如何将 Azure 信息保护标签迁移到统一敏感度标签How to migrate Azure Information Protection labels to unified sensitivity labels

适用范围:Azure 信息保护Office 365*Applies to: Azure Information Protection, Office 365*

*相关客户端适用于 Windows 的 Azure 信息保护客户端*Relevant for Azure Information Protection clients for Windows

备注

为了提供统一、简化的客户体验,Azure 门户中的 Azure 信息保护经典客户端和标签管理将于 2021 年 3 月 31 日弃用 。To provide a unified and streamlined customer experience, Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021. 在此时间框架内,所有 Azure 信息保护客户都可以使用 Microsoft 信息保护统一标记平台转换到我们的统一标记解决方案。This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. 有关详细信息,请参阅官方弃用通知Learn more in the official deprecation notice.

将 Azure 信息保护标签迁移到统一标记平台,以便可以通过支持统一标记的客户端和服务将这些标签用作敏感度标签。Migrate Azure Information Protection labels to the unified labeling platform so that you can use them as sensitivity labels by clients and services that support unified labeling.

备注

如果你的 Azure 信息保护订阅非常新,则可能无需迁移标签,因为你的租户已在统一标记平台上。If your Azure Information Protection subscription is fairly new, you might not need to migrate labels because your tenant is already on the unified labeling platform. 有关详细信息,请参阅如何确定我的租户是否在统一标记平台上?For more information, see How can I determine if my tenant is on the unified labeling platform?

迁移标签后,你将看不到与 Azure 信息保护经典客户端之间的任何差异,因为此客户端将继续从 Azure 门户下载标签和 Azure 信息保护策略。After you migrate your labels, you won't see any difference with the Azure Information Protection classic client, because this client continues to download the labels with the Azure Information Protection policy from the Azure portal. 但是,现在可以在 Azure 信息保护统一标记客户端以及其他使用敏感度标签的客户端和服务中使用这些标签。However, you can now use the labels with the Azure Information Protection unified labeling client and other clients and services that use sensitivity labels.

在阅读有关迁移标签的说明之前,你可能会发现以下常见问题很有用:Before you read the instructions to migrate your labels, you might find the following frequently asked questions useful:

支持统一标记平台的管理角色Administrative roles that support the unified labeling platform

如果你要在组织中使用管理员角色进行委托式管理,可能需要对统一标记平台进行一些更改:If you use admin roles for delegated administration in your organization, you might need to do some changes for the unified labeling platform:

统一标记平台不支持“Azure 信息保护管理员”(以前称为“信息保护管理员”这一 Azure AD 角色The Azure AD role of Azure Information Protection administrator (formerly Information Protection administrator) is not supported by the unified labeling platform. 如果在组织中使用此管理角色来管理 Azure 信息保护,请将具有此角色的用户添加到“合规性管理员”、“合规性数据管理员”或“安全管理员”Azure AD 角色。 If this administrative role is used in your organization to manage Azure Information Protection, add the users who have this role to the Azure AD roles of Compliance administrator, Compliance data administrator, or Security administrator. 如需有关此步骤的帮助,请参阅向用户授予对 Microsoft 365 安全与合规中心的访问权限If you need help with this step, see Give users access to the Microsoft 365 Security & Compliance Center. 另外,还可以在 Azure AD 门户、Microsoft 365 安全中心和 Microsoft 365 合规中心分配这些角色。You can also assign these roles in the Azure AD portal, the Microsoft 365 security center, and the Microsoft 365 compliance center.

或者,若要使用角色,可以在管理中心为这些用户创建新角色组,然后向该组中添加“敏感度标签管理员”或“组织配置”角色。Alternatively to using roles, in the admin centers, you can create a new role group for these users and add either Sensitivity Label Administrator or Organization Configuration roles to this group.

如果未使用其中一个配置向这些用户授予对管理中心的访问权限,则在迁移标签后将无法在 Azure 门户中配置 Azure 信息保护。If you do not give these users access to the admin centers by using one of these configurations, they won't be able to configure Azure Information Protection in the Azure portal after your labels are migrated.

迁移标签后,租户的全局管理员可以继续管理 Azure 门户和管理中心中的标签和策略。Global administrators for your tenant can continue to manage labels and policies in both the Azure portal and the admin centers after your labels are migrated.

准备阶段Before you begin

标签迁移能够带来很多好处,但此操作是不可逆的。Label migration has many benefits, but is irreversible. 在迁移之前,请确保了解以下更改和注意事项:Before you migrate, make sure that you are aware of the following changes and considerations:

客户端对统一标记的支持Client support for unified labeling

确保使用支持统一标签的客户端,如果需要,请准备好在 Azure 门户(适用于不支持统一标签的客户端)和管理中心(适用于支持统一标签的客户端)进行管理。Make sure that you have clients that support unified labels and if necessary, be prepared for administration in both the Azure portal (for clients that don't support unified labels) and the admin centers (for client that do support unified labels).

策略配置Policy configuration

不会迁移策略,包括策略设置和谁有权访问策略(作用域内策略)以及所有高级客户端设置。Policies, including policy settings and who has access to them (scoped policies), and all advanced client settings are not migrated. 迁移标签后用于配置这些设置的选项包括:Your options to configure these settings after your label migration include the following:

重要

管理中心并不支持已迁移标签中的所有设置。Not all settings from a migrated label are supported by the admin centers. 使用管理中心不支持的标签设置部分中的表,来帮助识别这些设置和建议的操作过程。Use the table in the Label settings that are not supported in the admin centers section to help you identify these settings and the recommended course of action.

保护模板Protection templates

  • 使用基于云的密钥和为标签配置的一部分模板也随标签一同迁移。Templates that use a cloud-based key and that are part of a label configuration are also migrated with the label. 不迁移其他保护模板。Other protection templates are not migrated.

  • 如果你的标签已针对预定义的模板进行了配置,请编辑这些标签,并选择“设置权限”选项,配置模板中具有的相同保护设置。If you have labels that are configured for a predefined template, edit these labels and select the Set permissions option to configure the same protection settings that you had in your template. 具有预定义模板的标签不会阻止标签迁移,但管理中心不支持此标签配置。Labels with predefined templates will not block label migration but this label configuration is not supported in the admin centers.

    提示

    为了帮助你重新配置这些标签,我们提供了两个有用的浏览器窗口:在其中一个窗口中,可以选择与标签对应的“编辑模板”按钮来查看保护设置;在另一个窗口中,可以在选择“设置权限”时配置相同的设置。 To help you reconfigure these labels, you might find it useful to have two browser windows: One window in which you select the Edit Template button for the label to view the protection settings, and the other window to configure the same settings when you select Set permissions.

  • 迁移了带有基于云的保护设置的标签后,最终的保护模板范围是在 Azure 门户中定义的范围(或使用 AIPService PowerShell 模块定义的范围),以及在管理中心定义的范围。After a label with cloud-based protection settings has been migrated, the resulting scope of the protection template is the scoped that is defined in the Azure portal (or by using the AIPService PowerShell module) and the scope that is defined in the admin centers.

显示名称Display names

对于每个标签,Azure 门户仅显示可编辑的标签显示名称。For each label, the Azure portal displays only the label display name, which you can edit. 用户将在其应用中看到此标签名称。Users see this label name in their apps.

管理中心显示标签的显示名称和标签名称。The admin centers show both this display name for a label, and the label name. 标签名称是在首次创建标签时指定的初始名称,此属性由后端服务用于标识目的。The label name is the initial name that you specify when the label is first created and this property is used by the back-end service for identification purposes. 迁移标签时,显示名称将保持不变,而标签名称将重命名为 Azure 门户中的标签 ID。When you migrate your labels, the display name remains the same and the label name is renamed to the label ID from the Azure portal.

有冲突的显示名称Conflicting display names

在迁移之前,请确保在迁移完成后不会出现有冲突的显示名称。Before migrating, ensure that you would not have conflicting display names after migration is complete. 位于标记层次结构中同一位置的显示名称必须唯一。Display names in the same place in the labeling hierarchy must be unique.

例如,请考虑以下标签列表:For example, consider the following list of labels:

  • PublicPublic
  • 常规General
  • 机密Confidential
    • Confidential\HRConfidential\HR
    • Confidential\FinanceConfidential\Finance
  • 机密Secret
    • Secret\HRSecret\HR
    • Secret\FinanceSecret\Finance

在此列表中,PublicGeneralConfidentialSecret 都是父标签,它们的名称不能重复。In this list, Public, General, Confidential, and Secret are all parent labels, and cannot have duplicate names. 此外,Confidential\HRConfidential\Finance 位于层次结构中的同一位置,其名称也不能重复。Additionally, Confidential\HR and Confidential\Finance are at the same place in the hierarchy, and also cannot have duplicate names.

但是,不同父级中的子标签(例如 Confidential\HRSecret\HR)不在层次结构中的同一位置,因此它们各自的名称可以相同。However, sub-labels across different parents, such as Confidential\HR and Secret\HR are not at the same place in the hierarchy, and therefore can have the same individual names.

标签中的本地化字符串Localized strings in labels

不迁移标签的任何本地化字符串。Any localized strings for the labels are not migrated. 使用 Office 365 安全与合规 PowerShell 以及 Set-LabelLocaleSettings 参数,为迁移的标签定义新的本地化字符串。Define new localized strings for the migrated labels by using Office 365 Security & Compliance PowerShell and the LocaleSettings parameter for Set-Label.

在管理中心编辑迁移的标签Editing migrated labels in the admin centers

迁移之后,当你在 Azure 门户中编辑已迁移的标签时,相同的更改将会自动反映在管理中心。After the migration, when you edit a migrated label in the Azure portal, the same change is automatically reflected in the admin centers.

但是,在某一个管理中心编辑迁移的标签时,必须返回到 Azure 门户的“Azure 信息保护 - 统一标记”窗格,然后选择“发布”。 However, when you edit a migrated label in one of the admin centers, you must return to the Azure portal, Azure Information Protection - Unified labeling pane, and select Publish.

需要对 Azure 信息保护客户端(经典)执行此额外操作才能拾取标签更改。This additional action is needed for the Azure Information Protection clients (classic) to pick up the label changes.

管理中心不支持的标签设置Label settings that are not supported in the admin centers

使用下表来确定已迁移的标签的哪些配置设置不受 Office 365 安全与合规中心、Microsoft 365 安全中心或 Microsoft 合规中心的支持。Use the following table to identify which configuration settings of a migrated label are not supported by the Office 365 Security & Compliance Center, the Microsoft 365 security center, or the Microsoft compliance center. 如果你的标签有这些设置,请在迁移完成之后,先参考最后一列中的管理指导,然后再在所提到的某一个管理中心发布标签。If you have labels with these settings, when the migration is complete, use the administration guidance in the final column before you publish your labels in one of the referenced admin centers.

如果不确定如何配置标签,请在 Azure 门户中查看其设置。If you are not sure how your labels are configured, view their settings in the Azure portal. 如果需要有关此步骤的帮助,请参阅配置 Azure 信息保护策略If you need help with this step, see Configuring the Azure Information Protection policy.

Azure 信息保护客户端(经典)可以正常使用列出的所有标签设置,因为这些客户端会继续从 Azure 门户下载标签。Azure Information Protection clients (classic) can use all label settings listed without any problems because they continue to download the labels from the Azure portal.

标签配置Label configuration 受统一标记客户端的支持Supported by unified labeling clients 管理中心指南Guidance for the admin centers
启用或禁用状态Status of enabled or disabled

此状态不会同步到管理中心This status is not synchronized to the admin centers
不适用Not applicable 等效于是否发布标签。The equivalent is whether the label is published or not.
从列表中选择的标签颜色或使用 RGB 代码指定的标签颜色Label color that you select from list or specify by using RGB code Yes 标签颜色没有配置选项。No configuration option for label colors. 可以改为在 Azure 门户中配置标签颜色,或使用 PowerShellInstead, you can configure label colors in the Azure portal or use PowerShell.
使用预定义模板的基于云的保护或基于 HYOK 的保护Cloud-based protection or HYOK-based protection using a predefined template No 预定义模板没有配置选项。No configuration option for predefined templates. 我们不建议使用此配置发布标签。We do not recommend you publish a label with this configuration.
使用 Word、Excel 和 PowerPoint 的用户定义权限的基于云的保护Cloud-based protection using user-defined permissions for Word, Excel, and PowerPoint Yes 现在,管理中心为用户定义的权限提供了配置选项。The admin centers now have a configuration option for user-defined permissions.

如果发布带有此配置的标签,请查看下表中应用标签后的结果。If you publish a label with this configuration, check the results of applying the label from the following table.
使用 Outlook 中用户定义的权限(“不要转发”)实现基于 HYOK 的保护HYOK-based protection using user-defined permissions for Outlook (Do Not Forward) No HYOK 没有配置选项。No configuration option for HYOK. 我们不建议使用此配置发布标签。We do not recommend you publish a label with this configuration. 否则,请在下表中查看应用此标签所带来的后果。If you do, the results of applying the label are listed in the following table.
通过视觉标记(页眉、页脚、水印)的 RGB 代码提供自定义字体名称、大小和自定义字体颜色Custom font name, size, and custom font color by RGB code for visual markings (header, footer, watermark) Yes 视觉标记的配置限制为颜色和字体大小列表。Configuration for visual markings is limited to a list of colors and font sizes. 尽管无法看见管理中心中配置的值,仍可以不做任何更改发布此标签。You can publish this label without changes although you cannot see the configured values in the admin centers.

若要更改这些选项,请使用 New-Label Office 365 安全与合规中心 cmdlet。To change these options, use the New-Label Office 365 Security & Compliance Center cmdlet. 考虑将颜色更改为管理中心内列出的选项之一,以便于管理。For easier administration, consider changing the color to one of the listed options in the admin centers.

注意:安全与合规中心管理中心支持一列预定义的字体定义。Note: The Security & Compliance Center admin center supports a predefined list of font definitions. 仅支持通过 New-Label Office 365 安全与合规中心 cmdlet 使用自定义字体和颜色。Custom fonts and colors are supported only via the New-Label Office 365 Security & Compliance Center cmdlet.

如果使用的是经典客户端,请在 Azure 门户中对标签做出这些更改。If you are working with the classic client, make these changes to your label in the Azure portal.
视觉标记(页眉、页脚)中的变量Variables in visual markings (header, footer) Yes AIP 客户端和 Office 内置标记支持对某些应用使用此标签配置。This label configuration is supported by the AIP clients and Office built-in labeling for select apps.

如果在不支持此配置的应用中使用内置标记,并在不经过更改的情况下发布此标签,则变量将在客户端中显示为文本,而不是显示动态值。If you are working with built-in labeling using an app that does not support this configuration and publish this label without changes, variables display as text on clients, instead of displaying the dynamic value.

有关详细信息,请参阅 Microsoft 365 文档For more information, see the Microsoft 365 documentation.
每个应用的视觉标记Visual markings per app Yes 此标签配置仅受 AIP 客户端的支持,而不受 Office 内置标记的支持。This label configuration is supported only by the AIP clients, and not by Office built-in labeling.

如果你正在使用内置标记,并在不经过更改的情况下发布此标签,则视觉标记配置将在每个应用中显示为变量文本,而不是显示为已配置为要显示的视觉标记。If you are working with built-in labeling, and publish this label without changes, the visual marking configuration displays as variable text instead of the visual markings you've configured to display in each app.
“仅限我”保护"Just for me" protection Yes 在未指定任何用户的情况下,管理中心不允许保存目前应用的加密设置。The admin centers do not let you save encryption settings that you apply now, without specifying any users. 在 Azure 门户中,此配置会生成一个应用“仅限我”保护的标签。In the Azure portal, this configuration results in a label that applies "Just for me" protection.

作为替代方法,请创建一个应用加密的标签,并指定一个拥有任何权限的用户,然后使用 PowerShell 编辑关联的保护模板。As an alternative, create a label that applies encryption and specify a user with any permissions, and then edit the associated protection template by using PowerShell. 先使用 New-AipServiceRightsDefinition cmdlet(参阅示例 3),然后使用带 RightsDefinitions 参数的 Set-AipServiceTemplatePropertyFirst, use the New-AipServiceRightsDefinition cmdlet (see Example 3), and then Set-AipServiceTemplateProperty with the RightsDefinitions parameter.
条件和关联设置Conditions and associated settings

包括自动和建议标签及其工具提示Includes automatic and recommended labeling, and their tooltips
不适用Not applicable 若要重新配置条件,请将自动标记用作标签设置中的独立配置。Reconfigure your conditions by using auto labeling as a separate configuration from label settings.

比较标签保护设置的行为Comparing the behavior of protection settings for a label

使用下表来确定标签的同一保护设置如何表现出不同的行为,这些行为取决于使用标签的是 Azure 信息保护经典客户端、Azure 信息保护统一标记客户端,还是内置有标记功能(也称为“本机 Office 标记”)的 Office 应用。Use the following table to identify how the same protection setting for a label behaves differently, depending on whether it's used by the Azure Information Protection classic client, the Azure Information Protection unified labeling client, or by Office apps that have labeling built in (also known as "native Office labeling"). 标签行为的差异可能会改变你在是否发布标签方面所做的决定,尤其是在组织中混合使用不同的客户端时。The differences in label behavior might change your decision whether to publish the labels, especially when you have a mix of clients in your organization.

如果不确定如何配置保护设置,请在 Azure 门户的“保护”窗格中查看其设置。If you are not sure how your protection settings are configured, view their settings in the Protection pane, in the Azure portal. 如果需要有关此步骤的帮助,请参阅配置保护设置标签If you need help with this step, see To configure a label for protection settings.

下表未列出具有相同行为的保护设置,以下情形例外:Protection settings that behave the same way are not listed in the table, with the following exceptions:

  • 使用具有内置标签的 Office 应用时,除非还安装了 Azure 信息保护统一标签客户端,否则标签在文件资源管理器中不可见。When you use Office apps with built-in labeling, labels are not visible in File Explorer unless you also install the Azure Information Protection unified labeling client.
  • 使用具有内置标签的 Office 应用时,如果之前在未使用标签的情况下实施了保护,则保留保护 [1]When you use Office apps with built-in labeling, if protection was previously applied independently from a label, that protection is preserved [1].
标签的保护设置Protection setting for a label Azure 信息保护经典客户端Azure Information Protection classic client Azure 信息保护统一标识客户端Azure Information Protection unified labeling client 具有内置标签的 Office 应用Office apps with built-in labeling
带有模板的 HYOK (AD RMS):HYOK (AD RMS) with a template: 可在 Word、Excel、PowerPoint、Outlook 和文件资源管理器中查看Visible in Word, Excel, PowerPoint, Outlook, and File Explorer

当应用此标签时:When this label is applied:

- 对文档和电子邮件应用 HYOK 保护- HYOK protection is applied to documents and emails
可在 Word、Excel、PowerPoint、Outlook 和文件资源管理器中查看Visible in Word, Excel, PowerPoint, Outlook, and File Explorer

当应用此标签时:When this label is applied:

- 不应用保护;如果之前通过标签应用了保护,则去除保护 [2]- No protection is applied and protection is removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护- If protection was previously applied independently from a label, that protection is preserved
可在 Word、Excel、PowerPoint 和 Outlook 中查看Visible in Word, Excel, PowerPoint, and Outlook

当应用此标签时:When this label is applied:

- 不应用保护;如果之前通过标签应用了保护,则去除保护 [2]- No protection is applied and protection is removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护 [1]- If protection was previously applied independently from a label, that protection is preserved [1]
HYOK (AD RMS),其中用户定义的权限适用于 Word、Excel、PowerPoint 和文件资源管理器:HYOK (AD RMS) with user-defined permissions for Word, Excel, PowerPoint, and File Explorer: 可在 Word、Excel、PowerPoint 和文件资源管理器中查看Visible in Word, Excel, PowerPoint, and File Explorer

当应用此标签时:When this label is applied:

- 对文档和电子邮件应用 HYOK 保护- HYOK protection is applied to documents and emails
可在 Word、Excel 和 PowerPoint 中查看Visible in Word, Excel, and PowerPoint

当应用此标签时:When this label is applied:

- 不应用保护;如果之前已通过标签应用保护,则删除该保护 [2]- Protection is not applied and protection is removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护- If protection was previously applied independently from a label, that protection is preserved
可在 Word、Excel 和 PowerPoint 中查看Visible in Word, Excel, and PowerPoint

当应用此标签时:When this label is applied:

- 不应用保护;如果之前已通过标签应用保护,则删除该保护 [2]- Protection is not applied and protection is removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护- If protection was previously applied independently from a label, that protection is preserved
HYOK (AD RMS),其中用户定义的权限适用于 Outlook:HYOK (AD RMS) with user-defined permissions for Outlook: 可在 Outlook 中查看Visible in Outlook

当应用此标签时:When this label is applied:

- 通过 HYOK 保护向电子邮件应用“请勿转发”规则- Do Not Forward using HYOK protection is applied to emails
可在 Outlook 中查看Visible in Outlook

当应用此标签时:When this label is applied:

- 不应用保护;如果之前已通过标签应用保护,则删除该保护 [2]- Protection is not applied and removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护- If protection was previously applied independently from a label, that protection is preserved
可在 Outlook 中查看Visible in Outlook

当应用此标签时:When this label is applied:

- 不应用保护;如果之前已通过标签应用保护,则删除该保护 [2]- Protection is not applied and removed [2] if it was previously applied by a label

- 如果之前在未使用标签的情况下实施了保护,则保留保护 [1]- If protection was previously applied independently from a label, that protection is preserved [1]
脚注 1Footnote 1

在 Outlook 中会保留保护,但有一种例外情况:当已使用“仅加密”选项(“加密”)保护电子邮件时,会删除这种保护。In Outlook, protection is preserved with one exception: When an email has been protected with the encrypt-only option (Encrypt), that protection is removed.

脚注 2Footnote 2

如果用户具有支持此操作的使用权限或角色,则去掉保护:Protection is removed if the user has a usage right or role that supports this action:

如果用户没有上述任一使用权限或角色,则不应用标签且保留原始保护。If the user doesn't have one of these usage rights or roles, the label is not applied and the original protection is preserved.

若要迁移 Azure 信息保护标签To migrate Azure Information Protection labels

请参考以下说明来迁移租户和 Azure 信息保护标签,以使用统一标记存储。Use the following instructions to migrate your tenant and Azure Information Protection labels to use the unified labeling store.

只有“合规性管理员”、“合规性数据管理员”、“安全管理员”或“全局管理员”才能迁移你的标签。You must be a Compliance administrator, Compliance data administrator, Security administrator, or Global administrator to migrate your labels.

  1. 如果尚未这样做,请打开新的浏览器窗口,登录到 Azure 门户If you haven't already done so, open a new browser window and sign in to the Azure portal. 然后导航到“Azure 信息保护”窗格。Then navigate to the Azure Information Protection pane.

    例如,在资源、服务和文档的搜索框中:开始键入“信息”并选择“Azure 信息保护”。For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

  2. 在“管理”菜单选项中,选择“统一标签” 。From the Manage menu option, select Unified labeling.

  3. 在“Azure 信息保护 - 统一标记”窗格中,选择“激活”并按照联机说明操作。 On the Azure Information Protection - Unified labeling pane, select Activate and follow the online instructions.

    如果用于激活的选项不可用,请检查“统一标记状态”:如果看到“已激活”,则表示租户已在使用统一标记存储,因此无需迁移标签。 If the option to activate is not available, check the Unified labeling status: If you see Activated, your tenant is already using the unified labeling store and there is no need to migrate your labels.

成功迁移的标签现在可被支持统一标签的客户端和服务使用。For the labels that successfully migrated, they can now be used by clients and services that support unified labeling. 但是,必须先将这些标签发布到以下某个管理中心:Office 365 安全与合规中心、Microsoft 365 安全中心或 Microsoft 365 合规中心。However, you must first publish these labels in one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center.

重要

如果在 Azure 门户外部编辑 Azure 信息保护客户端(经典)的标签,请返回到此“Azure 信息保护 - 统一标记”窗格,然后选择“发布”。 If you edit the labels outside the Azure portal, for Azure Information Protection clients (classic), return to this Azure Information Protection - Unified labeling pane, and select Publish.

复制策略Copy policies

迁移标签后,可以选择用于复制策略的选项。After you have migrated your labels, you can select an option to copy policies. 如果选择此选项,策略的一次性副本及其策略设置和任何高级客户端设置将发送到用于管理标签的管理中心:Office 365 安全与合规中心、Microsoft 365 安全中心或 Microsoft 365 合规中心。If you select this option, a one-time copy of your policies with their policy settings and any advanced client settings is sent to the admin center where you manage your labels: Office 365 Security & Compliance Center, Microsoft 365 security center, Microsoft 365 compliance center.

然后,已成功复制的策略及其设置和标签将自动发布到已在 Azure 门户中分配给这些策略的用户和组。Successfully copied policies with their settings and labels are then automatically published to the users and groups that were assigned to the policies in the Azure portal. 请注意,对于“全局”策略,这意味着会发布到所有用户。Note that for the Global policy, this means all users. 如果你尚未准备好发布复制的策略中的已迁移标签,复制策略后,可以在管理员标记中心删除标签策略中的标签。If you're not ready for the migrated labels in the copied policies to be published, after the policies are copied, you can remove the labels from the label policies in your admin labeling center.

在“Azure 信息保护 - 统一标记”窗格中选择“复制策略(预览版)”选项之前,请注意以下事项: Before you select the Copy policies (preview) option on the Azure Information Protection - Unified labeling pane, be aware of the following:

  • 只有在为租户激活统一标记之后,“复制策略(预览版)”选项才可用。The Copy policies (Preview) option is not available until unified labeling is activated for your tenant.

  • 无法有选择地选择要复制的策略和设置。You cannot selectively choose policies and settings to copy. 系统会自动选择复制所有策略(“全局”策略和所有作用域内策略),并且会复制支持用作标签策略设置的所有设置。All policies (the Global policy and any scoped policies) are automatically selected to be copied, and all settings that are supported as label policy settings are copied. 如果已有一个同名的标签策略,将使用 Azure 门户中的策略设置来覆盖该策略。If you already have a label policy with the same name, it will be overwritten with the policy settings in the Azure portal.

  • 不会复制某些高级客户端设置,因为对于 Azure 信息保护统一标记客户端而言,支持将这些设置用作标签高级设置,而不支持用作策略设置。Some advanced client settings are not copied because for the Azure Information Protection unified labeling client, these are supported as label advanced settings rather than policy settings. 可以使用 Microsoft 365 安全与合规中心 PowerShell 配置这些标签高级设置。You can configure these label advanced settings with Microsoft 365 Security & Compliance Center PowerShell. 不会复制的高级客户端设置:The advanced client settings that are not copied:

  • 与同步后续对标签所做的更改的标签迁移方案不同,“复制策略”操作不会同步后续对策略或策略设置所做的任何更改。Unlike label migration where subsequent changes to labels are synchronized, the Copy policies action doesn't synchronize any subsequent changes to your policies or policy settings. 进行更改后,可以在 Azure 门户中重复复制策略操作,此时会再次覆盖所有现有策略及其设置。You can repeat the copy policy action after making changes in the Azure portal, and any existing policies and their settings will be overwritten again. 或者,在 Office 365 安全与合规中心 PowerShell 中结合 AdvancedSettings 参数使用 Set-LabelPolicy 或 Set-Label cmdlet。Or, use the Set-LabelPolicy or Set-Label cmdlets with the AdvancedSettings parameter from Office 365 Security & Compliance Center PowerShell.

  • “复制策略”操作在复制每个策略之前,会验证该策略的以下各项:The Copy policies action verifies the following for each policy before it is copied:

    • 分配到该策略的用户和组当前在 Azure AD 中。Users and groups assigned to the policy are currently in Azure AD. 如果缺少一个或多个帐户,则不复制该策略。If one or more account is missing, the policy is not copied. 不会检查组成员身份。Group membership is not checked.

    • “全局”策略至少包含一个标签。The Global policy contains at least one label. 由于管理员标记中心不支持不带有标签的标签策略,因此不会复制不带有标签的“全局”策略。Because the admin labeling centers don't support label policies without labels, a Global policy without labels is not copied.

  • 如果复制了策略,然后将其从管理员标记中心删除,请在再次使用“复制策略”操作之前至少等待两小时,以确保有足够的时间来复制删除的内容。If you copy policies and then delete them from your admin labeling center, wait at least two hours before you use the Copy policies action again to ensure sufficient time for the deletion to replicate.

  • 从 Azure 信息保护复制的策略不使用相同的名称,而是改用带有 AIP_ 前缀的名称。Policies copied from Azure Information Protection will not have the same name, they will instead be named with a prefix of AIP_. 以后无法更改策略名称。Policy names cannot be subsequently changed.

有关为 Azure 信息保护统一标记客户端配置策略设置、高级客户端设置和标签设置的详细信息,请参阅管理员指南中的 Azure 信息保护统一标记客户端的自定义配置For more information about configuring the policy settings, advanced client settings, and label settings for the Azure Information Protection unified labeling client, see Custom configurations for the Azure Information Protection unified labeling client from the admin guide.

备注

Azure 信息保护对复制策略的支持目前以预览版提供。Azure Information Protection support for copying policies is currently in PREVIEW. Azure 预览版补充条款包含适用于 beta 版、预览版或其他尚未正式发布的 Azure 功能的其他法律条款。The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

支持统一标签的客户端和服务Clients and services that support unified labeling

若要确认使用的客户端和服务是否支持统一标记,请参阅其文档,以检查它们是否可以使用从以下某个管理中心发布的敏感度标签:Office 365 安全与合规中心、Microsoft 365 安全中心或 Microsoft 365 合规中心。To confirm whether the clients and services you use support unified labeling, refer to their documentation to check whether they can use sensitivity labels that are published from one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center.

当前支持统一标签的客户端包括:Clients that currently support unified labeling include:
当前支持统一标签的服务包括:Services that currently support unified labeling include:

后续步骤Next steps

客户体验团队提供的指导和提示Guidance and tips from our Customer Experience team:

关于敏感度标签About sensitivity labels:

部署 AIP 统一标记客户端Deploy the AIP unified labeling client:

如果尚未这样做,请安装 Azure 信息保护统一标记客户端。If you haven't already done so, install the Azure Information Protection unified labeling client.

有关详情,请参阅:For more information, see: