Set up new Message Encryption capabilities

The new Office 365 Message Encryption (OME) capabilities allow organizations to share protected email with anyone on any device. Users can exchange protected messages with other Microsoft 365 organizations, as well as with non-customers using Outlook.com, Gmail, and other email services.

Follow the steps below to ensure that the new OME capabilities are available in your organization.

Verify that Azure Rights Management is active

The new OME capabilities leverage the protection features in Azure Rights Management Services (Azure RMS), the technology used by Azure Information Protection to protect emails and documents via encryption and access controls.

The only prerequisite for using the new OME capabilities is that Azure Rights Management must be activated in your organization's tenant. If it is, Microsoft 365 activates the new OME capabilities automatically and you don't need to do anything.

Azure RMS is also activated automatically for most eligible plans, so you probably don't have to do anything in this regard either. See Activating Azure Rights Management for more information.

Important

If you use Active Directory Rights Management service (AD RMS) with Exchange Online, you need to migrate to Azure Information Protection before you can use the new OME capabilities. OME is not compatible with AD RMS.

For more information, see:

Manually activating Azure Rights Management

If you disabled Azure RMS, or if it was not automatically activated for any reason, you can activate it manually in the:

Configure management of your Azure Information Protection tenant key

This is an optional step. Allowing Microsoft to manage the root key for Azure Information Protection is the default setting and the recommended best practice for most organizations. If this is the case, you don't need to do anything.

There are many reasons, for example compliance requirements, that may require you to generate and manage your own root key (also known as bring your own key (BYOK)). If this is the case, we recommend that you complete the required steps before setting up the new OME capabilities. See Planning and implementing your Azure Information Protection tenant key for more information.

Verify the new OME configuration in Exchange Online PowerShell

You can verify that your Microsoft 365 tenant is properly configured to use the new OME capabilities in Exchange Online PowerShell.

  1. Connect to Exchange Online PowerShell using an account with global administrator permissions in your Microsoft 365 tenant.

  2. Run the Get-IRMConfiguration cmdlet.

    You should see a value of $True for the AzureRMSLicensingEnabled parameter, which indicates that OME is configured in your tenant. If it is not, use Set-IRMConfiguration to set the value of AzureRMSLicensingEnabled to $True to enable OME.

  3. Run the Test-IRMConfiguration cmdlet using the following syntax:

    Test-IRMConfiguration [-Sender <email address >]
    

    Example:

    Test-IRMConfiguration -Sender securityadmin@contoso.com
    
    • Providing a sender email is optional, but it forces the system to perform additional checks. Use the email address of any user in your Microsoft 365 tenant.

    Your results should be similar to:

    Results : Acquiring RMS Templates ...
               - PASS: RMS Templates acquired.  Templates available: Contoso  - Confidential View Only, Contoso  - Confidential, Do Not
           Forward.
           Verifying encryption ...
               - PASS: Encryption verified successfully.
           Verifying decryption ...
               - PASS: Decryption verified successfully.
           Verifying IRM is enabled ...
               - PASS: IRM verified successfully.
    
           OVERALL RESULT: PASS
    
  4. Run the Remove-PSSession cmdlet to disconnect from the Rights Management service.

    Remove-PSSession $session
    
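The four verification steps above, combined into one script as an added example (this is not code from the original page or from Microsoft). It assumes the ExchangeOnlineManagement module is installed, so it connects with Connect-ExchangeOnline and disconnects with Disconnect-ExchangeOnline rather than the Remove-PSSession call shown above; the sender address is a constructed sample value. Unlike the manual steps, it enables AzureRMSLicensingEnabled automatically if it is off and fails with a non-zero outcome when the overall test result is not PASS, so it can be dropped into a deployment or compliance check.

```powershell
# Added example (not from the original page): verify the new OME configuration end to end.
# Assumes the ExchangeOnlineManagement module is installed and the account has
# Global Administrator rights in the tenant. The sender address is a constructed sample.
$SenderAddress = 'securityadmin@contoso.com'

Connect-ExchangeOnline -ShowBanner:$false

# Step 2: confirm Azure RMS licensing is enabled; enable it if it is not.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Write-Warning 'AzureRMSLicensingEnabled is $False; enabling it now.'
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
    $irm = Get-IRMConfiguration
}
"AzureRMSLicensingEnabled : $($irm.AzureRMSLicensingEnabled)"

# Step 3: run the self-test with a sender so the additional checks are exercised.
$test = Test-IRMConfiguration -Sender $SenderAddress
$test.Results

# Stop with an error if the overall result is not PASS, so a calling script notices.
if ($test.Results -notmatch 'OVERALL RESULT: PASS') {
    Disconnect-ExchangeOnline -Confirm:$false
    throw "IRM configuration check failed for $SenderAddress"
}

# Optional: list the RMS templates that mail flow rules can reference later.
Get-RMSTemplate | Select-Object Name, Description

# Step 4: disconnect from Exchange Online.
Disconnect-ExchangeOnline -Confirm:$false
```

The Results property of the object returned by Test-IRMConfiguration is a multi-line string, so a simple -notmatch against the OVERALL RESULT line is enough to turn the human-readable report into a pass/fail decision.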

Next steps: Define mail flow rules to use the new OME capabilities

If there are previously configured mail flow rules that encrypt email in your organization, you need to update the existing rules to use the new OME capabilities. For new deployments, you need to create new mail flow rules.

Important

If you do not update existing mail flow rules, your users will continue to receive encrypted mail that uses the previous HTML attachment format, instead of the new seamless OME experience.

Mail flow rules determine under what conditions email messages should be encrypted, as well as the conditions for removing that encryption. When you set an action for a rule, any messages that match the rule conditions are encrypted when they're sent.

For steps on creating mail flow rules for OME, see Define mail flow rules to encrypt email messages in Office 365.

To update existing rules to use the new OME capabilities:

  1. In the Microsoft 365 admin center, go to Admin centers > Exchange.
  2. In the Exchange admin center, go to Mail flow > Rules.
  3. For each rule, in Do the following:
    • Select Modify the message security.
    • Select Apply Office 365 Message Encryption and rights protection.
    • Select an RMS template from the list.
    • Select Save.
    • Select OK.
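The same update done in Exchange Online PowerShell instead of the admin center, as an added example that is not part of the original page or Microsoft's own documentation. It assumes an Exchange Online PowerShell session already exists (for example via Connect-ExchangeOnline) with rights to change transport rules, that the ApplyOME property on a rule marks the legacy HTML-attachment encryption action, and that an RMS template named Encrypt exists in the tenant; both the template name and the sample rule condition are constructed values, so list your own templates with Get-RMSTemplate first.

```powershell
# Added example (not from the original page): move existing mail flow rules from the
# legacy OME action to the new capability by applying an RMS template, and create a
# new rule for a fresh deployment. Assumes an existing Exchange Online session.
# Template name is an assumption; run Get-RMSTemplate to see the names in your tenant.
$TemplateName = 'Encrypt'

# Confirm the template exists before changing any rules.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $TemplateName }
if (-not $template) { throw "RMS template '$TemplateName' not found in this tenant" }

# Assumption: rules using the previous HTML-attachment format have ApplyOME set to $True.
$legacyRules = Get-TransportRule | Where-Object { $_.ApplyOME -eq $true }
"Found $($legacyRules.Count) rule(s) using the legacy OME action"

foreach ($rule in $legacyRules) {
    "Updating rule '$($rule.Name)' to apply template '$TemplateName'"
    # Replace the legacy action with rights protection using the chosen template
    # (the PowerShell equivalent of 'Apply Office 365 Message Encryption and rights protection').
    Set-TransportRule -Identity $rule.Identity `
        -ApplyOME $false `
        -ApplyRightsProtectionTemplate $TemplateName
}

# New deployment: create a rule that protects outbound messages (constructed sample condition).
New-TransportRule -Name 'Encrypt outbound messages marked Confidential' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate $TemplateName

# Review which rules now apply rights protection.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Select-Object Name, ApplyRightsProtectionTemplate, State
```

Checking the template by name before the loop avoids leaving a rule with the legacy action removed but no protection applied if the name is wrong; the final Get-TransportRule listing is the check that every updated rule carries the intended template.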