Azure 資訊保護的其他 Azure AD 需求Additional Azure AD requirements for Azure Information Protection

*適用於:*Azure 資訊保護Office 365*Applies to: Azure Information Protection, Office 365*

*相關AIP 統一標籤用戶端和 AIP 傳統用戶端。**Relevant for: AIP unified labeling client and AIP classic client.*


為了提供統一且流暢的客戶體驗,自 2021 年 3 月 31 日 起,Azure 入口網站將 淘汰 Azure 資訊保護傳統用戶端標籤管理To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021.

目前所有的 Azure 資訊保護客戶都有充裕的時間,可轉換至 Microsoft 資訊保護統一標籤解決方案。This time-frame allows all current Azure Information Protection customers to transition to the Microsoft Information Protection unified labeling solution. 在正式的淘汰通知 (英文) 中深入了解。Learn more in the official deprecation notice.

使用 Azure 資訊保護必須要有 Azure AD 目錄An Azure AD directory is a requirement for using Azure Information protection. 使用 Azure AD 目錄中的帳戶登入 Azure 入口網站,您可在此設定 Azure 資訊保護設定。Use an account from an Azure AD directory to sign in to the Azure portal, where you can configure Azure Information Protection settings.

如果您的訂用帳戶包含 Azure 資訊保護或 Azure Rights Management,則會視需要自動為您建立 Azure AD 目錄。If you have a subscription that includes Azure Information Protection or Azure Rights Management, your Azure AD directory is automatically created for you if needed.

下列各節會列出特定案例的其他 AIP 和 Azure AD 需求。The following sections list additional AIP and Azure AD requirements for specific scenarios.

支援憑證型驗證 (CBA)Support for certificate-based authentication (CBA)

適用於 iOS 和 Android 的 Azure 資訊保護應用程式支援憑證式驗證。The Azure Information Protection apps for iOS and Android support certificate-based authentication.

如需詳細資訊,請參閱開始在 Azure Active Directory 中使用憑證型驗證For more information, see Get started with certificate-based authentication in Azure Active Directory.

Multi-Factor Authentication (MFA) 和 Azure Information ProtectionMulti-factor authentication (MFA) and Azure Information Protection

若要使用 Multi-Factor Authentication (MFA) 與 Azure 資訊保護,則必須下列安裝其中一個:To use multi-factor authentication (MFA) with Azure Information Protection, you must have at least one of the following installed:

  • Microsoft Office,2013 版或更高版本Microsoft Office, version 2013 or higher
  • AIP 用戶端An AIP client. 不需要最低版本。No minimum version required. Windows 版 AIP 用戶端以及 iOS 和 Android 版檢視器應用程式全都支援 MFA。The AIP clients for Windows, as well as the viewer apps for iOS and Android all support MFA.
  • 適用於 Mac 電腦的 Rights Management 共用應用程式The Rights Management sharing app for Mac computers. RMS 共用應用程式自 2015 年 9 月版起即支援 MFA。The RMS sharing apps have supported MFA since the September 2015 release.


如果您有 Office 2013,即可能必須安裝額外更新才能支援 Active Directory 驗證程式庫 (ADAL),例如 2015 年 6 月 9 日的 Office 2013 更新 (KB3054853) (自動翻譯)。If you have Office 2013, you might need to install an additional update to support Active Directory Authentication Library (ADAL), such as the June 9, 2015, update for Office 2013 (KB3054853).

如需詳細資訊,請參閱 Office 部落格的 Office 2013 新式驗證公開預覽公告 (英文)。For more information, see Office 2013 modern authentication public preview announced on the Office blog.

確認這些必要條件之後,請根據租用戶設定,執行下列其中一項作業:Once you've confirmed these prerequisites, do one of the following, depending on your tenant configuration:

Rights Management 連接器/AIP 掃描器需求Rights Management connector / AIP scanner requirements

Rights Management 連接器和 Azure 資訊保護掃描程式不支援 MFA。The Rights Management connector and the Azure Information Protection scanner do not support MFA.

如果您部署連接器或掃描程式,則以下帳戶不可以要求 MFA:If you deploy the connector or scanner, the following accounts must not require MFA:

  • 安裝並設定連接器的帳戶。The account that installs and configures the connector.
  • 連接器在 Azure AD (Aadrm_S-1-7-0) 中建立的服務主體帳戶。The service principal account in Azure AD, Aadrm_S-1-7-0, that the connector creates.
  • 執行掃描器的服務帳戶。The service account that runs the scanner.

使用者的 UPN 值與其電子郵件地址不相符User UPN values don't match their email addresses

設定中的使用者 UPN 值與其電子郵件地址不相符,其非建議的設定,且不支援 Azure 資訊保護的單一登入。Configurations where users' UPN values don't match their email addresses is not a recommended configuration, and does not support single-sign on for Azure Information Protection.

若無法變更 UPN 值,請為相關使用者設定替代識別碼,並指引其如何使用此替代識別碼來登入 Office。If you cannot change the UPN value, configure alternate IDs for the relevant users, and instruct them how to sign in to Office by using this alternate ID.

如需詳細資訊,請參閱For more information, see:


如果 UPN 值中網域名稱是租用戶的已驗證網域時,請將使用者的 UPN 值當作另一個電子郵件地址新增到 Azure AD proxyAddresses 屬性。If the domain name in the UPN value is a domain that is verified for your tenant, add the user's UPN value as another email address to the Azure AD proxyAddresses attribute. 如果在授與使用權限時指定使用者的 UPN 值,這會讓使用者獲得 Azure Rights Management 的授權。This allows the user to be authorized for Azure Rights Management if their UPN value is specified at the time the usage rights are granted.

如需詳細資訊,請參閱準備 Azure 資訊保護的使用者和群組For more information, see Preparing users and groups for Azure Information Protection.

使用 AD FS 或其他驗證提供者來驗證內部部署Authenticating on-premises using AD FS or another authentication provider

如果您正在使用以 AD FS 驗證內部部署的行動裝置或 Mac 電腦,或對等的驗證提供者,則必須在下列其中一項設定中使用 AD FS:If you're using a mobile device or Mac computer that authenticates on-premises using AD FS, or an equivalent authentication provider, you must use AD FS on one of the following configurations:

  • 最低伺服器版本為 Windows Server 2012 R2A minimum server version of Windows Server 2012 R2
  • 支援 OAuth 2.0 通訊協定的替代驗證提供者An alternative authentication provider that supports the OAuth 2.0 protocol

執行 Office 2010 的電腦Computers running Office 2010


Office 2010 延伸支援已於 2020 年 10 月 13 日結束。Office 2010 extended support ended on October 13, 2020. 如需詳細資訊,請參閱 AIP 和舊版 Windows 和 Office 版本For more information, see AIP and legacy Windows and Office versions.

執行 Microsoft 2010 的電腦除 Azure AD 帳戶外,還需要有 Windows 版 Azure 資訊保護用戶端,才能向 Azure 資訊保護及其資料保護服務 Azure Rights Management 驗證。In addition to an Azure AD account, computers running Microsoft 2010 require the Azure Information Protection client for Windows to authenticate to Azure Information Protection, and its data protection service, Azure Rights Management.

如果使用者帳戶是同盟帳戶 (例如,您使用 AD FS),則這些電腦必須使用 Windows 整合式驗證。If your user accounts are federated (for example, you use AD FS), these computers must use Windows-Integrated Authentication. 此案例中的表單型驗證無法驗證 Azure 資訊保護的使用者。Forms-based authentication in this scenario fails to authenticate users for Azure Information Protection.

建議部署 Azure 資訊保護統一標籤用戶端。We recommend that you deploy the Azure Information Protection unified labeling client. 若尚未升級,則您的系統可能還是部署了 Azure 資訊保護傳統用戶端If you haven't yet upgraded, your system may still have the Azure Information Protection classic client deployed.

如需詳細資訊,請參閱 Azure 資訊保護用戶端For more information, see The client side of Azure Information Protection.

後續步驟Next steps

若要檢查其他需求,請參閱 Azure 資訊保護的需求To check for other requirements, see Requirements for Azure Information Protection.