Activating the protection service from Azure Information Protection

Applies to: Azure Information Protection, Office 365

Relevant for: AIP unified labeling client and classic client

This article describes how administrators can activate the Azure Rights Management protection service for Azure Information Protection (AIP). When the protection service is activated for your organization, administrators and users can start to protect important data by using applications and services that support this information protection solution. Administrators can also manage and monitor protected documents and emails that your organization owns.

Note

This configuration information is for administrators who are responsible for a service that applies to all users in an organization. If you are looking for user help and information to use the Rights Management functionality for a specific application or how to open a file or email that is rights-protected, use the help and guidance that accompanies your application.

For example, for Office applications, click the Help icon and enter search terms such as Rights Management or IRM. For the Azure Information Protection client for Windows, see the Azure Information Protection client user guide.

For technical support and other questions about the service, see the Support options and community resources information.

Automatic activation for Azure Rights Management

When you have a service plan that includes Azure Rights Management, you may not have to activate the service:

  • If your subscription that includes Azure Rights Management or Azure Information Protection was obtained towards the end of February 2018 or later: The service is automatically activated for you. You do not have to activate the service unless you or another global administrator for your organization deactivated Azure Rights Management.

  • If your subscription that includes Azure Rights Management or Azure Information Protection was obtained before or during February 2018: Microsoft activates the Azure Rights Management service for these subscriptions if your tenant is using Exchange Online. For these subscriptions, the service will be activated for you unless you see that AutomaticServiceUpdateEnabled is set to false when you run Get-IRMConfiguration.

If neither of the listed scenarios applies to you, you must manually activate the protection service.

When the service is activated, all users in your organization can apply information protection to their documents and emails, and all users can open (consume) documents and emails that have been protected by the Azure Rights Management service. However, if you prefer, you can restrict who can apply information protection by using onboarding controls for a phased deployment. For more information, see the Configuring onboarding controls for a phased deployment section in this article.

How to activate or confirm the status of the protection service

Important

Do not activate the protection service if you have Active Directory Rights Management Services (AD RMS) deployed for your organization.

To use this data protection solution, your organization must have a service plan that includes the Azure Rights Management service from Azure Information Protection. Without this, the protection service cannot be activated. You must have one of the following:

When the protection service is activated, all users in your organization can apply information protection to their documents and emails, and all users can open (consume) documents and emails that have been protected by this service. However, if you prefer, you can restrict who can apply information protection by using onboarding controls for a phased deployment. For more information, see the Configuring onboarding controls for a phased deployment section in this article.

Supported activation methods

For instructions on how to activate the protection service from your management portal, select whether to use the Microsoft 365 admin center or the Azure portal:

Alternatively, you can use the following PowerShell commands:

  1. Install the AIPService module to configure and manage the protection service. For instructions, see Installing the AIPService PowerShell module.

  2. From a PowerShell session, run Connect-AipService, and when prompted, provide the Global Administrator account details for your Azure Information Protection tenant.

  3. Run Get-AipService to confirm whether the protection service is activated. A status of Enabled confirms activation; Disabled indicates that the service is deactivated.

  4. To activate the service, run Enable-AipService.
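The four steps above as one idempotent script. This is an added example, not code from the original article or from Microsoft; the -NoAdRmsDeployed switch is a hypothetical guard introduced here so the script never activates the service until an operator has confirmed the AD RMS condition from the Important note.

```powershell
# Added example: check the protection service and activate it only if needed.
[CmdletBinding()]
param(
    # Hypothetical switch (not part of the AIPService module): the operator
    # asserts that AD RMS is not deployed, per the Important note above.
    [switch]$NoAdRmsDeployed
)

$ErrorActionPreference = 'Stop'

# Step 1: make sure the AIPService module is installed, then load it.
if (-not (Get-Module -ListAvailable -Name AIPService)) {
    Install-Module -Name AIPService -Scope CurrentUser
}
Import-Module AIPService

# Step 2: sign in; this prompts for the Global Administrator account.
Connect-AipService | Out-Null

try {
    # Step 3: read the current status (Enabled or Disabled).
    $status = "$(Get-AipService)"
    Write-Host "Protection service status: $status"

    if ($status -eq 'Enabled') {
        Write-Host 'Already activated; nothing to change.'
    }
    elseif (-not $NoAdRmsDeployed) {
        Write-Warning ('Service is Disabled. Confirm that AD RMS is not deployed, ' +
                       'then re-run with -NoAdRmsDeployed to activate.')
    }
    else {
        # Step 4: activate, then read the status back instead of assuming success.
        Enable-AipService | Out-Null
        $status = "$(Get-AipService)"
        if ($status -ne 'Enabled') {
            throw "Activation did not take effect (status: $status)."
        }
        Write-Host 'Protection service activated.'
    }
}
finally {
    # Always drop the administrative session, even on failure.
    Disconnect-AipService | Out-Null
}
```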

Configuring onboarding controls for a phased deployment

If you don’t want all users to be able to protect documents and emails immediately by using Azure Information Protection, you can configure user onboarding controls by using the Set-AipServiceOnboardingControlPolicy PowerShell command. You can run this command before or after you activate the Azure Rights Management service.

For example, if you initially want only administrators in the “IT department” group (that has an object ID of fbb99ded-32a0-45f1-b038-38b519009503) to be able to protect content for testing purposes, use the following command:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "fbb99ded-32a0-45f1-b038-38b519009503"

Note that for this configuration option, you must specify a group; you cannot specify individual users. To obtain the object ID for the group, you can use Azure AD PowerShell; for example, for version 1.0 of the module, use the Get-MsolGroup command. Or, you can copy the Object ID value of the group from the Azure portal.

Alternatively, if you want to ensure that only users who are correctly licensed to use Azure Information Protection can protect content, use the following command:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $True

When you no longer need to use onboarding controls, whether you used the group or licensing option, run:

Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False

For more information about this cmdlet and additional examples, see the Set-AipServiceOnboardingControlPolicy help.

When you use these onboarding controls, all users in the organization can always consume protected content that has been protected by your subset of users, but they won’t be able to apply information protection themselves from client applications. For example, they won’t see in their Office apps the default protection templates that are automatically published when the protection service is activated, or custom templates that you might configure. Server-side applications, such as Exchange, can implement their own per-user controls to achieve the same result. For example, to prevent users from protecting emails in Outlook on the web, use Set-OwaMailboxPolicy to set the IRMEnabled parameter to $false.
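One way to apply the group-based onboarding control and confirm it took effect before relying on it for a pilot. This is an added example, not code from the original article or from Microsoft; it assumes the AIPService module is installed, uses the article's sample group ID as a stand-in for your own, and assumes the object returned by Get-AipServiceOnboardingControlPolicy exposes UseRmsUserLicense and SecurityGroupObjectId properties.

```powershell
# Added example: restrict who can protect content to one pilot group, then verify.
$ErrorActionPreference = 'Stop'

# Sample ID from the article's "IT department" example; replace with your group's object ID.
$pilotGroupId = 'fbb99ded-32a0-45f1-b038-38b519009503'

# Reject anything that is not a well-formed GUID before touching tenant policy.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($pilotGroupId, [ref]$parsed)) {
    throw "Not a valid group object ID: $pilotGroupId"
}

Connect-AipService | Out-Null
try {
    # Record the policy in force before the change, for the change log.
    $before = Get-AipServiceOnboardingControlPolicy
    Write-Host ("Before: UseRmsUserLicense={0} Group={1}" -f
                $before.UseRmsUserLicense, $before.SecurityGroupObjectId)

    # Same command as in the article: group-based control, no license requirement.
    Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False `
        -SecurityGroupObjectId $parsed.ToString()

    # Read the policy back; fail loudly if the restriction is not what was requested.
    $after = Get-AipServiceOnboardingControlPolicy
    if ("$($after.SecurityGroupObjectId)" -ne $parsed.ToString()) {
        throw "Onboarding policy was not applied (group: $($after.SecurityGroupObjectId))."
    }
    if ($after.UseRmsUserLicense) {
        throw 'UseRmsUserLicense is still True; expected False for group-based control.'
    }
    Write-Host "Onboarding restricted to group $($after.SecurityGroupObjectId)."

    # The control can be set before or after activation; report which case this is.
    Write-Host "Protection service status: $(Get-AipService)"
}
finally {
    Disconnect-AipService | Out-Null
}
```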

Next steps

When the protection service is activated for your organization, use the Azure Information Protection deployment roadmap to check whether there are other configuration steps that you might need to do before you roll out Azure Information Protection to users and administrators.

For example, you might want to use templates to make it easier for users to apply protection to files, connect your on-premises servers to use the protection service by installing the Rights Management connector, and deploy the Azure Information Protection client that supports protecting all file types on all devices.

Office services, such as Exchange Online and Microsoft SharePoint, require additional configuration before you can use their Information Rights Management (IRM) features. For information about how your applications work with the protection service, Azure Rights Management, see How applications support the Azure Rights Management service.