages.

How do users benefit from the service?

Data loss prevention (DLP) capabilities are widely used in Microsoft Teams, particularly as organizations have shifted to remote work. If your organization has DLP, you can now define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session.

Which licenses provide the rights for a user to benefit from the service?

You will need one of the following E5 licenses to have support for Data Loss Prevention (DLP) protection in Teams Chat:

  • Microsoft 365 E5/A5
  • Microsoft 365 E5/A5 Compliance
  • Microsoft 365 E5/A5 Information Protection and Governance
  • Office 365 E5/A5

How is the service provisioned/deployed?

API access is configured at the tenant level.

How can the service be applied only to users in the tenant who are licensed for the service?

Microsoft Graph APIs for Teams DLP are a tenant-level value. Every user intended to benefit from this service must be licensed.

eDiscovery

eDiscovery provides investigation and eDiscovery solutions for IT and legal departments within corporations to identify, collect, preserve, reduce, and review content related to an investigation or litigation prior to export out of the Microsoft 365 system.

How do users benefit from the service?

A user benefits from Advanced eDiscovery when the user is selected as a data custodian (a person having administrative control of a document or electronic file) for a case.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5/G5/E3/A3/G3, Office 365 E5/A5/G5/E3/A3/G3, and Office 365 Advanced Compliance provide the rights for a user to benefit from Core eDiscovery. Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 E5/A5 eDiscovery and Audit, Office 365 E5/A5/G5, and Office 365 Advanced Compliance provide the rights for a user to benefit from Advanced eDiscovery.

How is the service provisioned/deployed?

By default, Advanced eDiscovery features are enabled at the tenant level for all users within the tenant when admins assign eDiscovery permissions in the Security & Compliance Center.

How can the service be applied only to users in the tenant who are licensed for the service?

eDiscovery administrators can select specific users as data custodians for a case by using the built-in custodian management tool in Advanced eDiscovery as described in Add custodians to an Advanced eDiscovery case.

Office 365 Customer Key

With Customer Key, you control your organization's encryption keys and configure Office 365 to use them to encrypt your data at rest in Microsoft's data centers. In other words, Customer Key allows you to add a layer of encryption that belongs to you, using your own keys. Data at rest includes data from Exchange Online and Skype for Business that is stored in mailboxes and files within SharePoint Online and OneDrive for Business.

How do users benefit from the service?

Users benefit from Customer Key by having their data at rest encrypted at the application layer using encryption keys that are provided, controlled, and managed by their own organization.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5/A5, and Office 365 Advanced Compliance provide the rights for a user to benefit from Customer Key. To get the full benefit of Customer Key, you must also have a subscription for Azure Key Vault.

How is the service provisioned/deployed?

Office 365 Customer Key encryption keys can be enabled for all data stored in Exchange Online and Skype for Business mailboxes, and SharePoint Online, OneDrive for Business, and Teams files. For more information about Office 365 Customer Key, including how to get started, see Service encryption with Customer Key in Office 365.

How can the service be applied only to users in the tenant who are licensed for the service?

To assign encryption keys to data within an Office 365 and/or Microsoft 365 organization for licensed users, follow the Customer Key encryption keys deployment instructions.

  • For SharePoint Online, OneDrive for Business, and Teams files, files on one or more sites can be encrypted using Customer Key.

  • For Exchange Online and Skype for Business, mailboxes can be encrypted using Customer Key.

Office 365 Customer Lockbox

Customer Lockbox provides an additional layer of control by offering customers the ability to give explicit access authorization for service operations. By demonstrating that procedures are in place for explicit data access authorization, Customer Lockbox may also help organizations meet certain compliance obligations such as HIPAA and FedRAMP.

How do users benefit from the service?

Users benefit from Customer Lockbox because it ensures that no one at Microsoft can access their content to perform a service operation without the customer's explicit approval. Customer Lockbox brings the customer into the approval workflow for requests to access their content. Occasionally, Microsoft engineers are involved during the support process to troubleshoot and fix customer-reported issues. In most cases, issues are fixed through extensive telemetry and debugging tools that Microsoft has in place for its services. However, there may be cases that require a Microsoft engineer to access customer content to determine the root cause and fix the issue. Customer Lockbox requires the engineer to request access from the customer as a final step in the approval workflow. This gives organizations the option to approve or deny these requests, which gives them direct control over whether a Microsoft engineer can access the organization's end-user data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5/G5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Insider Risk Management, and Office 365 Advanced Compliance provide the rights for a user to benefit from Customer Lockbox.

How is the service provisioned/deployed?

Admins can turn on Customer Lockbox controls in the Microsoft 365 admin center. For more information, see Customer Lockbox in Office 365. When Customer Lockbox is turned on, Microsoft is required to obtain an organization's approval prior to accessing any of their content.

How can the service be applied only to users in the tenant who are licensed for the service?

The Customer Lockbox service can't currently be limited to specific users. You must license every user you intend to benefit.

Privileged access management in Office 365

Privileged access management (PAM) provides granular access control over privileged admin tasks in Office 365. After enabling PAM, users will need to request just-in-time access through an approval workflow that is highly scoped and time-bound in order to complete elevated and privileged tasks.

How do users benefit from the service?

Enabling PAM lets organizations operate with zero standing privileges. Users benefit from the added layer of defense against vulnerabilities arising from standing administrative access that provides unfettered access to their data.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 E5/A5 Information Protection and Governance provide the rights for a user to benefit from PAM.

How is the service provisioned/deployed?

By default, PAM features are enabled at the tenant level for all users within the tenant. For information on configuring PAM policies, see Get started with privileged access management.

How can the service be applied only to users in the tenant who are licensed for the service?

Customers can manage PAM on a per-user basis through approver group and access policies, which can be applied to licensed users. For more information, see Privileged access management in Office 365.

Double Key Encryption for Microsoft 365

Double Key Encryption for Microsoft 365 allows you to protect your highly sensitive data to meet specialized requirements and maintain full control of your encryption key. Double Key Encryption uses two keys to protect your data, with one key in your control and the second key stored securely in Microsoft Azure. To view the data, you must have access to both keys. Since Microsoft can access only one key, your key and also your data are unavailable to Microsoft, ensuring that you have full control over the privacy and security of your data.

How do users benefit from the service?

Users benefit from Double Key Encryption by being able to migrate their encrypted data to the cloud and preventing third-party access as long as the key remains in control of the users. End users can protect and consume Double Key Encrypted content similar to any other sensitivity label protected content.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5/A5, and Office 365 Advanced Compliance provide the rights for a user to benefit from Double Key Encryption.

How is the service provisioned/deployed?

Double Key Encryption supports the desktop version of Microsoft Office for Windows.

How can the service be applied only to users in the tenant who are licensed for the service?

To assign encryption keys to data within an Office 365 and/or Microsoft 365 organization for licensed users, follow the Double Key Encryption deployment instructions.

Office 365 data loss prevention for Exchange Online, SharePoint Online, and OneDrive for Business

With Office 365 data loss prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business, organizations can identify, monitor, and automatically protect sensitive information across emails and files (including files stored in Microsoft Teams file repositories).

How do users benefit from the service?

Users benefit from DLP for Exchange Online, SharePoint Online, and OneDrive for Business when their emails and files are being inspected for sensitive information, as configured in the organization's DLP policy.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 A1/E3/A3/Business, Office 365 E3/A3, and Office 365 Data Loss Prevention provide the rights for a user to benefit from Office 365 DLP for Exchange Online, SharePoint Online, and OneDrive for Business.

How is the service provisioned/deployed?

By default, Exchange Online emails, SharePoint sites, and OneDrive accounts are enabled locations (workloads) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Security & Compliance Center, under Data loss prevention > Locations.

Communication Data Loss Prevention for Teams

With Communication DLP for Teams, organizations can block chats and channel messages that contain sensitive information, such as financial information, personally identifying information, health-related information, or other confidential information.

Which users benefit from the service?

Licensed users of Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 Information Protection and Governance, and Office 365 Advanced Compliance can benefit from Communication DLP for Teams.

How do users benefit from the service?

Senders benefit by having their outgoing chat and channel messages inspected for sensitive information, as configured in the organization's DLP policy.

How is the service provisioned/deployed?

By default, Teams chat and channel messages are an enabled location (workload) for these DLP features for all users within the tenant. For more information about using DLP policies, see Overview of data loss prevention.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Security & Compliance Center, under Data loss prevention > Locations.

Information barriers

Information barriers are policies that an admin can configure to prevent individuals or groups from communicating with each other. This is useful if, for example, one department is handling information that shouldn't be shared with other departments, or a group needs to be prevented from communicating with outside contacts. Information barrier policies also prevent lookups and discovery. This means that if you attempt to communicate with someone you should not be communicating with, you won't find that user in the people picker.

How do users benefit from the service?

Users benefit from the advanced compliance capabilities of information barriers when they're restricted from communicating with others. For example:

| Scenario | Who requires a license? |
| --- | --- |
| Two groups (Group 1 and Group 2) cannot communicate with each other (that is, Group 1 users are restricted from communicating with Group 2 users, and Group 2 users are restricted from communicating with Group 1 users). | Users in both Group 1 and Group 2 |

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Insider Risk Management, Office 365 E5/A5, and Office 365 Advanced Compliance provide the rights for a user to benefit from information barriers.

How is the service provisioned/deployed?

Admins create and manage information barrier policies by using PowerShell cmdlets in the Security & Compliance Center. Admins must be assigned the Microsoft 365 Enterprise Global Administrator, Office 365 Global Administrator, or Compliance Administrator role to create an information barrier policy. By default, these policies apply to all users in the tenant. For more information about information barriers, see Information barriers in Microsoft Teams.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins can customize locations (workloads), included users, and excluded users in the Security & Compliance Center. For example, if all users are licensed for Office 365 E3, and none are licensed for Office 365 Advanced Compliance/E5, they wouldn't need to create any information barrier policies for the organization. For more information, see Information barriers in Microsoft Teams.

Office 365 Message Encryption

Office 365 Message Encryption (OME) is a service built on Azure Rights Management (Azure RMS) that lets you send encrypted email to people inside or outside your organization, regardless of the destination email address (Gmail, Yahoo! Mail, Outlook.com, etc.).

To view encrypted messages, recipients can either get a one-time passcode, sign in with a Microsoft account, or sign in with a work or school account associated with Office 365. Recipients can also send encrypted replies. They don't need a subscription to view encrypted messages or send encrypted replies.

How do users benefit from the service?

Message senders benefit from the added control over sensitive emails provided by Office 365 Message Encryption.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E3/A3, Office 365 E3/A3, and Azure Information Protection Plan 1 provide the rights for a user to benefit from Office 365 Message Encryption.

How is the service provisioned/deployed?

Admins create and manage Office 365 Message Encryption policies in the Exchange admin center under Mail flow > Rules. By default, these rules apply to all users in the tenant. For more information about setting up new Office 365 Message Encryption capabilities, see Set up new Office 365 Message Encryption capabilities.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should apply mail flow rules for Office 365 Message Encryption only to licensed users. For more information about defining mail flow rules, see Define mail flow rules to encrypt email messages in Office 365.

Office 365 Advanced Message Encryption

Office 365 Advanced Message Encryption helps customers meet compliance obligations that require more flexible controls over external recipients and their access to encrypted emails. With Advanced Message Encryption, admins can control sensitive emails shared outside the organization by using automatic policies that can detect sensitive information types (for example, personally identifying information, or financial or health IDs), or they can use keywords to enhance protection by applying custom email templates and expiring access to encrypted emails through a secure web portal. Additionally, admins can further control encrypted emails accessed externally through a secure web portal by revoking access at any time.

How do users benefit from the service?

Message senders benefit from the added control over sensitive emails provided by Advanced Message Encryption.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, and Office 365 Advanced Compliance provide the rights for a user to benefit from Advanced Message Encryption.

How is the service provisioned/deployed?

Admins create and manage Advanced Message Encryption policies in the Exchange admin center under mail flow rules. By default, these rules apply to all users on the tenant. For more information about setting up new Message Encryption capabilities, see Set up new Office 365 Message Encryption capabilities.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins should apply mail flow rules for Advanced Message Encryption only to licensed users. For more information about defining mail flow rules, see Define mail flow rules to encrypt email messages in Office 365.

Communication Compliance

Communication compliance in Microsoft 365 helps minimize communication risks by helping you detect, capture, and take remediation actions for inappropriate messages in your organization. You can define specific policies that capture internal and external email, Microsoft Teams, or third-party communications in your organization. Reviewers can take appropriate remediation actions to make sure they're compliant with your organization's message standards.

How do users benefit from the service?

Compliance specialists benefit from the service by having organization communications monitored by communication compliance policies.

Which licenses provide the rights for a user to benefit from the service?

Office 365 E5/A5, Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 Insider Risk Management provide the rights for a user to benefit from communication compliance.

How is the service provisioned/deployed?

Admins and compliance specialists create communication compliance policies in the Microsoft 365 compliance center. These policies define which communications and users are subject to review in the organization, define custom conditions that communications must meet, and specify who should perform reviews.

How can the service be applied only to users in the tenant who are licensed for the service?

Admins choose specific users or groups to include in a communication compliance policy. When choosing a group, they can also select specific users in the group to exclude from the communication compliance policy. For more information about communication compliance policies, see Communication compliance in Microsoft 365.

Insider Risk Management

Insider risk management is a solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and take action on risky activities in your organization. Custom policies allow you to detect and take action on malicious and inadvertently risky activities in your organization, including escalating cases to Microsoft Advanced eDiscovery if needed. Risk analysts in your organization can quickly take appropriate actions to make sure that users are compliant with your organization's compliance standards.

How do users benefit from the service?

Users benefit by having their activities monitored for risk.

Which licenses provide the rights for a user to benefit from the service?

Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 Insider Risk Management provide the rights for a user to benefit from Insider Risk Management.

How is the service provisioned/deployed?

Insider Risk Management policies must be created in the Microsoft 365 compliance center and assigned to users.

How can the service be applied only to users in the tenant who are licensed for the service?

When creating a policy in the Microsoft 365 compliance center, on the Choose users and groups page, select Choose users or groups to select only licensed users, or, if all of your users are licensed, you may select the All users and mail-enabled groups checkbox. For more information, see Get started with insider risk management.

Conditional Access policies

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the identity-driven control plane. Conditional Access policies at their simplest are if-then statements. If a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

Which users benefit from the service?

Licensed users of Enterprise Mobility + Security E3/A3, Microsoft 365 F3/E3/A3/Business Premium, and Azure Active Directory Premium Plan 1 can benefit from Conditional Access policies. Licensed users of Enterprise Mobility + Security E5/A5/G5, Microsoft 365 E5/A5, Microsoft E5 Security, and Azure Active Directory Premium Plan 2 can benefit from Identity Protection (risk-based Conditional Access policies).

How do users benefit from the service?

Security operations analysts and security professionals benefit by having the ability to enforce organizational policies on users, requiring them to meet certain criteria before granting access to corporate content. End users benefit by being able to access their work wherever and whenever they choose, while protecting the organization's assets.

How is the service provisioned/deployed?

By default, Conditional Access features are enabled at the tenant level for all users within the tenant.

How can the service be applied only to users in the tenant who are licensed for the service?

For Identity Protection and Conditional Access specifically, a user must be included in a group or be added to a Conditional Access policy. The users and groups condition is mandatory in a Conditional Access policy. In your policy, you can select either All users or specific users and groups. You should select only appropriately licensed users and groups. For more information, see What are conditions in Azure Active Directory Conditional Access?.
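One way to check the scoping rule above, as an added example that is not Microsoft's code: the script resolves each enabled policy's users and groups condition, decides whether the policy is risk-based (and so needs the Plan 2 tier), and lists the in-scope users who lack a qualifying plan. The policy dictionaries follow the shape of Graph's conditionalAccessPolicy resource; the directory, the UPNs standing in for object ids, and the use of the AAD_PREMIUM / AAD_PREMIUM_P2 service plan names as stand-ins for the licenses listed earlier are assumptions made for this sketch.

```python
P1, P2 = "AAD_PREMIUM", "AAD_PREMIUM_P2"   # assumed service plan names for Plan 1 / Plan 2

# Constructed directory snapshot: user -> assigned plans, group -> direct members.
DIRECTORY = {
    "users": {
        "alice@contoso.example": {P2},
        "bob@contoso.example": {P1},
        "carol@contoso.example": set(),
        "dave@contoso.example": {P1},
    },
    "groups": {
        "g-payroll": ["alice@contoso.example", "bob@contoso.example"],
        "g-contractors": ["carol@contoso.example"],
        "g-breakglass": ["dave@contoso.example"],
    },
}

# Constructed policies in the shape of Graph conditionalAccessPolicy objects.
POLICIES = [
    {"displayName": "Require MFA for payroll", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["g-payroll"]}}},
    {"displayName": "Block high sign-in risk", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["g-breakglass"]},
                    "signInRiskLevels": ["high"]}},
    {"displayName": "Contractor MFA", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": ["g-contractors"]}}},
    {"displayName": "Old pilot", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}}},
]


def is_risk_based(policy):
    """A policy that conditions on sign-in or user risk relies on Identity Protection."""
    cond = policy.get("conditions", {})
    return bool(cond.get("signInRiskLevels") or cond.get("userRiskLevels"))


def _expand(user_ids, group_ids, directory):
    """Resolve explicit users, the special value 'All', and direct group members."""
    members = set()
    for uid in user_ids:
        if uid == "All":
            members |= set(directory["users"])
        elif uid in directory["users"]:
            members.add(uid)
    for gid in group_ids:
        members |= set(directory["groups"].get(gid, []))   # nested groups not resolved
    return members


def users_in_scope(policy, directory):
    """Included users minus excluded users, as the policy's users condition defines."""
    users = policy.get("conditions", {}).get("users", {})
    included = _expand(users.get("includeUsers", []), users.get("includeGroups", []), directory)
    excluded = _expand(users.get("excludeUsers", []), users.get("excludeGroups", []), directory)
    return included - excluded


def audit_policy(policy, directory):
    """Report which in-scope users lack the plan tier the policy type requires."""
    risk = is_risk_based(policy)
    accepted = {P2} if risk else {P1, P2}       # Plan 2 also covers Plan 1 features
    unlicensed = sorted(
        upn for upn in users_in_scope(policy, directory)
        if not directory["users"].get(upn, set()) & accepted
    )
    return {"policy": policy["displayName"], "requires": P2 if risk else P1,
            "unlicensed": unlicensed}


def audit(policies, directory):
    """Audit every policy that is enabled or in report-only mode."""
    return [audit_policy(p, directory) for p in policies if p.get("state") != "disabled"]


if __name__ == "__main__":
    for row in audit(POLICIES, DIRECTORY):
        print(row["policy"], row["requires"], row["unlicensed"])
```

The "All users" risk policy is the one that surfaces a gap here: it pulls in a Plan 1 user and an unlicensed user, which is why the text recommends selecting specific licensed groups.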

高级审核Advanced Audit

Microsoft 365 中的高级审核为用户和管理员活动提供了为期一年的审核日志保留,并提供了创建自定义审核日志保留策略以管理其他 Microsoft 365 服务的审核日志保留的功能。Advanced Audit in Microsoft 365 provides one-year retention of audit logs for user and admin activities, and provides the ability to create custom audit log retention policies to manage audit log retention for other Microsoft 365 services. 此外,它还提供对 Office 365 管理活动 API 的调查和高带宽访问的关键事件的访问。It also provides access to crucial events for investigations and high-bandwidth access to the Office 365 Management Activity API. 有关详细信息,请参阅 Microsoft 365 中的高级审核For more information, see Advanced Audit in Microsoft 365.

You can also enable a retention period of 10 years with an add-on SKU. The add-on SKU will be required starting early 2021.

Which users benefit from the service?

Licensed users of Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Microsoft 365 eDiscovery and Audit can benefit from Advanced Audit.

Licensed users with Advanced Audit and the 10-year Audit Log Retention add-on can benefit from 10-year Audit Log Retention.

How do users benefit from the service?

A user benefits from Advanced Audit because audit records related to user activity in Microsoft 365 services can be retained for up to one year. Additionally, high-value auditing events are logged, such as when items in a user's mailbox are accessed or read. For more information, see Advanced Audit in Microsoft 365.

How is the service provisioned/deployed?

By default, Advanced Audit is enabled at the tenant level for all organizations that have an Office 365 or Microsoft 365 E5 subscription, and automatically provides one-year retention of audit logs for activities (performed by users with the appropriate license) in Azure Active Directory, Exchange, and SharePoint. Additionally, organizations can use audit log retention policies to manage the retention period for audit records generated by activity in other Microsoft 365 services. The 10-year Audit Log Retention functionality is also enabled using the same retention policies. For more information, see Manage audit log retention policies.

How can the service be applied only to users in the tenant who are licensed for the service?

One-year retention of audit logs and the auditing of crucial events apply only to users with the appropriate license. Additionally, admins can use audit log retention policies to specify shorter retention durations for the audit logs of specific users.

10-year retention of audit logs applies only to users with the appropriate add-on license. The add-on SKU will be required starting early 2021.