Frequently asked questions for Azure Information Protection (AIP)

Applies to: Azure Information Protection, Office 365

Relevant for: AIP unified labeling client and classic client

Note

To provide a unified and streamlined customer experience, Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Have a question about Azure Information Protection (AIP), or about the Azure Rights Management service (Azure RMS)?

See if it's answered below or on the subsequent, more specific, FAQ pages.

What's the difference between Azure Information Protection and Microsoft Information Protection?

Unlike Azure Information Protection, Microsoft Information Protection isn't a subscription or product that you can buy. Instead, it's a framework for products and integrated capabilities that help you protect your organization's sensitive information.

Microsoft Information Protection products include:

  • Azure Information Protection
  • Microsoft 365 Information Protection, such as Microsoft 365 DLP
  • Windows Information Protection
  • Microsoft Cloud App Security

Microsoft Information Protection capabilities include:

  • Unified label management
  • End-user labeling experiences built into Office apps
  • The ability for Windows to understand unified labels and apply protection to data
  • The Microsoft Information Protection SDK
  • Functionality in Adobe Acrobat Reader to view labeled and protected PDFs

For more information, see Information protection capabilities to help protect your sensitive data.

What's the difference between labels in Microsoft 365 and labels in Azure Information Protection?

Originally, Microsoft 365 had only retention labels, which enabled you to classify documents and emails for auditing and retention when that content was stored in Microsoft 365 services.

In contrast, Azure Information Protection labels, configured at the time using the AIP classic client in the Azure portal, enabled you to apply a consistent classification and protection policy for documents and emails whether they were stored on-premises or in the cloud.

Microsoft 365 now supports sensitivity labels in addition to retention labels. Sensitivity labels can be created and configured in the following admin centers:

  • Office 365 Security & Compliance Center
  • Microsoft 365 security center
  • Microsoft 365 compliance center

If you have legacy AIP labels configured in the Azure portal, we recommend migrating them to sensitivity labels and the unified labeling client. For more information, see Tutorial: Migrating from the Azure Information Protection (AIP) classic client to the unified labeling client.

For more information, see Announcing availability of information protection capabilities to help protect your sensitive data.

How can I determine if my tenant is on the unified labeling platform?

When your tenant is on the unified labeling platform, it supports sensitivity labels that can be used by clients and services that support unified labeling. If you obtained your subscription for Azure Information Protection in June 2019 or later, your tenant is automatically on the unified labeling platform and no further action is needed. Your tenant might also be on this platform because somebody migrated your Azure Information Protection labels.

If your tenant is not on the unified labeling platform, you'll see the following information banner in the Azure portal, on the Azure Information Protection panes:

[Image: Migration information banner]

You can also check by going to Azure Information Protection > Manage > Unified labeling, and view the Unified labeling status:

  • Activated: Your tenant is on the unified labeling platform. You can create, configure, and publish labels from the Microsoft 365 compliance center.
  • Not activated: Your tenant is not on the unified labeling platform. For migration instructions and guidance, see How to migrate Azure Information Protection labels to unified sensitivity labels.

What's the difference between the Azure Information Protection classic and unified labeling clients?

The legacy Azure Information Protection client, referred to as the classic client, downloads labels and policy settings from Azure and enables you to configure the AIP policy from the Azure portal.

The unified labeling client is the most current client with the most recent updates, and supports the unified labeling platform used by multiple applications and services. The unified labeling client downloads sensitivity labels and policy settings from the following admin centers:

  • Office 365 Security & Compliance Center
  • Microsoft 365 security center
  • Microsoft 365 compliance center

If you're an admin, learn more in Choose your Windows labeling solution.

Classic client deprecation

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure portal are being deprecated as of March 31, 2021.

After deprecation, the client will continue to work as expected. However, administrators will not be able to update policies on the portal, and no more fixes or changes will be supplied for the classic client.

This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

If you currently have the classic client deployed, we recommend that you upgrade to the unified labeling client. For more information, see:

Identify the client you have installed

If you are a user who wants to understand whether you have the classic or the unified labeling client installed, you can do one of the following:

  • In your Office apps, check for the Sensitivity or Protect toolbar button. The unified labeling client displays the Sensitivity button, and the classic client displays the Protect button.

  • Check the version number for the Azure Information Protection application you have installed.

    • Versions 1.x indicate that you have the classic client. Example: 1.54.59.0
    • Versions 2.x indicate that you have the unified labeling client. Example: 2.8.85.0

    For example, in the Windows Settings > Apps and features area, scroll down to the Microsoft Azure Information Protection application, and check the version number.

    [Image: Checking the Azure Information Protection client version]
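
The version check described above can be scripted so that endpoints still running the classic client, which receives no further fixes after deprecation, are easy to find. This is an added example, not code from the AIP documentation; the function names are hypothetical, and matching on a DisplayName that starts with "Microsoft Azure Information Protection" is an assumption based on the application name given above.

```powershell
# Added example: classify the installed AIP client from its version number.
# Function names are hypothetical; the 1.x / 2.x rule is the one stated above.

function Get-AipClientType {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Version
    )

    # Reject anything that is not a dotted version (empty string, free text).
    $parsed = $null
    if (-not [version]::TryParse($Version, [ref]$parsed)) {
        return 'Unknown'
    }

    switch ($parsed.Major) {
        1       { 'Classic' }          # 1.x: classic client
        2       { 'UnifiedLabeling' }  # 2.x: unified labeling client
        default { 'Unknown' }
    }
}

function Get-InstalledAipClient {
    # Reads the uninstall registry keys, the data behind "Apps and features".
    # Assumption: the entry's DisplayName starts with the application name
    # "Microsoft Azure Information Protection".
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure Information Protection*' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                ClientType = Get-AipClientType -Version ([string]$_.DisplayVersion)
            }
        }
}

# Constructed sample input (not real inventory data). The first two values are
# the example versions given above; the last two exercise the failure path.
$sampleVersions = '1.54.59.0', '2.8.85.0', '', 'not-a-version'
$sampleVersions | ForEach-Object {
    [pscustomobject]@{
        Version    = $_
        ClientType = Get-AipClientType -Version $_
    }
} | Format-Table -AutoSize

# On a Windows endpoint, report what is actually installed:
Get-InstalledAipClient | Format-Table -AutoSize
```

A machine that reports both a Classic and a UnifiedLabeling row has both clients installed, which affects where label changes must be published.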

When is the right time to migrate my labels to unified labeling?

We recommend that you migrate your Azure Information Protection labels to the unified labeling platform so that you can use them as sensitivity labels with other clients and services that support unified labeling.

For more information and instructions, see How to migrate Azure Information Protection labels to unified sensitivity labels.

After I've migrated my labels to unified labeling, which management portal do I use?

After you've migrated your labels in the Azure portal, continue managing them in one of the following locations, depending on the clients you have installed:

  • Unified labeling clients and services only: If you only have unified labeling clients installed, manage your labels in one of the admin centers: Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center. Unified labeling clients download the labels and policy settings from these admin centers.

    For instructions, see Create and configure sensitivity labels and their policies.

  • Classic client only: If you've migrated your labels, but still have the classic client installed, continue to use the Azure portal to edit labels and policy settings. The classic client continues to download labels and policy settings from Azure.

  • Both the AIP classic client and unified labeling clients: If you have both of the clients installed, use the admin centers or the Azure portal to make label changes.

    For the classic clients to pick up label changes made in the admin centers, return to the Azure portal to publish them. In the Azure portal > Azure Information Protection - Unified labeling pane, select Publish.

Continue to use the Azure portal for central reporting and the scanner.

Do I need to re-encrypt my files after moving to sensitivity labels and the unified labeling platform?

No, you don't need to re-encrypt your files after you migrate from the AIP classic client and the labels managed in the Azure portal to sensitivity labels and the unified labeling platform.

After migrating, manage your labels and labeling policies from your labeling admin center, including the Microsoft security center, Microsoft compliance center, or the Microsoft Security & Compliance Center.

For more information, see Learn about sensitivity labels in the Microsoft 365 documentation and the Understanding unified labeling migration blog.

What's the difference between Azure Information Protection and Azure Rights Management?

Azure Information Protection (AIP) provides classification, labeling, and protection for an organization's documents and emails.

Content is protected using the Azure Rights Management service, which is now a component of AIP.

For more information, see How AIP protects your data and What is Azure Rights Management?.

What's the role of identity management for Azure Information Protection?

Identity management is an important component of AIP, as users must have a valid user name and password to access protected content.

To read more about how Azure Information Protection helps to secure your data, see The role of Azure Information Protection in securing data.

What subscription do I need for Azure Information Protection and what features are included?

To understand more about AIP subscriptions, see the subscription information and feature list on the Azure Information Protection pricing page.

If you have a Microsoft 365 subscription that includes Azure Rights Management data protection, download the Azure Information Protection licensing datasheet for more details about integrating with AIP.

Still have questions about licensing? See if they are answered in the frequently asked questions for licensing section.

Do you need to be a global admin to configure Azure Information Protection, or can I delegate to other administrators?

Global administrators for a Microsoft 365 tenant or Azure AD tenant can obviously run all administrative tasks for Azure Information Protection.

However, if you want to assign administrative permissions to other users, do so using the following roles:

Additionally, note the following when managing administrative tasks and roles:

  • Supported account types: Microsoft accounts are not supported for delegated administration of Azure Information Protection, even if these accounts are assigned to one of the administrative roles listed.

  • Onboarding controls: If you have configured onboarding controls, this configuration does not affect the ability to administer Azure Information Protection, except the RMS connector.

    For example, if you have configured onboarding controls so that the ability to protect content is restricted to the IT department group, the account used to install and configure the RMS connector must be a member of that group.

  • Removing protection: Administrators cannot automatically remove protection from documents or emails that were protected by Azure Information Protection.

    Only users who are assigned as super users can remove protection, and only when the super user feature is enabled.

    Any user with administrative permissions to Azure Information Protection can enable the super user feature, and assign users as super users, including their own account.

    These actions are recorded in an administrator log.

    For more information, see the security best practices section in Configuring super users for Azure Information Protection and discovery services or data recovery.

    Tip: If your content is stored in SharePoint or OneDrive, admins can run the Unlock-SensitivityLabelEncryptedFile cmdlet to remove both the sensitivity label and the encryption. For more information, see the Microsoft 365 documentation.

  • Migrating to the unified labeling store: If you are migrating your Azure Information Protection labels to the unified labeling store, be sure to read the following section from the label migration documentation: Administrative roles that support the unified labeling platform.
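
Because any AIP administrator can enable the super user feature and assign super users, including their own account, the current assignments are worth comparing against an approved list. The following is an added example, not code from the AIP documentation: the function name, the severity labels and the sample accounts are hypothetical, and it assumes Get-AipServiceSuperUser output can be treated as a list of account addresses.

```powershell
# Added example: report drift in the super user configuration.
# Test-AipSuperUserExposure is a hypothetical helper, not an AIPService cmdlet.

function Test-AipSuperUserExposure {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$FeatureState,
        [string[]]$SuperUsers,
        [string[]]$ApprovedSuperUsers,
        [string[]]$AipAdministrators
    )

    # Drop nulls and empty strings so an unset list counts as zero entries.
    $assigned = @($SuperUsers | Where-Object { $_ })
    $approved = @($ApprovedSuperUsers | Where-Object { $_ })
    $admins   = @($AipAdministrators | Where-Object { $_ })
    $enabled  = $FeatureState -eq 'Enabled'

    foreach ($user in $assigned) {
        $reasons = @()
        # -contains / -notcontains compare case-insensitively by default.
        if ($approved -notcontains $user) {
            $reasons += 'is not on the approved list'
        }
        if ($admins -contains $user) {
            $reasons += 'also administers AIP (possible self-assignment)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Subject  = $user
                Severity = if ($enabled) { 'High' } else { 'Medium' }
                Finding  = 'Super user ' + ($reasons -join ' and ')
            }
        }
    }

    if ($enabled -and $assigned.Count -eq 0) {
        [pscustomobject]@{
            Subject  = 'Super user feature'
            Severity = 'Low'
            Finding  = 'Enabled with no super users assigned'
        }
    }

    if (-not $enabled -and $assigned.Count -gt 0) {
        [pscustomobject]@{
            Subject  = 'Super user feature'
            Severity = 'Info'
            Finding  = "Disabled, but $($assigned.Count) assignment(s) take effect as soon as an AIP administrator enables it"
        }
    }
}

# Constructed sample data (contoso.com addresses are placeholders, not real accounts).
$findings = Test-AipSuperUserExposure -FeatureState Enabled `
    -SuperUsers 'ediscovery-svc@contoso.com', 'it-admin@contoso.com' `
    -ApprovedSuperUsers 'ediscovery-svc@contoso.com' `
    -AipAdministrators 'it-admin@contoso.com', 'compliance-admin@contoso.com'
$findings | Format-Table -AutoSize -Wrap

# Live input, run by an account that can use the AIPService module:
#   Connect-AipService
#   Test-AipSuperUserExposure -FeatureState (Get-AipServiceSuperUserFeature) `
#       -SuperUsers (Get-AipServiceSuperUser) -ApprovedSuperUsers $approvedList
#   Get-AipServiceAdminLog -Path .\aip-admin.log   # who changed the configuration, and when
```

With the sample data, only it-admin@contoso.com is reported, because that account is both unapproved and an AIP administrator.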

Azure Information Protection administrator

This Azure Active Directory administrator role lets an administrator configure Azure Information Protection but not other services.

Administrators with this role can:

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

Note

This role doesn't support tracking and revoking documents for users, and is not supported in the Azure portal if your tenant is on the unified labeling platform.

Compliance administrator or Compliance data administrator

These Azure Active Directory administrator roles enable administrators to:

  • Configure Azure Information Protection, including activating and deactivating the Azure Rights Management protection service
  • Configure protection settings and labels
  • Configure the Azure Information Protection policy
  • Run all the PowerShell cmdlets for the Azure Information Protection client and from the AIPService module.

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

To see what other permissions a user with these roles has, see the Available roles section from the Azure Active Directory documentation.

Note

These roles don't support tracking and revoking documents for users.

Security reader or Global reader

These roles are used for Azure Information Protection analytics only, and enable administrators to:

  • View how your labels are being used
  • Monitor user access to labeled documents and emails
  • View changes made to classification
  • Identify documents that contain sensitive information that must be protected

Because this feature uses Azure Monitor, you must also have a supporting RBAC role.

Security administrator

This Azure Active Directory administrator role enables administrators to configure Azure Information Protection in the Azure portal and some aspects of other Azure services.

Administrators with this role cannot run any of the PowerShell cmdlets from the AIPService module, or track and revoke documents for users.

To assign a user to this administrative role, see Assign a user to administrator roles in Azure Active Directory.

To see what other permissions a user with this role has, see the Available roles section from the Azure Active Directory documentation.

Azure Rights Management Global Administrator and Connector Administrator

The Global Administrator role enables users to run all PowerShell cmdlets from the AIPService module without making them a global administrator for other cloud services.

The Connector Administrator role enables users to run only the Rights Management (RMS) connector.

These administrative roles don't grant permissions to management consoles, or support tracking and revoking documents for users.

To assign either of these administrative roles, use the AIPService PowerShell cmdlet, Add-AipServiceRoleBasedAdministrator.

Does Azure Information Protection support on-premises and hybrid scenarios?

Yes. Although Azure Information Protection is a cloud-based solution, it can classify, label, and protect documents and emails that are stored on-premises, as well as in the cloud.

If you have Exchange Server, SharePoint Server, and Windows file servers, use one or both of the following methods:

  • Deploy the Rights Management connector so that these on-premises servers can use the Azure Rights Management service to protect your emails and documents
  • Synchronize and federate your Active Directory domain controllers with Azure AD for a more seamless authentication experience for users. For example, use Azure AD Connect.

The Azure Rights Management service automatically generates and manages XrML certificates as required, so it doesn't use an on-premises PKI.

For more information about how Azure Rights Management uses certificates, see the Walkthrough of how Azure RMS works: First use, content protection, content consumption.

What types of data can Azure Information Protection classify and protect?

Azure Information Protection can classify and protect email messages and documents, whether they are located on-premises or in the cloud. These documents include Word documents, Excel spreadsheets, PowerPoint presentations, PDF documents, text-based files, and image files.

For more information, see the full list of file types supported.

Note

Azure Information Protection cannot classify and protect structured data such as database files, calendar items, Yammer posts, Sway content, and OneNote notebooks.

Tip

Power BI supports classification by using sensitivity labels and can apply protection from those labels to data that is exported to the following file formats: .pdf, .xls, and .ppt. For more information, see Data protection in Power BI.

I see Azure Information Protection is listed as an available cloud app for conditional access—how does this work?

Yes, as a preview offering, you can configure Azure AD conditional access for Azure Information Protection.

When a user opens a document that is protected by Azure Information Protection, administrators can now block or grant access to users in their tenant, based on the standard conditional access controls. Requiring multi-factor authentication (MFA) is one of the most commonly requested conditions. Another one is that devices must be compliant with your Intune policies so that, for example, mobile devices meet your password requirements and a minimum operating system version, and computers must be domain-joined.

For more information and some walk-through examples, see the following blog post: Conditional Access policies for Azure Information Protection.

Additional information:

  • Evaluation frequency: For Windows computers, and the current preview release, the conditional access policies for Azure Information Protection are evaluated when the user environment is initialized (this process is also known as bootstrapping), and then every 30 days.

    To fine-tune how often your conditional access policies get evaluated, configure the token lifetime.

  • Administrator accounts: We recommend that you do not add administrator accounts to your conditional access policies because these accounts will not be able to access the Azure Information Protection pane in the Azure portal.

  • MFA and B2B collaboration: If you use MFA in your conditional access policies for collaborating with other organizations (B2B), you must use Azure AD B2B collaboration and create guest accounts for the users you want to share with in the other organization.

  • Terms of Use prompts: With the Azure AD December 2018 preview release, you can now prompt users to accept a terms of use before they open a protected document for the first time.

  • Cloud apps: If you use many cloud apps for conditional access, you might not see Microsoft Azure Information Protection displayed in the list to select.

    In this case, use the search box at the top of the list. Start typing "Microsoft Azure Information Protection" to filter the available apps. Providing you have a supported subscription, you'll then see Microsoft Azure Information Protection to select.

Note

The Azure Information Protection support for conditional access is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

I see Azure Information Protection is listed as a security provider for Microsoft Graph Security—how does this work and what alerts will I receive?

Yes, as a public preview offering, you can now receive an alert for Azure Information Protection anomalous data access. This alert is triggered when there are unusual attempts to access data that is protected by Azure Information Protection. For example, accessing an unusually high volume of data, at an unusual time of day, or access from an unknown location.

Such alerts can help you to detect advanced data-related attacks and insider threats in your environment. These alerts use machine learning to profile the behavior of users who access your protected data.

The Azure Information Protection alerts can be accessed by using the Microsoft Graph Security API, or you can stream alerts to SIEM solutions, such as Splunk and IBM QRadar, by using Azure Monitor.

For more information about the Microsoft Graph Security API, see Microsoft Graph Security API overview.

Note

The Azure Information Protection support for Microsoft Graph Security is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

I've heard a new release is going to be available soon, for Azure Information Protection—when will it be released?

The technical documentation does not contain information about upcoming releases. For this type of information, use the Microsoft 365 Roadmap and check the Enterprise Mobility + Security Blog.

Is Azure Information Protection suitable for my country?

Different countries have different requirements and regulations. To help you answer this question for your organization, see Suitability for different countries.

How can Azure Information Protection help with GDPR?

Note

If you’re interested in viewing or deleting personal data, please review Microsoft's guidance in the Microsoft Compliance Manager and in the GDPR section of the Microsoft 365 Enterprise Compliance site. If you’re looking for general information about GDPR, see the GDPR section of the Service Trust portal.

See Compliance and supporting information for Azure Information Protection.

How can I report a problem or send feedback for Azure Information Protection?

For technical support, use your standard support channels or contact Microsoft Support.

We also invite you to engage with our engineering team, on their Azure Information Protection Yammer site.

What do I do if my question isn't here?

First, review the frequently asked questions listed below, which are specific to classification and labeling, or specific to data protection. The Azure Rights Management service (Azure RMS) provides the data protection technology for Azure Information Protection. Azure RMS can be used with classification and labeling, or by itself.

If your question isn't answered, see the links and resources listed in Information and support for Azure Information Protection.