Tutorial: Configure Azure Information Protection policy settings and create a new label

Applies to: Azure Information Protection

Instructions for: Azure Information Protection client for Windows

In this tutorial, you learn how to:

  • Configure policy settings
  • Create a new label
  • Configure the label for visual markings, recommended classification, and protection
  • See your settings and labels in action

As a result of this configuration, users see a default label applied when they create a new document or email. However, they are prompted to apply the new label when credit card information is detected. When the new label is applied, the content is reclassified and protected, with a corresponding footer and watermark.

You can finish this tutorial in about 15 minutes.

Prerequisites

To complete this tutorial, you need:

  1. A subscription that includes Azure Information Protection Plan 2.

    If you don't have a subscription that includes Azure Information Protection Plan 2, you can create a free account for your organization.

  2. You've added the Azure Information Protection blade to the Azure portal, and confirmed that the protection service is activated.

    If you need help with these actions, see Quickstart: Add Azure Information Protection to the Azure portal and view the policy.

  3. The Azure Information Protection client is installed on your computer.

    To install the client, go to the Microsoft download center and download AzInfoProtection.exe from the Azure Information Protection page.

  4. A computer running Windows (minimum of Windows 7 with Service Pack 1), and on this computer, you're signed in to Office apps from one of the following categories:

    • Office apps minimum version 1805, build 9330.2078 from Office 365 Business or Microsoft 365 Business when you are assigned a license for Azure Rights Management (also known as Azure Information Protection for Office 365).

    • Office 365 ProPlus.

    • Office Professional Plus 2019.

    • Office Professional Plus 2016.

    • Office Professional Plus 2013 with Service Pack 1.

    • Office Professional Plus 2010 with Service Pack 2.

For a full list of prerequisites to use Azure Information Protection, see Requirements for Azure Information Protection.

Let's get started.

Edit the Azure Information Protection policy

Using the Azure portal, we'll first change a couple of policy settings, and then create a new label.

Edit the policy settings

  1. Open a new browser window and sign in to the Azure portal as a global admin. Then navigate to Azure Information Protection.

    For example, on the hub menu, click All services and start typing Information in the Filter box. Select Azure Information Protection.

    If you are not the global admin, use the following link for alternative roles: Signing in to the Azure portal

  2. Select Classifications > Policies > Global to open the Policy: Global blade.

  3. Locate the policy settings after the labels, in the Configure settings to display and apply on Information Protection end users section.

    Make a note of how the settings are currently configured. Specifically, the settings Select the default label and Users must provide justification to set a lower classification label, remove a label, or remove protection. For example:

    Azure Information Protection tutorial - policy settings to change

    We'll use these policy settings later in the tutorial, when you see them in action.

  4. For Select the default label, select General.

    If you don't have this label because you have an older version of the policy, choose Internal as the equivalent label.

  5. For Users must provide justification to set a lower classification label, remove a label, or remove protection, set this option to On if it is not already.

  6. In addition, make sure that Display the Information Protection bar in Office apps is set to On.

  7. Select Save on this Policy: Global blade, and if you're prompted to confirm your action, select OK. Close this blade.

Create a new label for protection, visual markers, and a condition to prompt for classification

We'll now create a new sublabel for Confidential.

  1. From the Classifications > Labels menu option: Right-click the Confidential label, and select Add a sub-label.

    If you don't have a label named Confidential, you can select another label or you can create a new label instead and still follow the tutorial with minor differences.

  2. On the Sub-label blade, specify the label name of Finance and add the following description: Confidential data that contains financial information that is restricted to employees only.

    This text describes how the selected label is intended to be used and it's visible to users as a tooltip, to help them decide which label to select.

  3. For Set permissions for documents and emails containing this label, select Protect, which automatically opens the Protection blade by selecting the Protection option for you:

    Configure an Azure Information Protection label for protection

  4. On the Protection blade, make sure that Azure (cloud key) is selected. This option uses the Azure Rights Management service to protect documents and emails. Also make sure that the Set Permissions option is selected. Then select Add permissions.

  5. On the Add permissions blade, select Add <organization name> - All members. For example, if your organization name is VanArsdel Ltd, you see the following option to select:

    Protection permissions for an Azure Information Protection label granted to all members

    This option automatically selects all the users in your organization who can be granted permissions. However, you can see from the other options that you could browse and search for groups or users from your tenant. Or, when you select the Enter details option, you can specify individual email addresses or even all users from another organization.

  6. For the permissions, select Reviewer from the preset options. You see how this permission level automatically grants some permissions listed but not all permissions:

    Protection permissions for an Azure Information Protection label granted to co-authors

    You can select different permission levels or specify individual usage rights by using the Custom option. But for this tutorial, keep the Reviewer option. You can experiment with different permissions later and read how they restrict what the specified users can do with the protected document or email.

  7. Click OK to close this Add permissions blade, and you see how the Protection blade is updated to reflect your configuration. For example:

    Protection blade showing the permission settings for an Azure Information Protection label

    If you select Add permissions, this action opens the Add permissions blade again, so that you can add more users and grant them different permissions. For example, grant just view access for a specific group. But for this tutorial, we'll keep to one set of permissions for all users.

  8. Review and keep the defaults for content expiration and offline access, and then click OK to save and close this Protection blade.

  9. Back on the Sub-label blade, locate the Set visual marking section:

    For the Documents with this label have a footer setting, click On, and then for the Text box, type Classified as Confidential.

    For the Documents with this label have a watermark setting, click On, and then for the Text box, type your organization name. For example, VanArsdel, Ltd

    Although you can change the appearance for these visual markers, we'll leave these settings at the defaults for now.

  10. Locate the section Configure conditions for automatically applying this label:

    Click Add a new condition and then, on the Condition blade, select the following:

    a. Choose the type of condition: Keep the default of Information Types.

    b. For Choose an industry: Keep the default of All.

    c. In the Select information types search box: Type credit card number. Then, from the search results, select Credit Card Number.

    d. Minimum number of occurrences: Keep the default of 1.

    e. Count occurrences with unique values only: Keep the default of Off.

    Azure Information Protection tutorial - configure credit card condition

    Click Save to return to the Sub-label blade.

  11. On the Sub-label blade, you see that Credit Card Number is displayed as the CONDITION NAME, with 1 OCCURRENCES:

    Azure Information Protection tutorial - credit card condition summary

  12. For Select how this label is applied: Keep the default of Recommended, and don't change the default policy tip.

  13. In the Add notes for administrator use box, type For testing purposes only.

  14. Click Save on this Sub-label blade. If you're prompted to confirm, click OK. The new label is created and saved, but not yet added to a policy.

  15. From the Classifications > Policies menu option: Select Global again, and then select the Add or remove labels link after the labels.

  16. From the Policy: Add or remove labels blade, select the label that you've just created, the sublabel named Finance, and click OK.

  17. On the Policy: Global blade, you now see your new sublabel in your global policy, which is configured for visual markings and protection. For example:

    Azure Information Protection tutorial - new sublabel

    You also see that the settings are configured for the default label and justification:

    Azure Information Protection tutorial - settings configured

  18. Click Save on this Policy: Global blade. If you're prompted to confirm this action, click OK.

You can either close the Azure portal, or leave it open to try additional configuration options after you've finished this tutorial.

You're ready to try out the results of your changes.

See classification, labeling, and protection in action

The policy changes you made and the new label you created apply to Word, Excel, PowerPoint, and Outlook. But for this tutorial, we'll use Word to see them in action.

Open a new document in Word. Because the Azure Information Protection client is installed, you see the following:

Azure Information Protection tutorial - client installed

  • On the Home tab, a Protection group, with a button named Protect.

    Click Protect > Help and Feedback, and in the Microsoft Azure Information Protection dialog box, confirm your client status. It should display Connected as and your user name. In addition, you should also see a recent time and date for the last connection and when the Information Protection policy was downloaded. Verify that your displayed user name is correct for your tenant.

  • A new bar under the ribbon: the Information Protection bar. It displays the title of Sensitivity, and the labels that we saw in the Azure portal.

To manually change our default label

  1. On the Information Protection bar, select the last label and you see how sublabels display:

    Azure Information Protection tutorial - see sublabels

  2. Select one of these sublabels, and you see how the other labels no longer display on the bar now that you've selected a label for this document. The Sensitivity value changes to show the label and sublabel name, with a corresponding change in label color. For example:

    Azure Information Protection tutorial - sublabel selected

  3. On the Information Protection bar, click the Edit Label icon next to the currently selected label value:

    Azure Information Protection tutorial - Edit Label icon

    This action displays the available labels again.

  4. Now select the first label, Personal. Because you've selected a label that's a lower classification than the previously selected label for this document, you're prompted to justify why you're lowering the classification level:

    Azure Information Protection tutorial - prompt to justify lowering the classification

    Select The previous label no longer applies, and click Confirm. The Sensitivity value changes to Personal and the other labels are hidden again.

To remove the classification completely

  1. On the Information Protection bar, click the Edit Label icon again. But instead of choosing one of the labels, click the Delete Label icon:

    Azure Information Protection tutorial - Delete Label icon

  2. This time when you're prompted, type "This document doesn't need classifying", and click Confirm.

    You see the Sensitivity value display Not set, which is what users see initially for new documents if you don't set a default label as a policy setting.

To see a recommendation prompt for labeling and automatic protection

  1. In the Word document, type a valid credit card number, for example: 4242-4242-4242-4242.

  2. Save the document locally, with any file name.

  3. You now see a prompt to apply the label that you configured for protection when credit card numbers are detected. If we didn't agree with the recommendation, our policy setting lets us reject it, by selecting Dismiss. Giving a recommendation but letting a user override it helps to reduce false positives when you're using automatic classification. For this tutorial, click Change now.

    Azure Information Protection tutorial - recommendation prompt

    In addition to the document now showing that our configured label is applied (for example, Confidential \ Finance), you immediately see the watermark of your organization name across the page, and the footer of Classified as Confidential is also applied.

    The document is also protected with the permissions that you specified for this label. You can confirm that the document is protected by clicking the File tab and viewing the information for Protect Document. You see that the document is protected by Confidential \ Finance and the label description.

    Because of the protection configuration of the label, only employees can open the document and some actions are restricted for them. For example, because they don't have the Print and the Copy and extract content permissions, they can't print the document or copy from it. Such restrictions help to prevent data loss. As the owner of the document, you can print it and copy from it. However, if you email the document to another user in your organization, they cannot do these actions.

  4. You can now close this document.
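The recommendation in this procedure appears because the Finance sublabel's condition (Credit Card Number, minimum occurrences 1, unique values only Off) matched the saved text. The following Python sketch is an added illustration, not Microsoft's detection engine and not code from this tutorial: it assumes a simplified 16-digit pattern plus a Luhn checksum, and every function, class, and sample document name in it is hypothetical.

```python
import re
from dataclasses import dataclass

# Simplified candidate pattern (assumption): 16 digits in four groups that
# share one separator (hyphen, space, or none).
CANDIDATE = re.compile(r"(?<!\d)\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}(?!\d)")

def luhn_valid(digits):
    """Return True when a digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return digits-only matches that also pass the checksum."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

@dataclass
class Condition:
    """Hypothetical model of the tutorial's condition settings."""
    min_occurrences: int = 1    # "Minimum number of occurrences" default
    unique_only: bool = False   # "Count occurrences with unique values only": Off

    def matches(self, text):
        hits = find_card_numbers(text)
        count = len(set(hits)) if self.unique_only else len(hits)
        return count >= self.min_occurrences

def recommended_label(text, condition, label="Confidential \\ Finance"):
    """Return the label to recommend, or None when the condition is not met."""
    return label if condition.matches(text) else None

# Constructed sample documents; only the 4242... number comes from the tutorial.
DOC_VALID = "Card on file: 4242-4242-4242-4242"
DOC_BAD_CHECKSUM = "Order reference 1234-5678-9012-3456"
DOC_REPEATED = "4242-4242-4242-4242 billed; refund to 4242 4242 4242 4242"

if __name__ == "__main__":
    for doc in (DOC_VALID, DOC_BAD_CHECKSUM, DOC_REPEATED):
        print(repr(doc), "->", recommended_label(doc, Condition()))
    strict = Condition(min_occurrences=2, unique_only=True)
    print("unique-only, min 2:", recommended_label(DOC_REPEATED, strict))
```

In this model, the second sample has the right shape but fails the checksum, so no label is recommended. The third sample shows the effect of the unique-values setting: two occurrences of the same number count as one when it is On.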

Clean up resources

Do the following if you don't want to keep the changes that you made in this tutorial:

  1. Select Classifications > Policies > Global to open the Policy: Global blade.

  2. Return the policy settings to their original values that you took a note of, and then select Save.

  3. From the Classifications > Labels menu option: On the Azure Information Protection - Label blade, select the context menu (...) for the Finance label you created.

  4. Select Delete this label and if you're asked to confirm, select OK.

Restart Word to download these changes.

Next steps

For more information about editing the Azure Information Protection policy, see Configuring Azure Information Protection policy.

For more information about where the labeling activity is logged, see Usage logging for the Azure Information Protection client.