在應用層級設定客戶機碼Set up Customer Key at the application level

使用客戶金鑰,您可以控制組織的加密金鑰,然後設定 Microsoft 365,以使用這些金鑰在 Microsoft 資料中心內加密您的資料。With Customer Key, you control your organization's encryption keys and then configure Microsoft 365 to use them to encrypt your data at rest in Microsoft's data centers. 換句話說,客戶金鑰可讓客戶新增屬於其金鑰的加密層級。In other words, Customer Key allows customers to add a layer of encryption that belongs to them, with their keys. 存放的資料包括 Exchange Online 資料和儲存在信箱的商務用 Skype 資料,以及儲存在 SharePoint Online 中和商務用 OneDrive 中的檔案。Data at rest includes data from Exchange Online and Skype for Business that is stored in mailboxes and files that are stored in SharePoint Online and OneDrive for Business.

您必須先設定 Azure,才能使用 Office 365 的客戶金鑰。You must set up Azure before you can use Customer Key for Office 365. 本文說明建立及設定必要 Azure 資源所需遵循的步驟,並提供在 Office 365 中設定客戶機碼的步驟。This article describes the steps you need to follow to create and configure the required Azure resources and then provides the steps for setting up Customer Key in Office 365. 完成 Azure 安裝之後,您可以決定要將哪些原則指派給組織中的信箱和檔案,進而決定要指派哪些機碼。After you have completed Azure setup, you determine which policy, and therefore, which keys, to assign to mailboxes and files in your organization. 您未指派原則的信箱和檔案會使用由 Microsoft 所控制和管理的加密原則。Mailboxes and files for which you don't assign a policy will use encryption policies that are controlled and managed by Microsoft. 如需客戶機碼的相關資訊,或有關一般概述,請參閱 Office 365 中的客戶金鑰服務加密For more information about Customer Key, or for a general overview, see Service encryption with Customer Key in Office 365.


強烈建議您遵循本文中的最佳作法。We strongly recommend that you follow the best practices in this article. 這些是以 TIP重要 的方式呼叫。These are called out as TIP and IMPORTANT. 客戶金鑰可讓您控制根加密金鑰,其範圍可以像整個組織一樣大。Customer Key gives you control over root encryption keys whose scope can be as large as your entire organization. 這表示對這些機碼所做的錯誤可能會產生很大的影響,而且可能會導致服務中斷或資料遺失。This means that mistakes made with these keys can have a broad impact and may result in service interruptions or irrevocable loss of your data.

在您設定客戶機碼之前Before you set up Customer Key

開始之前,請先確定您的組織具有適當的授權。Before you get started, ensure that you have the appropriate licensing for your organization. 使用企業合約或雲端服務提供者,以支付已開發票的 Azure 訂閱。Use a paid, invoiced Azure Subscription using either an Enterprise Agreement or a Cloud Service Provider. 客戶機碼不支援使用「隨付」方案或信用卡使用信用卡購買的 Azure 訂閱。Azure Subscriptions purchased using Pay As You Go plans or using a credit card aren't supported for Customer Key. 從 office 365 的2020年4月1日開始,于 office 365 E5,M365 E5,M365 E5 規範,以及 M365 E5 & 控管 SKUs 中提供的資訊保護。Starting April 1, 2020, Customer Key in Office 365 is offered in Office 365 E5, M365 E5, M365 E5 Compliance, and M365 E5 Information Protection & Governance SKUs. Office 365 Advanced 相容性 SKU 已無法再提供購置新的授權。Office 365 Advanced Compliance SKU is no longer available for procuring new licenses. 現有的 Office 365 Advanced 相容性授權會繼續受到支援。Existing Office 365 Advanced Compliance licenses will continue to be supported.

若要瞭解本文中的概念和程式,請參閱 Azure 重要保險庫 檔。To understand the concepts and procedures in this article, review the Azure Key Vault documentation. 此外,熟悉 Azure 中使用的條款,例如 AZURE AD 租使用者。Also, become familiar with the terms used in Azure, for example, Azure AD tenant.

FastTrack 僅用於收集用於註冊客戶金鑰所需的承租人和服務設定資訊。FastTrack is only used to collect the required tenant and service configuration information used to register for Customer Key. 客戶金鑰提供方案是透過 FastTrack 發佈,讓您與我們的協力廠商可以方便您與我們的合作夥伴使用相同方法提交必要的資訊。The Customer Key Offers are published via FastTrack so that it is convenient for you and our partners to submit the required information using the same method. FastTrack 也可讓您輕鬆地封存您在提供中提供的資料。FastTrack also makes it easy to archive the data that you provide in the Offer.

如果您需要檔以外的其他支援,請與 Microsoft 諮詢服務 (MCS) 、Premier Field 工程 (PFE) 或 Microsoft 合作夥伴以取得協助。If you need more support beyond the documentation, contact Microsoft Consulting Services (MCS), Premier Field Engineering (PFE), or a Microsoft partner for assistance. 若要提供對客戶機碼的意見反應(包括檔),請將您的想法、建議和觀點傳送至 customerkeyfeedback@microsoft.com。To provide feedback on Customer Key, including the documentation, send your ideas, suggestions, and perspectives to customerkeyfeedback@microsoft.com.

設定客戶機碼的步驟概述Overview of steps to set up Customer Key

若要設定客戶機碼,請依所列順序完成這些工作。To set up Customer Key, complete these tasks in the listed order. 本文的其餘部分提供每項工作的詳細指示,或連結至程式中每個步驟的詳細資訊。The rest of this article provides detailed instructions for each task, or links out to more information for each step in the process.

在 Azure 和 Microsoft FastTrack:In Azure and Microsoft FastTrack:

您可以遠端連線至 Azure PowerShell,以完成大部分的工作。You will complete most of these tasks by remotely connecting to Azure PowerShell. 為了獲得最佳結果,請使用版本4.4.0 或更新版本的 Azure PowerShell。For best results, use version 4.4.0 or later of Azure PowerShell.

建立兩個新的 Azure 訂閱後,您必須完成 Microsoft FastTrack 入口網站中主控的 web 表單,以提交適當的客戶金鑰提供要求。Once you've created the two new Azure subscriptions, you'll need to submit the appropriate Customer Key offer request by completing a web form that is hosted in the Microsoft FastTrack portal. FastTrack 小組不會向客戶金鑰提供協助。Office 只會使用 FastTrack 入口網站,讓您提交表單,並協助我們追蹤客戶金鑰的相關提供 者。The FastTrack team doesn't provide assistance with Customer Key. Office simply uses the FastTrack portal to allow you to submit the form and to help us track the relevant offers for Customer Key.

在 Office 365 中:In Office 365:

Exchange Online 和商務用 Skype:Exchange Online and Skype for Business:

SharePoint 線上和商務 OneDrive:SharePoint Online and OneDrive for Business:

完成 Azure Key Vault 中的工作及客戶機碼的 Microsoft FastTrackComplete tasks in Azure Key Vault and Microsoft FastTrack for Customer Key

在 Azure Key Vault 中完成這些工作。Complete these tasks in Azure Key Vault. 您必須完成這些步驟,不論您是否想要為 Exchange Online 和商務用 Skype、商務用 Skype OneDrive SharePoint,或是 Office 365 中的所有支援服務設定客戶金鑰。You'll need to complete these steps regardless of whether you intend to set up Customer Key for Exchange Online and Skype for Business or for SharePoint Online, OneDrive for Business, and Teams files, or for all supported services in Office 365.

建立兩個新的 Azure 訂閱Create two new Azure subscriptions

客戶金鑰需要兩個 Azure 訂閱。Customer Key requires two Azure subscriptions. 最佳作法是 Microsoft 建議您建立新的 Azure 訂閱,以與客戶金鑰搭配使用。As a best practice, Microsoft recommends that you create new Azure subscriptions for use with Customer Key. Azure 金鑰保存庫金鑰只能針對相同 Azure Active directory 中的應用程式授權 (Microsoft Azure Active Directory) 租使用者,您必須使用與 DEPs 將會指派之組織搭配使用的相同 Azure AD 租使用者來建立新的訂閱。Azure Key Vault keys can only be authorized for applications in the same Azure Active Directory (Microsoft Azure Active Directory) tenant, you must create the new subscriptions using the same Azure AD tenant used with your organization where the DEPs will be assigned. 例如,在您的組織中使用具有全域系統管理員許可權的公司或學校帳戶。For example, using your work or school account that has global administrator privileges in your organization. 如需詳細步驟,請參閱 註冊 Azure 做為組織For detailed steps, see Sign up for Azure as an organization.


客戶金鑰需要每個資料加密原則 (DEP) 的兩個金鑰。Customer Key requires two keys for each data encryption policy (DEP). 為了達到此目的,您必須建立兩個 Azure 訂閱。In order to achieve this, you must create two Azure subscriptions. 建議的最佳作法是,您組織中的個別成員可以在每個訂閱中設定一個金鑰。As a best practice, Microsoft recommends that you have separate members of your organization configure one key in each subscription. 您應只使用這些 Azure 訂閱來管理 Office 365 的加密金鑰。You should only use these Azure subscriptions to administer encryption keys for Office 365. 這會保護您的組織,以防其中一個操作員意外、故意或惡意刪除,或 mismanages 其負責的金鑰。This protects your organization in case one of your operators accidentally, intentionally, or maliciously deletes or otherwise mismanages the keys for which they are responsible.

您可以為組織建立的 Azure 訂閱數目沒有實際的限制。There is no practical limit to the number of Azure subscriptions that you can create for your organization. 遵循這些最佳作法,可在協助管理客戶金鑰所使用的資源時,將人為錯誤所造成的影響降至最低。Following these best practices will minimize the impact of human error while helping to manage the resources used by Customer Key.

提交要求以啟用 Office 365 的客戶金鑰Submit a request to activate Customer Key for Office 365

當您完成 Azure 步驟之後,您必須在 Microsoft FastTrack 入口網站中提交提供要求。Once you've completed the Azure steps, you'll need to submit an offer request in the Microsoft FastTrack portal. 當您透過 FastTrack 網頁入口網站提交要求之後,Microsoft 會驗證 Azure 金鑰 Vault 設定資料和您所提供的連絡人資訊。Once you've submitted a request through the FastTrack web portal, Microsoft verifies the Azure Key Vault configuration data and contact information you provided. 您在 [提供] 表單中為您組織的授權官員所做的選擇,對完成客戶金鑰註冊是很重要且必要的。The selections that you make in the offer form about the authorized officers of your organization is critical and necessary for completion of Customer Key registration. 組織的監察官員會確定任何要求的真偽,以吊銷和銷毀客戶金鑰資料加密原則所使用的所有金鑰。The officers of your organization ensure the authenticity of any request to revoke and destroy all keys used with a Customer Key data encryption policy. 您必須執行此步驟一次,以啟用 Exchange Online 和商務用 Skype 覆蓋服務的客戶金鑰,以及啟用 SharePoint 線上和商務 OneDrive 之客戶金鑰的第二次。You'll need to do this step once to activate Customer Key for Exchange Online and Skype for Business coverage and a second time to activate Customer Key for SharePoint Online and OneDrive for Business.

若要提交服務以啟用客戶金鑰,請完成下列步驟:To submit an offer to activate Customer Key, complete these steps:

  1. 在您的組織中使用具有全域系統管理員許可權的公司或學校帳戶,登入 Microsoft FastTrack 入口網站Using a work or school account that has global administrator permissions in your organization, sign in to the Microsoft FastTrack portal.

  2. 登入之後,請流覽至 儀表板Once you're logged in, browse to the Dashboard.

  3. 從導覽列中選擇 [部署], 選取 [在 部署 資訊卡片上 查看所有部署資源],然後查看目前的提供方案清單。Choose Deploy from the navigation bar OR select View all deployment resources on the Deploy information card, and review the list of current offers.

  4. 選擇適用于您的優惠資訊卡片:Choose the information card for the offer that applies to you:

    • Exchange Online 和商務用 Skype: 選擇 Exchange online 提供的要求加密金鑰 說明。Exchange Online and Skype for Business: Choose the Request encryption key help for Exchange online offer.

    • SharePoint 線上、OneDrive 及小組檔案: 選擇 Sharepoint 的要求加密金鑰說明,並 OneDrive 提供。SharePoint Online, OneDrive, and Teams files: Choose the Request encryption key help for Sharepoint and OneDrive offer.

  5. 當您複習提供詳細資料之後,請選擇 [ 繼續] 步驟 2Once you've reviewed the offer details, choose Continue to step 2.

  6. 在 [服務] 表單上填寫所有適用的詳細資料和要求的資訊。Fill out all applicable details and requested information on the offer form. 請特別注意您的組織中您要授權的監察官員,以核准加密金鑰和資料的永久和不可恢復的毀壞專案。Pay particular attention to your selections for which officers of your organization you want to authorize to approve the permanent and irreversible destruction of encryption keys and data. 當您完成表單之後,請選擇 [ 提交]。Once you've completed the form, choose Submit.

註冊 Azure 訂閱以使用強制保留期間Register Azure subscriptions to use a mandatory retention period

暫時或永久遺失根加密金鑰的功能可能會造成中斷,甚至可能造成資料遺失。The temporary or permanent loss of root encryption keys can be disruptive or even catastrophic to service operation and can result in data loss. 因此,與客戶金鑰搭配使用的資源需要加強保護。For this reason, the resources used with Customer Key require strong protection. 與客戶金鑰搭配使用的所有 Azure 資源,除了預設設定之外,還提供保護機制。All the Azure resources that are used with Customer Key offer protection mechanisms beyond the default configuration. 您可以為 強制保留期間 標記或註冊 Azure 訂閱。You can tag or register Azure subscriptions for a mandatory retention period. 強制保留期間可防止對您的 Azure 訂閱進行立即和不可撤銷的取消。A mandatory retention period prevents immediate and irrevocable cancellation of your Azure subscription. 在必要保留期間內註冊 Azure 訂閱所需的步驟,需要與 Microsoft 365 小組共同作業。The steps required to register Azure subscriptions for a mandatory retention period require collaboration with the Microsoft 365 team. 此程式可能會花費一到五個工作日。This process can take from one to five business days. 先前,強制保留期間有時稱為「不要取消」。Previously, mandatory retention period was sometimes referred to as "Do Not Cancel".

在聯繫 Microsoft 365 團隊之前,您必須針對每個用客戶金鑰使用的 Azure 訂閱執行下列步驟。Before contacting the Microsoft 365 team, you must do the following steps for each Azure subscription that you use with Customer Key. 開始之前,請確定您已安裝 Azure PowerShell Az 模組。Ensure that you have the Azure PowerShell Az module installed before you start.

  1. 使用 Azure PowerShell 登入。Sign in with Azure PowerShell. 如需相關指示,請參閱 使用 Azure PowerShell 登入For instructions, see Sign in with Azure PowerShell.

  2. 執行 Register-AzProviderFeature Cmdlet 註冊您的訂閱,以使用強制保留期間。Run the Register-AzProviderFeature cmdlet to register your subscriptions to use a mandatory retention period. 請針對每個訂閱完成此動作。Complete this action for each subscription.

    Set-AzContext -SubscriptionId <SubscriptionId>
    Register-AzProviderFeature -FeatureName mandatoryRetentionPeriodEnabled -ProviderNamespace Microsoft.Resources
  3. 請與 Microsoft 聯繫完成此程式。Contact Microsoft to complete the process. 如需商務小組的 SharePoint 和 OneDrive,請與 spock@microsoft.com聯繫。For the SharePoint and OneDrive for Business team, contact spock@microsoft.com. 若為 Exchange Online 和商務用 Skype,請與 exock@microsoft.com聯繫。For Exchange Online and Skype for Business, contact exock@microsoft.com. 在您的電子郵件中包含下列資訊:Include the following information in your email:

    主旨 :客戶 金鑰<Your tenant's fully qualified domain name>Subject: Customer Key for <Your tenant's fully qualified domain name>

    本文 :包括 您要為其完成必要保留期間的訂閱 IDs,以及每個訂閱的 Get-AzProviderFeature 輸出。Body: Include the subscription IDs for which you want to complete the mandatory retention period and the output of Get-AzProviderFeature for each subscription.

    完成此程式的服務等級協定 (SLA) 一天之後,Microsoft 會 (通知您已註冊訂閱,) 您已註冊訂閱,以使用強制保留期間。The Service Level Agreement (SLA) for completion of this process is five business days once Microsoft has been notified (and verified) that you have registered your subscriptions to use a mandatory retention period.

  4. 當您收到來自 Microsoft 的通知,表明已完成註冊後,請執行 Get-AzProviderFeature 命令,按下列方式,以確認註冊的狀態。Once you receive notification from Microsoft that registration is complete, verify the status of your registration by running the Get-AzProviderFeature command as follows. 若驗證,Get-AzProviderFeature 命令會傳回登錄 狀態 屬性的 註冊 值。If verified, the Get-AzProviderFeature command returns a value of Registered for the Registration State property. 請針對每個訂閱完成此步驟。Complete this step for each subscription.

    Set-AzContext -SubscriptionId <SubscriptionId>
    Get-AzProviderFeature -ProviderNamespace Microsoft.Resources -FeatureName mandatoryRetentionPeriodEnabled
  5. 若要完成此程式,請執行 Register-AzResourceProvider 命令。To complete the process, run the Register-AzResourceProvider command. 請針對每個訂閱完成此步驟。Complete this step for each subscription.

    Set-AzContext -SubscriptionId <SubscriptionId>
    Register-AzResourceProvider -ProviderNamespace Microsoft.KeyVault

在每個訂閱中建立高級 Azure 金鑰 VaultCreate a premium Azure Key Vault in each subscription

建立主要 vault 的步驟會在 開始使用 Azure Key vault時記錄下來,可引導您安裝及啟動 azure PowerShell、連線至 azure 訂閱、建立資源群組,以及在該資源群組中建立金鑰 vault。The steps to create a key vault are documented in Getting Started with Azure Key Vault, which guides you through installing and launching Azure PowerShell, connecting to your Azure subscription, creating a resource group, and creating a key vault in that resource group.

當您建立金鑰 vault 時,您必須選擇 SKU: [標準] 或 [特優]。When you create a key vault, you must choose a SKU: either Standard or Premium. Standard SKU 允許使用軟體來保護 Azure 金鑰 Vault 金鑰-沒有硬體安全性模組 (HSM) 金鑰保護-而且特優 SKU 允許使用 Hsm 來保護主要 Vault 金鑰。The Standard SKU allows Azure Key Vault keys to be protected with software - there's no Hardware Security Module (HSM) key protection - and the Premium SKU allows the use of HSMs for protection of Key Vault keys. 客戶金鑰可接受使用任一 SKU 的金鑰電子倉庫,但 Microsoft 強烈建議您只使用特優 SKU。Customer Key accepts key vaults that use either SKU, though Microsoft strongly recommends that you use only the Premium SKU. 使用任何一種類型之機碼的作業成本是相同的,所以每個受 HSM 保護的金鑰只會有每個月的成本差異。The cost of operations with keys of either type is the same, so the only difference in cost is the cost per month for each HSM-protected key. 如需詳細資訊,請參閱 主要 Vault 定價See Key Vault pricing for details.


針對實際執行資料使用特優 SKU 金鑰保存庫和受版權保護的金鑰,只使用標準的 SKU 金鑰保存庫和金鑰進行測試和驗證。Use the Premium SKU key vaults and HSM-protected keys for production data, and only use Standard SKU key vaults and keys for testing and validation purposes.

針對每個要使用客戶金鑰的 Microsoft 365 服務,在您建立的兩個 Azure 訂閱中建立金鑰 vault。For each Microsoft 365 service with which you will use Customer Key, create a key vault in each of the two Azure subscriptions that you created. 例如,僅限 Exchange Online 和商務用 Skype 或 SharePoint 線上和 OneDrive 僅供商務用,只會建立一對電子倉庫。For example, for Exchange Online and Skype for Business only or SharePoint Online and OneDrive for Business only, you'll create only one pair of vaults. 若要同時對 Exchange Online 和 SharePoint 啟用客戶金鑰,您會建立兩組主要保險電子倉庫。To enable Customer Key for both Exchange Online and SharePoint Online, you will create two pairs of key vaults.

使用金鑰保管的命名慣例,以反映要與保存庫建立關聯的 DEP 預定用途。Use a naming convention for key vaults that reflects the intended use of the DEP with which you will associate the vaults. 如需命名慣例建議,請參閱下列最佳作法一節。See the Best Practices section below for naming convention recommendations.

為每個資料加密原則建立一組成對的保險集。Create a separate, paired set of vaults for each data encryption policy. 若為 Exchange Online,當您將原則指派給信箱時,會選取資料加密原則的範圍。For Exchange Online, the scope of a data encryption policy is chosen by you when you assign the policy to mailbox. 信箱只會指派一個原則,而且您可以建立最多50個原則。A mailbox can have only one policy assigned, and you can create up to 50 policies. SharePoint 線上原則的範圍包括地理位置或 地理 位置中組織內的所有資料。The scope of a SharePoint Online policy includes all of the data within an organization in a geographic location, or geo.

建立機碼 vault 也需要建立 Azure 資源群組,因為若啟用,主要電子倉庫需要儲存容量 (,) 但若啟用,也會產生儲存的資料。The creation of key vaults also requires the creation of Azure resource groups, since key vaults need storage capacity (though small) and Key Vault logging, if enabled, also generates stored data. 最佳作法是 Microsoft 建議使用個別的系統管理員管理每個資源群組,並將其與一組系統管理員搭配使用,以管理所有相關客戶的重要資源。As a best practice Microsoft recommends using separate administrators to manage each resource group, with the administration that's aligned with the set of administrators that will manage all related Customer Key resources.


若要使可用性最大化,您的主要電子倉庫應該位於您的 Microsoft 365 服務區域附近。To maximize availability, your key vaults should be in regions close to your Microsoft 365 service. 例如,如果您的 Exchange Online 組織位於北美,請將您的主要電子倉庫放在北美。For example, if your Exchange Online organization is in North America, place your key vaults in North America. 如果您的 Exchange Online 組織在歐洲,請將您的主要存放庫放在歐洲。If your Exchange Online organization is in Europe, place your key vaults in Europe.

使用主要保管區的一般前置詞,並包含主要存放區和機碼的使用和範圍的縮寫, (例如,針對存放庫在北美的 Contoso SharePoint 服務,可能的名稱組為 Contoso-O365SP-NA-NA-NA-NA-na-NA-NA-NA-NA-NA。Use a common prefix for key vaults, and include an abbreviation of the use and scope of the key vault and keys (e.g., for the Contoso SharePoint service where the vaults will be located in North America, a possible pair of names is Contoso-O365SP-NA-VaultA1 and Contoso-O365SP-NA-VaultA2. 保存庫名稱是 Azure 內全域唯一的字串,因此,您可能需要嘗試所需名稱的變化,以防其他 Azure 客戶已索取所需的名稱。Vault names are globally unique strings within Azure, so you may need to try variations of your desired names in case the desired names are already claimed by other Azure customers. 從2017年7月的電子倉庫名稱無法變更,因此最佳作法是使用書面計畫進行安裝,然後使用第二個人驗證計畫是否正確執行。As of July 2017 vault names cannot be changed, so a best practice is to have a written plan for setup and use a second person to verify the plan is executed correctly.

如果可能,請在非成對區域中建立您的電子倉庫。If possible, create your vaults in non-paired regions. 配對的 Azure 區域可提供跨服務失敗網域的高可用性。Paired Azure regions provide high availability across service failure domains. 因此,區域配對可以視為彼此的備份區域。Therefore, regional pairs can be thought of as each other's backup region. 這表示位於某個地區的 Azure 資源會透過成對區域自動取得容錯。This means that an Azure resource that is placed in one region is automatically gaining fault tolerance through the paired region. 基於此原因,針對在地區是成對的資料加密原則中所使用的兩個保存庫選擇地區時,只會使用兩個可用區域的可用性。For this reason, choosing regions for two vaults used in a data encryption policy where the regions are paired means that only a total of two regions of availability are in use. 大多數地理有兩個地區,所以尚不能選取非成對區域。Most geographies only have two regions, so it's not yet possible to select non-paired regions. 如有可能,請選擇兩個不成對的區域,以用於資料加密原則的兩個保存庫。If possible, choose two non-paired regions for the two vaults used with a data encryption policy. 其優點是共有四個地區的可用性。This benefits from a total of four regions of availability. 如需詳細資訊,請參閱 Business 持續性和嚴重損壞修復 (BCDR) : Azure 成對區域 的目前區域配對清單。For more information, see Business continuity and disaster recovery (BCDR): Azure Paired Regions for a current list of regional pairs.

將許可權指派給每個金鑰保存庫Assign permissions to each key vault

根據您的實施,您必須為每個金鑰保存庫定義三組不同的許可權。You'll need to define three separate sets of permissions for each key vault, depending on your implementation. 例如,您必須為下列各項專案定義一組許可權:For example, you will need to define one set of permissions for each of the following:

  • 主要 vault 管理員 ,可對您的組織進行重要 vault 的日常管理工作。Key vault administrators that do day-to-day management of your key vault for your organization. 這些工作包括備份、建立、取得、匯入、清單及還原。These tasks include backup, create, get, import, list, and restore.


    指派給主要 vault 管理員的許可權集不包含刪除金鑰的許可權。The set of permissions assigned to key vault administrators does not include the permission to delete keys. 這是故意和重要的作法。This is intentional and an important practice. 刪除加密金鑰通常不會這麼做,因為這樣做會永久銷毀資料。Deleting encryption keys is not typically done, since doing so permanently destroys data. 根據預設,請勿將此許可權授與主要 vault 管理員的最佳作法。As a best practice, do not grant this permission to key vault administrators by default. 相反地,針對主要 vault 投稿人保留這種情況,而且只要清楚瞭解對結果的瞭解,就只需在短期內將其指派給系統管理員。Instead, reserve this for key vault contributors and only assign it to an administrator on a short term basis once a clear understanding of the consequences is understood.

    若要將這些許可權指派給組織中的使用者,請使用 Azure PowerShell 登入您的 Azure 訂閱。To assign these permissions to a user in your organization, sign in to your Azure subscription with Azure PowerShell. 如需相關指示,請參閱 使用 Azure PowerShell 登入For instructions, see Sign in with Azure PowerShell.

  • 執行 Set-AzKeyVaultAccessPolicy Cmdlet 指派必要的許可權。Run the Set-AzKeyVaultAccessPolicy cmdlet to assign the necessary permissions.

    Set-AzKeyVaultAccessPolicy -VaultName <vault name> -UserPrincipalName <UPN of user> -PermissionsToKeys create,import,list,get,backup,restore

    例如:For example:

    Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 -UserPrincipalName alice@contoso.com -PermissionsToKeys create,import,list,get,backup,restore
  • 可以變更 Azure Key Vault 自身許可權的 主要 vault 參與者Key vault contributors that can change permissions on the Azure Key Vault itself. 您必須在員工離職或加入您的小組時,變更這些許可權。You'll need to change these permissions as employees leave or join your team. 在極少數的情況下,主要 vault 管理員合法需要刪除或還原機碼的許可權,您也需要變更許可權。In the rare situation that the key vault administrators legitimately need permission to delete or restore a key you'll also need to change the permissions. 這組重要的 vault 投稿人員必須授與主要 vault 上的 投稿 人角色。This set of key vault contributors needs to be granted the Contributor role on your key vault. 您可以使用 Azure 資源管理員指派此角色。You can assign this role by using Azure Resource Manager. 如需詳細步驟,請參閱 Use Role-Based Access Control,以管理您的 Azure 訂閱資源的存取權For detailed steps, see Use Role-Based Access Control to manage access to your Azure subscription resources. 建立訂閱的系統管理員會隱含此存取權,以及將其他管理員指派給參與者角色的能力。The administrator who creates a subscription has this access implicitly, and the ability to assign other administrators to the Contributor role.

  • 如果您想要使用客戶金鑰搭配 Exchange Online 和商務用 Skype,您必須授與 Microsoft 365 的許可權,以代表 Exchange Online 和商務用 Skype 使用金鑰 vault。If you intend to use Customer Key with Exchange Online and Skype for Business, you need to give permission to Microsoft 365 to use the key vault on behalf of Exchange Online and Skype for Business. 同樣地,如果您想要使用客戶金鑰與 SharePoint 線上且 OneDrive 商務用,您必須新增 Microsoft 365 的許可權,才能代表 SharePoint 線上及 OneDrive 的商務用金鑰 vault。Likewise, if you intend to use Customer Key with SharePoint Online and OneDrive for Business, you need to add permission for the Microsoft 365 to use the key vault on behalf of SharePoint Online and OneDrive for Business. 若要授與 Microsoft 365 的許可權,請使用下列語法執行 AzKeyVaultAccessPolicy Cmdlet:To give permission to Microsoft 365, run the Set-AzKeyVaultAccessPolicy cmdlet using the following syntax:

    Set-AzKeyVaultAccessPolicy -VaultName <vault name> -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName <Office 365 appID>


    • 保存庫名稱 是您建立的主要 vault 名稱。vault name is the name of the key vault you created.

    • 若為 Exchange Online 和商務用 Skype,請將 Office 365 appID 取代為 00000002-0000-0ff1-ce00-000000000000For Exchange Online and Skype for Business, replace Office 365 appID with 00000002-0000-0ff1-ce00-000000000000

    • 如需 SharePoint 線上、商務和團隊檔案的 OneDrive,請將 Office 365 appID 取代為 00000003-0000-0ff1-ce00-000000000000For SharePoint Online, OneDrive for Business, and Teams files, replace Office 365 appID with 00000003-0000-0ff1-ce00-000000000000

    範例:設定 Exchange Online 和商務用 Skype 的許可權:Example: Setting permissions for Exchange Online and Skype for Business:

    Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000002-0000-0ff1-ce00-000000000000

    範例:設定 SharePoint Online、商務 OneDrive 及小組檔案的許可權:Example: Setting permissions for SharePoint Online, OneDrive for Business, and Teams files:

    Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365SP-NA-VaultA1 -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000003-0000-0ff1-ce00-000000000000

在金鑰保存庫上啟用然後確認虛刪除Enable and then confirm soft delete on your key vaults

當您可以快速復原金鑰時,由於意外或惡意刪除的金鑰,您很可能會因意外或惡意刪除的金鑰而經歷長時間的服務中斷。When you can quickly recover your keys, you are less likely to experience an extended service outage due to accidentally or maliciously deleted keys. 您必須啟用此設定,稱為「虛刪除」,才能使用您的金鑰與客戶金鑰。You need to enable this configuration, referred to as Soft Delete, before you can use your keys with Customer Key. 啟用 [虛刪除] 可讓您在刪除90天內復原金鑰或存放庫,而不需要從備份中還原。Enabling Soft Delete allows you to recover keys or vaults within 90 days of deletion without having to restore them from backup.

若要在金鑰保存庫上啟用虛刪除,請完成下列步驟:To enable Soft Delete on your key vaults, complete these steps:

  1. 使用 Windows PowerShell 登入您的 Azure 訂閱。Sign in to your Azure subscription with Windows PowerShell. 如需相關指示,請參閱 使用 Azure PowerShell 登入For instructions, see Sign in with Azure PowerShell.

  2. 執行 AzKeyVault Cmdlet。Run the Get-AzKeyVault cmdlet. 在此範例中, 保存庫名稱 是您要啟用 soft delete 之主要 vault 的名稱:In this example, vault name is the name of the key vault for which you are enabling soft delete:

    $v = Get-AzKeyVault -VaultName <vault name>
    $r = Get-AzResource -ResourceId $v.ResourceId
    $r.Properties | Add-Member -MemberType NoteProperty -Name enableSoftDelete -Value 'True'
    Set-AzResource -ResourceId $r.ResourceId -Properties $r.Properties
  3. 執行 AzKeyVault 指令程式,確認已為金鑰保存庫設定 soft delete。Confirm soft delete is configured for the key vault by running the Get-AzKeyVault cmdlet. 如果已正確設定 key vault 的 [虛刪除],則 Soft Delete Enabled 屬性會傳回 True 值:If soft delete is configured properly for the key vault, then the Soft Delete Enabled property returns a value of True:

    Get-AzKeyVault -VaultName <vault name> | fl

透過建立或匯入機碼,將機碼新增到每個機碼 vaultAdd a key to each key vault either by creating or importing a key

有兩種方法可以將機碼新增到 Azure Key Vault;您可以直接在 Key Vault 中建立金鑰,也可以匯入金鑰。There are two ways to add keys to an Azure Key Vault; you can create a key directly in Key Vault, or you can import a key. 直接在 Key Vault 中建立金鑰是不夠複雜的方法,而匯入金鑰會提供如何產生機碼的整體控制權。Creating a key directly in Key Vault is the less complicated method, while importing a key provides total control over how the key is generated. 使用 RSA 機碼。Use the RSA keys. Azure 金鑰 Vault 不支援使用橢圓曲線鍵進行換行及解換。Azure Key Vault doesn't support wrapping and unwrapping with elliptical curve keys.

若要直接在金鑰保存庫中建立金鑰,請執行 AzKeyVaultKey 指令 程式 ,如下所示:To create a key directly in your key vault, run the Add-AzKeyVaultKey cmdlet as follows:

Add-AzKeyVaultKey -VaultName <vault name> -Name <key name> -Destination <HSM|Software> -KeyOps wrapKey,unwrapKey


  • vault 名稱 是您要在其中建立機碼的金鑰 vault 名稱。vault name is the name of the key vault in which you want to create the key.

  • key name 是您要給予新機碼的名稱。key name is the name you want to give the new key.


    使用主要保險檔的上述命名慣例,以前面所述的名稱慣例命名機碼。Name keys using a similar naming convention as described above for key vaults. 如此一來,在僅顯示金鑰名稱的工具中,該字串是自我描述的。This way, in tools that show only the key name, the string is self-describing.

如果您想要使用 HSM 來保護機碼,請確定您將 hsm 指定為 Destination 參數的值,否則請指定 軟體If you intend to protect the key with an HSM, ensure that you specify HSM as the value of the Destination parameter, otherwise, specify Software.

例如:For example,

Add-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -Name Contoso-O365EX-NA-VaultA1-Key001 -Destination HSM -KeyOps wrapKey,unwrapKey

若要將機碼直接匯入到金鑰保存庫,您必須具有 nCipher nShield 硬體安全性模組。To import a key directly into your key vault, you need to have a nCipher nShield Hardware Security Module.

有些組織喜歡使用此方法來建立其機碼的 provenance,然後此方法也會提供下列 attestations:Some organizations prefer this approach to establish the provenance of their keys, and then this method also provides the following attestations:

  • 用於匯入的工具組包括 nCipher 中的認證金鑰交換金鑰 (KEK) (用來加密您所產生的金鑰)不可匯出,而且會在 nCipher 所生產的正版 HSM 內產生。The toolset used for import includes attestation from nCipher that the Key Exchange Key (KEK) that is used to encrypt the key you generate is not exportable and is generated inside a genuine HSM that was manufactured by nCipher.

  • 工具組包含從 nCipher 證明,Azure 金鑰 Vault 安全性世界也會在 nCipher 所生產的正版 HSM 上產生。The toolset includes attestation from nCipher that the Azure Key Vault security world was also generated on a genuine HSM manufactured by nCipher. 此認證會向您證明 Microsoft 也在使用正版 nCipher 硬體。This attestation proves to you that Microsoft is also using genuine nCipher hardware.

請與您的安全性群組核實,以判斷是否需要上述 attestations。Check with your security group to determine if the above attestations are required. 如需建立主要內部部署並將其匯入金鑰保存庫的詳細步驟,請參閱 how to 針對 Azure Key vault 產生及轉移受保護性保護的金鑰For detailed steps to create a key on-premises and import it into your key vault, see How to generate and transfer HSM-protected keys for Azure Key Vault. 使用 Azure 指示在每個金鑰保存庫中建立金鑰。Use the Azure instructions to create a key in each key vault.

檢查機碼的恢復層級Check the recovery level of your keys

Microsoft 365 要求 Azure Key Vault 訂閱設定為 [不要取消],且客戶機碼使用的金鑰已啟用 [虛刪除]。Microsoft 365 requires that the Azure Key Vault subscription is set to Do Not Cancel and that the keys used by Customer Key have soft delete enabled. 您可以查看您機碼上的復原層級,以確認訂閱設定。You can confirm you subscriptions settings by looking at the recovery level on your keys.

若要檢查機碼的復原層級,請在 Azure PowerShell 中執行 Get-AzKeyVaultKey Cmdlet,如下所示:To check the recovery level of a key, in Azure PowerShell, run the Get-AzKeyVaultKey cmdlet as follows:

(Get-AzKeyVaultKey -VaultName <vault name> -Name <key name>).Attributes

Recovery Level 屬性傳回的值不是 [可復原 + ProtectedSubscription] 的值,請確定您已將訂閱置於 [不取消取消] 清單中,而且您已在每個金鑰存放庫上啟用虛刪除。If the Recovery Level property returns anything other than a value of Recoverable+ProtectedSubscription, ensure that you have put the subscription on the Do Not Cancel list and that you have soft delete enabled on each of your key vaults.

備份 Azure Key VaultBack up Azure Key Vault

立即建立或變更索引鍵,執行備份及儲存備份的備份,不論是線上還是離線。Immediately following creation or any change to a key, perform a backup and store copies of the backup, both online and offline. 離線副本不應該連接至任何網路,例如在實體安全或商務儲存設施中。Offline copies should not be connected to any network, such as in a physical safe or commercial storage facility. 至少應有一個備份副本儲存在發生嚴重損壞時可存取的位置。At least one copy of the backup should be stored in a location that will be accessible in the event of a disaster. 備份 blob 是一種還原重要材料的唯一方法,應永久銷毀主要 Vault 金鑰,否則無法使用。The backup blobs are the sole means of restoring key material should a Key Vault key be permanently destroyed or otherwise rendered inoperable. Azure Key Vault 外部的金鑰和匯入到 Azure Key Vault 的金鑰不會做為備份,因為客戶金鑰使用金鑰所需的中繼資料不存在於外部金鑰。Keys that are external to Azure Key Vault and were imported to Azure Key Vault do not qualify as a backup because the metadata necessary for Customer Key to use the key does not exist with the external key. 只有從 Azure 金鑰保存庫取得的備份可用於使用客戶金鑰進行還原作業。Only a backup taken from Azure Key Vault can be used for restore operations with Customer Key. 因此,您必須在上傳或建立金鑰之後,建立 Azure 金鑰 Vault 的備份。Therefore, you must create a backup of Azure Key Vault after you upload or create a key.

若要建立 Azure Key Vault 機碼的備份,請執行 AzKeyVaultKey Cmdlet,如下所示:To create a backup of an Azure Key Vault key, run the Backup-AzKeyVaultKey cmdlet as follows:

Backup-AzKeyVaultKey -VaultName <vault name> -Name <key name>
-OutputFile <filename.backup>

確定您的輸出檔案使用尾碼 .backupEnsure that your output file uses the suffix .backup.

由此 Cmdlet 所產生的輸出檔已加密,且無法用於 Azure Key Vault 之外。The output file resulting from this cmdlet is encrypted and cannot be used outside of Azure Key Vault. 備份只能還原至執行備份的來源 Azure 訂閱。The backup can be restored only to the Azure subscription from which the backup was taken.


針對輸出檔,選擇您的保存庫名稱和機碼名稱的組合。For the output file, choose a combination of your vault name and key name. 這會使檔案名自我描述。This will make the file name self-describing. 它也會確定備份檔案名稱不會發生衝突。It will also ensure that backup file names do not collide.

例如:For example:

Backup-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -Name Contoso-O365EX-NA-VaultA1-Key001 -OutputFile Contoso-O365EX-NA-VaultA1-Key001-Backup-20170802.backup

驗證 Azure 金鑰 Vault 設定設定Validate Azure Key Vault configuration settings

使用 DEP 中的金鑰之前進行驗證是選用的,但是強烈建議您這麼做。Validating before using keys in a DEP is optional, but highly recommended. 如果您使用步驟來設定您的金鑰和電子倉庫(本文所述除外),請先驗證 Azure 金鑰 Vault 資源的健康情況,再設定客戶金鑰。If you use steps to set up your keys and vaults other than the ones described in this article, validate the health of your Azure Key Vault resources before you configure Customer Key.

若要確認您的金鑰具有 getwrapKeyunwrapKey 作業已啟用:To verify that your keys have get, wrapKey, and unwrapKey operations enabled:

執行 AzKeyVault 指令程式 ,如下所示:Run the Get-AzKeyVault cmdlet as follows:

Get-AzKeyVault -VaultName <vault name>

在 [輸出] 中,視需要查看存取原則和 Exchange Online 身分識別 (GUID) 或 SharePoint 線上身分識別 (GUID) 。In the output, look for the Access Policy and for the Exchange Online identity (GUID) or the SharePoint Online identity (GUID) as appropriate. 上述所有三個許可權都必須顯示在 [索引鍵的許可權] 底下。All three of the above permissions must be shown under Permissions to Keys.

如果存取原則設定不正確,請執行 Set-AzKeyVaultAccessPolicy Cmdlet,如下所示:If the access policy configuration is incorrect, run the Set-AzKeyVaultAccessPolicy cmdlet as follows:

Set-AzKeyVaultAccessPolicy -VaultName <vault name> -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName <Office 365 appID>

例如,對於 Exchange Online 和商務用 Skype:For example, for Exchange Online and Skype for Business:

Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 
-PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000002-0000-0ff1-ce00-000000000000

例如,針對 SharePoint 線上和商務 OneDrive:For example, for SharePoint Online and OneDrive for Business:

Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365SP-NA-VaultA1
-PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000003-0000-0ff1-ce00-000000000000

若要確認您的機碼未設定到期日,請執行 AzKeyVaultKey 指令程式 ,如下所示:To verify that an expiration date isn't set for your keys, run the Get-AzKeyVaultKey cmdlet as follows:

Get-AzKeyVaultKey -VaultName <vault name>

客戶金鑰不能使用到期金鑰。Customer Key can't use an expired key. 使用到期金鑰所嘗試的作業會失敗,而且可能會造成服務中斷。Operations attempted with an expired key will fail, and possibly result in a service outage. 強烈建議使用與客戶金鑰搭配使用的金鑰沒有到期日。We strongly recommend that keys used with Customer Key do not have an expiration date. 到期日一經設定,便無法移除,但可以變更為不同的日期。An expiration date, once set, cannot be removed, but can be changed to a different date. 如果必須使用具有到期日期設定的金鑰,請將 [到期] 值變更為12/31/9999。If a key must be used that has an expiration date set, change the expiration value to 12/31/9999. 到期日期設定為12/31/9999 以外的金鑰,將不會通過 Microsoft 365 驗證。Keys with an expiration date set to a date other than 12/31/9999 will not pass Microsoft 365 validation.

若要變更已設定為12/31/9999 以外任何值的到期日,請執行 AzKeyVaultKey 指令 程式 ,如下所示:To change an expiration date that has been set to any value other than 12/31/9999, run the Update-AzKeyVaultKey cmdlet as follows:

Update-AzKeyVaultKey -VaultName <vault name> -Name <key name> -Expires (Get-Date -Date "12/31/9999")


請勿設定與客戶金鑰搭配使用的加密金鑰上的到期日期。Don't set expiration dates on encryption keys you use with Customer Key.

取得每個 Azure 金鑰保存庫機碼的 URIObtain the URI for each Azure Key Vault key

在您設定好金鑰保存庫並新增金鑰之後,請執行下列命令,以取得每個金鑰保存庫中的金鑰 URI。Once you've set up your key vaults and added your keys, run the following command to get the URI for the key in each key vault. 您在稍後建立並指派每個 DEP 時,您需要使用這些 URIs,因此請將此資訊儲存在安全的位置。You'll need to use these URIs when you create and assign each DEP later, so save this information in a safe place. 請對每個金鑰保存庫執行一次此命令。Run this command once for each key vault.

Azure PowerShell:In Azure PowerShell:

(Get-AzKeyVaultKey -VaultName <vault name>).Id

Office 365:設定 Exchange Online 和商務用 Skype 的客戶金鑰Office 365: Setting up Customer Key for Exchange Online and Skype for Business

開始之前,請確定您已完成設定 Azure Key Vault 所需的工作。Before you begin, ensure that you've completed the tasks required to set up Azure Key Vault. 如需詳細資訊,請參閱 Azure Key Vault 和 Microsoft FastTrack 中的完成 工作。See Complete tasks in Azure Key Vault and Microsoft FastTrack for Customer Key for information.

若要為 Exchange Online 和商務用 Skype 設定客戶金鑰,您可以透過 Windows PowerShell 遠端連線至 Exchange Online,以完成這些步驟。To set up Customer Key for Exchange Online and Skype for Business, you'll complete these steps by remotely connecting to Exchange Online with Windows PowerShell.

在與 Exchange Online 和商務用 Skype 搭配使用的情況中,建立資料加密原則 (DEP) Create a data encryption policy (DEP) for use with Exchange Online and Skype for Business

DEP 與儲存在 Azure Key Vault 中的一組機碼相關聯。A DEP is associated with a set of keys stored in Azure Key Vault. 您為 Microsoft 365 中的信箱指派 DEP。You assign a DEP to a mailbox in Microsoft 365. 然後 Microsoft 365 會使用原則中所識別的金鑰來加密信箱。Microsoft 365 will then use the keys identified in the policy to encrypt the mailbox. 若要建立 DEP,您需要有先前取得的主要 Vault URIs。To create the DEP, you need the Key Vault URIs you obtained earlier. 如需相關指示,請參閱 取得每個 Azure Key Vault 金鑰的 URISee Obtain the URI for each Azure Key Vault key for instructions.

記得!Remember! 當您建立 DEP 時,您會在兩個不同的 Azure Key 保存庫中指定兩個金鑰。When you create a DEP, you specify two keys in two different Azure Key Vaults. 在兩個不同的 Azure 區域中建立這些機碼,以確保異地冗余。Create these keys in two separate Azure regions to ensure geo-redundancy.

若要建立 DEP,請遵循下列步驟:To create the DEP, follow these steps:

  1. 在您的本機電腦上,使用組織中具有全域系統管理員許可權的公司或學校帳戶,在 Windows PowerShell 視窗中連線 至 Exchange Online PowerShellOn your local computer, using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell in a Windows PowerShell window.

  2. 若要建立 DEP,請輸入下列命令,以使用 New-DataEncryptionPolicy Cmdlet。To create a DEP, use the New-DataEncryptionPolicy cmdlet by typing the following command.

    New-DataEncryptionPolicy -Name <PolicyName> -Description "Policy Description" -AzureKeyIDs <KeyVaultURI1>, <KeyVaultURI2>



    New-DataEncryptionPolicy -Name USA_mailboxes -Description "Root key for mailboxes in USA and its territories" -AzureKeyIDs https://contoso_EastUSvault01.vault.azure.net/keys/USA_key_01, https://contoso_EastUS2vault01.vault.azure.net/keys/USA_Key_02

如需詳細的語法及參數資訊,請參閱 DataEncryptionPolicyFor detailed syntax and parameter information, see New-DataEncryptionPolicy.

將 DEP 指派給信箱Assign a DEP to a mailbox

使用 Set-Mailbox Cmdlet 將 DEP 指派給信箱。Assign the DEP to a mailbox by using the Set-Mailbox cmdlet. 一旦您指派原則之後,Microsoft 365 便可使用 DEP 中識別的金鑰來加密信箱。Once you assign the policy, Microsoft 365 can encrypt the mailbox with the key identified in the DEP.

Set-Mailbox -Identity <MailboxIdParameter> -DataEncryptionPolicy <PolicyName>

其中 MailboxIdParameter 指定使用者信箱。Where MailboxIdParameter specifies a user mailbox. 如需 Set-Mailbox Cmdlet 的詳細資訊,請參閱 Set-MailboxFor more information about the Set-Mailbox cmdlet, see Set-Mailbox.

在混合式環境中,您可以為已同步處理至您的 Exchange Online 租使用者的內部部署信箱資料指派 DEP。In hybrid environments, you can assign a DEP to the on-premises mailbox data that is synchronized into your Exchange Online tenant. 若要將 DEP 指派給此同步處理的信箱資料,您將使用 Set-MailUser Cmdlet。To assign a DEP to this synchronized mailbox data, you'll use the Set-MailUser cmdlet. 如需混合式環境中信箱資料的詳細資訊,請參閱 使用 Outlook iOS 和 Android 搭配混合式新式驗證的內部部署信箱For more information about mailbox data in the hybrid environment, see on-premises mailboxes using Outlook for iOS and Android with hybrid Modern Authentication.

Set-MailUser -Identity <MailUserIdParameter> -DataEncryptionPolicy <PolicyName>

其中 MailUserIdParameter 指定郵件使用者 (也稱為啟用郵件功能的使用者) 。Where MailUserIdParameter specifies a mail user (also known as a mail-enabled user). 如需 Set-MailUser Cmdlet 的詳細資訊,請參閱 Set-MailUserFor more information about the Set-MailUser cmdlet, see Set-MailUser.

驗證信箱加密Validate mailbox encryption

加密信箱可能需要一些時間。Encrypting a mailbox can take some time. 若為第一次原則指派,在服務可以加密信箱之前,信箱也必須完全從一個資料庫移至另一個。For first-time policy assignment, the mailbox must also completely move from one database to another before the service can encrypt the mailbox. 建議您先等候72小時,再嘗試在變更 DEP 後,或第一次將 DEP 指派給信箱之後,再嘗試驗證加密。We recommend that you wait 72 hours before you attempt to validate encryption after you change a DEP or the first time you assign a DEP to a mailbox.

使用 Get-MailboxStatistics Cmdlet 來判斷信箱是否已加密。Use the Get-MailboxStatistics cmdlet to determine if a mailbox is encrypted.

Get-MailboxStatistics -Identity <GeneralMailboxOrMailUserIdParameter> | fl IsEncrypted

如果信箱已加密,IsEncrypted 屬性會傳回 true 值,如果信箱未加密,則傳回 false 的值。The IsEncrypted property returns a value of true if the mailbox is encrypted and a value of false if the mailbox isn't encrypted. 完成信箱移動的時間取決於第一次指派 DEP 的信箱數目,以及信箱的大小。The time to complete mailbox moves depends on the number of mailboxes to which you assign a DEP for the first time, and the size of the mailboxes. 如果信箱在您指派 DEP 的時間之後,一星期內尚未加密,請與 Microsoft 聯繫。If the mailboxes haven't been encrypted after a week from the time you assigned the DEP, contact Microsoft.

Office 365:設定 SharePoint Online、商務 OneDrive 及小組檔案的客戶金鑰Office 365: Setting up Customer Key for SharePoint Online, OneDrive for Business, and Teams files

開始之前,請確定您已完成設定 Azure Key Vault 所需的工作。Before you begin, ensure that you've completed the tasks required to set up Azure Key Vault. 如需詳細資訊,請參閱 Azure Key Vault 和 Microsoft FastTrack 中的完成 工作。See Complete tasks in Azure Key Vault and Microsoft FastTrack for Customer Key for information.

若要設定 SharePoint 線上、商務用 OneDrive 和團隊檔案的客戶金鑰,您可以使用 Windows PowerShell 遠端連線至 SharePoint 線上,完成這些步驟。To set up Customer Key for SharePoint Online, OneDrive for Business, and Teams files you complete these steps by remotely connecting to SharePoint Online with Windows PowerShell.

為商務地理位置的每個 SharePoint 線上及 OneDrive 建立資料加密原則 (DEP) Create a data encryption policy (DEP) for each SharePoint Online and OneDrive for Business geo

您可以將 DEP 與儲存在 Azure Key Vault 中的一組機碼產生關聯。You associate a DEP with a set of keys stored in Azure Key Vault. 您將 DEP 套用到一個地理位置(也稱為地理位置)上的所有資料。You apply a DEP to all of your data in one geographic location, also called a geo. 如果您使用 Office 365 的多地理位置功能,您可以為每個地理位置建立一個 DEP,使每個地理位置使用不同的金鑰。If you use the multi-geo feature of Office 365, you can create one DEP per geo with the capability to use different keys per geo. 如果您不是使用多地理位置,您可以在組織中建立一個 DEP,以用於 SharePoint 線上、商務 OneDrive 商務及小組檔案。If you aren't using multi-geo, you can create one DEP in your organization for use with SharePoint Online, OneDrive for Business, and Teams files. Microsoft 365 會使用 DEP 中識別的金鑰來加密該地理位置的資料。Microsoft 365 uses the keys identified in the DEP to encrypt your data in that geo. 若要建立 DEP,您需要有先前取得的主要 Vault URIs。To create the DEP, you need the Key Vault URIs you obtained earlier. 如需相關指示,請參閱 取得每個 Azure Key Vault 金鑰的 URISee Obtain the URI for each Azure Key Vault key for instructions.

記得!Remember! 當您建立 DEP 時,您會在兩個不同的 Azure Key 保存庫中指定兩個金鑰。When you create a DEP, you specify two keys in two different Azure Key Vaults. 在兩個不同的 Azure 區域中建立這些機碼,以確保異地冗余。Create these keys in two separate Azure regions to ensure geo-redundancy.

若要建立 DEP,您必須使用 Windows PowerShell,以遠端方式從遠端連線至 SharePoint。To create a DEP, you need to remotely connect to SharePoint Online by using Windows PowerShell.

  1. 在您的本機電腦上,使用組織中具有全域系統管理員許可權的工作或學校帳戶, 連線至 SharePoint Online PowerShellOn your local computer, using a work or school account that has global administrator permissions in your organization, Connect to SharePoint Online PowerShell.

  2. 在 Microsoft SharePoint Online 管理命令介面中,執行 Register-SPODataEncryptionPolicy Cmdlet,如下所示:In the Microsoft SharePoint Online Management Shell, run the Register-SPODataEncryptionPolicy cmdlet as follows:

    Register-SPODataEncryptionPolicy -Identity <adminSiteCollectionURL> -PrimaryKeyVaultName <PrimaryKeyVaultName> -PrimaryKeyName <PrimaryKeyName> -PrimaryKeyVersion <PrimaryKeyVersion> -SecondaryKeyVaultName <SecondaryKeyVaultName> -SecondaryKeyName <SecondaryKeyName> -SecondaryKeyVersion <SecondaryKeyVersion>


    Register-SPODataEncryptionPolicy -Identity https://contoso.sharepoint.com -PrimaryKeyVaultName 'stageRG3vault' -PrimaryKeyName 'SPKey3' -PrimaryKeyVersion 'f635a23bd4a44b9996ff6aadd88d42ba' -SecondaryKeyVaultName 'stageRG5vault' -SecondaryKeyName 'SPKey5' -SecondaryKeyVersion '2b3e8f1d754f438dacdec1f0945f251a’

    當您註冊 DEP 時,加密會從 geo 中的資料開始。When you register the DEP, encryption begins on the data in the geo. 加密可能需要一些時間。Encryption can take some time. 如需使用此參數的詳細資訊,請參閱 SPODataEncryptionPolicyFor more information on using this parameter, see Register-SPODataEncryptionPolicy.

驗證檔加密Validate file encryption

若要驗證 SharePoint 線上、OneDrive 商務及小組檔案的加密,請 連線至 SharePoint 線上 PowerShell,然後使用 Get-SPODataEncryptionPolicy Cmdlet 檢查您租使用者的狀態。To validate encryption of SharePoint Online, OneDrive for Business, and Teams files, connect to SharePoint Online PowerShell, and then use the Get-SPODataEncryptionPolicy cmdlet to check the status of your tenant. 如果已啟用客戶金鑰加密,且所有網站中的所有檔案都已加密,則 State 屬性會傳回 已註冊 的值。The State property returns a value of registered if Customer Key encryption is enabled and all files in all sites have been encrypted. 如果加密仍在進行中,則此 Cmdlet 會傳回 註冊 的值。If encryption is still in progress, this cmdlet returns a value of registering.