Frequently asked questions for Azure Information Protection

*Applies to: Azure Information Protection, Office 365*

*Relevant for: AIP unified labeling client and classic client*

Note

To provide a unified and streamlined customer experience, Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Have a question about Azure Information Protection, or about the Azure Rights Management service (Azure RMS)? See if it's answered here.

What's the difference between Azure Information Protection and Microsoft Information Protection?

Unlike Azure Information Protection, Microsoft Information Protection isn't a subscription or product that you can buy. Instead, it's a framework for products and integrated capabilities that help you protect your organization's sensitive information.

Microsoft Information Protection products include:

  • Azure Information Protection
  • Microsoft 365 Information Protection, such as Microsoft 365 DLP
  • Windows Information Protection
  • Microsoft Cloud App Security

Microsoft Information Protection capabilities include:

  • Unified label management
  • End-user labeling experiences built into Office apps
  • The ability for Windows to understand unified labels and apply protection to data
  • The Microsoft Information Protection SDK
  • Functionality in Adobe Acrobat Reader to view labeled and protected PDFs

For more information, see Information protection capabilities to help protect your sensitive data.

What's the difference between labels in Microsoft 365 and labels in Azure Information Protection?

Originally, Microsoft 365 had only retention labels, which enabled you to classify documents and emails for auditing and retention when that content was stored in Microsoft 365 services.

In contrast, Azure Information Protection labels, configured at the time using the AIP classic client in the Azure portal, enabled you to apply a consistent classification and protection policy for documents and emails whether they were stored on-premises or in the cloud.

Microsoft 365 now supports sensitivity labels in addition to retention labels. Sensitivity labels can be created and configured in the following admin centers:

  • Office 365 Security & Compliance Center
  • Microsoft 365 security center
  • Microsoft 365 compliance center

If you have legacy AIP labels configured in the Azure portal, we recommend migrating them to sensitivity labels and unified labeling client. For more information, see Tutorial: Migrating from the Azure Information Protection (AIP) classic client to the unified labeling client.

For more information, see Announcing availability of information protection capabilities to help protect your sensitive data.

How can I determine if my tenant is on the unified labeling platform?

When your tenant is on the unified labeling platform, it supports sensitivity labels that can be used by clients and services that support unified labeling. If you obtained your subscription for Azure Information Protection in June 2019 or later, your tenant is automatically on the unified labeling platform and no further action is needed. Your tenant might also be on this platform because somebody migrated your Azure Information Protection labels.

If your tenant is not on the unified labeling platform, you'll see the following information banner in the Azure portal, on the Azure Information Protection panes:

[Image: Migration information banner]

You can also check by going to Azure Information Protection > Manage > Unified labeling, and view the Unified labeling status:

Status | Description
Activated | Your tenant is on the unified labeling platform. You can create, configure, and publish labels from the Microsoft 365 compliance center.
Not activated | Your tenant is not on the unified labeling platform. For migration instructions and guidance, see How to migrate Azure Information Protection labels to unified sensitivity labels.

What's the difference between the Azure Information Protection classic and unified labeling clients?

The legacy Azure Information Protection client, referred to as the classic client, downloads labels and policy settings from Azure and enables you to configure the AIP policy from the Azure portal.

The unified labeling client is the most current client with the most recent updates, and supports the unified labeling platform used by multiple applications and services. The unified labeling client downloads sensitivity labels and policy settings from the following admin centers:

  • Office 365 Security & Compliance Center
  • Microsoft 365 security center
  • Microsoft 365 compliance center

If you're an admin, learn more in Choose your Windows labeling solution.

Classic client deprecation

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021.

After deprecation, the client will continue to work as expected. However, administrators will not be able to update policies on the portal, and no more fixes or changes will be supplied for the classic client.

This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

If you currently have the classic client deployed, we recommend that you upgrade to the unified labeling client. For more information, see;

Identify the client you have installed

If you are a user who wants to understand whether you have the classic or the unified labeling client installed, you can do one of the following:

  • In your Office apps, check for the Sensitivity or Protect toolbar button. The unified labeling client displays the Sensitivity button, while the classic client displays the Protect button.

  • Check the version number for the Azure Information Protection application you have installed.

    • Versions 1.x indicate that you have the classic client. Example: 1.54.59.0
    • Versions 2.x indicate that you have the unified labeling client. Example: 2.8.85.0

    For example, in the Windows Settings > Apps and features area, scroll down to the Microsoft Azure Information Protection application, and check the version number.

    [Image: Check the Azure Information Protection client version]
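The same version check can be scripted so that machines still running the deprecated classic client, which no longer receives fixes, can be found without opening Settings on each one. This is an added example, not part of the original FAQ or Microsoft's own code; the function name is hypothetical, and it assumes the uninstall registry entry carries the same "Microsoft Azure Information Protection" display name shown in Apps and features.

```powershell
# Added example: classify the installed AIP client by major version.
# Assumption: the uninstall entry's DisplayName starts with the application
# name shown in Apps and features ("Microsoft Azure Information Protection").
function Get-AipClientType {
    [CmdletBinding()]
    param(
        [string]$DisplayNamePattern = 'Microsoft Azure Information Protection*'
    )

    # Installed programs are registered under these keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $entries = @(
        Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object {
                $_.PSObject.Properties['DisplayName'] -and
                $_.DisplayName -like $DisplayNamePattern
            }
    )

    if ($entries.Count -eq 0) {
        # No matching entry: report that explicitly instead of returning nothing.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Version  = $null
            Client   = 'NotInstalled'
        }
    }

    foreach ($entry in $entries) {
        $parsed = $null
        $client = 'Unknown'

        # DisplayVersion can be missing or malformed, so parse defensively.
        if ([version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)) {
            switch ($parsed.Major) {
                1 { $client = 'Classic (deprecated)' }   # versions 1.x, e.g. 1.54.59.0
                2 { $client = 'UnifiedLabeling' }        # versions 2.x, e.g. 2.8.85.0
            }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Version  = $entry.DisplayVersion
            Client   = $client
        }
    }
}

Get-AipClientType | Format-Table -AutoSize
```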

When is the right time to migrate my labels?

We recommend that you migrate your Azure Information Protection labels to the unified labeling platform so that you can use them as sensitivity labels with other clients and services that support unified labeling.

For more information and instructions, see How to migrate Azure Information Protection labels to unified sensitivity labels.

After I've migrated my labels, which management portal do I use?

After you've migrated your labels in the Azure portal, continue managing them in one of the following locations, depending on the clients you have installed:

Client | Description
Unified labeling clients and services only | If you only have unified labeling clients installed, manage your labels in one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center. Unified labeling clients download the labels and policy settings from these admin centers. For instructions, see Create and configure sensitivity labels and their policies.
Classic client only | If you've migrated your labels, but still have the classic client installed, continue to use the Azure portal to edit labels and policy settings. The classic client continues to download labels and policy settings from Azure.
Both the AIP classic client and unified labeling clients | If you have both of the clients installed, use the admin centers or the Azure portal to make label changes. For the classic clients to pick up label changes made in the admin centers, return to the Azure portal to publish them. In the Azure portal > Azure Information Protection - Unified labeling pane, select Publish. Continue to use the Azure portal for central reporting and the scanner.

Do I need to re-encrypt my files after moving to sensitivity labels and the unified labeling platform?

No, you don't need to re-encrypt your files after moving to sensitivity labels and the unified labeling platform after migrating from the AIP classic client and the labels managed in the Azure portal.

After migrating, manage your labels and labeling policies from your labeling admin center, including the Microsoft security center, Microsoft compliance center, or the Microsoft Security & Compliance Center.

For more information, see Learn about sensitivity labels in the Microsoft 365 documentation and the Understanding unified labeling migration blog.

What's the difference between Azure Information Protection and Azure Rights Management?

Azure Information Protection (AIP) provides classification, labeling, and protection for an organization's documents and emails.

Content is protected using the Azure Rights Management service, which is now a component of AIP.

For more information, see How AIP protects your data and What is Azure Rights Management?.

What's the role of identity management for Azure Information Protection?

Identity management is an important component of AIP, as users must have a valid user name and password to access protected content.

To read more about how Azure Information Protection helps to secure your data, see The role of Azure Information Protection in securing data.

What subscription do I need for Azure Information Protection and what features are included?

To understand more about AIP subscriptions, see the subscription information and feature list on the Azure Information Protection pricing page.

If you have a Microsoft 365 subscription that includes Azure Rights Management data protection, download the Azure Information Protection licensing datasheet for more details about integrating with AIP.

Still have questions about licensing? See if they are answered in the frequently asked questions for licensing section.

Do you need to be a global admin to configure Azure Information Protection, or can I delegate to other administrators?

Global administrators for a Microsoft 365 tenant or Azure AD tenant can obviously run all administrative tasks for Azure Information Protection.

However, if you want to assign administrative permissions to other users, do so using the following roles:

Additionally, note the following when managing administrative tasks and roles:

Topic | Details
Supported account types | Microsoft accounts are not supported for delegated administration of Azure Information Protection, even if these accounts are assigned to one of the administrative roles listed.
Onboarding controls | If you have configured onboarding controls, this configuration does not affect the ability to administer Azure Information Protection, except the RMS connector. For example, if you have configured onboarding controls so that the ability to protect content is restricted to the IT department group, the account used to install and configure the RMS connector must be a member of that group.
Removing protection | Administrators cannot automatically remove protection from documents or emails that were protected by Azure Information Protection. Only users who are assigned as super users can remove protection, and only when the super user feature is enabled. Any user with administrative permissions to Azure Information Protection can enable the super user feature, and assign users as super users, including their own account. These actions are recorded in an administrator log. For more information, see the security best practices section in Configuring super users for Azure Information Protection and discovery services or data recovery. Tip: If your content is stored in SharePoint or OneDrive, admins can run the Unlock-SensitivityLabelEncryptedFile cmdlet to remove both the sensitivity label and the encryption. For more information, see the Microsoft 365 documentation.
Migrating to the unified labeling store | If you are migrating your Azure Information Protection labels to the unified labeling store, be sure to read the following section from the label migration documentation: Administrative roles that support the unified labeling platform.

Azure Information Protection administrator

This Azure Active Directory administrator role lets an administrator configure Azure Information Protection but not other services.

Administrators with this role can:

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

Note

This role doesn't support tracking and revoking documents for users, and is not supported in the Azure portal if your tenant is on the unified labeling platform.

Compliance administrator or Compliance data administrator

These Azure Active Directory administrator roles enable administrators to:

  • Configure Azure Information Protection, including activating and deactivating the Azure Rights Management protection service
  • Configure protection settings and labels
  • Configure the Azure Information Protection policy
  • Run all the PowerShell cmdlets for the Azure Information Protection client and from the AIPService module.

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

To see what other permissions a user with these roles has, see the Available roles section from the Azure Active Directory documentation.

Note

These roles don't support tracking and revoking documents for users.

Security reader or Global reader

These roles are used for Azure Information Protection analytics only, and enable administrators to:

  • View how your labels are being used
  • Monitor user access to labeled documents and emails
  • View changes made to classification
  • Identify documents that contain sensitive information that must be protected

Because this feature uses Azure Monitor, you must also have a supporting RBAC role.

Security administrator

This Azure Active Directory administrator role enables administrators to configure Azure Information Protection in the Azure portal as well as some aspects of other Azure services.

Administrators with this role cannot run any of the PowerShell cmdlets from the AIPService module, or track and revoke documents for users.

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

To see what other permissions a user with this role has, see the Available roles section from the Azure Active Directory documentation.

Azure Rights Management Global Administrator and Connector Administrator

The Global Administrator role enables users to run all PowerShell cmdlets from the AIPService module without making them a global administrator for other cloud services.

The Connector Administrator role enables users to run only the Rights Management (RMS) connector.

These administrative roles don't grant permissions to management consoles, or support tracking and revoking documents for users.

To assign either of these administrative roles, use the AIPService PowerShell cmdlet, Add-AipServiceRoleBasedAdministrator.
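The sketch below ties together the role assignment described here and the earlier point that any Azure Information Protection administrator can enable the super user feature and add their own account: it delegates the narrower Connector Administrator role, then reviews who holds AIPService roles and super user rights and pulls the administrator log. It is an added example, not Microsoft's own script; the account address and log path are placeholders, and searching the log for the text "SuperUser" assumes the log records the names of the cmdlets that were run.

```powershell
# Added example. Requires the AIPService module and an account allowed to run its cmdlets.
# $connectorAdmin and $logPath are placeholders chosen for this example.
Import-Module AIPService
Connect-AipService

$connectorAdmin = 'rms-connector-admin@contoso.example'   # placeholder account
$logPath        = Join-Path $env:TEMP 'aip-admin-log.txt' # placeholder path

# Delegate only what the account needs: an account that installs the RMS
# connector gets ConnectorAdministrator rather than GlobalAdministrator.
Add-AipServiceRoleBasedAdministrator -EmailAddress $connectorAdmin -Role 'ConnectorAdministrator'

# Review who holds an AIPService role-based administrator assignment.
$roleAdmins = @(Get-AipServiceRoleBasedAdministrator)

# Review the super user configuration. Super users can remove protection from
# any content in the tenant, so every entry should be expected and justified.
$featureState   = [string](Get-AipServiceSuperUserFeature)
$superUsers     = @(Get-AipServiceSuperUser)
$superUserGroup = Get-AipServiceSuperUserGroup

if ($featureState -eq 'Enabled') {
    Write-Warning "Super user feature is enabled; $($superUsers.Count) individual super user(s) assigned."
}

# Download the last 30 days of the administrator log and list entries that
# mention super user changes.
# Assumption: log lines contain the cmdlet name, so 'SuperUser' matches them.
Get-AipServiceAdminLog -Path $logPath -FromTime (Get-Date).AddDays(-30) -Force
$superUserChanges = @(Select-String -Path $logPath -Pattern 'SuperUser')

[pscustomobject]@{
    RoleBasedAdministrators = $roleAdmins
    SuperUserFeature        = $featureState
    SuperUsers              = $superUsers
    SuperUserGroup          = $superUserGroup
    SuperUserLogEntries     = $superUserChanges.Count
}

$superUserChanges | ForEach-Object { $_.Line }

Disconnect-AipService
```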

Does Azure Information Protection support on-premises and hybrid scenarios?

Yes. Although Azure Information Protection is a cloud-based solution, it can classify, label, and protect documents and emails that are stored on-premises, as well as in the cloud.

If you have Exchange Server, SharePoint Server, and Windows file servers, use one or both of the following methods:

  • Deploy the Rights Management connector so that these on-premises servers can use the Azure Rights Management service to protect your emails and documents
  • Synchronize and federate your Active Directory domain controllers with Azure AD for a more seamless authentication experience for users. For example, use Azure AD Connect.

The Azure Rights Management service automatically generates and manages XrML certificates as required, so it doesn't use an on-premises PKI.

For more information about how Azure Rights Management uses certificates, see the Walkthrough of how Azure RMS works: First use, content protection, content consumption.

What types of data can Azure Information Protection classify and protect?

Azure Information Protection can classify and protect email messages and documents, whether they are located on-premises or in the cloud. These documents include Word documents, Excel spreadsheets, PowerPoint presentations, PDF documents, text-based files, and image files.

For more information, see the full list of file types supported.

Note

Azure Information Protection cannot classify and protect structured data such as database files, calendar items, Yammer posts, Sway content, and OneNote notebooks.

Tip

Power BI supports classification by using sensitivity labels and can apply protection from those labels to data that is exported to the following file formats: .pdf, .xls, and .ppt. For more information, see Data protection in Power BI.

I see Azure Information Protection is listed as an available cloud app for conditional access—how does this work?

Yes, as a preview offering, you can configure Azure AD conditional access for Azure Information Protection.

When a user opens a document that is protected by Azure Information Protection, administrators can now block or grant access to users in their tenant, based on the standard conditional access controls. Requiring multi-factor authentication (MFA) is one of the most commonly requested conditions. Another one is that devices must be compliant with your Intune policies so that, for example, mobile devices meet your password requirements and a minimum operating system version, and computers must be domain-joined.

For more information and some walk-through examples, see the following blog post: Conditional Access policies for Azure Information Protection.

Additional information:

Topic | Details
Evaluation frequency | For Windows computers, and the current preview release, the conditional access policies for Azure Information Protection are evaluated when the user environment is initialized (this process is also known as bootstrapping), and then every 30 days. To fine-tune how often your conditional access policies get evaluated, configure the token lifetime.
Administrator accounts | We recommend that you do not add administrator accounts to your conditional access policies because these accounts will not be able to access the Azure Information Protection pane in the Azure portal.
MFA and B2B collaboration | If you use MFA in your conditional access policies for collaborating with other organizations (B2B), you must use Azure AD B2B collaboration and create guest accounts for the users you want to share with in the other organization.
Terms of Use prompts | With the Azure AD December 2018 preview release, you can now prompt users to accept a terms of use before they open a protected document for the first time.
Cloud apps | If you use many cloud apps for conditional access, you might not see Microsoft Azure Information Protection displayed in the list to select. In this case, use the search box at the top of the list. Start typing "Microsoft Azure Information Protection" to filter the available apps. Providing you have a supported subscription, you'll then see Microsoft Azure Information Protection to select.

Note

The Azure Information Protection support for conditional access is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

I see Azure Information Protection is listed as a security provider for Microsoft Graph Security—how does this work and what alerts will I receive?

Yes, as a public preview offering, you can now receive an alert for Azure Information Protection anomalous data access. This alert is triggered when there are unusual attempts to access data that is protected by Azure Information Protection. For example, accessing an unusually high volume of data, at an unusual time of day, or access from an unknown location.

Such alerts can help you to detect advanced data-related attacks and insider threats in your environment. These alerts use machine learning to profile the behavior of users who access your protected data.

The Azure Information Protection alerts can be accessed by using the Microsoft Graph Security API, or you can stream alerts to SIEM solutions, such as Splunk and IBM QRadar, by using Azure Monitor.

For more information about the Microsoft Graph Security API, see Microsoft Graph Security API overview.

Note

The Azure Information Protection support for Microsoft Graph Security is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

I've heard a new release is going to be available soon, for Azure Information Protection—when will it be released?

The technical documentation does not contain information about upcoming releases. For this type of information, use the Microsoft 365 Roadmap and check the Enterprise Mobility + Security Blog.

Is Azure Information Protection suitable for my country?

Different countries have different requirements and regulations. To help you answer this question for your organization, see Suitability for different countries.

How can Azure Information Protection help with GDPR?

Note

If you're interested in viewing or deleting personal data, please review Microsoft's guidance in the Microsoft Compliance Manager and in the GDPR section of the Microsoft 365 Enterprise Compliance site. If you're looking for general information about GDPR, see the GDPR section of the Service Trust portal.

See Compliance and supporting information for Azure Information Protection.

How can I report a problem or send feedback for Azure Information Protection?

For technical support, use your standard support channels or contact Microsoft Support.

We also invite you to engage with our engineering team, on their Azure Information Protection Yammer site.

What do I do if my question isn't here?

First, review the frequently asked questions listed below, which are specific to classification and labeling, or specific to data protection. The Azure Rights Management service (Azure RMS) provides the data protection technology for Azure Information Protection. Azure RMS can be used with classification and labeling, or by itself.

If your question isn't answered, see the links and resources listed in Information and support for Azure Information Protection.