Azure Information Protection requirements

Applies to: Azure Information Protection, Office 365

Relevant for: AIP unified labeling client and AIP classic client.

Before deploying Azure Information Protection, ensure that your system meets the following prerequisites:

Subscription for Azure Information Protection

You must have one of the following, depending on the Azure Information Protection features you'll be using:

To verify that your subscription includes the Azure Information Protection features you want to use, check the feature list at Azure Information Protection pricing.

If you have questions about licensing, read through the frequently asked questions for licensing.

Tip

Looking to see if your plan supports the new capabilities from Office 365 Message Encryption, to send protected emails to personal email addresses such as Gmail, Yahoo, and Microsoft? Check the following resources:

If you have questions about subscriptions or licensing, do not post them on this page. Instead, see if they are answered in the frequently asked questions for licensing. If your question is not answered there, contact your Microsoft Account Manager or Microsoft Support.

Azure Active Directory

To support authentication and authorization for Azure Information Protection, you must have an Azure Active Directory (AD). To use user accounts from your on-premises directory (AD DS), you must also configure directory integration.

  • Single sign-on (SSO) is supported for Azure Information Protection so that users are not repeatedly prompted for their credentials. If you use another vendor solution for federation, check with that vendor for how to configure it for Azure AD. WS-Trust is a common requirement for these solutions to support single sign-on.

  • Multi-factor authentication (MFA) is supported with Azure Information Protection when you have the required client software and have correctly configured the MFA-supporting infrastructure.

Conditional access is supported in preview for documents protected by Azure Information Protection. For more information, see: I see Azure Information Protection is listed as an available cloud app for conditional access - how does this work?

Additional prerequisites are required for specific scenarios, such as when using certificate-based or multi-factor authentication, or when UPN values don't match user email addresses.

For more information, see:

Client devices

User computers or mobile devices must run on an operating system that supports Azure Information Protection.

Supported operating systems for client devices

The Azure Information Protection clients for Windows are supported on the following operating systems:

  • Windows 10 (x86, x64). Handwriting is not supported in the Windows 10 RS4 build and later.

  • Windows 8.1 (x86, x64)

  • Windows 8 (x86, x64)

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2012 R2 and Windows Server 2012

For details about support in earlier versions of Windows, contact your Microsoft account or support representative.

Note

When the Azure Information Protection clients protect data by using the Azure Rights Management service, that data can be consumed by the same devices that support the Azure Rights Management service.

ARM64

ARM64 is not currently supported.

Virtual machines

If you're working with virtual machines, check whether the software vendor for your virtual desktop solution has additional configuration requirements for running the Azure Information Protection unified labeling client or the Azure Information Protection client.

For example, for Citrix solutions, you might need to disable Citrix Application Programming Interface (API) hooks for Office, the Azure Information Protection unified labeling client, or the Azure Information Protection client.

These applications use the following files, respectively: winword.exe, excel.exe, outlook.exe, powerpnt.exe, msip.app.exe, msip.viewer.exe

Server support

For each of the server versions listed above, Azure Information Protection clients are supported for Remote Desktop Services.

If you delete user profiles when you use the Azure Information Protection clients with Remote Desktop Services, do not delete the %Appdata%\Microsoft\Protect folder.

Additionally, Server Core and Nano Server are not supported.

Additional requirements per client

Each Azure Information Protection client has additional requirements. For details, see:

Applications

The Azure Information Protection clients can label and protect documents and emails by using Microsoft Word, Excel, PowerPoint, and Outlook from any of the following Office editions:

  • Office apps, for the versions listed in the table of supported versions for Microsoft 365 Apps by update channel, from Microsoft 365 Apps for Business or Microsoft 365 Business Premium, when the user is assigned a license for Azure Rights Management (also known as Azure Information Protection for Office 365)

  • Microsoft 365 Apps for Enterprise

  • Office Professional Plus 2019

  • Office Professional Plus 2016

  • Office Professional Plus 2013 with Service Pack 1

  • Office Professional Plus 2010 with Service Pack 2

Other editions of Office cannot protect documents and emails by using a Rights Management service. For these editions, Azure Information Protection is supported for classification only, and labels that apply protection are not displayed to users.

Labels are displayed in a bar at the top of the Office document, accessible from the Sensitivity button in the unified labeling client, or the Protect button in the classic client.

For more information, see Applications that support Azure Rights Management data protection.

Important

Office 2010 extended support ended on October 13, 2020. For more information, see AIP and legacy Windows and Office versions.

Office features and capabilities not supported

  • The Azure Information Protection clients for Windows do not support multiple versions of Office on the same computer, or switching user accounts in Office.

  • The Office mail merge feature is not supported with any Azure Information Protection feature.

Firewalls and network infrastructure

If you have firewalls or similar intervening network devices that are configured to allow specific connections, the network connectivity requirements are listed in this Office article: Microsoft 365 Common and Office Online.

Azure Information Protection has the following additional requirements:

  • Unified labeling client. To download labels and label policies, allow the following URL over HTTPS: *.protection.outlook.com

  • Web proxies. If you use a web proxy that requires authentication, you must configure the proxy to use integrated Windows authentication with the user's Active Directory sign-in credentials.

    To support Proxy.pac files when using a proxy to acquire a token, add the following new registry key:

    • Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP\
    • Key: UseDefaultCredentialsInProxy
    • Type: DWORD
    • Value: 1
  • TLS client-to-service connections. Do not terminate any TLS client-to-service connections to the aadrm.com URL, for example to perform packet-level inspection. Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with the Azure Rights Management service.

    To determine whether your client connection is terminated before it reaches the Azure Rights Management service, use the following PowerShell commands:

    $request = [System.Net.HttpWebRequest]::Create("https://admin.na.aadrm.com/admin/admin.svc")
    $response = $request.GetResponse()          # completes the TLS handshake with whatever answers for aadrm.com
    $request.ServicePoint.Certificate.Issuer    # issuer of the certificate the client actually received
    $response.Close()

    The result should show that the issuing CA is from a Microsoft CA, for example: CN=Microsoft Secure Server CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.

    If you see an issuing CA name that is not from Microsoft, it is likely that your secure client-to-service connection is being terminated and needs reconfiguration on your firewall.

  • TLS version 1.2 or higher (unified labeling client only). The unified labeling client requires TLS version 1.2 or higher to ensure the use of cryptographically secure protocols and align with Microsoft security guidelines.

  • Microsoft 365 Enhanced Configuration Service (ECS). AIP must have access to the config.edge.skype.com URL, which is a Microsoft 365 Enhanced Configuration Service (ECS).

    ECS provides Microsoft the ability to reconfigure AIP installations without the need for you to redeploy AIP. It's used to control the gradual rollout of features or updates, while the impact of the rollout is monitored from the diagnostic data being collected.

    ECS is also used to mitigate security or performance issues with a feature or update. ECS also supports configuration changes related to diagnostic data, to help ensure that the appropriate events are being collected.

    Limiting the config.edge.skype.com URL may affect Microsoft's ability to mitigate errors and may affect your ability to test preview features.

    For more information, see Essential services for Office - Deploy Office.

  • Audit logging URL network connectivity. AIP must be able to access the following URLs in order to support AIP audit logs:

    • https://*.events.data.microsoft.com
    • https://*.aria.microsoft.com (Android device data only)

    For more information, see Prerequisites for AIP reporting.
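The Proxy.pac registry setting from the Web proxies item above, written from PowerShell. This is an added example, not code from the original article or from the AIP client: the path and value name are the ones the article gives, while the function name is an assumption, and it assumes an elevated Windows PowerShell session because HKLM is writable only by administrators.

```powershell
# Added example, not from the original article: create the Proxy.pac registry value
# described in the article and read it back. Assumes an elevated Windows PowerShell session.
$keyPath   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSIP'   # path from the article
$valueName = 'UseDefaultCredentialsInProxy'                 # value name from the article

function Set-AipProxyDefaultCredentials {
    # Create the key only if it is missing, so existing MSIP values are never disturbed.
    if (-not (Test-Path -Path $keyPath)) {
        $null = New-Item -Path $keyPath -Force
    }

    # Write the DWORD; -Force overwrites a stale value of the same name.
    $null = New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force

    # Read it back so the result can be verified (and logged by configuration management).
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    if ($current -ne 1) {
        throw "Expected $keyPath\$valueName = 1 but found '$current'"
    }
    Write-Output "$keyPath\$valueName = $current (proxy token requests will use the signed-in user's Windows credentials)"
}

Set-AipProxyDefaultCredentials
```

The read-back at the end is what makes this safe to run from deployment tooling: if Group Policy or another script later resets the value, the same function reports the mismatch instead of silently succeeding.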
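The TLS termination check above, generalized from the three-line snippet into a function that probes one or more aadrm.com endpoints over TLS 1.2 (the minimum the unified labeling client requires) and reports, per endpoint, whether the certificate the client received was issued by a Microsoft CA. This is an added example, not code from the original article or from Microsoft: the endpoint and the "issued by a Microsoft CA" criterion come from the article; the function name, the timeout, and the issuer test (the string O=Microsoft Corporation in the issuer name) are assumptions made here.

```powershell
# Added example, not from the original article: probe the Azure Rights Management endpoint
# over TLS 1.2 and report whether the certificate presented to the client was issued by a
# Microsoft CA (the article's criterion) or by something else, which indicates termination
# by an intermediate device. Function name, timeout and issuer test are assumptions.

# Offer only TLS 1.2, the minimum the unified labeling client requires.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Test-AipTlsTermination {
    param(
        # Endpoint(s) to probe. The article names the North America admin endpoint;
        # add the aadrm.com endpoints your tenant uses.
        [string[]] $Url = @('https://admin.na.aadrm.com/admin/admin.svc')
    )

    foreach ($u in $Url) {
        $request = [System.Net.HttpWebRequest]::Create($u)
        $request.Timeout = 15000   # milliseconds; assumption

        try {
            # The handshake completes before any HTTP status comes back, so even an HTTP
            # error response leaves the server certificate recorded on the ServicePoint.
            $response = $request.GetResponse()
            $response.Close()
        } catch {
            $ex = $_.Exception
            # PowerShell wraps exceptions thrown by .NET methods; unwrap to the WebException.
            if ($ex -is [System.Management.Automation.MethodInvocationException]) { $ex = $ex.InnerException }
            if ($ex -is [System.Net.WebException] -and $null -ne $ex.Response) {
                $ex.Response.Close()   # HTTP-level error only: the TLS session still succeeded
            } else {
                # No TLS session at all (blocked, timed out, or the handshake was rejected).
                [pscustomobject]@{ Url = $u; Issuer = $null; Result = "NoConnection: $($ex.Message)" }
                continue
            }
        }

        $issuer = $request.ServicePoint.Certificate.Issuer
        $result = if ($issuer -match 'O=Microsoft Corporation') {
            'OK: issued by a Microsoft CA'
        } else {
            'LikelyTerminated: issuer is not Microsoft; check your firewall or proxy configuration'
        }
        [pscustomobject]@{ Url = $u; Issuer = $issuer; Result = $result }
    }
}

Test-AipTlsTermination | Format-List
```

A NoConnection result is worth distinguishing from LikelyTerminated: the first means the client never completed a TLS session (which is also what a pinning failure inside the RMS client looks like), the second means a session completed but with a certificate from a CA the RMS client will not accept.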

Coexistence of AD RMS with Azure RMS

Using AD RMS and Azure RMS side by side, in the same organization, to protect content by the same user in the same organization, is only supported in AD RMS for HYOK (hold your own key) protection with Azure Information Protection.

Tip

If you deploy Azure Information Protection and then decide that you no longer want to use this cloud service, see Decommissioning and deactivating Azure Information Protection.

For other, non-migration scenarios, where both services are active in the same organization, both services must be configured so that only one of them allows any given user to protect content. Configure such scenarios as follows:

  • If both services must be active for different users at the same time, use service-side configurations to enforce exclusivity. Use the Azure RMS onboarding controls in the cloud service, and an ACL on the Publish URL to set Read-Only mode for AD RMS.

Service Tags

If you are using an Azure endpoint and an NSG, make sure to allow access to all ports for the following Service Tags:

  • AzureInformationProtection
  • AzureActiveDirectory
  • AzureFrontDoor.Frontend

Additionally, in this case, the Azure Information Protection service also depends on the following IP addresses and port:

  • 13.107.9.198
  • 13.107.6.198
  • 2620:1ec:4::198
  • 2620:1ec:a92::198
  • 13.107.6.181
  • 13.107.9.181
  • Port 443, for HTTPS traffic

Make sure to create rules that allow outbound access to these specific IP addresses, and via this port.
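The NSG rules this section calls for, expressed with the Az.Network PowerShell module. This is an added example, not part of the original article or of Microsoft's tooling: the service tags, addresses and port are the ones listed above, while the resource group and NSG names are placeholders, and the rule names and priorities are assumptions.

```powershell
# Added example, not from the original article: add outbound allow rules for the service tags,
# IP addresses and port listed above to an existing NSG using the Az.Network module.
# Resource group and NSG names are placeholders; rule names and priorities 300-304 are
# assumptions (choose priorities that do not collide with your existing rules).
Import-Module Az.Network

$resourceGroup = 'rg-aip-clients'    # placeholder
$nsgName       = 'nsg-aip-clients'   # placeholder

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName

# Service tags from the article: all ports, any protocol.
$serviceTags = 'AzureInformationProtection', 'AzureActiveDirectory', 'AzureFrontDoor.Frontend'
$priority = 300
foreach ($tag in $serviceTags) {
    $null = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name "Allow-Out-$($tag -replace '\.', '-')" `
        -Description "AIP: outbound to service tag $tag" `
        -Access Allow -Protocol '*' -Direction Outbound -Priority $priority `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $tag -DestinationPortRange '*'
    $priority++
}

# Specific addresses from the article, restricted to TCP 443. IPv4 and IPv6 go in
# separate rules so that each rule stays within a single address family.
$addressSets = [ordered]@{
    'Allow-Out-AIP-IPv4-443' = @('13.107.9.198', '13.107.6.198', '13.107.6.181', '13.107.9.181')
    'Allow-Out-AIP-IPv6-443' = @('2620:1ec:4::198', '2620:1ec:a92::198')
}
foreach ($ruleName in $addressSets.Keys) {
    $null = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name $ruleName -Description 'AIP: outbound HTTPS to AIP service addresses' `
        -Access Allow -Protocol Tcp -Direction Outbound -Priority $priority `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $addressSets[$ruleName] -DestinationPortRange 443
    $priority++
}

# Commit the rules to Azure and list the outbound rules that resulted.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Outbound' } |
    Select-Object Name, Priority, Protocol, DestinationAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Nothing reaches Azure until Set-AzNetworkSecurityGroup runs, so the rule set can be reviewed on the $nsg object first; the explicit address rules are kept narrower (TCP 443 only) than the service-tag rules because the article specifies that port for them.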

Supported on-premises servers for Azure Rights Management data protection

The following on-premises servers are supported with Azure Information Protection when you use the Azure Rights Management connector.

This connector acts as a communications interface, and relays between on-premises servers and the Azure Rights Management service, which is used by Azure Information Protection to protect Office documents and emails.

To use this connector, you must configure directory synchronization between your Active Directory forests and Azure Active Directory.

Supported servers include:

  • Exchange Server: Exchange Server 2016, Exchange Server 2013, Exchange Server 2010
  • Office SharePoint Server: Office SharePoint Server 2016, Office SharePoint Server 2013, Office SharePoint Server 2010
  • File servers that run Windows Server and use File Classification Infrastructure (FCI): Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

For more information, see Deploying the Azure Rights Management connector.

Supported operating systems for Azure Rights Management

The following operating systems support the Azure Rights Management service, which provides data protection for AIP:

  • Windows computers: Windows 7 (x86, x64), Windows 8 (x86, x64), Windows 8.1 (x86, x64), Windows 10 (x86, x64)
  • macOS: minimum version of macOS 10.8 (Mountain Lion)
  • Android phones and tablets: minimum version of Android 6.0
  • iPhone and iPad: minimum version of iOS 11.0
  • Windows phones and tablets: Windows 10 Mobile

Next steps

Once you've reviewed all AIP requirements and confirmed that your system complies, continue with Preparing users and groups for Azure Information Protection.