Configuring super users for Azure Information Protection and discovery services or data recovery

*Applies to: Azure Information Protection, Office 365*

*Relevant for: AIP unified labeling client and classic client*

The super user feature of the Azure Rights Management service from Azure Information Protection ensures that authorized people and services can always read and inspect the data that Azure Rights Management protects for your organization. If necessary, the protection can then be removed or changed.

A super user always has the Rights Management Full Control usage right for documents and emails that have been protected by your organization's Azure Information Protection tenant. This ability is sometimes referred to as "reasoning over data" and is a crucial element in maintaining control of your organization's data. For example, you would use this feature for any of the following scenarios:

  • An employee leaves the organization and you need to read the files that they protected.

  • An IT administrator needs to remove the current protection policy that was configured for files and apply a new protection policy.

  • Exchange Server needs to index mailboxes for search operations.

  • You have existing IT services for data loss prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products that need to inspect files that are already protected.

  • You need to bulk decrypt files for auditing, legal, or other compliance reasons.

Configuration for the super user feature

By default, the super user feature is not enabled, and no users are assigned this role. It is enabled for you automatically if you configure the Rights Management connector for Exchange, and it is not required for standard services that run Exchange Online, Microsoft SharePoint Server, or SharePoint in Microsoft 365.

If you need to manually enable the super user feature, use the PowerShell cmdlet Enable-AipServiceSuperUserFeature, and then assign users (or service accounts) as needed by using the Add-AipServiceSuperUser cmdlet, or use the Set-AipServiceSuperUserGroup cmdlet and add users (or other groups) as needed to that group.

Although using a group for your super users is easier to manage, be aware that for performance reasons, Azure Rights Management caches the group membership. So if you need to assign a new user as a super user who must decrypt content immediately, add that user by using Add-AipServiceSuperUser, rather than adding the user to an existing group that you have configured by using Set-AipServiceSuperUserGroup.
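The configuration steps above, as an added PowerShell example that is not part of the original page or of Microsoft's own documentation. It uses the AIPService module cmdlets named in this section; the account and group addresses are constructed placeholders, and it assumes you are signed in with an account that holds the tenant's global administrator (or AIP GlobalAdministrator) role.

```powershell
# Added example: enable the super user feature and assign super users with
# the AIPService module. Account and group names are constructed placeholders.
# Assumes the AIPService module is installed (Install-Module AIPService) and
# that the signed-in account is allowed to administer Azure Rights Management.

Connect-AipService

# Constructed placeholders for this example; replace with your own accounts.
$ServiceAccount = 'dlp-scanner@contoso.example'
$SuperUserGroup = 'aip-superusers@contoso.example'

# 1. Read the current state before changing anything (the default is Disabled).
$state = Get-AipServiceSuperUserFeature
Write-Host "Super user feature is currently: $state"

if ($state -ne 'Enabled') {
    Enable-AipServiceSuperUserFeature
}

# 2. Assign an individual account. Individual assignments are not subject to
#    the group-membership cache, so use this form when an account has to
#    decrypt content immediately.
Add-AipServiceSuperUser -EmailAddress $ServiceAccount

# 3. Optionally point the feature at a group for day-to-day management.
#    Azure Rights Management caches the group's membership, so accounts added
#    to the group later may not be treated as super users right away.
Set-AipServiceSuperUserGroup -GroupEmailAddress $SuperUserGroup

# 4. Verify what is now configured. Get-AipServiceSuperUserGroup returns only
#    the group address; resolve its members with your directory tooling.
Get-AipServiceSuperUserFeature
Get-AipServiceSuperUser
Get-AipServiceSuperUserGroup
```

Every cmdlet call in this script is written to the admin log, so the sequence above produces entries of the same kind as the log extract shown later on this page.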

Note

If you have not yet installed the Windows PowerShell module for Azure Rights Management, see Installing the AIPService PowerShell module.

It doesn't matter when you enable the super user feature or when you add users as super users. For example, if you enable the feature on Thursday and then add a user on Friday, that user can immediately open content that was protected at the very beginning of the week.

Security best practices for the super user feature

  • Restrict and monitor the administrators who are assigned the global administrator role for your Microsoft 365 or Azure Information Protection tenant, or who are assigned the GlobalAdministrator role by using the Add-AipServiceRoleBasedAdministrator cmdlet. These users can enable the super user feature and assign users (and themselves) as super users, and can potentially decrypt all files that your organization protects.

  • To see which users and service accounts are individually assigned as super users, use the Get-AipServiceSuperUser cmdlet.

  • To see whether a super user group is configured, use the Get-AipServiceSuperUserGroup cmdlet, and then use your standard user management tools to check which users are members of this group.

  • Like all administration actions, enabling or disabling the super user feature, and adding or removing super users, are logged and can be audited by using the Get-AipServiceAdminLog cmdlet. For an example, see Example auditing for the super user feature.

  • When super users decrypt files, this action is logged and can be audited with usage logging.

    Note

    While the logs include details about the decryption, including the user who decrypted the file, they do not note when that user is a super user. Use the logs together with the cmdlets listed above: first collect the list of super users, and then identify those accounts in the logs.

  • If you do not need the super user feature for everyday services, enable the feature only when you need it, and disable it again by using the Disable-AipServiceSuperUserFeature cmdlet.
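A periodic review that follows the best practices above, as an added PowerShell example that is not part of the original page or of Microsoft's own documentation. It lists who can currently decrypt protected content, exports the admin log for a review window and filters it to the super-user actions, and disables the feature when it is not needed. The log path and the date range are constructed placeholders.

```powershell
# Added example: review super user configuration and audit trail, then
# disable the feature if it is only needed occasionally. Uses AIPService
# module cmdlets; the log path and time window are constructed placeholders.

Connect-AipService

# 1. Who can currently decrypt everything the tenant protects?
$feature = Get-AipServiceSuperUserFeature
$users   = Get-AipServiceSuperUser
$group   = Get-AipServiceSuperUserGroup

Write-Host "Feature state        : $feature"
Write-Host "Individual super users:"
$users | ForEach-Object { Write-Host "  $_" }
Write-Host "Super user group      : $group"
# The service reports only the group address; enumerate its members with
# your usual directory tooling so the list of super users is complete.

# 2. Export the admin log for the review window and keep the entries that
#    read or change super user settings (action names contain 'SuperUser',
#    e.g. AddSuperUser, SetSuperUserFeatureState).
$logPath = 'C:\AipAudit\AdminLog.txt'   # constructed placeholder
Get-AipServiceAdminLog -Path $logPath -FromTime '08/01/2015 00:00:00' -ToTime '08/31/2015 23:59:59'

$superUserActions = Get-Content -Path $logPath | Where-Object { $_ -match 'SuperUser' }
Write-Host "Super user related admin actions in the window:"
$superUserActions | ForEach-Object { Write-Host "  $_" }

# 3. Keep the exported list of super users next to the usage logs: usage
#    logging records who decrypted a file but not whether they were a super
#    user, so this list is what lets you recognise those decryptions.
$users | Set-Content -Path 'C:\AipAudit\superusers.txt'   # constructed placeholder

# 4. If no everyday service depends on the feature, switch it off again.
#    User and group assignments are independent of the feature state.
if ($feature -eq 'Enabled') {
    Disable-AipServiceSuperUserFeature
}
```

Run the review on a schedule and compare each export with the previous one; a super user or group that appears without a matching change request is the signal worth investigating.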

Example auditing for the super user feature

The following log extract shows some example entries from using the Get-AipServiceAdminLog cmdlet.

In this example, the administrator for Contoso Ltd confirms that the super user feature is disabled, adds Richard Simone as a super user, checks that Richard is the only super user configured for the Azure Rights Management service, and then enables the super user feature so that Richard can now decrypt some files that were protected by an employee who has since left the company.

2015-08-01T18:58:20 admin@contoso.com GetSuperUserFeatureState Passed Disabled

2015-08-01T18:59:44 admin@contoso.com AddSuperUser -id rsimone@contoso.com Passed True

2015-08-01T19:00:51 admin@contoso.com GetSuperUser Passed rsimone@contoso.com

2015-08-01T19:01:45 admin@contoso.com SetSuperUserFeatureState -state Enabled Passed True

Scripting options for super users

Often, somebody who is assigned as a super user for Azure Rights Management will need to remove protection from multiple files, in multiple locations. While it's possible to do this manually, it's more efficient (and often more reliable) to script it. To do so, use the Unprotect-RMSFile cmdlet, and the Protect-RMSFile cmdlet as required.

If you are using classification and protection, you can also use the Set-AIPFileLabel cmdlet to apply a new label that doesn't apply protection, or to remove the label that applied protection.

For more information about these cmdlets, see Using PowerShell with the Azure Information Protection client in the Azure Information Protection client admin guide.

Note

The AzureInformationProtection module is different from, and supplements, the AIPService PowerShell module that manages the Azure Rights Management service for Azure Information Protection.

Guidance for using Unprotect-RMSFile for eDiscovery

Although you can use the Unprotect-RMSFile cmdlet to decrypt protected content in PST files, use this cmdlet strategically as part of your eDiscovery process. Running Unprotect-RMSFile on large files on a computer is a resource-intensive operation (memory and disk space), and the maximum file size supported for this cmdlet is 5 GB.

Ideally, use eDiscovery in Microsoft 365 to search and extract protected emails and protected attachments in emails. The super user ability is automatically integrated with Exchange Online so that eDiscovery in the Office 365 Security & Compliance Center or Microsoft 365 compliance center can search for encrypted items prior to export, or decrypt encrypted email on export.

If you cannot use Microsoft 365 eDiscovery, you might have another eDiscovery solution that integrates with the Azure Rights Management service to similarly reason over data. Or, if your eDiscovery solution cannot automatically read and decrypt protected content, you can still use this solution in a multi-step process that lets you run Unprotect-RMSFile more efficiently:

  1. Export the email in question to a PST file from Exchange Online or Exchange Server, or from the workstation where the user stored their email.

  2. Import the PST file into your eDiscovery tool. Because the tool cannot read protected content, it's expected that these items will generate errors.

  3. From all the items that the tool couldn't open, generate a new PST file that this time contains just the protected items. This second PST file will likely be much smaller than the original PST file.

  4. Run Unprotect-RMSFile on this second PST file to decrypt the contents of this much smaller file. From the output, import the now-decrypted PST file into your discovery tool.
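The scripted removal of protection described under "Scripting options for super users", applied to step 4 of the procedure above, as an added PowerShell example that is not part of the original page or of Microsoft's own tooling. It runs Unprotect-RMSFile from the AzureInformationProtection module over a set of files and folders, writes decrypted copies to an output folder so the originals stay intact, keeps its own record of each call, and skips any file larger than the 5 GB limit this section states. The source paths, output folder and log file are constructed placeholders; the account running it must already be assigned as a super user.

```powershell
# Added example: bulk Unprotect-RMSFile with a 5 GB size guard. Uses the
# AzureInformationProtection module (the client module, not AIPService).
# All paths are constructed placeholders.

Import-Module AzureInformationProtection

$Sources      = @('\\fileserver\legal\hold', 'C:\eDiscovery\protected-only.pst')
$OutputFolder = 'C:\eDiscovery\decrypted'
$LogFile      = 'C:\eDiscovery\unprotect-run.log'
$MaxBytes     = 5GB   # maximum file size supported by Unprotect-RMSFile

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

# Expand folders into their files; keep individual files (such as the
# protected-only PST from step 3) as they are.
$files = foreach ($src in $Sources) {
    if (Test-Path -Path $src -PathType Container) {
        Get-ChildItem -Path $src -File -Recurse
    } elseif (Test-Path -Path $src -PathType Leaf) {
        Get-Item -Path $src
    } else {
        Write-Warning "Not found, skipping: $src"
    }
}

foreach ($f in $files) {
    if ($f.Length -gt $MaxBytes) {
        # Above the supported size. For a PST, go back to step 3 and export
        # a smaller file containing only the protected items.
        $msg = '{0:o}  SKIPPED (over 5 GB, {1:N0} bytes)  {2}' -f (Get-Date), $f.Length, $f.FullName
        Write-Warning $msg
        Add-Content -Path $LogFile -Value $msg
        continue
    }

    # Without -InPlace the cmdlet writes the decrypted copy to $OutputFolder
    # and leaves the protected original untouched.
    $result = Unprotect-RMSFile -File $f.FullName -OutputFolder $OutputFolder

    $msg = '{0:o}  DECRYPTED  {1}' -f (Get-Date), $f.FullName
    Add-Content -Path $LogFile -Value $msg
    Add-Content -Path $LogFile -Value ($result | Out-String)
}

# Review the run record before importing the output into the eDiscovery tool.
Get-Content -Path $LogFile | Select-Object -Last 20
```

Because each decryption by a super user is also recorded in the service's usage logs, keep this run record together with the exported super user list so that the decryptions can be attributed during a later audit.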

For more detailed information and guidance for performing eDiscovery across mailboxes and PST files, see the following blog post: Azure Information Protection and eDiscovery Processes.