Configuring super users for Azure Information Protection and discovery services or data recovery

*Applies to: Azure Information Protection, Office 365*

*Relevant for: AIP unified labeling client and classic client*

The super user feature of the Azure Rights Management service from Azure Information Protection ensures that authorized people and services can always read and inspect the data that Azure Rights Management protects for your organization. If necessary, the protection can then be removed or changed.

A super user always has the Rights Management Full Control usage right for documents and emails that have been protected by your organization's Azure Information Protection tenant. This ability is sometimes referred to as "reasoning over data" and is a crucial element in maintaining control of your organization's data. For example, you would use this feature for any of the following scenarios:

  • An employee leaves the organization and you need to read the files that they protected.

  • An IT administrator needs to remove the current protection policy that was configured for files and apply a new protection policy.

  • Exchange Server needs to index mailboxes for search operations.

  • You have existing IT services for data loss prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products that need to inspect files that are already protected.

  • You need to bulk decrypt files for auditing, legal, or other compliance reasons.

Configuration for the super user feature

By default, the super user feature is not enabled, and no users are assigned this role. It is enabled for you automatically if you configure the Rights Management connector for Exchange, and it is not required for standard services that run Exchange Online, Microsoft SharePoint Server, or SharePoint in Microsoft 365.

If you need to manually enable the super user feature, use the PowerShell cmdlet Enable-AipServiceSuperUserFeature, and then assign users (or service accounts) as needed by using the Add-AipServiceSuperUser cmdlet or the Set-AipServiceSuperUserGroup cmdlet, adding users (or other groups) to this group as needed.

Although using a group for your super users is easier to manage, be aware that for performance reasons, Azure Rights Management caches the group membership. So if you need a newly assigned super user to be able to decrypt content immediately, add that user by using Add-AipServiceSuperUser, rather than adding the user to an existing group that you have configured by using Set-AipServiceSuperUserGroup.

If you have not yet installed the Windows PowerShell module for Azure Rights Management, see Installing the AIPService PowerShell module.

It doesn't matter when you enable the super user feature or when you add users as super users. For example, if you enable the feature on Thursday and then add a user on Friday, that user can immediately open content that was protected at the very beginning of the week.

Security best practices for the super user feature

  • Restrict and monitor the administrators who are assigned as a global administrator for your Microsoft 365 or Azure Information Protection tenant, or who are assigned the GlobalAdministrator role by using the Add-AipServiceRoleBasedAdministrator cmdlet. These users can enable the super user feature and assign users (and themselves) as super users, and potentially decrypt all files that your organization protects.

  • To see which users and service accounts are individually assigned as super users, use the Get-AipServiceSuperUser cmdlet.

  • To see whether a super user group is configured, use the Get-AipServiceSuperUserGroup cmdlet and your standard user management tools to check which users are members of this group.

  • Like all administration actions, enabling or disabling the super user feature, and adding or removing super users, are logged and can be audited by using the Get-AipServiceAdminLog command. For an example, see Example auditing for the super user feature.

  • When super users decrypt files, this action is logged and can be audited with usage logging.

    While the logs include details about the decryption, including the user who decrypted the file, they do not note when that user is a super user. Use the logs together with the cmdlets listed above: first collect a list of super users, then identify those accounts in the logs.

  • If you do not need the super user feature for everyday services, enable the feature only when you need it, and disable it again by using the Disable-AipServiceSuperUserFeature cmdlet.
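The configuration steps and the "enable only when needed" practice above, combined into one session as an added example (this script is not part of the article or the AIPService module; the service account address and the log path are placeholder values):

```powershell
# Added example: a just-in-time super user session. The feature is enabled only
# for the duration of one recovery task, the assignment is verified first, and
# the feature is disabled again afterwards, with the admin log pulled for review.
# Placeholder values: $SuperUser and $LogPath are assumptions, not real settings.
Import-Module AIPService
Connect-AipService   # prompts for the tenant's global administrator credentials

$SuperUser = "recovery-svc@contoso.com"   # placeholder service account
$LogPath   = "C:\AuditLogs\AipAdminLog-$(Get-Date -Format yyyyMMdd).log"

try {
    # Record the starting state so the audit trail shows the feature was off.
    Write-Host "Feature state before: $(Get-AipServiceSuperUserFeature)"

    # Assign the account directly rather than through a group: group
    # membership is cached, so a direct assignment takes effect immediately.
    Add-AipServiceSuperUser -EmailAddress $SuperUser

    # Verify that only the expected account holds the role (individually and
    # via a group) before turning the feature on.
    $Individuals = @(Get-AipServiceSuperUser)
    $Group       = Get-AipServiceSuperUserGroup
    Write-Host "Super users: $($Individuals -join ', ')"
    if ($Group) { Write-Host "Super user group: $Group" }

    $Unexpected = $Individuals | Where-Object { $_ -ne $SuperUser }
    if ($Unexpected) {
        throw "Unexpected super users present: $($Unexpected -join ', ')"
    }

    Enable-AipServiceSuperUserFeature
    Write-Host "Feature enabled. Run the recovery task now, then press Enter."
    Read-Host | Out-Null
}
finally {
    # Always return to the least-privilege state, even if the task failed.
    Disable-AipServiceSuperUserFeature
    Remove-AipServiceSuperUser -EmailAddress $SuperUser
    Write-Host "Feature state after: $(Get-AipServiceSuperUserFeature)"

    # Export today's admin log so the enable/add/remove/disable sequence can be
    # reviewed alongside the usage logs that record the decryption itself.
    Get-AipServiceAdminLog -Path $LogPath -FromTime (Get-Date).Date
    Disconnect-AipService
}
```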

Example auditing for the super user feature

The following log extract shows some example entries from using the Get-AipServiceAdminLog cmdlet.

In this example, the administrator for Contoso Ltd confirms that the super user feature is disabled, adds Richard Simone as a super user, checks that Richard is the only super user configured for the Azure Rights Management service, and then enables the super user feature so that Richard can now decrypt some files that were protected by an employee who has since left the company.

2015-08-01T18:58:20 admin@contoso.com GetSuperUserFeatureState Passed Disabled

2015-08-01T18:59:44 admin@contoso.com AddSuperUser -id rsimone@contoso.com Passed True

2015-08-01T19:00:51 admin@contoso.com GetSuperUser Passed rsimone@contoso.com

2015-08-01T19:01:45 admin@contoso.com SetSuperUserFeatureState -state Enabled Passed True

Scripting options for super users

Often, somebody who is assigned as a super user for Azure Rights Management will need to remove protection from multiple files, in multiple locations. While it's possible to do this manually, it's more efficient (and often more reliable) to script this. To do so, you can use the Unprotect-RMSFile cmdlet and the Protect-RMSFile cmdlet as required.

If you are using classification and protection, you can also use Set-AIPFileLabel to apply a new label that doesn't apply protection, or to remove the label that applied protection.

For more information about these cmdlets, see Using PowerShell with the Azure Information Protection client in the Azure Information Protection client admin guide.

The AzureInformationProtection module is different from, and supplements, the AIPService PowerShell module that manages the Azure Rights Management service for Azure Information Protection.

Guidance for using Unprotect-RMSFile for eDiscovery

Although you can use the Unprotect-RMSFile cmdlet to decrypt protected content in PST files, use this cmdlet strategically as part of your eDiscovery process. Running Unprotect-RMSFile on large files is resource-intensive (memory and disk space) on the computer, and the maximum file size supported by this cmdlet is 5 GB.

Ideally, use eDiscovery in Microsoft 365 to search and extract protected emails and protected attachments in emails. The super user ability is automatically integrated with Exchange Online so that eDiscovery in the Office 365 Security & Compliance Center or Microsoft 365 compliance center can search for encrypted items prior to export, or decrypt encrypted email on export.

If you cannot use Microsoft 365 eDiscovery, you might have another eDiscovery solution that integrates with the Azure Rights Management service to similarly reason over data. Or, if your eDiscovery solution cannot automatically read and decrypt protected content, you can still use this solution in a multi-step process that lets you run Unprotect-RMSFile more efficiently:

  1. Export the email in question to a PST file from Exchange Online or Exchange Server, or from the workstation where the user stored their email.

  2. Import the PST file into your eDiscovery tool. Because the tool cannot read protected content, it's expected that these items will generate errors.

  3. From all the items that the tool couldn't open, generate a new PST file that this time contains just the protected items. This second PST file will likely be much smaller than the original PST file.

  4. Run Unprotect-RMSFile on this second PST file to decrypt the contents of this much smaller file. From the output, import the now-decrypted PST file into your discovery tool.
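Step 4 of the procedure above, written out as an added example that runs over a folder of second-pass PST files and enforces the 5 GB limit (this script is not part of the article or the AzureInformationProtection module; the folder and log paths are placeholders, and the account running it is assumed to be an assigned super user while the feature is enabled):

```powershell
# Added example: bulk-decrypt the "protected items only" PST files produced in
# step 3, writing decrypted copies to a separate folder so the originals remain
# intact as evidence. Paths are placeholder assumptions.
Import-Module AzureInformationProtection

$InputFolder  = "D:\eDiscovery\Case1234\protected-only"   # placeholder
$OutputFolder = "D:\eDiscovery\Case1234\decrypted"        # placeholder
$LogFile      = "D:\eDiscovery\Case1234\unprotect.log"    # placeholder
$MaxBytes     = 5GB   # documented maximum file size for Unprotect-RMSFile

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

$Results = foreach ($Pst in Get-ChildItem -Path $InputFolder -Filter *.pst -File) {
    if ($Pst.Length -gt $MaxBytes) {
        # Over the cmdlet's limit: report it so the export tool can split the
        # PST into smaller files and this step can be re-run on those.
        [pscustomobject]@{ File = $Pst.Name; Status = "Skipped (over 5 GB)" }
        continue
    }
    try {
        Unprotect-RMSFile -File $Pst.FullName -OutputFolder $OutputFolder -LogFile $LogFile | Out-Null
        [pscustomobject]@{ File = $Pst.Name; Status = "Decrypted" }
    }
    catch {
        # A failure here usually means the account is not a super user or the
        # feature is disabled; the cmdlet's own log file has the detail.
        [pscustomobject]@{ File = $Pst.Name; Status = "Failed: $($_.Exception.Message)" }
    }
}

$Results | Format-Table -AutoSize

# Anything not "Decrypted" needs attention before the decrypted PSTs in
# $OutputFolder are imported back into the discovery tool.
$Results | Where-Object Status -ne "Decrypted" |
    Export-Csv -Path (Join-Path $InputFolder "unprotect-exceptions.csv") -NoTypeInformation
```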

For more detailed information and guidance on performing eDiscovery across mailboxes and PST files, see the following blog post: Azure Information Protection and eDiscovery Processes.