Configuring the Azure Information Protection policy

Applies to: Azure Information Protection

Relevant for: Azure Information Protection classic client for Windows. For the unified labeling client, see Learn about sensitivity labels in the Microsoft 365 documentation.

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection unified labeling platform. Learn more in the official deprecation notice.

To configure classification, labeling, and protection for the classic client, you must configure the Azure Information Protection policy. This policy is then downloaded to computers that have the Azure Information Protection client installed.

The policy contains labels and settings:

  • Labels apply a classification value to documents and emails, and can optionally protect this content. The Azure Information Protection client displays these labels for your users in Office apps and when users right-click a file in File Explorer. These labels can also be applied by using PowerShell and the Azure Information Protection scanner.

  • The settings change the default behavior of the Azure Information Protection client. For example, you can select a default label, whether all documents and emails must have a label, and whether the Azure Information Protection bar is displayed in Office apps.

Subscription support

Azure Information Protection supports different levels of subscriptions:

  • Azure Information Protection P2: support for all classification, labeling, and protection features.

  • Azure Information Protection P1: support for most classification, labeling, and protection features, but not automatic classification or HYOK.

  • Microsoft 365 that includes the Azure Rights Management service: support for protection, but not classification and labeling.

Options that require an Azure Information Protection P2 subscription are identified as such in the portal.

If your organization has a mix of subscriptions, it is your responsibility to make sure that users do not use features that their account is not licensed for. The Azure Information Protection client does not do license checking or enforcement. When you configure options that not all users are licensed for, use scoped policies or a registry setting to keep your organization in compliance with its licenses:

  • When your organization has a mix of Azure Information Protection P1 and Azure Information Protection P2 licenses: for users who have a P2 license, create and use one or more scoped policies when you configure options that require an Azure Information Protection P2 license. Make sure that your global policy does not contain options that require an Azure Information Protection P2 license.

  • When your organization has a subscription for Azure Information Protection but some users have only a license for Microsoft 365 that includes the Azure Rights Management service: for the users who do not have a license for Azure Information Protection, edit the registry on their computers so that they do not download the Azure Information Protection policy. For instructions, see the admin guide for the following customization: Enforce protection-only mode when your organization has a mix of licenses.
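The registry change for the second case, as an added PowerShell example that is not part of this documentation. It assumes that the value documented in the admin guide customization named above is the DWORD EnablePolicyDownloads under HKCU\SOFTWARE\Microsoft\MSIP, set to 0; confirm the key and value name against the admin guide before deploying. The second function is the check a practitioner wants before and after the change, because the client itself will not tell you which mode it is in.

```powershell
# Added example (not from the original documentation): put the classic client
# into protection-only mode for the signed-in user so that it never downloads the
# Azure Information Protection policy. Assumption: the key and value below are the
# ones described in the admin guide customization "Enforce protection-only mode
# when your organization has a mix of licenses"; verify them there first.
$MsipKey   = 'HKCU:\SOFTWARE\Microsoft\MSIP'
$MsipValue = 'EnablePolicyDownloads'

function Set-AipProtectionOnlyMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path $MsipKey)) {
        New-Item -Path $MsipKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$MsipKey\$MsipValue", 'set DWORD to 0')) {
        # 0 = do not download the policy. The client can still apply Azure RMS
        # protection, which is all a Microsoft 365-only user is licensed for.
        New-ItemProperty -Path $MsipKey -Name $MsipValue -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Test-AipProtectionOnlyMode {
    # $true only when the value exists and is exactly 0; a missing value means
    # the client is in its default mode and will download the policy.
    $item = Get-ItemProperty -Path $MsipKey -Name $MsipValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.($MsipValue) -eq 0)
}

# Typical use on the machine of a user who has only a Microsoft 365 license.
# Run in that user's context: the key is per user (HKCU), not per machine.
Set-AipProtectionOnlyMode -WhatIf   # drop -WhatIf to apply the change
if (Test-AipProtectionOnlyMode) {
    'Policy downloads are disabled: protection-only mode.'
} else {
    'Policy downloads are enabled: this user will receive the AIP policy.'
}
```

Because the setting lives under HKCU, it has to be applied in each unlicensed user's profile, for example through Group Policy preferences or a logon script, and re-checked after the client is reinstalled or upgraded.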

For more information about the subscriptions, see What subscription do I need for Azure Information Protection and what features are included?

Signing in to the Azure portal

To sign in to the Azure portal to configure and manage Azure Information Protection:

To access the Azure Information Protection pane for the first time

  1. Sign in to the Azure portal.

  2. Select + Create a resource, and then, in the Marketplace search box, type Azure Information Protection.

  3. From the results list, select Azure Information Protection. On the Azure Information Protection pane, click Create.

    Tip

    Optionally, select Pin to dashboard to create an Azure Information Protection tile on your dashboard, so that you can skip browsing to the service the next time you sign in to the portal.

    Click Create again.

  4. The Quick start page opens automatically the first time you connect to the service. Browse the suggested resources, or use the other menu options. To configure the labels that users can select, use the following procedure.

The next time you access the Azure Information Protection pane, it automatically selects the Labels option so that you can view and configure labels for all users. You can return to the Quick start page by selecting it from the General menu.

How to configure the Azure Information Protection policy

  1. Make sure that you are signed in to the Azure portal with one of these administrative roles: Azure Information Protection administrator, Security administrator, or Global administrator. See the preceding section for more information about these administrative roles.

  2. If necessary, navigate to the Azure Information Protection pane: for example, on the hub menu, click All services and start typing Information Protection in the Filter box. From the results, select Azure Information Protection.

    The Azure Information Protection - Labels pane opens automatically for you to view and edit the available labels. Labels can be made available to all users, to selected users, or to no users by adding them to or removing them from a policy.

  3. To view and edit the policies, select Policies from the menu options. To view and edit the policy that all users get, select the Global policy. To create a custom policy for selected users, select Add a new policy.

Making changes to the policy

You can create any number of labels. However, when there are too many for users to easily see and select the right one, create scoped policies so that users see only the labels that are relevant to them. There is an upper limit of 500 labels that apply protection.

When you make any changes on an Azure Information Protection pane, click Save to save the changes, or click Discard to revert to the last saved settings. When you save changes in a policy, or make changes to labels that are added to policies, those changes are published automatically. There is no separate publish option.

The Azure Information Protection client checks for changes whenever a supported Office application starts, and downloads the changes as its latest Azure Information Protection policy. Additional triggers that refresh the policy on the client:

  • Right-clicking to classify and protect a file or folder.

  • Running the PowerShell cmdlets for labeling and protection (Get-AIPFileStatus, Set-AIPFileClassification, and Set-AIPFileLabel).

  • Every 24 hours.

  • For the Azure Information Protection scanner: when the service starts (if the policy is older than an hour), and every hour during operation.

Note

When the client downloads the policy, be prepared to wait a few minutes before it is fully operational. The actual time varies with factors such as the size and complexity of the policy configuration and the network connectivity. If the resulting action of your labels does not match your latest changes, allow up to 15 minutes and then try again.

Configuring your organization's policy

Use the following information to help you configure the Azure Information Protection policy:

Label information stored in emails and documents

When a label is applied to a document or email, the label is stored in metadata so that applications and services can read it:

  • In emails, this information is stored in the x-header: msip_labels: MSIP_Label_<GUID>_Enabled=True

  • For Word documents (.doc and .docx), Excel spreadsheets (.xls and .xlsx), PowerPoint presentations (.ppt and .pptx), and PDF documents, this metadata is stored in the following custom property: MSIP_Label_<GUID>_Enabled=True

For emails, the label information is stored when the email is sent. For documents, the label information is stored when the file is saved.

To identify the GUID for a label, locate the Label ID value on the Label pane in the Azure portal when you view or configure the Azure Information Protection policy. For files that already have a label applied, you can also run the Get-AIPFileStatus PowerShell cmdlet to identify the GUID (MainLabelId or SubLabelId). When a label has sublabels, always specify the GUID of the sublabel only, not the parent label.
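The metadata described above can be read without the AIP client, which is useful when a mail gateway, DLP rule, or forensic script needs the label GUID of a message or file. The following PowerShell is an added example, not code from this documentation: it parses an msip_labels header value and the docProps/custom.xml part of an Office Open XML file, and returns the GUID of every label whose _Enabled property is True. The sample header and custom.xml are constructed for the demonstration, and the _Name and _SetDate properties in them are assumed companions; the page documents only the _Enabled property.

```powershell
# Added example, not part of the original documentation. Recovers the label GUID
# that the classic client writes into the msip_labels mail header and into the
# custom document properties of Office Open XML files (.docx/.xlsx/.pptx), using
# only built-in .NET and PowerShell APIs; the AIP client is not required.

# Property name of the form MSIP_Label_<GUID>_Enabled; group 1 captures the GUID.
$EnabledPattern = '^MSIP_Label_([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})_Enabled$'

# Turn a hashtable of MSIP_Label_* properties into one object per enabled label.
function ConvertFrom-MsipProperties {
    param([Parameter(Mandatory)][hashtable]$Props, [string]$Source)

    foreach ($name in $Props.Keys) {
        if ($name -match $EnabledPattern -and "$($Props[$name])" -ieq 'True') {
            $guid = $Matches[1]
            [pscustomobject]@{
                LabelId = $guid
                Name    = $Props["MSIP_Label_${guid}_Name"]   # assumed companion property; $null if absent
                Source  = $Source
            }
        }
    }
}

# Parse an msip_labels header value of the form "name=value; name=value; ...".
function Get-MsipLabelFromHeader {
    param([Parameter(Mandatory)][string]$HeaderValue)

    $props = @{}
    foreach ($pair in ($HeaderValue -split ';')) {
        if (-not $pair.Trim()) { continue }
        $name, $value = ($pair -split '=', 2).ForEach({ $_.Trim() })
        $props[$name] = $value
    }
    ConvertFrom-MsipProperties -Props $props -Source 'msip_labels header'
}

# Parse the docProps/custom.xml part (OOXML custom document properties).
function Get-MsipLabelFromCustomXml {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('cp', 'http://schemas.openxmlformats.org/officeDocument/2006/custom-properties')
    $props = @{}
    foreach ($p in $doc.SelectNodes('/cp:Properties/cp:property', $ns)) {
        # GetAttribute avoids the clash between the "name" attribute and XmlElement.Name.
        $props[$p.GetAttribute('name')] = $p.InnerText.Trim()
    }
    ConvertFrom-MsipProperties -Props $props -Source 'docProps/custom.xml'
}

# Open a .docx/.xlsx/.pptx (a zip container) and read its custom properties part.
function Get-MsipLabelFromOfficeFile {
    param([Parameter(Mandatory)][string]$Path)

    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        $entry = $zip.GetEntry('docProps/custom.xml')
        if ($null -eq $entry) { return }   # no custom properties part: the file carries no label
        $reader = [System.IO.StreamReader]::new($entry.Open())
        try { Get-MsipLabelFromCustomXml -Xml $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}

# --- Demonstration on constructed data (placeholder GUID, not a real label) ---
$g = '2d6d2a3b-9c33-4a0d-b4a4-1f0c6f2e7d11'
$sampleHeader = "MSIP_Label_${g}_Enabled=True; MSIP_Label_${g}_Name=Confidential; MSIP_Label_${g}_SetDate=2021-01-15T09:30:00Z"
$sampleXml = @"
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="MSIP_Label_${g}_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3" name="MSIP_Label_${g}_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
</Properties>
"@

Get-MsipLabelFromHeader -HeaderValue $sampleHeader
Get-MsipLabelFromCustomXml -Xml $sampleXml
# For a real file: Get-MsipLabelFromOfficeFile -Path 'C:\Docs\report.docx'
```

The zip-based reader applies only to the Office Open XML formats; for the legacy binary formats (.doc, .xls, .ppt) and PDF, use Get-AIPFileStatus, which also refreshes the client's policy as a side effect. On a labeled file, the LabelId returned here should equal the MainLabelId or SubLabelId that Get-AIPFileStatus reports; a mismatch means the metadata was edited outside the client and the file should be treated as unlabeled until it is relabeled.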

Next steps

For examples of how to customize the Azure Information Protection policy and see the resulting behavior for users, try the following tutorials:

To see how your policy is performing, see Central reporting for Azure Information Protection.