AIP deployment roadmap for classification, labeling, and protection

Applies to: Azure Information Protection, Office 365

Relevant for: AIP unified labeling client and classic client

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Use the following steps as recommendations to help you prepare for, implement, and manage Azure Information Protection for your organization when you want to classify, label, and protect your data.

This roadmap is recommended for any customer with a supporting subscription. Additional capabilities include both discovering sensitive information and labeling documents and emails for classification.

Labels can also apply protection, simplifying this step for your users.

Deployment process

Perform the following steps:

  1. Confirm your subscription and assign user licenses
  2. Prepare your tenant to use Azure Information Protection
  3. Configure and deploy classification and labeling
  4. Prepare for data protection
  5. Configure labels and settings, applications, and services for data protection
  6. Use and monitor your data protection solutions
  7. Administer the protection service for your tenant account as needed

Tip

Already using the protection functionality from Azure Information Protection? You can skip many of these steps and focus on steps 3 and 5.1.

Confirm your subscription and assign user licenses

Confirm that your organization has a subscription that includes the functionality and features you expect. You can find these details on the Azure Information Protection Pricing page.

Then, assign licenses from this subscription to each user in your organization who will classify, label, and protect documents and emails.

Important

Do not manually assign user licenses from the free RMS for individuals subscription, and do not use this license to administer the Azure Rights Management service for your organization.

These licenses display as Rights Management Adhoc in the Microsoft 365 admin center, and as RIGHTSMANAGEMENT_ADHOC when you run the Azure AD PowerShell cmdlet Get-MsolAccountSku.

For more information, see RMS for individuals and Azure Information Protection.
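The following PowerShell is an added example, not part of this page or of Microsoft's own guidance; it audits the tenant for the RMS for individuals SKU named above so you can confirm that no administrator account relies on it. It assumes the MSOnline module is installed and a Connect-MsolService session is already open.

```powershell
# Added example (not from the Microsoft page): audit for the RMS for individuals SKU.
# Assumes the MSOnline module is installed and Connect-MsolService has already run.
Import-Module MSOnline

# List every SKU in the tenant and flag the ad hoc Rights Management SKU,
# which must not be hand-assigned or used to administer Azure RMS.
Get-MsolAccountSku |
    Select-Object AccountSkuId, ActiveUnits, ConsumedUnits,
        @{ Name = 'IsRmsAdhoc'; Expression = { $_.AccountSkuId -like '*RIGHTSMANAGEMENT_ADHOC*' } } |
    Format-Table -AutoSize

# Users holding the ad hoc SKU: review these accounts and make sure none of them
# is a tenant administrator whose only Rights Management entitlement is this license.
$adhocUsers = Get-MsolUser -All |
    Where-Object { $_.Licenses.AccountSkuId -match 'RIGHTSMANAGEMENT_ADHOC' } |
    Select-Object UserPrincipalName, IsLicensed,
        @{ Name = 'Skus'; Expression = { ($_.Licenses.AccountSkuId) -join ';' } }

$adhocUsers | Format-Table -AutoSize
'{0} user(s) hold a RIGHTSMANAGEMENT_ADHOC license' -f @($adhocUsers).Count
```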

Prepare your tenant to use Azure Information Protection

Before you begin using Azure Information Protection, make sure that you have user accounts and groups in Microsoft 365 or Azure Active Directory that AIP can use to authenticate and authorize your users.

If necessary, create these accounts and groups, or synchronize them from your on-premises directory.

For more information, see Preparing users and groups for Azure Information Protection.

Configure and deploy classification and labeling

Perform the following steps:

  1. Scan your files (optional but recommended)

    Deploy the Azure Information Protection client, and then install and run the scanner to discover the sensitive information you have on your local data stores.

    The information that the scanner finds can help you build your classification taxonomy, showing which labels you need and which files need protecting.

    The scanner's discovery mode doesn't require any label configuration or taxonomy, and is therefore suitable at this early stage of your deployment. You can also keep running this scanner configuration in parallel with the following deployment steps, until you configure recommended or automatic labeling.

  2. Customize the default AIP policy

    If you don't have a classification strategy yet, use the default policy as a basis for determining which labels you'll need for your data. Customize these labels as needed to meet your needs.

    For example, you may want to reconfigure your labels with the following details:

    • Make sure that your labels support your classification decisions.
    • Configure policies for manual labeling by users.
    • Write user guidance to help explain which label should be applied in each scenario.
    • If your default policy was created with labels that automatically apply protection, you may want to temporarily remove the protection settings or disable the label while you test your settings.

    Sensitivity labels and labeling policies for the unified labeling client are configured in the Microsoft 365 security center, the Microsoft 365 compliance center, or the Microsoft 365 Security & Compliance Center. For more information, see Learn about sensitivity labels.

  3. Deploy your client for your users

    Once you have a policy configured, deploy the Azure Information Protection client for your users. Provide user training and specific instructions on when to select each label.

    For more information, see the unified labeling client administrator guide.

  4. Introduce more advanced configurations

    Wait for your users to become more comfortable with labels on their documents and emails. When you're ready, introduce advanced configurations, such as:

    • Applying default labels
    • Prompting users for justification if they choose a label with a lower classification level or remove a label
    • Mandating that all documents and emails have a label
    • Customizing headers, footers, or watermarks
    • Recommended and automatic labeling

    For more information, see Admin Guide: Custom configurations.

    Tip

    If you've configured labels for automatic labeling, run the Azure Information Protection scanner again on your local data stores in discovery mode, matching files against your policy.

    Running the scanner in discovery mode tells you which labels would be applied to files, which helps you fine-tune your label configuration and prepares you for classifying and protecting files in bulk.

Prepare for data protection

Introduce data protection for your most sensitive data once users become comfortable labeling documents and emails.

Perform the following steps to prepare for data protection:

  1. Determine how you want to manage your tenant key

    Decide whether you want Microsoft to manage your tenant key (the default), or to generate and manage your tenant key yourself (known as bring your own key, or BYOK).

    For more information and options for additional, on-premises protection, see Planning and implementing your Azure Information Protection tenant key.

  2. Install PowerShell for AIP

    Install the PowerShell module for AIPService on at least one computer that has internet access. You can do this step now, or later.

    For more information, see Installing the AIPService PowerShell module.

  3. Activate protection

    Make sure that the protection service is activated so that you can begin to protect documents and emails. If you're deploying in multiple phases, configure user onboarding controls to restrict users' ability to apply protection.

    For more information, see Activating the protection service from Azure Information Protection.

  4. Consider usage logging (optional)

    Consider logging usage to monitor how your organization is using the protection service. You can do this step now, or later.

    For more information, see Logging and analyzing the protection usage from Azure Information Protection.
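The following PowerShell walks through the four preparation steps above with the AIPService module; it is an added example, not part of this page or of Microsoft's documentation. It assumes the signed-in account is a global or Azure Information Protection administrator, and the pilot group object ID and log folder are constructed placeholders.

```powershell
# Added example (not from the Microsoft page): prepare the protection service with the
# AIPService module. Assumes the signed-in account is a global or AIP administrator.
$PilotGroupObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder group GUID
$LogFolder          = 'C:\Temp\AipUsageLogs'                   # placeholder output path

# Step 2: install the module once (on a computer with internet access) and connect.
if (-not (Get-Module -ListAvailable -Name AIPService)) {
    Install-Module -Name AIPService -Scope CurrentUser -Force
}
Import-Module AIPService
Connect-AipService

# Step 1: show how the tenant key is managed today (Microsoft-managed by default,
# or a BYOK key you generated yourself); the active key is listed with its status.
Get-AipServiceKeys

# Step 3: make sure protection is activated, enabling it if it is not.
if ("$(Get-AipService)" -ne 'Enabled') {
    Enable-AipService
}
Get-AipServiceConfiguration | Select-Object FunctionalState, RightsManagementServiceId

# Step 3 (phased rollout): only members of the pilot group may apply protection,
# regardless of which users hold a license. Remove the policy when the rollout is done.
Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $false `
    -SecurityGroupObjectId $PilotGroupObjectId -Scope All
Get-AipServiceOnboardingControlPolicy

# Step 4: download the last seven days of protection usage logs for review.
New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
Get-AipServiceUserLog -Path $LogFolder -FromDate (Get-Date).AddDays(-7)
```

Run the onboarding-control step only during a phased deployment; with `-UseRmsUserLicense $false` and a group set, users outside that group cannot apply protection even if licensed.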

Configure labels and settings, applications, and services for data protection

Perform the following steps:

  1. Update your labels to apply protection

    For more information, see Restrict access to content by using encryption in sensitivity labels.

    Important

    Users can apply labels in Outlook that apply Rights Management protection even if Exchange is not configured for information rights management (IRM).

    However, until Exchange is configured for IRM or for Microsoft 365 Message Encryption with new capabilities, your organization will not get the full functionality of using Azure Rights Management protection with Exchange. This additional configuration is included in the following list (2 for Exchange Online, and 5 for Exchange on-premises).

  2. Configure Office applications and services

    Configure Office applications and services for the information rights management (IRM) features in Microsoft SharePoint or Exchange Online.

    For more information, see Configuring applications for Azure Rights Management.

  3. Configure the super user feature for data recovery

    If you have existing IT services that need to inspect files that Azure Information Protection will protect, such as data leak prevention (DLP) solutions, content encryption gateways (CEG), and anti-malware products, configure their service accounts as super users for Azure Rights Management.

    For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.

  4. Classify and protect existing files in bulk

    For your on-premises data stores, now run the Azure Information Protection scanner in enforcement mode so that files are automatically labeled.

    For files on PCs, use PowerShell cmdlets to classify and protect them. For more information, see Using PowerShell with the Azure Information Protection unified labeling client.

    For cloud-based data stores, use Azure Cloud App Security.

    Tip

    While classifying and protecting existing files in bulk is not one of the main use cases for Cloud App Security, documented workarounds can help you get your files classified and protected.
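The following PowerShell is an added example, not part of this page or of Microsoft's documentation, covering steps 3 and 4 above: it enables the super user feature for a DLP service account, then inventories a file share and labels the unlabeled files in bulk. It assumes an open Connect-AipService admin session and the AzureInformationProtection module that ships with the unified labeling client; the service account, share path, and label GUID are constructed placeholders.

```powershell
# Added example (not from the Microsoft page). Part 1 uses the AIPService module (an admin
# session opened with Connect-AipService is assumed); part 2 uses the AzureInformationProtection
# module installed with the unified labeling client. All three values below are placeholders.
$DlpServiceAccount = 'dlp-scanner@contoso.example'                # placeholder service account
$SharePath         = '\\fileserver\finance'                       # placeholder data store
$ConfidentialLabel = '00000000-0000-0000-0000-000000000000'       # placeholder sensitivity label GUID

# Step 3: let a DLP/CEG/anti-malware service account open protected content.
# The feature is off by default; enable it and add only the accounts that need it,
# then review the resulting list, since super users can read everything the tenant protects.
Import-Module AIPService
if ("$(Get-AipServiceSuperUserFeature)" -ne 'Enabled') {
    Enable-AipServiceSuperUserFeature
}
if (-not (Get-AipServiceSuperUser | Where-Object { $_ -eq $DlpServiceAccount })) {
    Add-AipServiceSuperUser -EmailAddress $DlpServiceAccount
}
Get-AipServiceSuperUser

# Step 4: inventory the share first (the PowerShell equivalent of discovery mode).
Import-Module AzureInformationProtection
$status    = Get-AIPFileStatus -Path $SharePath
$unlabeled = @($status | Where-Object { -not $_.IsLabeled })
'{0} of {1} files are unlabeled; {2} are RMS-protected' -f `
    $unlabeled.Count, @($status).Count, @($status | Where-Object { $_.IsRMSProtected }).Count

# Then label the unlabeled files in bulk. Protection is applied only if the chosen
# label's encryption settings (step 1) call for it, so test the label on a copy first.
foreach ($file in $unlabeled) {
    Set-AIPFileLabel -Path $file.FileName -LabelId $ConfidentialLabel
}
```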

Use and monitor your data protection solutions

You're now ready to monitor how your organization is using the labels that you've configured, and to confirm that you're protecting sensitive information.

For more information, see the following pages:

Administer the protection service for your tenant account as needed

As you begin to use the protection service, you might find PowerShell useful to help script or automate administrative changes. PowerShell might also be needed for some of the advanced configurations.

For more information, see Administering protection from Azure Information Protection by using PowerShell.

References for classic client environments

Relevant for: AIP classic client only

If you're using the classic client, use the following references instead of those linked above:

Tip

You may also be interested in the Azure Information Protection deployment roadmap for protection only, which is supported for the classic client only.

Next steps

As you deploy Azure Information Protection, you might find it helpful to check the frequently asked questions, known issues, and the information and support page for additional resources.