Azure Information Protection (AIP) labeling, classification, and protection

Applies to: Azure Information Protection

Relevant for: Azure Information Protection unified labeling client and classic client for Windows


To provide a unified and streamlined customer experience, Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Azure Information Protection (AIP) is a cloud-based solution that enables organizations to classify and protect documents and emails by applying labels.

For example, your administrator might configure a label with rules that detect sensitive data, such as credit card information. In this case, any user who saves credit card information in a Word file might see a tooltip at the top of the document with a recommendation to apply the relevant label for this scenario.

Labels can both classify, and optionally protect your documents, enabling you to:

  • Track and control how your content is used
  • Analyze data flows to gain insight into your business - Detect risky behaviors and take corrective measures
  • Track document access and prevent data leakage or misuse
  • And more ...

How labels apply classification with AIP

Labeling your content with AIP includes:

  • Classification that can be detected regardless of where the data is stored or with whom it's shared.
  • Visual markings, such as headers, footers, or watermarks.
  • Metadata, added to files and email headers in clear text. The clear text metadata ensures that other services can identify the classification and take appropriate action.

For example, in the image below, labeling has classified an email message as General:

Image: Example email footer and headers showing the Azure Information Protection classification

In this example, the label also:

  • Added a footer of Sensitivity: General to the email message. This footer is a visual indicator for all recipients that it's intended for general business data that should not be sent outside of the organization.
  • Embedded metadata in the email headers. Header data enables email services to inspect the label and theoretically create an audit entry or prevent the message from being sent outside of the organization.
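
The following Python example is added here and is not part of the original page; it shows how a mail gateway could read the clear-text label metadata and choose between allowing, auditing or blocking a message. It assumes the msip_labels header with MSIP_Label_<GUID>_<Field>=value pairs written by the labeling client, which this page does not spell out; the GUID, addresses, domain and the decision policy are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; the GUID, addresses and domain are placeholders.
# Assumption: header name "msip_labels" and the MSIP_Label_<GUID>_<Field> layout.
LABEL_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE = (
    "From: alice@contoso.example\n"
    "To: bob@contoso.example, carol@partner.example\n"
    "Subject: Q3 notes\n"
    f"msip_labels: MSIP_Label_{LABEL_ID}_Enabled=True;"
    f" MSIP_Label_{LABEL_ID}_Name=General;"
    f" MSIP_Label_{LABEL_ID}_Method=Standard\n"
    "\n"
    "Body text.\n"
)

PAIR = re.compile(r"MSIP_Label_([0-9a-fA-F-]{36})_(\w+)=([^;]*)")

def parse_labels(header_value):
    """Return {label_id: {field: value}} from an msip_labels header value."""
    labels = {}
    for label_id, field, value in PAIR.findall(header_value or ""):
        labels.setdefault(label_id.lower(), {})[field] = value.strip()
    return labels

def active_label_names(msg):
    """Names of labels whose Enabled field is true (case-insensitive)."""
    labels = parse_labels(msg.get("msip_labels"))
    return [f.get("Name", "") for f in labels.values()
            if f.get("Enabled", "").lower() == "true"]

def evaluate(raw, internal_domain, internal_only=("General",)):
    """Hypothetical gateway policy: block internal-only labels sent externally."""
    msg = message_from_string(raw)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = sorted(addr for _, addr in rcpts
                      if not addr.lower().endswith("@" + internal_domain))
    names = active_label_names(msg)
    if not names:  # unlabeled mail is only recorded, not stopped
        return {"action": "audit", "reason": "no label", "external": external}
    if external and any(n in internal_only for n in names):
        return {"action": "block", "reason": names[0], "external": external}
    return {"action": "allow", "reason": names[0], "external": external}

if __name__ == "__main__":
    print(evaluate(SAMPLE, "contoso.example"))
```

Because the metadata is clear text, anyone who can edit the message before it reaches the gateway can also edit the header, so a check like this supports policy enforcement for cooperative senders rather than replacing the Rights Management protection described below.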

Labels can be applied automatically by administrators using rules and conditions, manually by users, or using a combination where administrators define the recommendations shown to users.

How AIP protects your data

Azure Information Protection uses the Azure Rights Management service (Azure RMS) to protect your data.

Azure RMS is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory, and can also be used with your own or third-party applications and information protection solutions. Azure RMS works with both on-premises and cloud solutions.

Azure RMS uses encryption, identity, and authorization policies. Similar to AIP labels, protection applied using Azure RMS stays with the documents and emails, regardless of the document or email's location, ensuring that you stay in control of your content even when it's shared with other people.

Protection settings can be:

  • Part of your label configuration, so that users both classify and protect documents and emails simply by applying a label.

  • Used on their own, by applications and services that support protection but not labeling.

    For applications and services that support protection only, protection settings are used as Rights Management templates.

For example, you may want to configure a report or sales forecast spreadsheet so that it can be accessed only by people in your organization. In this case, you'd apply protection settings to control whether that document can be edited, restrict it to read-only, or prevent it from being printed.

Emails can have similar protection settings to prevent them from being forwarded or from using the Reply All option.

Rights Management templates

As soon as the Azure Rights Management service is activated, two default rights management templates are available for you to restrict data access to users within your organization. Use these templates immediately, or configure your own protection settings to apply more restrictive controls in new templates.

Rights Management templates can be used with any applications or services that support Azure Rights Management.

The following image shows an example from the Exchange admin center, where you can configure Exchange Online mail flow rules to use RMS templates:

Image: Example of selecting templates for Exchange Online

Creating an AIP label that includes protection settings also creates a corresponding Rights Management template that can be used separately from the label.

For more information, see What is Azure Rights Management?

AIP and end-user integration for documents and emails

The AIP client installs the Information Protection bar to Office applications and enables end users to integrate AIP with their documents and emails.

For example, in Excel:

Image: Example of the Azure Information Protection bar in Excel

While labels can be applied automatically to documents and emails, removing guesswork for users or to comply with an organization's policies, the Information Protection bar enables end users to select labels and apply classification on their own.

Additionally, the AIP client enables users to classify and protect additional file types, or multiple files at once, using the right-click menu from Windows File Explorer. For example:

Image: File Explorer right-click menu option, Classify and protect, using Azure Information Protection

The Classify and protect menu option works similarly to the Information Protection bar in Office applications, enabling users to select a label or set custom permissions.

Power users or administrators might find that PowerShell commands are more efficient for managing and setting classification and protection for multiple files. Relevant PowerShell commands are included with the client, and can also be installed separately.

Users and administrators can use document tracking sites to monitor protected documents, watch who accesses them, and when. If they suspect misuse, they can also revoke access to these documents.


Additional integration for email

Using AIP with Exchange Online provides the additional benefit of sending protected emails to any user, with the assurance that they can read it on any device.

For example, you may need to send sensitive information to personal email addresses that use a Gmail, Hotmail, or Microsoft account, or to users who don't have an account in Office 365 or Azure AD. These emails should be encrypted at rest and in transit, and be read only by the original recipients.

This scenario requires Office 365 Message Encryption capabilities. If the recipients cannot open the protected email in their built-in email client, they can use a one-time passcode to read the sensitive information in a browser.

For example, a Gmail user might see the following prompt in an email message they receive:

Image: Gmail recipient experience for OME and AIP

For the user sending the email, the actions required are the same as for sending a protected email to a user in their own organization. For example, select the Do Not Forward button that the AIP client can add to the Outlook ribbon.

Alternately, Do Not Forward functionality can be integrated into a label that users can select to apply both classification and protection to that email.

Administrators can also automatically provide protection for users by configuring mail flow rules that apply rights protection.

Any Office documents attached to these emails are automatically protected as well.

Scanning for existing content to classify and protect

Ideally, you'll be labeling documents and emails as they're created. However, you likely have many existing documents, stored either on-premises or in the cloud, and want to classify and protect these documents as well.

Use one of the following methods to classify and protect existing content:

  • On-premises storage: Use the Azure Information Protection scanner to discover, classify, and protect documents on network shares and Microsoft SharePoint Server sites and libraries.

    The scanner runs as a service on Windows Server, and uses the same policy rules to detect sensitive information and apply specific labels to documents.

    Alternately, use the scanner to apply a default label to all documents in a data repository without inspecting the file contents. Use the scanner in reporting mode only to discover sensitive information that you might not know you had.

  • Cloud data storage: Use Microsoft Cloud App Security to apply your labels to documents in Box, SharePoint, and OneDrive. For a tutorial, see Automatically apply Azure Information Protection classification labels.

Next steps

Configure and see Azure Information Protection for yourself with our quickstart and tutorials:

If you're ready to deploy this service for your organization, head over to the how-to guides.